Bug 655098 (Closed)
Opened 13 years ago
Closed 13 years ago
CreateNPObjectMember jsids don't appear to be rooted
Categories: Core Graveyard :: Plug-ins, defect
Tracking: firefox5- wontfix, firefox6+ fixed, firefox7+ fixed, blocking1.9.2 .23+, status1.9.2 .23-fixed
People: Reporter: benjamin, Assigned: benjamin
Whiteboard: [sg:critical?][qa-ntd-192][qa-]
Attachments (2 files)
Attachment #530636: patch, 1.20 KB. cdleary: review+; mrbkap: review+; christian: approval-mozilla-aurora+
Attachment #549927: patch, 1.20 KB. cdleary: review+; christian: approval1.9.2.20+
The jsid in CreateNPObjectMember may be a non-rooted identifier:
http://mxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsJSNPRuntime.cpp#2089

It should be traced at http://mxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsJSNPRuntime.cpp#2292. But currently the JSAPI doesn't actually expose a public function for tracing jsid.

Filing as private because it's theoretically possible to abuse this via script to perhaps dereference string characters which were GCed.
Comment 1 • 13 years ago
(In reply to comment #0)
> But currently the JSAPI doesn't actually expose a public function for tracing
> jsid.

We should add one, but in the meantime you can do

    if (JSID_IS_STRING(id))
        JS_CALL_STRING_TRACER(trc, JSID_TO_STRING(id), "some_name")
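The point of the interim fix in comment 1 is that a string-tagged identifier held in native memory is invisible to the collector unless the owning object's trace hook reports it. The following is an added example, not Mozilla or SpiderMonkey code: it models the situation with a toy mark-and-sweep heap and stand-in names (GcString, Id, MemberPrivate, Tracer::markString are all assumptions standing in for JSString, jsid, the NPObjectMember private data and JS_CALL_STRING_TRACER), and shows that the string survives a collection only when the trace hook marks it; without the hook the member is left holding a dangling pointer.

```cpp
// Added example (not Mozilla code): toy GC model of why a stored jsid must be traced.
// All type and function names here are stand-ins assumed for illustration.
#include <cassert>
#include <functional>
#include <set>
#include <string>
#include <utility>
#include <vector>

// A heap-allocated string: the GC thing a string-tagged id points at (stand-in for JSString).
struct GcString {
    std::string chars;
    bool marked = false;
    explicit GcString(std::string s) : chars(std::move(s)) {}
};

// Toy heap that records every string it allocated so liveness can be checked
// by pointer identity without dereferencing anything that may have been freed.
struct Heap {
    std::set<GcString*> live;
    GcString* newString(const std::string& s) {
        GcString* str = new GcString(s);
        live.insert(str);
        return str;
    }
    bool isLive(GcString* s) const { return live.count(s) != 0; }
};

// The tracer handed to trace hooks; marking a string keeps it alive through the sweep
// (stand-in for JS_CALL_STRING_TRACER(trc, str, name)).
struct Tracer {
    void markString(GcString* s, const char* /*name*/) {
        if (s) s->marked = true;
    }
};

// An identifier that is either an integer or a pointer to a string (stand-in for jsid).
struct Id {
    bool isString;
    GcString* str;
    int integer;
};

// Native object private data that stores an id (stand-in for the NPObjectMember private).
struct MemberPrivate {
    Id fieldName;
};

// The trace hook the fix installs: only string-tagged ids refer to GC things.
void traceMemberPrivate(Tracer* trc, MemberPrivate* priv) {
    if (priv->fieldName.isString)
        trc->markString(priv->fieldName.str, "MemberPrivate.fieldName");
}

// One collection: run every registered trace hook, then free every unmarked string.
void collect(Heap& heap, const std::vector<std::function<void(Tracer*)>>& traceHooks) {
    Tracer trc;
    for (const auto& hook : traceHooks) hook(&trc);
    for (auto it = heap.live.begin(); it != heap.live.end();) {
        if (!(*it)->marked) {
            delete *it;                 // sweep: unreachable from the tracer's point of view
            it = heap.live.erase(it);
        } else {
            (*it)->marked = false;      // clear for the next cycle
            ++it;
        }
    }
}

// Returns whether the string behind the stored id is still allocated after a GC.
// false means priv.fieldName.str now dangles: the use-after-free the bug describes.
bool idSurvivesGc(bool installTraceHook) {
    Heap heap;
    GcString* name = heap.newString("memberName");   // constructed sample id
    MemberPrivate priv{Id{true, name, 0}};
    std::vector<std::function<void(Tracer*)>> hooks;
    if (installTraceHook)
        hooks.push_back([&](Tracer* trc) { traceMemberPrivate(trc, &priv); });
    collect(heap, hooks);
    return heap.isLive(name);
}

int main() {
    assert(idSurvivesGc(true));    // traced: string kept alive
    assert(!idSurvivesGc(false));  // untraced: string swept, pointer dangles
    return 0;
}
```

The check is deliberately done by pointer identity in the heap's registry rather than by reading the string, so the untraced case demonstrates the dangling reference without the example itself touching freed memory.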
Comment 2 (Assignee) • 13 years ago
Assignee: nobody → benjamin
Status: NEW → ASSIGNED
Attachment #530636 -
Flags: review?(mrbkap)
Attachment #530636 -
Flags: review?(cdleary)
Updated • 13 years ago
Attachment #530636 -
Flags: review?(mrbkap) → review+
Comment 3 • 13 years ago
Comment on attachment 530636 [details] [diff] [review]
Root the NPObjectMember id, rev. 1

Review of attachment 530636 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry I didn't see this earlier. Got buried in my email.
Attachment #530636 -
Flags: review?(cdleary) → review+
Comment 4 • 13 years ago
Summary sounds bad, guessing at severity rating. Is this in old code (affecting 1.9.2.x as well)?
status1.9.2:
--- → ?
status-firefox5:
--- → affected
status-firefox6:
--- → affected
status-firefox7:
--- → affected
Whiteboard: [sg:critical?]
Comment 5 (Assignee) • 13 years ago
Yes, this affects all older branches. I guess it's possible to exploit this... not easy, though.
Comment 6 • 13 years ago
Can we get this patch landed?
tracking-firefox5:
--- → -
tracking-firefox6:
--- → +
tracking-firefox7:
--- → +
Keywords: checkin-needed
Comment 7 (Assignee) • 13 years ago
http://hg.mozilla.org/mozilla-central/rev/49e57fa259dc
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated (Assignee) • 13 years ago
Target Milestone: --- → mozilla7
Updated • 13 years ago
Attachment #530636 -
Flags: approval-mozilla-aurora?
Comment on attachment 530636 [details] [diff] [review]
Root the NPObjectMember id, rev. 1

Approved for mozilla-aurora
Attachment #530636 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Keywords: checkin-needed
Updated • 13 years ago
Comment 9 • 13 years ago
bsmedberg, can we get this landed on aurora?
Comment 10 • 13 years ago
Do we need a different patch for the 1.9.2 branch?
Comment 11 (Assignee) • 13 years ago
Comment on attachment 530636 [details] [diff] [review]
Root the NPObjectMember id, rev. 1

This patch will probably apply to 1.9.2 manually using the old location (modules/plugin/base/src) instead of dom/plugins/base.
Attachment #530636 -
Flags: checkin?
Comment 12 (Assignee) • 13 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/4e20ef627458
Target Milestone: mozilla7 → mozilla6
Updated (Assignee) • 13 years ago
Attachment #530636 -
Flags: checkin?
Comment 13 (Assignee) • 13 years ago
Somehow this got marked a branch blocker without me noticing. This might be the correct branch version of this, but I'm not sure and I'm not sure it's really serious enough to block.
Attachment #549927 -
Flags: review?(cdleary)
Updated • 13 years ago
Attachment #549927 -
Flags: review?(cdleary) → review+
Comment 14 • 13 years ago
Comment on attachment 549927 [details] [diff] [review]
1.9.2 branch version, maybe, rev. 1

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/48b6fb82a960
Attachment #549927 -
Flags: approval1.9.2.20+
Comment 15 • 13 years ago
Are there any STR for this issue to use for verification of this fix?
blocking1.9.2: .20+ → .21+
Whiteboard: [sg:critical?] → [sg:critical?][qa-examined-192][qa-needs-STR]
Comment 16 (Assignee) • 13 years ago
No, it was entirely theoretical.
Comment 17 • 13 years ago
Ok. Marking this as "Nothing to Do" for QA.
Whiteboard: [sg:critical?][qa-examined-192][qa-needs-STR] → [sg:critical?][qa-ntd-192]
Comment 18 • 13 years ago
qa-: fix needs no QA verification
Whiteboard: [sg:critical?][qa-ntd-192] → [sg:critical?][qa-ntd-192][qa-]
Updated • 13 years ago
Group: core-security
Updated • 2 years ago
Product: Core → Core Graveyard