"ABORT: wrong compartment" with setUserData on node whose __proto__ is from a different frame

RESOLVED FIXED in Firefox 20

Status

critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: jruderman, Assigned: bzbarsky)

Tracking

(Blocks: 2 bugs, 4 keywords)

Trunk
mozilla20
x86_64
Mac OS X
assertion, regression, sec-critical, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox19 unaffected, firefox20+ fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main20-])

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 693431
testcase (asserts fatally when loaded)

###!!! ABORT: wrong compartment: 'js::IsObjectInContextCompartment(scope, mJSContext)', file XPCInlines.h, line 110

(Related to bug 764307 / bug 645560?)

(I hope settable __proto__ isn't being standardized.)
(Reporter)

Comment 1

6 years ago
Created attachment 693432
stack
    JS::Value result;
    aError = nsContentUtils::XPConnect()->VariantToJS(aCx, GetWrapper(), oldData,
                                                      &result);

So the key is that aCx comes in on the compartment of the proto, since that's where the method was found.  But GetWrapper() is in a different compartment....

We should be entering the compartment of GetWrapper() here, I think.  Sorry I missed that when reviewing.  :(

GetUserData has the same problem, afaict.

The good news is that I think this is trunk-only, since bug 812333 is Firefox 20 only.
Blocks: 812333
tracking-firefox20: --- → ?
Oh, and I would think that doing get/setUserData via Xrays would have the same problem.
status-firefox19: --- → unaffected
status-firefox20: --- → affected
Keywords: regression, sec-critical
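
The invariant discussed in the comments above, as an added toy model in C++ (not Mozilla's code and not the attached patch): a context that arrives in the prototype's compartment fails the scope check until it enters the node wrapper's compartment, and an RAII guard restores the caller's compartment afterwards. All type and function names below are hypothetical stand-ins.

```cpp
// Toy model of the compartment invariant; every name is hypothetical, not SpiderMonkey's.
#include <stdexcept>

struct Compartment { const char* name; };
struct Object  { const Compartment* compartment; };  // an object lives in one compartment
struct Context { const Compartment* current; };      // compartment the context is "in"

// RAII guard: enter the target's compartment, restore the caller's on scope exit.
class AutoEnterCompartment {
    Context& cx_;
    const Compartment* saved_;
public:
    AutoEnterCompartment(Context& cx, const Object& target)
        : cx_(cx), saved_(cx.current) { cx_.current = target.compartment; }
    ~AutoEnterCompartment() { cx_.current = saved_; }  // also runs during unwinding
    AutoEnterCompartment(const AutoEnterCompartment&) = delete;
};

// Stand-in for the conversion call: fails closed when scope and context disagree.
void convertInScope(const Context& cx, const Object& scope) {
    if (cx.current != scope.compartment) throw std::logic_error("wrong compartment");
}

// Shape of the bug: trusts whatever compartment the caller arrived in.
void setUserDataUnguarded(Context& cx, const Object& wrapper) { convertInScope(cx, wrapper); }

// Shape of the remedy proposed in the comment: enter the wrapper's compartment first.
void setUserDataGuarded(Context& cx, const Object& wrapper) {
    AutoEnterCompartment ac(cx, wrapper);
    convertInScope(cx, wrapper);
}

// Constructed scenario: the method was found on a prototype from another frame,
// so the context arrives in the prototype's compartment, not the node's.
bool unguardedTripsCheck() {
    Compartment nodeFrame{"node frame"}, protoFrame{"proto frame"};
    Object wrapper{&nodeFrame}; Context cx{&protoFrame};
    try { setUserDataUnguarded(cx, wrapper); } catch (const std::logic_error&) { return true; }
    return false;
}

bool guardedPassesAndRestores() {
    Compartment nodeFrame{"node frame"}, protoFrame{"proto frame"};
    Object wrapper{&nodeFrame}; Context cx{&protoFrame};
    setUserDataGuarded(cx, wrapper);    // would throw on a mismatch
    return cx.current == &protoFrame;   // caller's compartment is back after the call
}

int main() { return unguardedTripsCheck() && guardedPassesAndRestores() ? 0 : 1; }
```
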
Boris, who can we assign this to?
Created attachment 695981
Need to enter the right compartment before working with objects from it.
Attachment #695981 - Flags: review?(bugs)
Assignee: nobody → bzbarsky
Whiteboard: [need review]
Attachment #695981 - Flags: review?(bugs) → review+
Depends on: 825025
This patch on its own fails tests because of bug 825025.  So I'll need to land that first.
https://hg.mozilla.org/integration/mozilla-inbound/rev/2618c84dd765
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla20
https://hg.mozilla.org/mozilla-central/rev/2618c84dd765
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox20: affected → fixed
Resolution: --- → FIXED
tracking-firefox20: ? → +
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected
Whiteboard: [adv-main20-]
Group: core-security