Bug 783867 (CVE-2012-3989)

ASSERTION: This only works on nsISupports classes! and segfault

RESOLVED FIXED in Firefox 16

Status: RESOLVED FIXED
Product / Component: Core / XPConnect
Reported: 5 years ago; last modified: 3 years ago

People: Reporter: Ms2ger; Assigned: bz

Tracking: Blocks: 1 bug; Keywords: csectype-wildptr, regression, sec-critical
Version: Trunk; Target Milestone: mozilla17
Bug Flags: sec-bounty +; in-testsuite ?

Firefox Tracking Flags: firefox14 wontfix, firefox15 wontfix, firefox16+ fixed, firefox17+ fixed, firefox-esr10 unaffected

Whiteboard: [advisory-tracking+]

Attachments: 1 attachment

Description (Reporter, 5 years ago)
Running

new Worker("http://base.com") instanceof Components.interfaces.nsIArray

in a mochitest will hit

NS_ASSERTION(mozilla::dom::DOMJSClass::FromJSClass(
                  js::GetObjectJSClass(obj))->mDOMObjectIsISupports,
             "This only works on nsISupports classes!");

at <http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCJSID.cpp#484>. We then unwrap the object to nsISupports and try to call QueryInterface on it, and segfault in nsWrapperCache::WrapObject.
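The shape of the defect and of the fix ("Don't blindly assume IsDOMClass objects are nsISupports"), as an added illustration that is not Gecko's code: the type names echo those in the assertion but are hypothetical mocks, and SafeHasInstance, CheckISupportsBacked and CheckWorkerLike are assumed helper names.

```cpp
#include <string>

// Hypothetical stand-ins for the XPConnect/DOM-bindings types named in the
// report (nsISupports, DOMJSClass, a JS object's private slot). Mocks only.
struct nsISupports {
    virtual ~nsISupports() = default;
    virtual bool QueryInterface(const std::string& iid) = 0;
};
struct DOMJSClass {
    // True only for DOM classes whose private slot really holds nsISupports*.
    bool mDOMObjectIsISupports;
};
struct JSObjectMock {
    const DOMJSClass* clasp;
    void* priv;  // what the private-slot getter would hand back
};
struct ArrayLikeNative : nsISupports {
    bool QueryInterface(const std::string& iid) override {
        return iid == "nsIArray";
    }
};
// A DOM object whose private slot is NOT an nsISupports (the Worker case).
struct WorkerLikeNative { int payload = 42; };

// Mirrors the fix's intent: an IsDOMClass object that is not nsISupports
// yields false instead of being unwrapped and QueryInterface'd through a
// wild pointer. The pre-fix path asserted and then did the cast anyway.
bool SafeHasInstance(const JSObjectMock& obj, const std::string& iid) {
    if (!obj.clasp->mDOMObjectIsISupports) {
        return false;
    }
    auto* native = static_cast<nsISupports*>(obj.priv);
    return native != nullptr && native->QueryInterface(iid);
}

// Constructed fixtures so the check can be exercised without a JS engine.
bool CheckISupportsBacked(const std::string& iid) {
    static ArrayLikeNative arr;
    static const DOMJSClass cls{true};
    JSObjectMock obj{&cls, &arr};
    return SafeHasInstance(obj, iid);
}
bool CheckWorkerLike(const std::string& iid) {
    static WorkerLikeNative worker;
    static const DOMJSClass cls{false};
    JSObjectMock obj{&cls, &worker};
    return SafeHasInstance(obj, iid);  // false: never touches worker's bytes
}
```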
How dangerous is this?
This is reasonably bad.  It's also a regression from the original landing in bug 740069.

Probably too late to fix this on 15 now, but we should fix elsewhere.  Also, don't check in a test for this until after we ship the fix.  :(
Assignee: nobody → bzbarsky
Blocks: 740069
tracking-firefox16: --- → ?
tracking-firefox17: --- → ?
Whiteboard: [need review]
Created attachment 654288 [details] [diff] [review]
Don't blindly assume IsDOMClass objects are nsISupports.
Attachment #654288 - Flags: review?(peterv)
Attachment #654288 - Flags: review?(peterv) → review+
status-firefox-esr10: --- → unaffected
status-firefox14: --- → wontfix
status-firefox15: --- → wontfix
status-firefox16: --- → affected
status-firefox17: --- → affected
http://hg.mozilla.org/integration/mozilla-inbound/rev/2f60f3a4bdd7

No test landed yet; we should do that once we reopen it.
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla17
Comment on attachment 654288 [details] [diff] [review]
Don't blindly assume IsDOMClass objects are nsISupports.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 740069
User impact if declined: Possibly-exploitable crash
Testing completed (on m-c, etc.): Tested on testcase in this bug
Risk to taking this patch (and alternatives if risky): Very safe: just makes us return false in cases where it should be returned, instead of crashing exploitably.
String or UUID changes made by this patch:
Attachment #654288 - Flags: approval-mozilla-aurora?
tracking-firefox16: ? → +
tracking-firefox17: ? → +

Comment 6 (5 years ago)
https://hg.mozilla.org/mozilla-central/rev/236d384dc4f9
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox17: affected → fixed
Resolution: --- → FIXED

Comment 7 (5 years ago)
Apologies, had two security bugs open to mark, and pasted other s-g bug's cset in this one.

The correct changeset is:
https://hg.mozilla.org/mozilla-central/rev/2f60f3a4bdd7
Attachment #654288 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/5a76e53d11fc
status-firefox16: affected → fixed
Can someone suggest a sec rating for this issue?
Keywords: csec-wildptr, regression, sec-critical
Whiteboard: [advisory-tracking+]
Alias: CVE-2012-3989
Group: core-security
Flags: sec-bounty+