GC hazard during global object creation

RESOLVED FIXED in Firefox 14

Status: RESOLVED FIXED
Product: Core
Component: DOM
Reported: 5 years ago
Modified: 5 years ago
People

(Reporter: billm, Assigned: billm)

Tracking

Keywords: regression, sec-high
Version: unspecified
Target Milestone: mozilla16

Firefox Tracking Flags

(firefox13 unaffected, firefox14 fixed, firefox15 fixed, firefox16 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [advisory-tracking-][qa-])

Attachments

(1 attachment)

Description (Assignee, 5 years ago)

Created attachment 633279 [details] [diff] [review]
fix

If we GC right after we create a JSCLASS_DOM_GLOBAL global object, the DOM_PROTOTYPE_SLOT hasn't been set yet. The GC will call TraceProtoOrIfaceCache and crash because it doesn't check if it's okay to call GetProtoOrIfaceArray.

This is unlikely to cause a problem in practice, but it's stopping me from running a browser with GC zeal set.
Attachment #633279 - Flags: review?(bzbarsky)
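The window described in the report, as an added example that is not Gecko or SpiderMonkey code: a small C++ model of a global whose reserved slot is still `undefined` when a collection runs, with the tracer as it behaves without a slot check beside the checked version. `GlobalObject`, `Value`, `GetReservedSlot`, `SetReservedSlot`, `HasProtoOrIfaceArray`, the one-slot layout and the four-entry cache are stand-ins chosen to mirror the bug's description, not the real API; the "crash" is recorded in a flag because a real tracer would read through the null pointer and die.

```cpp
// Added example, not Gecko/SpiderMonkey code: a model of the
// allocate-then-initialise window this bug describes. All names here are
// stand-ins that mirror the report, not the real SpiderMonkey API.
#include <cassert>
#include <cstddef>

enum { DOM_PROTOTYPE_SLOT = 0, NUM_RESERVED_SLOTS = 1 };
constexpr size_t kProtoOrIfaceCacheSize = 4;

struct JSObject {
  bool marked = false;  // set by the tracer during a GC
};

// A reserved slot holds either the JS value `undefined` (freshly allocated
// object) or a private pointer installed later by the DOM bindings.
struct Value {
  bool isUndefined = true;
  void* priv = nullptr;
};

struct GlobalObject : JSObject {
  Value slots[NUM_RESERVED_SLOTS];  // all undefined right after allocation
};

Value GetReservedSlot(const GlobalObject* g, int slot) { return g->slots[slot]; }

void SetReservedSlot(GlobalObject* g, int slot, void* p) {
  Value v;
  v.isUndefined = false;
  v.priv = p;
  g->slots[slot] = v;
}

// One entry per DOM interface: the cached prototype / interface object.
using ProtoOrIfaceArray = JSObject*[kProtoOrIfaceCacheSize];

ProtoOrIfaceArray* GetProtoOrIfaceArray(const GlobalObject* g) {
  // Treats the slot payload as a pointer without asking whether it is one;
  // on a global that has not been initialised yet this yields nullptr.
  return static_cast<ProtoOrIfaceArray*>(GetReservedSlot(g, DOM_PROTOTYPE_SLOT).priv);
}

// Stand-in for the crash: a real tracer would read through the null pointer
// and segfault. Recording it lets the scenario run to completion.
static bool g_crashed = false;

// Before the fix: the tracer assumes the slot is always populated.
void TraceProtoOrIfaceCache_Unsafe(GlobalObject* g) {
  ProtoOrIfaceArray* arr = GetProtoOrIfaceArray(g);
  if (!arr) { g_crashed = true; return; }  // null dereference in real code
  for (JSObject* obj : *arr) if (obj) obj->marked = true;
}

// The missing check: is the slot still `undefined`?
bool HasProtoOrIfaceArray(const GlobalObject* g) {
  return !GetReservedSlot(g, DOM_PROTOTYPE_SLOT).isUndefined;
}

// After the fix: nothing to trace until initialisation has finished.
void TraceProtoOrIfaceCache_Safe(GlobalObject* g) {
  if (!HasProtoOrIfaceArray(g)) return;
  for (JSObject* obj : *GetProtoOrIfaceArray(g)) if (obj) obj->marked = true;
}

struct Outcome {
  bool crashed;           // did the early GC hit the uninitialised slot?
  bool cacheEntryMarked;  // did a later GC still mark the cached object?
};

// The sequence the report describes: create the global, GC immediately (what
// GC zeal forces), then let the bindings install the cache and GC again.
Outcome RunScenario(void (*trace)(GlobalObject*)) {
  g_crashed = false;
  GlobalObject global;                       // step 1: allocate (slots undefined)
  trace(&global);                            // step 2: GC before the slot is set
  bool crashedEarly = g_crashed;

  ProtoOrIfaceArray cache = {};              // step 3: bindings allocate the cache
  SetReservedSlot(&global, DOM_PROTOTYPE_SLOT, &cache);
  JSObject someInterfaceObject;
  cache[1] = &someInterfaceObject;           // a lazily created interface object
  trace(&global);                            // step 4: a normal GC must keep it alive
  Outcome out = {crashedEarly, someInterfaceObject.marked};
  return out;
}

int main() {
  Outcome before = RunScenario(TraceProtoOrIfaceCache_Unsafe);
  Outcome after = RunScenario(TraceProtoOrIfaceCache_Safe);
  assert(before.crashed && before.cacheEntryMarked);
  assert(!after.crashed && after.cacheEntryMarked);
  return 0;
}
```

The check costs one slot read per global per collection and is the only difference between the two tracers; the second trace in each scenario shows that skipping an uninitialised global loses nothing, since there are no cache entries to keep alive until the slot has been set.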
Comment 1

Comment on attachment 633279 [details] [diff] [review]
fix

r=me
Attachment #633279 - Flags: review?(bzbarsky) → review+
Comment 2 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/3f164ec683a5
Target Milestone: --- → mozilla16

Comment 3 (5 years ago)
https://hg.mozilla.org/mozilla-central/rev/3f164ec683a5
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox16: --- → fixed
Resolution: --- → FIXED
Comment 4

Do we want or need this fix on previous branches?
Comment 5 (Assignee, 5 years ago)
Comment on attachment 633279 [details] [diff] [review]
fix

I guess we should probably take this on branches. It's an easy fix and it may be exploitable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 744772
User impact if declined: Possible security hole.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Attachment #633279 - Flags: approval-mozilla-beta?
Attachment #633279 - Flags: approval-mozilla-aurora?
Updated (Assignee, 5 years ago)

Whiteboard: [needs-branches]
Comment 6

Comment on attachment 633279 [details] [diff] [review]
fix

Looks small enough and low risk assessment suggests we're good to land this on beta/aurora.  Please update status flags once landed and also confirm if we need this on and can land it to the ESR branch as well.
Attachment #633279 - Flags: approval-mozilla-beta?
Attachment #633279 - Flags: approval-mozilla-beta+
Attachment #633279 - Flags: approval-mozilla-aurora?
Attachment #633279 - Flags: approval-mozilla-aurora+
status-firefox-esr10: --- → ?
status-firefox14: --- → affected
status-firefox15: --- → affected
Comment 7 (Assignee, 5 years ago)
https://hg.mozilla.org/releases/mozilla-aurora/rev/5a9b4f19f1b4
https://hg.mozilla.org/releases/mozilla-beta/rev/99bb1f06b597
status-firefox14: affected → fixed
status-firefox15: affected → fixed

Comment 8 (5 years ago)
(In reply to Bill McCloskey (:billm) from comment #7)
> https://hg.mozilla.org/releases/mozilla-aurora/rev/5a9b4f19f1b4
> https://hg.mozilla.org/releases/mozilla-beta/rev/99bb1f06b597

Given status flags in bug 744772, the ESR branch is unaffected.
status-firefox-esr10: ? → unaffected
Whiteboard: [needs-branches] → [needs-branches][advisory-tracking+]
Blocks: 744772
status-firefox13: --- → unaffected
Keywords: regression, sec-high
Whiteboard: [needs-branches][advisory-tracking+] → [needs-branches][advisory-tracking-]
Whiteboard: [needs-branches][advisory-tracking-] → [advisory-tracking-]
Group: core-security

Updated (5 years ago)
Whiteboard: [advisory-tracking-] → [advisory-tracking-][qa-]