Closed Bug 783867 (CVE-2012-3989) Opened 12 years ago Closed 12 years ago

ASSERTION: This only works on nsISupports classes! and segfault

Categories: Core :: XPConnect, defect
Type: defect
Priority: Not set
Severity: normal

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla17
Tracking Status:
firefox14 --- wontfix
firefox15 --- wontfix
firefox16 + fixed
firefox17 + fixed
firefox-esr10 --- unaffected

People: Reporter: Ms2ger, Assigned: bzbarsky
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [advisory-tracking+]
Attachments: 1 file

Running new Worker("http://base.com") instanceof Components.interfaces.nsIArray in a mochitest will hit NS_ASSERTION(mozilla::dom::DOMJSClass::FromJSClass( js::GetObjectJSClass(obj))->mDOMObjectIsISupports, "This only works on nsISupports classes!"); at <http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCJSID.cpp#484>. We then unwrap the object to nsISupports and try to call QueryInterface on it, and segfault in nsWrapperCache::WrapObject.
How dangerous is this?
This is reasonably bad. It's also a regression from the original landing in bug 740069. Probably too late to fix this on 15 now, but we should fix elsewhere. Also, don't check in a test for this until after we ship the fix. :(
Assignee: nobody → bzbarsky
Blocks: 740069
Whiteboard: [need review]
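The report above describes an unwrap that trusts the IsDOMClass check alone: the object is cast to nsISupports and QueryInterface is called on it, even though the Worker object has no nsISupports behind it. The following is an added, self-contained model of that pattern and of the guard the patch title describes ("Don't blindly assume IsDOMClass objects are nsISupports"); it is not Mozilla code. All names (ModelJSClass, ModelObject, Supports, IID, WorkerImpl, ArrayImpl, UnguardedInstanceOf, GuardedInstanceOf) are hypothetical stand-ins for the XPConnect internals named in the bug.

```cpp
#include <cassert>

// Hypothetical stand-in for an XPCOM interface id.
enum class IID { nsISupports, nsIArray };

// Hypothetical nsISupports-like base: only these objects may be queried.
struct Supports {
    virtual ~Supports() = default;
    virtual bool QueryInterface(IID iid) const = 0;
};

// Hypothetical class descriptor. The second flag mirrors the
// mDOMObjectIsISupports check quoted in the report: a DOM class need not
// be backed by an nsISupports object.
struct ModelJSClass {
    bool isDOMClass;
    bool domObjectIsISupports;
};

// Hypothetical JS object: its class plus an opaque native pointer whose real
// type is Supports* only when domObjectIsISupports is set.
struct ModelObject {
    const ModelJSClass* clasp;
    void* native;
};

struct ArrayImpl final : Supports {
    bool QueryInterface(IID iid) const override {
        return iid == IID::nsISupports || iid == IID::nsIArray;
    }
};

// A DOM-class native that is not nsISupports, like the Worker in the report.
struct WorkerImpl { int unrelatedState = 0; };

// Modelled pre-fix behaviour: trusts IsDOMClass alone and casts the native
// slot to Supports*. On a WorkerImpl this is a type confusion (the reported
// segfault); it is shown for contrast only and is never called here.
bool UnguardedInstanceOf(const ModelObject& obj, IID iid) {
    if (!obj.clasp->isDOMClass) return false;
    return static_cast<Supports*>(obj.native)->QueryInterface(iid);
}

// Modelled post-fix behaviour: also require the nsISupports flag and answer
// false instead of unwrapping when it is absent.
bool GuardedInstanceOf(const ModelObject& obj, IID iid) {
    if (!obj.clasp->isDOMClass || !obj.clasp->domObjectIsISupports) return false;
    return static_cast<Supports*>(obj.native)->QueryInterface(iid);
}

// Constructed sample classes for the checks below.
static const ModelJSClass kArrayClass{true, true};
static const ModelJSClass kWorkerClass{true, false};
static const ModelJSClass kPlainClass{false, false};

// Worker-like object asked "instanceof nsIArray": the guard answers false
// without ever touching the native slot.
bool WorkerInstanceOfArray() {
    WorkerImpl w;
    ModelObject obj{&kWorkerClass, &w};
    return GuardedInstanceOf(obj, IID::nsIArray);
}

// Genuine nsISupports-backed object: the guard lets QueryInterface decide.
bool ArrayInstanceOfArray() {
    ArrayImpl a;
    ModelObject obj{&kArrayClass, static_cast<Supports*>(&a)};
    return GuardedInstanceOf(obj, IID::nsIArray);
}

// Non-DOM object: rejected by the first half of the guard.
bool PlainInstanceOfSupports() {
    int n = 0;
    ModelObject obj{&kPlainClass, &n};
    return GuardedInstanceOf(obj, IID::nsISupports);
}

int main() {
    assert(!WorkerInstanceOfArray());
    assert(ArrayInstanceOfArray());
    assert(!PlainInstanceOfSupports());
    return 0;
}
```

The point of the model is the ordering: the flag that says whether a downcast is valid must be consulted before the cast, and a negative answer is a legitimate result of instanceof rather than an error, which is exactly the "return false instead of crashing" behaviour the approval request describes.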
Attachment #654288 - Flags: review?(peterv) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/2f60f3a4bdd7 No test landed yet; we should do that once we reopen it.
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla17
Comment on attachment 654288 [details] [diff] [review]
Don't blindly assume IsDOMClass objects are nsISupports.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 740069
User impact if declined: Possibly-exploitable crash
Testing completed (on m-c, etc.): Tested on testcase in this bug
Risk to taking this patch (and alternatives if risky): Very safe: just makes us return false in cases where it should be returned, instead of crashing exploitably.
String or UUID changes made by this patch:
Attachment #654288 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Apologies, had two security bugs open to mark, and pasted other s-g bug's cset in this one. The correct changeset is: https://hg.mozilla.org/mozilla-central/rev/2f60f3a4bdd7
Attachment #654288 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Can someone suggest a sec rating for this issue?
Whiteboard: [advisory-tracking+]
Alias: CVE-2012-3989
Group: core-security
Flags: sec-bounty+