Closed
Bug 893519
Opened 11 years ago
Closed 11 years ago
Compartment mismatch with asm module in event listener attribute
Categories
(Core :: DOM: Events, defect)
Status: RESOLVED FIXED
Target Milestone: mozilla26
Release | Tracking | Status |
---|---|---|
firefox23 | --- | wontfix |
firefox24 | + | fixed |
firefox25 | + | fixed |
firefox26 | + | verified |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: jruderman, Assigned: luke)
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [adv-main24+])
Attachments
(5 files)
Size | Type | Flags |
---|---|---|
490 bytes | text/html | |
23.95 KB | text/plain | |
1.54 KB | patch | bbouvier: review+ |
1.13 KB | patch | luke: review+, lsblakk: approval-mozilla-aurora+ |
1.14 KB | patch | luke: review+, lsblakk: approval-mozilla-beta+ |
Reporter
Comment 1•11 years ago
Updated•11 years ago
status-firefox25: --- → affected
status-firefox26: --- → affected
Updated•11 years ago
Assignee: nobody → continuation
Comment 2•11 years ago
Luke, could you take a look at this? It seems like some kind of problem with cloning asm.js scripts across compartments.
Olli said that setAttribute lazily compiles whatever its argument is, so maybe that's related. I didn't hit an error when I changed the setAttribute line to:
e.ondrag = function module() { 'use asm'; return {}; };
I'm not very familiar with script cloning, so my poking around with the debugger was not very fruitful.
Assignee: continuation → nobody
Flags: needinfo?(luke)
Assignee
Comment 3•11 years ago
Ah, event handlers. With bug 900669 there will be an easy way to clone an AsmJS module which will allow CloneScript to just clone the nested asm.js module. However, a quick fix is to just disable Odin on non-compile-and-go scripts. All normal <script>/eval/Function code is compile-and-go, so this shouldn't affect anyone.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Attachment #789180 - Flags: review?
Flags: needinfo?(luke)
Assignee
Updated•11 years ago
Attachment #789180 - Flags: review? → review?(bbouvier)
Updated•11 years ago
Attachment #789180 - Flags: review?(bbouvier) → review+
Assignee
Comment 4•11 years ago
Updated•11 years ago
status-b2g18: --- → unaffected
status-firefox23: --- → wontfix
status-firefox24: --- → affected
status-firefox-esr17: --- → unaffected
Comment 5•11 years ago
checkin - https://hg.mozilla.org/mozilla-central/rev/bb2abb7412e6 patch and test
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Updated•11 years ago
Assignee
Comment 6•11 years ago
At the least this is trivial to port to aurora (just need to rename /jit/ to /ion/ in paths).
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 840282
User impact if declined: potential security vulnerability
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Attachment #789566 - Flags: review+
Attachment #789566 - Flags: approval-mozilla-aurora?
Assignee
Comment 7•11 years ago
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 840282
User impact if declined: potential security vulnerability
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Attachment #789578 - Flags: review+
Attachment #789578 - Flags: approval-mozilla-beta?
Updated•11 years ago
Updated•11 years ago
Attachment #789566 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•11 years ago
Attachment #789578 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 8•11 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/6e0534f87045
https://hg.mozilla.org/releases/mozilla-beta/rev/ecdbdbed2233
Any particular reason the branch patches didn't include the test?
Updated•11 years ago
Whiteboard: [adv-main24+]
Comment 9•11 years ago
Confirmed crash on ASan FF24, 2013-06-06.
Verified fixed on ASan FF26, 2013-11-20.
Updated•10 years ago
Group: core-security