Only check the XBL bit if XBL scopes are disabled

RESOLVED FIXED in Firefox 21

Status: RESOLVED FIXED
Product: Core
Component: XBL
Reported: 4 years ago
Modified: 3 years ago

People: Reporter: bholley, Assigned: bholley

Tracking
Keywords: regression, sec-moderate
Version: unspecified
Target Milestone: mozilla22

Firefox Tracking Flags: firefox20 unaffected, firefox21+ fixed, firefox22 fixed, firefox-esr17 unaffected, b2g18 unaffected

Whiteboard: [adv-main21-]

Attachments: 2 attachments

This is one of the causes of bug 842255.

Because the old model of XBL detection uses stack introspection, it's possible to fool it using certain moz_bug_r_a4 tricks. This wasn't really a limiting security factor before XBL scopes, but now we care more because it can cause the XBL scope protections to be circumvented.

Fix should be straightforward. I'll whip it up now.
Created attachment 717232
Only check the XBL bit if XBL scopes are disabled. v1
Attachment #717232 - Flags: review?(bzbarsky)
Comment on attachment 717232
Only check the XBL bit if XBL scopes are disabled. v1

r=me
Attachment #717232 - Flags: review?(bzbarsky) → review+
Keywords: sec-moderate
https://tbpl.mozilla.org/?tree=Try&rev=c3cf535a3332
Created attachment 720805
Make this-object nativeCall special-casing actually do something. v1

Epic fail. :-(
Attachment #720805 - Flags: review?(jorendorff)
https://tbpl.mozilla.org/?tree=Try&rev=759cf5bbb6e0
Comment on attachment 720805
Make this-object nativeCall special-casing actually do something. v1

Sorry I missed this on review.
Attachment #720805 - Flags: review?(jorendorff) → review+
The b-c failure in that last try push was related to the other patch in the same push. Otherwise, this looks more or less green.

remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/06b6880a8241
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/c5a4010013ed

https://hg.mozilla.org/mozilla-central/rev/c5a4010013ed
https://hg.mozilla.org/mozilla-central/rev/06b6880a8241
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox22: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment on attachment 717232
Only check the XBL bit if XBL scopes are disabled. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): These patches fix a hole in the security protections implemented by running XBL in a separate compartment (bug 834697), which is now on aurora. See bug 842255 for the details on the security flaw here.
User impact if declined: The security benefits of XBL scopes can potentially be bypassed.
Testing completed (on m-c, etc.): Just landed on m-c.
Risk to taking this patch (and alternatives if risky): Not risky. No alternatives.
String or UUID changes made by this patch: None
Attachment #717232 - Flags: approval-mozilla-aurora?
(This approval request applies to both patches).

status-firefox21: --- → affected
tracking-firefox21: --- → +

Attachment #717232 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
bug 842255 affects ESR-17, but I suspect that this fix is not wanted there since the xbl scopes change (bug 834697) didn't land there.
Yes. bug 842255 is just another attack of the bug 816071 variety. The only thing that makes it special is that it can attack XBL scopes, which this patch fixes.

We still have no esr17 solution for the general case without landing XBL scopes there.
https://hg.mozilla.org/releases/mozilla-aurora/rev/21f6a4529d8a
https://hg.mozilla.org/releases/mozilla-aurora/rev/745cae64974c
status-firefox21: affected → fixed
How far back does this issue go? I assume we shipped 20 with it?
Flags: needinfo?(bobbyholley+bmo)
(In reply to Al Billings [:abillings] from comment #14)
> How far back does this issue go? I assume we shipped 20 with it?

No. The entire issue is not applicable to releases before bug 834697.
Flags: needinfo?(bobbyholley+bmo)
status-firefox20: --- → unaffected
Whiteboard: [adv-main21-]
Blocks: 834697
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected
Keywords: regression
Group: core-security