Closed Bug 821573 (CVE-2014-8631) Opened 7 years ago Closed 5 years ago

Stop allowing COWs to be passed as native interfaces

Categories: Core :: XPConnect, defect
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: mozilla34
Tracking Status: firefox34 --- fixed; firefox-esr31 --- wontfix

People: Reporter bholley, Assigned bholley
Keywords: sec-low
Whiteboard: [adv-main34+]
Attachments: 1 file

My patches in bug 658909 effectively make them so, and I discovered that this breaks the Contacts API, because it expects to be able to pass COWs into native XPCOM methods and have them appear as XPCWrappedJS.

There's a pretty low chance that this is exploitable. Exploiting it involves finding a content-accessible native method that accepts an interface type not marked builtin-class, whose method/property requirements are somehow satisfied by those on a content-accessible chrome object, and that somehow manipulates the XPCWrappedJS-wrapped chrome object in a harmful way.

I think this is unlikely, and this will be fixed by bug 658909 anyway. Still, I wanted to get it on file. So I'm flagging sec-low and marking the dep.
Just making moz_bug_r_a4 aware in case this trick is useful somehow :-)
Now that PeerConnection and Contacts are on WebIDL, we should hopefully be able to get rid of this case.

https://tbpl.mozilla.org/?tree=Try&rev=d73009dd967a
Assignee: nobody → bobbyholley+bmo
Depends on: 850430, 917328
Looks like we also need to remove COWs from:

* mozApps
* browser-element CustomEvents
* indexedDB IPC tests
Depends on: 899322
I'd wait a little bit before actually landing anything that relies on Contacts being WebIDL, as it has a lot of regressions filed against it.
Summary: COWs are not SCRIPT_ACCESS_ONLY → Stop allowing COWs to be passed as native interfaces
I think we may be able to do this now.

https://tbpl.mozilla.org/?tree=Try&rev=2307927f1c4e
Attachment #8475702 - Flags: review?(gkrizsanits)
Attachment #8475702 - Flags: review?(gkrizsanits) → review+
Looks like the ICS xpcshell bustage is actually present on the underlying revision on m-c. Looks green otherwise.

https://hg.mozilla.org/integration/mozilla-inbound/rev/a23b03bf9f61
https://hg.mozilla.org/mozilla-central/rev/a23b03bf9f61
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Flags: qe-verify-
Whiteboard: [adv-main34+]
Alias: CVE-2014-8631
Group: core-security → core-security-release
Group: core-security-release