Closed
Bug 851987
Opened 11 years ago
Closed 11 years ago
Crash [@ nsGlobalWindow::GetChildWindow] with event.view, lookupMethod
Categories
(Core :: DOM: Events, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
| Tracking | Status | |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | + | fixed |
| firefox22 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bholley)
References
Details
(4 keywords)
Attachments
(3 files)
|
268 bytes,
text/html
|
Details | |
|
7.27 KB,
text/plain
|
Details | |
|
2.45 KB,
patch
|
bzbarsky
:
review+
bajaj
:
approval-mozilla-aurora+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The crash is reliable under ASan. It's less reliable in a normal debug build. While the testcase reminds me of bug 809674, I think this is regression from within the last few days.
|
Reporter | |
Comment 1•11 years ago
|
||
|
Assignee | |
Comment 2•11 years ago
|
||
Yes, this is a regression from bug 850517.
Assignee: nobody → bobbyholley+bmo
Depends on: 850517
|
|
Assignee | |
Updated•11 years ago
|
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → affected
status-firefox-esr17:
--- → unaffected
|
|
Assignee | |
Updated•11 years ago
|
|
|
Assignee | |
Comment 3•11 years ago
|
||
Attachment #726006 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 4•11 years ago
|
||
So, the issue here is that nsIDOMWindow can actually be implemented by XPCWrappedJS in various situations. So a static cast from nsIDOMWindow to nsGlobalWindow isn't safe. I'm pretty sure nsPIDOMWindow is safe, but I'd appreciate if someone could confirm that. bz did something similar in bug 823228, so aurora is affected as well.
|
||
Comment 5•11 years ago
|
||
Comment on attachment 726006 [details] [diff] [review] QI to nsPIDOMWindow instead of nsIDOMWindow in XPCWrappedJS. v1 Oh, yikes. Good catch. r=me
Attachment #726006 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Updated•11 years ago
|
Keywords: sec-critical
|
|
Assignee | |
Comment 6•11 years ago
|
||
Comment on attachment 726006 [details] [diff] [review] QI to nsPIDOMWindow instead of nsIDOMWindow in XPCWrappedJS. v1 [Security approval request comment] How easily could an exploit be constructed based on the patch? Not super easily. The issue here is a mis-cast, which means that the attacker would need to do some fancy heap exploit stuff to make this work. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Nope. Which older supported branches are affected by this flaw? Aurora. If not all supported branches, which bug introduced the flaw? bug 823228 and bug 850517. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Easy backport. The aurora backport should just be one of the two chunks of this patch. How likely is this patch to cause regressions; how much testing does it need? Not risky.
Attachment #726006 -
Flags: sec-approval?
|
||
Comment 7•11 years ago
|
||
Comment on attachment 726006 [details] [diff] [review] QI to nsPIDOMWindow instead of nsIDOMWindow in XPCWrappedJS. v1 Please create an Aurora patch as well and nominate it for inclusion there. Sec-approval+
Attachment #726006 -
Flags: sec-approval? → sec-approval+
|
|
||
Updated•11 years ago
|
tracking-firefox21:
--- → ?
tracking-firefox22:
--- → +
|
||
Updated•11 years ago
|
|
|
Assignee | |
Comment 8•11 years ago
|
||
Comment on attachment 726006 [details] [diff] [review] QI to nsPIDOMWindow instead of nsIDOMWindow in XPCWrappedJS. v1 Requesting aurora approval for this patch. Note that this patch has two hunks, one of which will apply on aurora and one of which won't. That's to be expected, we just want to push the hunk in XPCWrappedNativeXrayTraits::resolveOwnProperty. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 823228 User impact if declined: security Testing completed (on m-c, etc.): Going into inbound now. Risk to taking this patch (and alternatives if risky): Not risky. String or UUID changes made by this patch: None.
Attachment #726006 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 9•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/632ec7d6a9ae
|
||
Comment 10•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/632ec7d6a9ae
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
|
|
||
Comment 11•11 years ago
|
||
Comment on attachment 726006 [details] [diff] [review] QI to nsPIDOMWindow instead of nsIDOMWindow in XPCWrappedJS. v1 low risk fix for a sec-crit regression .Approving for uplift . [Please keep https://bugzilla.mozilla.org/show_bug.cgi?id=851987#c8 in mind when landing this on aurora ]
Attachment #726006 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Updated•11 years ago
|
Group: core-security
|
|
Assignee | |
Comment 13•11 years ago
|
||
This testcase uses |Components|, so I don't think it's worth checking in at this point.
Flags: in-testsuite? → in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•