Closed
Bug 679593
Opened 13 years ago
Closed 13 years ago
Possible JSScript double-free
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
People
(Reporter: billm, Assigned: billm)
Details
(Whiteboard: [sg:critical?], wanted-standalone-js [qa-])
Attachments
(1 file)
874 bytes, patch
dmandelin: review+
asa: approval-mozilla-aurora+
asa: approval-mozilla-beta-
The problem is in js_CloneFunctionObject. Consider the cross-compartment case where we're cloning |fun|. We create a new function |cfun| and do: cfun->u = fun->getFunctionPrivate()->u; For an interpreted script, this makes cfun->script() == fun->script(). Then we do JSScript *cscript = js_CloneScript(cx, script); and, after a null check on cscript, make |cfun->script() == cscript|. Say that we fail to allocate cscript. Then we'll have two allocated function objects, in different compartments, pointing to the same script. This is bad because of the compartment thing and also because each function object finalizer will free the script, so it will be freed twice.
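The failure path described in the report, modelled as an added C example that is neither SpiderMonkey code nor the attached patch: a constructed Script/Function pair with counted frees shows the double free when the clone aliases the source script before the script clone fails, beside a reordered version that is assumed here as the general remedy (the compartment mismatch is not modelled).

```c
#include <stdlib.h>
/* Constructed model of the bug: a Script is owned by exactly one Function,
 * whose finalizer frees it. Frees are counted rather than performed, so a
 * double free is observable instead of being undefined behaviour. */
typedef struct { int free_count; } Script;
typedef struct { Script *script; } Function;
static int clone_should_fail;   /* test knob: simulates OOM inside clone_script */
static Script *clone_script(const Script *src) {
    return (clone_should_fail || !src) ? NULL : calloc(1, sizeof(Script));
}

/* Finalizer: each Function frees whatever Script it points at. */
static void finalize_function(Function *f) {
    if (f->script) f->script->free_count++;
}

/* Buggy order, as described in the report: the clone first aliases the
 * source script, so a failed clone_script leaves two owners of one Script. */
static int clone_function_buggy(Function *cfun, const Function *fun) {
    cfun->script = fun->script;             /* cfun->u = fun->...->u */
    Script *cscript = clone_script(fun->script);
    if (!cscript) return 0;                 /* OOM: the alias is never undone */
    cfun->script = cscript;
    return 1;
}

/* Fixed order (assumed general remedy, not the project's actual patch):
 * the clone never aliases the source; it only ever owns the fresh copy. */
static int clone_function_fixed(Function *cfun, const Function *fun) {
    cfun->script = NULL;
    Script *cscript = clone_script(fun->script);
    if (!cscript) return 0;
    cfun->script = cscript;
    return 1;
}

/* Runs one clone attempt, finalizes both objects, and returns how many
 * times the original Script was freed (2 means a double free). */
static int original_free_count(int (*clone)(Function *, const Function *), int fail) {
    Script *orig = calloc(1, sizeof(Script));
    Function fun = { orig }, cfun = { NULL };
    clone_should_fail = fail;
    clone(&cfun, &fun);
    finalize_function(&cfun);
    finalize_function(&fun);
    int n = orig->free_count;
    if (cfun.script != orig) free(cfun.script);   /* free(NULL) is a no-op */
    free(orig);
    return n;
}
```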
Updated•13 years ago
Assignee: general → wmccloskey
Whiteboard: [sg:critical?]
Updated•13 years ago
status-firefox5:
--- → wontfix
status-firefox6:
--- → wontfix
status-firefox7:
--- → affected
status-firefox8:
--- → affected
status-firefox9:
--- → affected
tracking-firefox5:
--- → -
tracking-firefox6:
--- → -
tracking-firefox7:
--- → +
tracking-firefox8:
--- → +
tracking-firefox9:
--- → +
Assignee
Comment 1•13 years ago
This was totally my fault. I changed this recently and it was a bad idea. This should fix it.
Attachment #554933 - Flags: review?(dmandelin)
Updated•13 years ago
Attachment #554933 - Flags: review?(dmandelin) → review+
Assignee
Updated•13 years ago
Whiteboard: [sg:critical?] → [sg:critical?][inbound]
Comment 2•13 years ago
http://hg.mozilla.org/mozilla-central/rev/c8eea83232b2
Status: NEW → RESOLVED
Closed: 13 years ago
OS: Linux → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: [sg:critical?][inbound] → [sg:critical?]
Version: unspecified → Trunk
Updated•13 years ago
Comment 3•13 years ago
Is this patch good for aurora and beta? If so, please request approvals.
Assignee
Comment 4•13 years ago
Comment on attachment 554933 [details] [diff] [review] fix
There's a very slight possibility that this is broken in beta. It's definitely broken in aurora. I'm not sure how significant a problem this actually is, but it's unlikely to regress anything so we should probably get it in.
Attachment #554933 - Flags: approval-mozilla-beta?
Attachment #554933 - Flags: approval-mozilla-aurora?
Updated•13 years ago
Attachment #554933 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #554933 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•13 years ago
Comment 5•13 years ago
Bill, can you get this landed on aurora, we've only got a few days left!
Assignee
Comment 6•13 years ago
Sorry, forgot about this. https://hg.mozilla.org/releases/mozilla-aurora/rev/391c8ebfa0a6
Updated•13 years ago
Whiteboard: [sg:critical?] → [sg:critical?], wanted-standalone-js
Comment 7•13 years ago
This landed in aurora before the most recent uplift, which means it's fixed for 8! Marking so.
qa- as nothing to do for QA fix verification -- please set to qa+ if this is not the case.
Whiteboard: [sg:critical?], wanted-standalone-js → [sg:critical?], wanted-standalone-js [qa-]
Comment 9•13 years ago
The 1.9.2 code is significantly different and there's no testcase, assuming 3.6.x is OK.
status1.9.2:
--- → unaffected
Updated•12 years ago
Group: core-security