Closed
Bug 930091
Opened 11 years ago
Closed 10 years ago
Do a subsumes check before passing objects through a COW membrane
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla33
People
(Reporter: bholley, Assigned: bholley)
References
Details
(Keywords: sec-other, Whiteboard: [adv-main33-])
Attachments
(2 files, 4 obsolete files)
9.02 KB,
patch
|
gkrizsanits
:
review+
|
Details | Diff | Splinter Review |
1.39 KB,
patch
|
mdas
:
review+
|
Details | Diff | Splinter Review |
Jesse suggested this, and I think it might just work. If it does, it will fix bugs like bug 924329. This doesn't remove the need to move everything to WebIDL, but it will fix this particular attack pattern in a backportable way. One of the problems we run into with COWs is that content can pass cross-origin objects (like Location) to chrome, and trick it into performing a toString() and passing back the result. The fact that this object shouldn't be toString()ed is undetectable by the time the object reaches chrome, because wrappers don't record a history of where they've been passed - each time something ends up on the other side of a membrane, we strip off all the old wrappers and compute a new one. However, we _can_ override the behavior of COWs such that, before bouncing to the CrossCompartmentWrapper machinery, we do a subsumes check on any value passing through. I'm going to give this a shot.
Assignee | ||
Comment 1•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=a7c0ab7da92e
Assignee | ||
Comment 2•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=a3e3593fb902
Assignee | ||
Comment 3•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=2ce6bee06448
Assignee | ||
Comment 4•11 years ago
|
||
So, this is mostly green, but there are still some oranges to deal with. However, I realized that it doesn't solve all of the attack patterns here. In particular, while content cannot do: chromeFun(xolocation); chromeObject.foo = xolocation; It can still do: chromeFun({foopy: xolocation}); chromeObject.foo = {foopy: xolocation}; Fixing the latter case requires bug 856067. So I'm going to upload the patches, block on that, and give up hope that this will be a quick fix for bugs like bug 928415.
Assignee | ||
Comment 5•11 years ago
|
||
Assignee | ||
Comment 6•11 years ago
|
||
Assignee | ||
Comment 7•11 years ago
|
||
Comment 8•11 years ago
|
||
Is this ready for review? It has sat here for a month, and is blocking a sec-high bug. Thanks!
Assignee | ||
Comment 9•11 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #8) > Is this ready for review? It has sat here for a month, and is blocking a > sec-high bug. Thanks! No, and it's not the quick fix I was hoping for. See comment 4.
Assignee | ||
Comment 10•10 years ago
|
||
The right fix for this is bug 856067.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Assignee | ||
Comment 11•10 years ago
|
||
Actually, bug 856067 doesn't cover all the cases here. We need this as the COW analog of bug 1036214.
Assignee | ||
Comment 12•10 years ago
|
||
Comment on attachment 822902 [details] [diff] [review] Part 1 - Add opt-out mechanism for SpecialPowers. v1 This moved into bug 1038844.
Attachment #822902 -
Attachment is obsolete: true
Assignee | ||
Comment 13•10 years ago
|
||
The deps for this should now be in place. Hopefully we can get it in before the merge.
Attachment #822903 -
Attachment is obsolete: true
Attachment #822904 -
Attachment is obsolete: true
Attachment #8458439 -
Flags: review?(gkrizsanits)
Assignee | ||
Comment 14•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=b0d261a30bfd
Comment 15•10 years ago
|
||
Comment on attachment 8458439 [details] [diff] [review] Check objects at COW membranes. v2 Review of attachment 8458439 [details] [diff] [review]: ----------------------------------------------------------------- Patch looks great, if the failing tests are easy to be fixed then r=me. ::: js/xpconnect/wrappers/ChromeObjectWrapper.cpp @@ +115,5 @@ > + return true; > + > + // COWs are fine to pass back if and only if they have __exposedProps__, > + // since presumably content should never have a reason to pass an opaque > + // object back to chrome. Is this really needed / worth it? How far do you want to back-port this? Thinking about JS function objects...
Attachment #8458439 -
Flags: review?(gkrizsanits) → review+
Assignee | ||
Comment 16•10 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #15) > Comment on attachment 8458439 [details] [diff] [review] > Check objects at COW membranes. v2 > > Review of attachment 8458439 [details] [diff] [review]: > ----------------------------------------------------------------- > > Patch looks great, if the failing tests are easy to be fixed then r=me. > > ::: js/xpconnect/wrappers/ChromeObjectWrapper.cpp > @@ +115,5 @@ > > + return true; > > + > > + // COWs are fine to pass back if and only if they have __exposedProps__, > > + // since presumably content should never have a reason to pass an opaque > > + // object back to chrome. > > Is this really needed / worth it? At the very least, it's needed for the |this| on an __exposedProps__-implemented API object, right? i.e. fooAPI.bar(). > How far do you want to back-port this? This isn't really useful without bug 856067, so I'd only land it for this cycle (or backport to aurora if it lands next week). > Thinking about JS function objects... I don't follow.
Assignee | ||
Comment 17•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=01d92847b46a
Assignee | ||
Comment 18•10 years ago
|
||
The current setup causes the arguments object (which is modified from the sandbox) to be a COW, which causes problems with our new restrictions on COWs. According to jgriffin, these are should be JSON-serializable, so the clone should be fine.
