Consider poisoning DOM stuff

RESOLVED WORKSFORME

Status


Core
DOM: Core & HTML
enhancement
5 years ago
24 days ago

People

(Reporter: mats, Unassigned)

Tracking

({sec-want})

Trunk
sec-want

Details

Attachments

(3 attachments)

(Reporter)

Comment 1

5 years ago
Created attachment 744063 [details] [diff] [review]
Poison some nsINode subclasses
(Reporter)

Comment 2

5 years ago
Created attachment 744064 [details] [diff] [review]
Poison the nsAttrAndChildArray buffer and nsINodeInfo objects
(Reporter)

Comment 3

5 years ago
Created attachment 744066 [details]
stack, bug 865076

I did an experiment with the attached patches (on top of the patches in
bug 867530) to see if it could help mitigate exploitable crashes in
content code.  I used bug 865076 as an example.  Using an Opt build
on Linux64 it seems like it would make it non-exploitable.

There are of course limitations to how useful this is in content code
where the memory is quickly allocated for other purposes (unlike pres-arena
objects) but it might help a bit.  It could be made more useful with a
special purpose allocator for content I guess.
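An added illustration of the poison-on-destroy idea the attached patches experiment with (constructed example code in C, not the patches or Gecko's own code; `FakeNode`, `poison_node` and the 0xe5 byte are assumptions chosen for this example):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an nsINode-like object. The first field is the
 * vtable pointer: a use-after-free that calls a virtual method loads this
 * word, so it is the field an attacker most wants to control. */
typedef struct {
    void **vtable;
    uint32_t flags;
    void *parent;
} FakeNode;

/* Poison byte (constructed choice). Repeated across a 64-bit word it gives
 * 0xe5e5e5e5e5e5e5e5, which is not a canonical x86-64 address: a virtual
 * call through a poisoned vtable pointer faults immediately instead of
 * jumping through whatever happened to be placed in the freed slot. */
#define POISON_BYTE 0xe5

/* The poison pattern as a pointer-sized word, built portably. */
uintptr_t poison_word(void) {
    uintptr_t w;
    memset(&w, POISON_BYTE, sizeof w);
    return w;
}

/* Destructor hook: overwrite the whole object body before the allocator
 * gets it back. In a real tree this runs on the class's destroy path. */
void poison_node(FakeNode *node) {
    memset(node, POISON_BYTE, sizeof *node);
}

/* Check a debug build could run before trusting a node pointer. */
int node_is_poisoned(const FakeNode *node) {
    return (uintptr_t)node->vtable == poison_word()
        && node->flags == 0xe5e5e5e5u;
}

/* Walks the lifecycle on a node that stays allocated (so there is no real
 * undefined behaviour here): live -> poisoned. Returns 1 if the check
 * correctly distinguishes the two states. */
int demo_poison_lifecycle(void) {
    static void *fake_vtable[1] = { 0 };
    FakeNode *node = calloc(1, sizeof *node);
    if (!node) return 0;
    node->vtable = fake_vtable;
    node->flags = 7;
    int live_ok = !node_is_poisoned(node);
    poison_node(node);               /* what the patch does at destroy time */
    int poisoned_ok = node_is_poisoned(node);
    free(node);
    return live_ok && poisoned_ok;
}
```

The limitation noted in the comment above still applies: once the allocator hands the poisoned block to a new owner, the pattern is gone, which is why a dedicated arena keeps the mitigation effective for longer.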

Comment 4

5 years ago
Unless this is much simpler than bug 860254, I'd really prefer that we work on that one instead.
Keywords: sec-want
Mats, shall we close this in lieu of (fixed) bug 860254 or is there something more we can do here?
Flags: needinfo?(matspal)
(Reporter)

Comment 6

4 years ago
If nsINode-derived classes are still allocated from the general heap, then yes, bug 860254
should take care of it, except for the issue that Jesse raises in bug 860254 comment 34.
(assuming we use jemalloc on all platforms we care about)
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(matspal)
Resolution: --- → WORKSFORME
Yes, nodes are allocated from the general heap, and we use jemalloc on all Tier 1 platforms.

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release