Use-after-free in LifoAlloc::freeUnused

RESOLVED FIXED in Firefox 10

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: cdleary, Assigned: cdleary)

Tracking

unspecified
mozilla10
Points:
---

Firefox Tracking Flags

(firefox10 fixed, firefox11 fixed, firefox12 fixed, status1.9.2 unaffected)

Details

(Whiteboard: [sg:moderate][qa-])

Attachments

(1 attachment)

Created attachment 589751 [details] [diff] [review]
Loop with temporary.

Affected up to beta.

Despite the use-after-free, since this is in a tight loop it will be fairly difficult to exploit.
Attachment #589751 - Flags: review?(luke)

Updated

5 years ago
Attachment #589751 - Flags: review?(luke) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/02e6d576cbd3

Waiting for approval on aurora/beta.
status1.9.2: --- → unaffected
Whiteboard: [sg:moderate]
Comment on attachment 589751 [details] [diff] [review]
Loop with temporary.

[Approval Request Comment]
Regression caused by (bug #): 684039
User impact if declined: Potential vulnerability.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): None.
Attachment #589751 - Flags: approval-mozilla-beta?
Attachment #589751 - Flags: approval-mozilla-aurora?

Comment 3

5 years ago
Comment on attachment 589751 [details] [diff] [review]
Loop with temporary.

[Triage Comment]
The recommendation of the security team and engineering is to take this given its near-zero risk evaluation and potential exploitability. Please land ASAP.
Attachment #589751 - Flags: approval-mozilla-beta?
Attachment #589751 - Flags: approval-mozilla-beta+
Attachment #589751 - Flags: approval-mozilla-aurora?
Attachment #589751 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/8b22c18ae5ee
https://hg.mozilla.org/releases/mozilla-beta/rev/226c1a05e0b6
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10

Updated

5 years ago
status-firefox10: affected → fixed
status-firefox11: affected → fixed
status-firefox12: affected → fixed
Is there anything QA can do to verify this fix?
Whiteboard: [sg:moderate] → [sg:moderate][qa?]
Group: core-security
Whiteboard: [sg:moderate][qa?] → [sg:moderate][qa-]