Attachment #8458843 -
Flags: review?(mdas)
Comment 19•10 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #16) > > > + // COWs are fine to pass back if and only if they have __exposedProps__, > > > + // since presumably content should never have a reason to pass an opaque > > > + // object back to chrome. > > > > Is this really needed / worth it? > > At the very least, it's needed for the |this| on an > __exposedProps__-implemented API object, right? i.e. fooAPI.bar(). I get that, what I was curious about the "only if" part. It's hard for me to come up with a use case... Then again better safe than sorry, just was curious if we had any related bugs (out of general interest). > > Thinking about JS function objects... > > I don't follow. The only example I could come up with for the how/why could content have a reference to chrome object without __exposedProps__ case, is old style COW for function objects exported by an add-on. In which case it would be not _that_ far-fetched idea to pass it back to chrome at some point. That's why I asked the how far do you want to back-port this. Since now-days functions should get an xray anyway. Does this make any sense? Sorry if I'm mixing up something...
Assignee | ||
Comment 20•10 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #19) > (In reply to Bobby Holley (:bholley) from comment #16) > > > > + // COWs are fine to pass back if and only if they have __exposedProps__, > > > > + // since presumably content should never have a reason to pass an opaque > > > > + // object back to chrome. > > > > > > Is this really needed / worth it? > > > > At the very least, it's needed for the |this| on an > > __exposedProps__-implemented API object, right? i.e. fooAPI.bar(). > > I get that, what I was curious about the "only if" part. Ah, sorry - I misunderstood. Yeah, it's a general defense-in-depth thing. It's causing a couple of scattered failures, mostly from COWs that are implicitly usable without __exposedProps__ (i.e. Function and Array). It looks tractable though, so I'd rather do that if we can. > The only example I could come up with for the how/why could content have a > reference to chrome object without __exposedProps__ case, is old style COW > for function objects exported by an add-on. Yeah, that matches the two failures I ran into (one in the devtools tests, and one in the marionette harness). > In which case it would be not > _that_ far-fetched idea to pass it back to chrome at some point. That's why > I asked the how far do you want to back-port this. Since now-days functions > should get an xray anyway. No, because we ForceCOWBehavior for Functions. :-( > Does this make any sense? Sorry if I'm mixing up > something... Makes total sense. We should definitely leave the option open to special-case Functions here if we encounter breakage.
Assignee | ||
Comment 21•10 years ago
|
||
Talking to mdas, it sounds like we need wrapReflectors: true here.
Attachment #8458843 -
Attachment is obsolete: true
Attachment #8458843 -
Flags: review?(mdas)
Attachment #8458876 -
Flags: review?(mdas)
Assignee | ||
Comment 22•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=dab81a09718a
Comment 23•10 years ago
|
||
Comment on attachment 8458876 [details] [diff] [review] Clone marionette args into the sandbox rather than using a COW. v2 Review of attachment 8458876 [details] [diff] [review]: ----------------------------------------------------------------- ::: testing/marionette/marionette-listener.js @@ +646,5 @@ > } > else { > try { > + sandbox.__marionetteParams = Cu.cloneInto(elementManager.convertWrappedArguments( > + msg.json.args, curFrame), sandbox, { wrapReflectors: true }); This should be applied on line 515 too, it's similar code. I tested locally with both the line changes, and it works as I expect.
Attachment #8458876 -
Flags: review?(mdas) → review+
Comment 24•10 years ago
|
||
oops, I mean r+ provided you add it to the second instance of that line as well. Thanks!
Assignee | ||
Comment 25•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=55d2b36a0f91
Assignee | ||
Comment 26•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=8652469912ab
Assignee | ||
Comment 27•10 years ago
|
||
Union of the last two try pushes is green: remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/030adb40ad19 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/2eddd81bb167
Comment 28•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/030adb40ad19 https://hg.mozilla.org/mozilla-central/rev/2eddd81bb167
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
status-b2g-v2.1:
--- → fixed
status-firefox33:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment 29•10 years ago
|
||
Does this need to be back ported to ESR31?
Assignee | ||
Comment 30•10 years ago
|
||
(In reply to Al Billings [:abillings] from comment #29) > Does this need to be back ported to ESR31? This part of a large body of slaughterhouse work that would probably have to all be uplifted together (on the order of 100 patches). We can consider that at some point, but I want to get everything smoothed out and shipping on release first.
Comment 31•10 years ago
|
||
Is there a test, or other way to both reproduce the problem and verify that it's been fixed? I see that Bobby's away til 10/12, but that still gives us a chance to verify pre-release if we have more info on his return.
Flags: needinfo?(bobbyholley)
Updated•10 years ago
|
Whiteboard: [adv-main33-]
Updated•10 years ago
|
status-firefox-esr31:
--- → wontfix
Comment 32•10 years ago
|
||
Actually, on second thought, I'm going to mark this [qe-verify-] in the interim. If there are tests to be run that can verify this bug fix, just get in touch and I'm happy to look at them. Thanks.
Flags: needinfo?(bobbyholley) → qe-verify-
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•