Compartment mismatch with asm module in event listener attribute

RESOLVED FIXED in Firefox 24

Status

--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: jruderman, Assigned: luke)

Tracking

(Blocks: 4 bugs, {crash, sec-high, testcase})

Trunk
mozilla26
x86_64
Mac OS X
crash, sec-high, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox23 wontfix, firefox24+ fixed, firefox25+ fixed, firefox26+ verified, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main24+])

Attachments

(5 attachments)

(Reporter)

Description

5 years ago
Created attachment 775293 [details]
testcase (crashes Firefox when loaded)

bp-3956aca3-ec88-4820-8830-a6f392130714
(Reporter)

Comment 1

5 years ago
Created attachment 775294 [details]
stack
Keywords: sec-high
status-firefox25: --- → affected
status-firefox26: --- → affected
Assignee: nobody → continuation

Comment 2

Luke, could you take a look at this?  It seems like some kind of problem with cloning asm.js scripts across compartments.

Olli said that setAttribute lazily compiles whatever its argument is, so maybe that's related.  I didn't hit an error when I changed the setAttribute line to:
  e.ondrag = function module() { 'use asm'; return {}; };

I'm not very familiar with script cloning, so my poking around with the debugger was not very fruitful.
Assignee: continuation → nobody
Flags: needinfo?(luke)
(Assignee)

Comment 3

5 years ago
Created attachment 789180 [details] [diff] [review]
fix and test

Ah, event handlers.  With bug 900669 there will be an easy way to clone an AsmJS module which will allow CloneScript to just clone the nested asm.js module.  However, a quick fix is to just disable Odin on non-compile-and-go scripts.  All normal <script>/eval/Function code is compile-and-go, so this shouldn't affect anyone.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Attachment #789180 - Flags: review?
Flags: needinfo?(luke)
(Assignee)

Updated

5 years ago
Attachment #789180 - Flags: review? → review?(bbouvier)
Attachment #789180 - Flags: review?(bbouvier) → review+
status-b2g18: --- → unaffected
status-firefox23: --- → wontfix
status-firefox24: --- → affected
status-firefox-esr17: --- → unaffected
checkin - https://hg.mozilla.org/mozilla-central/rev/bb2abb7412e6 patch and test
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
tracking-firefox24: --- → ?
tracking-firefox25: --- → ?
tracking-firefox26: --- → ?
(Assignee)

Comment 6

5 years ago
Created attachment 789566 [details] [diff] [review]
aurora-fix

At the least this is trivial to port to aurora (just need to rename /jit/ to /ion/ in paths).

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 840282
User impact if declined: potential security vulnerability
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Attachment #789566 - Flags: review+
Attachment #789566 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 7

5 years ago
Created attachment 789578 [details] [diff] [review]
beta-fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 840282
User impact if declined: potential security vulnerability
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Attachment #789578 - Flags: review+
Attachment #789578 - Flags: approval-mozilla-beta?
status-firefox26: affected → fixed
tracking-firefox24: ? → +
tracking-firefox25: ? → +
tracking-firefox26: ? → +
Attachment #789566 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #789578 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/releases/mozilla-aurora/rev/6e0534f87045
https://hg.mozilla.org/releases/mozilla-beta/rev/ecdbdbed2233

Any particular reason the branch patches didn't include the test?
status-firefox24: affected → fixed
status-firefox25: affected → fixed
Whiteboard: [adv-main24+]
Confirmed crash on ASan FF24, 2013-06-06.
Verified fixed on ASan FF26, 2013-11-20.
status-firefox26: fixed → verified
Group: core-security