Closed Bug 642022 Opened 9 years ago Closed 9 years ago

"Assertion failure: compartment mismatched" with InstallTrigger.constructor

Categories: Core :: JavaScript Engine, defect, critical
Hardware/OS: x86, macOS
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla5
Tracking Status: status2.0 --- ?; status1.9.2 --- unaffected

People: Reporter: jruderman, Assigned: mrbkap

References: Blocks 1 open bug

Details: Keywords: assertion, testcase; Whiteboard: [sg:critical?]

Attachments: 3 files, 1 obsolete file

Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:545
Attached file stack trace
Reproduced with mozilla-central rev 4866be78732f and tracemonkey rev 67b102d581dd.
Attached patch Patch (obsolete) — Splinter Review
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #519564 - Flags: review?(jst)
Comment on attachment 519564 [details] [diff] [review]
Patch

oops, wrong bug.
Attachment #519564 - Attachment is obsolete: true
Attachment #519564 - Flags: review?(jst)
Attached patch Real patch — Splinter Review
This was the easiest fix.
Attachment #519573 - Flags: review?(gal)
Attachment #519573 - Flags: review?(gal) → review+
Is this a compartment-leaking security bug (sg:high or worse), or just an oops? I don't crash in an opt build, is "testcase (crashes Firefox when loaded)" simply a fatal assert in a debug build?
I think this can cause problems during GC with compartment GCs. Based on that alone I would say sg:something.
From talking to billm on IRC, operating on JS objects in the wrong compartment can cause us to collect reachable objects during GC. That's sg:critical. So, we should probably consider this as [sg:critical?]. Looking at the code, I'm not convinced that this case in particular is actually exploitable at all (and the result of the code that causes the assertion is thrown away anyway) but it's better to be safe than sorry.
Whiteboard: [sg:critical?]
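The failure mode the previous comment describes (an object touched in the wrong compartment can be freed by a per-compartment GC while something still points at it), and the debug-assert versus opt-build distinction raised two comments earlier, as an added toy model. This is not code from the bug report or from SpiderMonkey; Compartment, JSObj, wrap, storeReference and gcCompartment are invented names for a simplified heap, and the cross-compartment wrapper bookkeeping is a sketch of the idea rather than the engine's actual data structures.

```javascript
'use strict';

// Toy model of compartment-scoped GC, written for this page. Not SpiderMonkey
// code: names and structures are invented to show why a cross-compartment
// reference that bypasses the wrapper layer lets a per-compartment GC free an
// object that is still reachable from another compartment.

let DEBUG_BUILD = false; // true models a debug build's fatal assertion

class Compartment {
  constructor(name) {
    this.name = name;
    this.objects = new Set();          // objects owned by this compartment
    this.roots = new Set();            // roots local to this compartment
    this.incomingWrappers = new Set(); // wrappers elsewhere that point in here
  }
}

class JSObj {
  constructor(compartment, label) {
    this.compartment = compartment;
    this.label = label;
    this.edges = [];     // outgoing references (same compartment, or wrappers)
    this.target = null;  // set only on a cross-compartment wrapper
    compartment.objects.add(this);
  }
}

// A debug build asserts that the object belongs to the compartment being
// operated on; an optimised build skips the check and proceeds silently.
function assertSameCompartment(current, obj) {
  if (DEBUG_BUILD && obj.compartment !== current) {
    throw new Error('Assertion failure: compartment mismatched');
  }
}

// Checked path: cross the boundary through a wrapper that lives in the
// current compartment and registers the edge with the target compartment.
function wrap(current, target) {
  if (target.compartment === current) return target;
  const w = new JSObj(current, 'wrapper->' + target.label);
  w.target = target;
  target.compartment.incomingWrappers.add(w);
  return w;
}

// Buggy path: store a raw reference to an object from another compartment.
function storeReference(holder, target) {
  assertSameCompartment(holder.compartment, target);
  holder.edges.push(target);
}

// Collect one compartment: mark from its own roots plus the targets of
// registered incoming wrappers, never tracing into other compartments,
// then sweep everything in this compartment that was not marked.
function gcCompartment(c) {
  const marked = new Set();
  const stack = [...c.roots];
  for (const w of c.incomingWrappers) stack.push(w.target);
  while (stack.length > 0) {
    const o = stack.pop();
    if (marked.has(o) || o.compartment !== c) continue;
    marked.add(o);
    for (const e of o.edges) stack.push(e);
  }
  const swept = [];
  for (const o of c.objects) {
    if (!marked.has(o)) {
      c.objects.delete(o);
      swept.push(o);
    }
  }
  return swept;
}

// An object in compartment B reachable only from a root in compartment A.
// Reports whether B's GC freed it and whether A still holds a raw reference.
function scenario(useWrapper, debugBuild) {
  DEBUG_BUILD = debugBuild;
  const a = new Compartment('A');
  const b = new Compartment('B');
  const holder = new JSObj(a, 'holder');
  a.roots.add(holder);
  const victim = new JSObj(b, 'victim');
  if (useWrapper) {
    holder.edges.push(wrap(a, victim));
  } else {
    storeReference(holder, victim); // throws when debugBuild is true
  }
  const swept = gcCompartment(b);
  const collected = swept.includes(victim);
  return {
    victimCollected: collected,
    danglingReference: collected && holder.edges.includes(victim),
  };
}

console.log('wrapped  :', scenario(true, false));
console.log('unchecked:', scenario(false, false));
```

With the wrapper in place, B's collector sees the incoming edge and the object survives; with the raw reference, a debug build dies on the assertion while the opt build keeps running, B's collector frees the object, and A is left holding a pointer to freed memory. That is the shape of the hazard the comment above has in mind; whether this particular bug can actually be steered into that state is exactly what the comment leaves open.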
http://hg.mozilla.org/mozilla-central/rev/bed34ea0027c
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Per security group discussion, requesting landing on mozilla-2.0.
status2.0: --- → ?
Attachment #519573 - Flags: approval2.0?
Comment on attachment 519573 [details] [diff] [review]
Real patch

Approved for the mozilla2.0 repository, a=dveditz for release-drivers
Attachment #519573 - Flags: approval2.0? → approval2.0+
Group: core-security
Target Milestone: --- → mozilla5