Bug 783867 (CVE-2012-3989): ASSERTION: This only works on nsISupports classes! and segfault
Status: RESOLVED FIXED (Closed). Opened 12 years ago, closed 12 years ago.
Category: Core :: XPConnect, defect
Target milestone: mozilla17
People: Reporter: Ms2ger, Assigned: bzbarsky
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [advisory-tracking+]
Attachments (1 file): patch, 1.49 KB; peterv: review+; lsblakk: approval-mozilla-aurora+
Description
Running

    new Worker("http://base.com") instanceof Components.interfaces.nsIArray

in a mochitest will hit

    NS_ASSERTION(mozilla::dom::DOMJSClass::FromJSClass(
                     js::GetObjectJSClass(obj))->mDOMObjectIsISupports,
                 "This only works on nsISupports classes!");

at <http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCJSID.cpp#484>. We then unwrap the object to nsISupports and try to call QueryInterface on it, and segfault in nsWrapperCache::WrapObject.
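As an added illustration (not code from this bug, the patch, or Mozilla), the following hypothetical C++ model shows the defensive point behind the fix: an NS_ASSERTION is compiled out in release builds, so the "is this DOM class nsISupports-backed?" decision has to be an unconditional branch that answers false rather than a debug-only assert before the unwrap. Only the names DOMJSClass, mDOMObjectIsISupports and nsISupports come from the description; the structs, HasInstance and the sample objects are constructed for the example.

```cpp
#include <string>

// Hypothetical model, not Mozilla's code: only the names DOMJSClass,
// mDOMObjectIsISupports and nsISupports are taken from the bug description.
struct nsISupports {
  virtual ~nsISupports() = default;
  // Stand-in for XPCOM QueryInterface: true if the object implements iid.
  virtual bool QueryInterface(const std::string& iid) = 0;
};

// Per-class metadata: is the native behind this DOM class an nsISupports?
// For Worker in the bug's test case it was not.
struct DOMJSClass {
  const char* name;
  bool mDOMObjectIsISupports;
};

// A wrapped object: its DOM class plus an opaque native pointer that is a
// valid nsISupports* only when the class flag says so.
struct JSObject {
  const DOMJSClass* clazz;
  void* native;
};

struct ArrayImpl : nsISupports {
  bool QueryInterface(const std::string& iid) override { return iid == "nsIArray"; }
};
struct WorkerImpl { int state = 0; };  // a DOM object that is not nsISupports

// Models `obj instanceof Components.interfaces.<iid>`. The unfixed code had
// only an NS_ASSERTION before the unwrap; release builds compile that out, so
// `native` was cast to nsISupports* and QueryInterface was called through a
// vtable that does not exist. The fix is an unconditional branch that answers
// false for classes that are not nsISupports-backed.
bool HasInstance(const JSObject& obj, const std::string& iid) {
  if (!obj.clazz->mDOMObjectIsISupports) {
    return false;  // not an XPCOM object, so not an instance of any XPCOM iid
  }
  return static_cast<nsISupports*>(obj.native)->QueryInterface(iid);
}

// Constructed sample objects mirroring the bug's test case (not real Gecko data).
static const DOMJSClass kArrayClass{"Array", true};
static const DOMJSClass kWorkerClass{"Worker", false};
static ArrayImpl gArray;
static WorkerImpl gWorker;
static nsISupports* const gArrayNative = &gArray;  // void* round-trip stays valid

bool WorkerInstanceOfNsIArray() { return HasInstance({&kWorkerClass, &gWorker}, "nsIArray"); }
bool ArrayInstanceOfNsIArray()  { return HasInstance({&kArrayClass, gArrayNative}, "nsIArray"); }
bool ArrayInstanceOfNsIFile()   { return HasInstance({&kArrayClass, gArrayNative}, "nsIFile"); }
```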
Comment 1 • 12 years ago
How dangerous is this?

Comment 2 • 12 years ago (Assignee)
This is reasonably bad. It's also a regression from the original landing in bug 740069.
Probably too late to fix this on 15 now, but we should fix elsewhere. Also, don't check in a test for this until after we ship the fix. :(
Assignee: nobody → bzbarsky
Blocks: 740069
tracking-firefox16: --- → ?
tracking-firefox17: --- → ?
Whiteboard: [need review]
Comment 3 • 12 years ago (Assignee)
Attachment #654288 - Flags: review?(peterv)
Updated • 12 years ago
Attachment #654288 - Flags: review?(peterv) → review+
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
status-firefox14: --- → wontfix
status-firefox15: --- → wontfix
status-firefox16: --- → affected
status-firefox17: --- → affected
Comment 4 • 12 years ago (Assignee)
http://hg.mozilla.org/integration/mozilla-inbound/rev/2f60f3a4bdd7
No test landed yet; we should do that once we reopen it.
Updated • 12 years ago (Assignee)
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla17
Comment 5 • 12 years ago (Assignee)
Comment on attachment 654288: Don't blindly assume IsDOMClass objects are nsISupports.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 740069
User impact if declined: Possibly-exploitable crash
Testing completed (on m-c, etc.): Tested on testcase in this bug
Risk to taking this patch (and alternatives if risky): Very safe: just makes us return false in cases where it should be returned, instead of crashing exploitably.
String or UUID changes made by this patch:
Attachment #654288 - Flags: approval-mozilla-aurora?
Comment 6 • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 7 • 12 years ago
Apologies, I had two security bugs open to mark, and pasted the other s-g bug's cset in this one.
The correct changeset is:
https://hg.mozilla.org/mozilla-central/rev/2f60f3a4bdd7
Updated • 12 years ago
Attachment #654288 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 8 • 12 years ago (Assignee)

Comment 9 • 12 years ago
Can someone suggest a sec rating for this issue?
Updated • 12 years ago
Whiteboard: [advisory-tracking+]
Updated • 12 years ago
Alias: CVE-2012-3989
Updated • 12 years ago
Group: core-security
Flags: sec-bounty+
Updated • 6 months ago
Keywords: reporter-external