Closed Bug 893519 Opened 6 years ago Closed 6 years ago

Compartment mismatch with asm module in event listener attribute

Categories: Core :: DOM: Events, defect, critical
Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla26
Tracking Status
firefox23 --- wontfix
firefox24 + fixed
firefox25 + fixed
firefox26 + verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Assigned: luke)

References

(Blocks 3 open bugs)

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [adv-main24+])

Attachments

(5 files)

Attached file stack
Assignee: nobody → continuation
Luke, could you take a look at this?  It seems like some kind of problem with cloning asm.js scripts across compartments.

Olli said that setAttribute lazily compiles whatever its argument is, so maybe that's related.  I didn't hit an error when I changed the setAttribute line to:
  e.ondrag = function module() { 'use asm'; return {}; };

I'm not very familiar with script cloning, so my poking around with the debugger was not very fruitful.
Assignee: continuation → nobody
Flags: needinfo?(luke)
Attached patch fix and test
Ah, event handlers.  With bug 900669 there will be an easy way to clone an AsmJS module which will allow CloneScript to just clone the nested asm.js module.  However, a quick fix is to just disable Odin on non-compile-and-go scripts.  All normal <script>/eval/Function code is compile-and-go, so this shouldn't affect anyone.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Attachment #789180 - Flags: review?
Flags: needinfo?(luke)
Attachment #789180 - Flags: review? → review?(bbouvier)
Attachment #789180 - Flags: review?(bbouvier) → review+
checkin - https://hg.mozilla.org/mozilla-central/rev/bb2abb7412e6 patch and test
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Attached patch aurora-fix
At the least this is trivial to port to aurora (just need to rename /jit/ to /ion/ in paths).

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 840282
User impact if declined: potential security vulnerability
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Attachment #789566 - Flags: review+
Attachment #789566 - Flags: approval-mozilla-aurora?
Attached patch beta-fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 840282
User impact if declined: potential security vulnerability
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Attachment #789578 - Flags: review+
Attachment #789578 - Flags: approval-mozilla-beta?
Attachment #789566 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #789578 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [adv-main24+]
Confirmed crash on ASan FF24, 2013-06-06.
Verified fixed on ASan FF26, 2013-11-20.
Group: core-security