Closed
Bug 905370
Opened 11 years ago
Closed 11 years ago
Data race on js::SelfHostedClass::head (in JSRuntime::finishSelfHosting())
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla26
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | + | fixed |
firefox25 | + | fixed |
firefox26 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: bent.mozilla, Assigned: till)
References
Details
(Keywords: csectype-race, regression, sec-critical)
Attachments
(3 files, 1 obsolete file)
6.96 KB,
patch
|
till
:
review+
shu
:
review+
abillings
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
6.98 KB,
patch
|
till
:
review+
shu
:
review+
abillings
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
7.02 KB,
patch
|
till
:
review+
shu
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
JSRuntime::finishSelfHosting() runs on multiple threads (workers) concurrently and modifies a shared static list: mozjs.dll!finishSelfHosting - selfhosting.cpp:774 mozjs.dll!DestroyContext - jscntxt.cpp:283 mozjs.dll!JS_DestroyContext - jsapi.cpp:873 xul.dll!~WorkerJSRuntime - runtimeservice.cpp:853 xul.dll!Run - runtimeservice.cpp:944 Marking s-s until someone can prove that this is not exploitable :)
Comment 1•11 years ago
|
||
Till, could you look at this? It involves self hosting. Thanks.
Flags: needinfo?(till)
Assignee | ||
Comment 2•11 years ago
|
||
Looking
Assignee: general → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Assignee | ||
Comment 3•11 years ago
|
||
I wonder why this doesn't blow up constantly. Instead, it made its way into beta. :(
Attachment #794034 -
Flags: review?(bhackett1024)
Comment 4•11 years ago
|
||
Things bleeding between runtimes sounds bad, so I'm going to mark this sec-critical.
status-b2g18:
--- → unaffected
status-firefox23:
--- → unaffected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
status-firefox26:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox24:
--- → ?
tracking-firefox25:
--- → ?
tracking-firefox26:
--- → ?
Keywords: regression,
sec-critical
Updated•11 years ago
|
tracking-firefox24:
? → ---
tracking-firefox25:
? → ---
Updated•11 years ago
|
Attachment #794034 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 5•11 years ago
|
||
Attachment #794602 -
Flags: review+
Assignee | ||
Comment 6•11 years ago
|
||
These three patches should all apply cleanly. I think a try run is advisable before landing, but I don't know the rules for that. Do I just push the m-i patch to try, accepting that that leaks information, or do we land the patches in the (warranted, IMO) hope that they'll stick?
Attachment #794604 -
Flags: review+
Comment 7•11 years ago
|
||
Yeah, a try run is fine. I change the commit message so it doesn't mention the bug, but not everybody even does that...
Assignee | ||
Comment 8•11 years ago
|
||
Thanks for the info, that makes sense. Rebased and pushed to try here: https://tbpl.mozilla.org/?tree=Try&rev=c858e0bc2437
Attachment #794034 -
Attachment is obsolete: true
Attachment #794609 -
Flags: review+
Assignee | ||
Comment 9•11 years ago
|
||
Try run is green, but it occurred to me that running some unit tests might be advisable. New run: https://tbpl.mozilla.org/?tree=Try&rev=2cdc1ab75f88
Assignee | ||
Comment 10•11 years ago
|
||
Comment on attachment 794602 [details] [diff] [review] Move SelfHostedClass list to JSRuntime. For beta. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 844882 User impact if declined: potentially sec-critical data race and overwriting of data belonging to other threads Testing completed (on m-c, etc.): not landed, but green try runs Risk to taking this patch (and alternatives if risky): low String or IDL/UUID changes made by this patch: none
Attachment #794602 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 11•11 years ago
|
||
Comment on attachment 794604 [details] [diff] [review] Move SelfHostedClass list to JSRuntime. For aurora. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 844882 User impact if declined: potentially sec-critical data race and overwriting of data belonging to other threads Testing completed (on m-c, etc.): not landed, but green try runs Risk to taking this patch (and alternatives if risky): low String or IDL/UUID changes made by this patch: none
Attachment #794604 -
Flags: approval-mozilla-aurora?
Comment 12•11 years ago
|
||
Comment on attachment 794602 [details] [diff] [review] Move SelfHostedClass list to JSRuntime. For beta. approval after it actually lands on trunk and things are green.
Attachment #794602 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 13•11 years ago
|
||
Comment on attachment 794604 [details] [diff] [review] Move SelfHostedClass list to JSRuntime. For aurora. approval after it actually lands on trunk and things are green.
Attachment #794604 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 14•11 years ago
|
||
But, wait a sec, you didn't fill out sec-approval? for this. Sorry for the spam but we need the sec-approval? template to be filled out first.
Updated•11 years ago
|
Attachment #794602 -
Flags: approval-mozilla-beta+ → approval-mozilla-beta?
Updated•11 years ago
|
Attachment #794604 -
Flags: approval-mozilla-aurora+ → approval-mozilla-aurora?
Comment 15•11 years ago
|
||
See https://wiki.mozilla.org/Security/Bug_Approval_Process
Updated•11 years ago
|
Assignee | ||
Comment 16•11 years ago
|
||
Comment on attachment 794609 [details] [diff] [review] Move SelfHostedClass list to JSRuntime. [Security approval request comment] How easily could an exploit be constructed based on the patch? Not sure, but since it causes worker threads to be able to free objects from other threads, including the main thread, it can easily be used to create use-after-free scenarios. So probably somewhat easily. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? beta, aurora If not all supported branches, which bug introduced the flaw? bug 844882 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? yes How likely is this patch to cause regressions; how much testing does it need? not likely
Attachment #794609 -
Flags: sec-approval?
Comment 17•11 years ago
|
||
Comment on attachment 794609 [details] [diff] [review] Move SelfHostedClass list to JSRuntime. sec-approval for trunk and I'll approve it for beta and aurora but please only land after it has cleanly landed on trunk.
Attachment #794609 -
Flags: sec-approval? → sec-approval+
Updated•11 years ago
|
Attachment #794604 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•11 years ago
|
Attachment #794602 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•11 years ago
|
Attachment #794602 -
Flags: review+
Attachment #794602 -
Flags: approval-mozilla-beta?
Attachment #794602 -
Flags: approval-mozilla-beta+
Updated•11 years ago
|
Attachment #794604 -
Flags: review+
Updated•11 years ago
|
Attachment #794609 -
Flags: review+
Comment 18•11 years ago
|
||
Seems like I accidentally overrode the beta a+ for the beta patch.
Assignee | ||
Comment 19•11 years ago
|
||
Landed on m-i: https://hg.mozilla.org/integration/mozilla-inbound/rev/be4a241c1cf3
Updated•11 years ago
|
Attachment #794602 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Assignee | ||
Comment 20•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/d856284278cc https://hg.mozilla.org/releases/mozilla-aurora/rev/83ae78484491
Updated•11 years ago
|
Assignee | ||
Comment 21•11 years ago
|
||
Oh, hum. So this required a clobber for windows to build cleanly on inbound. I didn't think of touching the respective CLOBBER files before pushing to beta and aurora, so I just triggered clobbers and restarted the windows builds via the web interface.
Comment 22•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/be4a241c1cf3
Target Milestone: --- → mozilla26
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•