Closed Bug 821573 (CVE-2014-8631) Opened 9 years ago Closed 7 years ago

Stop allowing COWs to be passed as native interfaces


(Core :: XPConnect, defect)

Tracking Status
firefox34 --- fixed
firefox-esr31 --- wontfix


(Reporter: bholley, Assigned: bholley)



(Keywords: sec-low, Whiteboard: [adv-main34+])


(1 file)

My patches in bug 658909 effectively make them so, and I discovered that this breaks the Contacts API, because it expects to be able to pass COWs into native XPCOM methods and have them appear as XPCWrappedJS.

There's a pretty low chance that this is exploitable. Exploiting it would involve finding a content-accessible native method that accepts an interface type not marked builtin-class, whose method/property requirements are somehow satisfied by those on a content-accessible chrome object, and that somehow manipulates the XPCWrappedJS-wrapped chrome object in a harmful way.

I think this is unlikely, and this will be fixed by bug 658909 anyway. Still, I wanted to get it on file. So I'm flagging sec-low and marking the dep.
Just making moz_bug_r_a4 aware in case this trick is useful somehow :-)
Now that PeerConnection and Contacts are on WebIDL, we should hopefully be able to get rid of this case.
Assignee: nobody → bobbyholley+bmo
Depends on: 850430, 917328
Looks like we also need to remove COWs from:

* mozApps
* browser-element CustomEvents
* indexedDB IPC tests
Depends on: 899322
I'd wait a little bit before actually landing anything that relies on Contacts being WebIDL, as it has a lot of regressions filed against it.
Summary: COWs are not SCRIPT_ACCESS_ONLY → Stop allowing COWs to be passed as native interfaces
I think we may be able to do this now.
Attachment #8475702 - Flags: review?(gkrizsanits)
Attachment #8475702 - Flags: review?(gkrizsanits) → review+
Looks like the ICS xpcshell bustage is actually present on the underlying revision on m-c. Looks green otherwise.
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Whiteboard: [adv-main34+]
Alias: CVE-2014-8631
Group: core-security → core-security-release
Group: core-security-release