Closed
Bug 821760
Opened 12 years ago
Closed 12 years ago
Static operations called via Xrays end up with compartment mismatches
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
Tracking | Status | |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | --- | unaffected |
firefox19 | + | fixed |
firefox20 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
Details
(Keywords: sec-critical, Whiteboard: [adv-main19-])
Attachments
(1 file)
3.06 KB,
patch
|
peterv
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Code looks like this: if (js::IsWrapper(obj)) { obj = XPCWrapper::Unwrap(cx, obj, false); if (!obj) { return Throw<true>(cx, NS_ERROR_XPC_SECURITY_MANAGER_VETO); } } ... val.setObjectOrNull(JS_GetGlobalForObject(cx, obj)); with nary a compartment-enter in sight. I just checked, and this is the only consumer of XPCWrapper::Unwrap that doesn't handle compartments in the process.
Assignee | ||
Updated•12 years ago
|
status-firefox17:
--- → unaffected
status-firefox18:
--- → unaffected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
tracking-firefox19:
--- → ?
tracking-firefox20:
--- → ?
Assignee | ||
Comment 1•12 years ago
|
||
Attachment #692337 -
Flags: review?(peterv)
Assignee | ||
Updated•12 years ago
|
Assignee: nobody → bzbarsky
Whiteboard: [need review]
Updated•12 years ago
|
Attachment #692337 -
Flags: review?(peterv) → review+
Updated•12 years ago
|
Keywords: sec-high → sec-critical
Assignee | ||
Comment 6•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/040f5d35fa6a
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla20
Assignee | ||
Comment 7•12 years ago
|
||
Comment on attachment 692337 [details] [diff] [review] Properly handle compartments in WebIDL static operation bindings. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 763643 User impact if declined: Some crashes with the fatal compartment checks, possible security issues. Testing completed (on m-c, etc.): Passes tests. Should have no behavior impact otherwise. Risk to taking this patch (and alternatives if risky): Should be low risk. The other option is to ship the compartment mismatch, which I think is undesirable. String or UUID changes made by this patch: None.
Attachment #692337 -
Flags: approval-mozilla-aurora?
Comment 8•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/040f5d35fa6a
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 9•12 years ago
|
||
There seem to be no crashes with this stack with a build of 12-16 or later. Hooray.
Updated•12 years ago
|
Comment 10•12 years ago
|
||
Comment on attachment 692337 [details] [diff] [review] Properly handle compartments in WebIDL static operation bindings. Hooray indeed, please go ahead with uplift.
Attachment #692337 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 11•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/f4c455dd56a1
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Comment 12•12 years ago
|
||
As an aside, this should have had sec-approval+ per policy before going into trunk since it affected Aurora. https://wiki.mozilla.org/Security/Bug_Approval_Process: "Core-security bug fixes should just be landed by a developer without any explicit approval if: The bug has a sec-low, sec-moderate, sec-other, or sec-want rating. OR The bug is a recent regression on mozilla-central (this means that the specific regressing check-in has been identified on mozilla-central) This means that the developer can mark the status flags for ESR, Beta, and Aurora as 'unaffected.' It also means that we haven't shipped anywhere public in an official release yet." I know that the last comment may seem confusing but it means that it hasn't gone out in an Aurora or Beta build yet.
Updated•11 years ago
|
Whiteboard: [adv-main19-]
Updated•10 years ago
|
Group: core-security
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•