Nobody cares if NS_HOLD_JS_OBJECTS/NS_DROP_JS_OBJECTS fails

RESOLVED FIXED

Status

()

Core
XPConnect
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: mccr8, Assigned: mccr8)

Tracking

({sec-moderate})

Trunk
sec-moderate
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox18 fixed, firefox-esr10 wontfix, firefox-esr17 wontfix, b2g18 fixed)

Details

(Whiteboard: [uwisc-analysis] fixed by bug 782792)

(Assignee)

Description

6 years ago
It turns out that NS_HOLD_JS_OBJECTS and NS_DROP_JS_OBJECTS can fail, basically only in OOM situations where we couldn't create mJSHolders, or can't add an entry to the hashtable.  There are around 28 places the former is called (including a bunch in IndexedDB), and only 4 of them check for error.

http://mxr.mozilla.org/mozilla-central/ident?i=NS_HOLD_JS_OBJECTS&filter=

This is bad because the object will think that the JS object it holds is rooted when it is not.

So we should either fix the other 24 callees or just make these functions infallible and crash the browser if these hash table operations fail. I'm inclined to do the latter, because that will avoid regressions in the future, and it will require less changes, but I'll defer to the opinions of others.

(NS_DROP_JS_OBJECTS isn't really checked either, but the only way it can fail is if there is no table, in which case the corresponding HOLD probably also failed, so who cares...)

I marked this security sensitive, though I'm not sure if potential GC hazards when we're running out of memory and likely to be in danger of imminent crashing anyways is a big deal.

This was found by Cindy Rubio González <crubio@cs.wisc.edu>'s error propagation analysis.
Aren't hashtable allocations infallible now?
(Assignee)

Comment 2

6 years ago
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #1)
> Aren't hashtable allocations infallible now?

XPConnect uses JS_DHash, which uses js_malloc, which I think is fallible.  I could be wrong.

Comment 3

6 years ago
Would someone please add "[uwisc-analysis]" to the Whiteboard list for this bug?  We've been using that elsewhere to tag bugs discovered by Cindy Rubio González <crubio@cs.wisc.edu>'s error propagation analysis.  I'd add it here myself, but I don't have that power.  Thanks!
> I'd add it here myself, but I don't have that power.  Thanks!

Refresh and you will!

Updated

6 years ago
Whiteboard: [uwisc-analysis]
Keywords: sec-moderate
(Assignee)

Updated

6 years ago
Assignee: nobody → continuation
Depends on: 782792
(Assignee)

Comment 5

6 years ago
I eliminated one of the ways NS_HOLD_JS_OBJECTS can fail in bug 782792, so this is mostly fixed now. Technically, it can still fail if there's no sXPConnect. That seems unlikely, though, so maybe it should just crash in that case...
Whiteboard: [uwisc-analysis] → [uwisc-analysis] fixed by bug 782792
(Assignee)

Comment 6

5 years ago
Bug 792861 eliminates the last ways that these functions can fail, and adds checks to the chokepoints that will make the browser crash if it starts being able to fail, which will make this whole interface much safer. After that is done, we can close this.
Depends on: 792861
(Assignee)

Comment 7

5 years ago
I guess we don't care too much what happens when there's no XPConnect around, so I'll mark this fixed...
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
status-firefox-esr10: --- → wontfix
status-firefox-esr17: --- → wontfix
status-b2g18: --- → fixed
status-firefox18: --- → fixed
Group: core-security
You need to log in before you can comment on or make changes to this bug.