Closed
Bug 840263
Opened 10 years ago
Closed 10 years ago
[FIX] nsDocumentViewer::LoadComplete doesn't guarantee that window object stays alive
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: smaug, Assigned: smaug)
References
Details
(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main20+][adv-esr1705+][qa-])
Attachments
(1 file)
|
1.95 KB,
patch
|
hsivonen
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-esr17+
lsblakk
:
approval-mozilla-b2g18+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
I was debugging bug 840019, and noticed that we may have a security bug there, not only a null pointer crash. SetReadyStateInternal dispatches readystatechanged, yet we dispatch load event after that to window, and window is just a raw pointer. The patch fixes both this bug and bug 840019.
Attachment #712612 -
Flags: review?(hsivonen)
|
||
Updated•10 years ago
|
Keywords: csec-uaf,
sec-critical
|
||
Updated•10 years ago
|
Attachment #712612 -
Flags: review?(hsivonen) → review+
|
Assignee | |
Comment 1•10 years ago
|
||
Comment on attachment 712612 [details] [diff] [review] patch [Security approval request comment] How easily could an exploit be constructed based on the patch? I don't have the exploit, but making a raw pointer to nsCOMPtr shows pretty explicitly what is happening. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Comment will be about making sure null mDocument isn't accessed. Which older supported branches are affected by this flaw? all Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The patch should work with all the supported branches How likely is this patch to cause regressions; how much testing does it need? Should be very safe. [Approval Request Comment] Bug caused by (feature/regressing bug #): Old stuff User impact if declined: possible security sensitive crashes Testing completed (on m-c, etc.): hasn't landed yet Risk to taking this patch (and alternatives if risky): should be safe String or UUID changes made by this patch: NA
Attachment #712612 -
Flags: sec-approval?
Attachment #712612 -
Flags: approval-mozilla-esr17?
Attachment #712612 -
Flags: approval-mozilla-beta?
Attachment #712612 -
Flags: approval-mozilla-b2g18?
Attachment #712612 -
Flags: approval-mozilla-aurora?
|
||
Updated•10 years ago
|
status-b2g18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → affected
tracking-b2g18:
--- → ?
tracking-firefox20:
--- → +
tracking-firefox21:
--- → +
tracking-firefox-esr17:
--- → ?
|
|
||
Comment 2•10 years ago
|
||
Pretty sure we're totally done for Firefox 19, but I'd take this safe patch if we need to respin. If it doesn't make 19 though I'd prefer landing it next cycle.
|
||
Comment 3•10 years ago
|
||
Sec-approval+ but only on 2/19 or later (after we ship).
|
|
||
Updated•10 years ago
|
Attachment #712612 -
Flags: sec-approval? → sec-approval+
|
||
Comment 4•10 years ago
|
||
Batch edit: Bugs marked status-b2g18: affected after 2/13 branching of v1.0.1 are now also status-b2g18-v1.0.1: affected
status-b2g18-v1.0.1:
--- → affected
|
||
Comment 5•10 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2) > Pretty sure we're totally done for Firefox 19, but I'd take this safe patch > if we need to respin. If it doesn't make 19 though I'd prefer landing it > next cycle. Yeah, agreed this is too late for FF19. What makes this bug more critical than other security fixes? Or perhaps you're suggesting the fix is so low risk that we should be comfortable with taking it in a 19.0.1 (if spun up)?
|
|
Assignee | |
Comment 6•10 years ago
|
||
Should be super-safe patch.
|
|
||
Comment 7•10 years ago
|
||
I would take it in a re-spin of 19.0.0, but if do then we have to take it on the ESR release as well. It's not "worse" than other criticals, but being a simple patch we don't want to leave it hanging out there for a cycle. We probably don't want to take it in a 19.0.1 unless we're also planning an ESR extra-release.
|
|
Assignee | |
Updated•10 years ago
|
Summary: nsDocumentViewer::LoadComplete doesn't guarantee that window object stays alive → [FIX] nsDocumentViewer::LoadComplete doesn't guarantee that window object stays alive
|
|
||
Comment 8•10 years ago
|
||
Comment on attachment 712612 [details] [diff] [review] patch Approving for beta/aurora with the intent that it land on Firefox 20 which is Aurora today and will be on Beta tomorrow morning. Flagging mozilla-release approval nom in case there is a 19.0.1 so this will be on the radar. We've also gone to build with the ESR17 shipping alongside FF 19 so approving for ESR17 landing that will go with FF20.
Attachment #712612 -
Flags: approval-mozilla-release?
Attachment #712612 -
Flags: approval-mozilla-esr17?
Attachment #712612 -
Flags: approval-mozilla-esr17+
Attachment #712612 -
Flags: approval-mozilla-beta?
Attachment #712612 -
Flags: approval-mozilla-beta+
Attachment #712612 -
Flags: approval-mozilla-aurora?
Attachment #712612 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 9•10 years ago
|
||
Comment on attachment 712612 [details] [diff] [review] patch Approving for v1-train uplift.
Attachment #712612 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
|
|
||
Updated•10 years ago
|
|
|
Assignee | |
Comment 10•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/979456163be1
|
||
Comment 11•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/979456163be1
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox22:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
|
|
||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/65ce204912f1 https://hg.mozilla.org/releases/mozilla-beta/rev/fe0904c73e1c https://hg.mozilla.org/releases/mozilla-b2g18/rev/393e9a617ffa https://hg.mozilla.org/releases/mozilla-esr17/rev/7c616543869d
|
||
Comment 13•10 years ago
|
||
Is there a PoC we can use to verify this is fixed?
|
|
Assignee | |
Comment 14•10 years ago
|
||
No PoC
|
|
||
Updated•10 years ago
|
Whiteboard: [adv-main20+][adv-esr1705+]
|
|
||
Comment 15•10 years ago
|
||
Since Firefox 20 is now released, v1.0.1 branches are still open, and this is considered low risk, we can uplift to v1.0.1. Marking as tef+ and flipping status-b2g18-v1.0.1 to affected.
blocking-b2g: --- → tef+
|
|
||
Updated•10 years ago
|
|
|
||
Comment 18•10 years ago
|
||
Tagging [qa-] since we cannot verify this fixed based on comment 13 and 14. Please drop this tag and add the verifyme keyword if you can advise us on verification. Thank you.
Whiteboard: [adv-main20+][adv-esr1705+] → [adv-main20+][adv-esr1705+][qa-]
|
|
||
Updated•10 years ago
|
Attachment #712612 -
Flags: approval-mozilla-release?
|
|
||
Updated•9 years ago
|
Group: core-security
|
||
Updated•4 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•