Bug 719315 - Use-after-free in LifoAlloc::freeUnused
Status: RESOLVED FIXED
[sg:moderate][qa-]
Product: Core
Classification: Components
Component: JavaScript Engine
: unspecified
: All All
: -- critical
: mozilla10
Assigned To: Chris Leary [:cdleary] (not checking bugmail)
: Jason Orendorff [:jorendorff]
Reported: 2012-01-18 18:48 PST by Chris Leary [:cdleary] (not checking bugmail)
Modified: 2012-03-29 12:05 PDT
fixed
fixed
fixed
unaffected


Attachments
Loop with temporary. (687 bytes, patch)
2012-01-18 18:48 PST, Chris Leary [:cdleary] (not checking bugmail)
luke: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+

Description Chris Leary [:cdleary] (not checking bugmail) 2012-01-18 18:48:06 PST
Created attachment 589751
Loop with temporary.

Affected up to beta.

Despite the use-after-free, since this is in a tight loop it will be fairly difficult to exploit.
Comment 1 Chris Leary [:cdleary] (not checking bugmail) 2012-01-18 18:57:08 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/02e6d576cbd3

Waiting for approval on aurora/beta.
Comment 2 Chris Leary [:cdleary] (not checking bugmail) 2012-01-25 20:38:34 PST
Comment on attachment 589751
Loop with temporary.

[Approval Request Comment]
Regression caused by (bug #): 684039
User impact if declined: Potential vulnerability.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): None.
Comment 3 Alex Keybl [:akeybl] 2012-01-26 15:43:37 PST
Comment on attachment 589751
Loop with temporary.

[Triage Comment]
The recommendation of the security team and engineering is to take this given its near-zero risk evaluation and potential exploitability. Please land ASAP.
Comment 5 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-02-01 12:57:56 PST
Is there anything QA can do to verify this fix?
