Closed
Bug 935228
Opened 11 years ago
Closed 11 years ago
JSD.pause and unPause can attempt to toggle debug traps on non-debug mode Baseline scripts
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla28
Tracking | Status | |
---|---|---|
firefox25 | --- | wontfix |
firefox26 | --- | wontfix |
firefox27 | --- | fixed |
firefox28 | --- | fixed |
firefox-esr24 | --- | wontfix |
b2g18 | --- | unaffected |
b2g-v1.2 | --- | unaffected |
People
(Reporter: shu, Assigned: shu)
References
Details
(Keywords: sec-moderate, Whiteboard: [adv-main27-] exploit requires Firebug plus a malicious addon that uses Firebug)
Attachments
(2 files)
3.20 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
3.17 KB,
patch
|
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta-
|
Details | Diff | Splinter Review |
JSD.pause and unPause promise to persist any breakpoints set on JSScripts [1], but we need to invalidate JIT code when toggling debug mode. This can get into a inconsistent state where we try to patch toggled calls on a non-debug mode BaselineScript.
Setting s-s because the patching is only guarded by an assert, and it could corrupt the instruction stream.
Assignee | ||
Comment 1•11 years ago
|
||
Assignee | ||
Comment 2•11 years ago
|
||
We need to check this because something like JSCompartment::clearTraps tries to
toggle debug traps if hasBaselineScript(), without regard for whether or not
that BL script is in debug mode.
Attachment #827821 -
Flags: review?(jdemooij)
Assignee | ||
Updated•11 years ago
|
Assignee: nobody → shu
Status: NEW → ASSIGNED
Comment 3•11 years ago
|
||
Comment on attachment 827821 [details] [diff] [review]
Toggle debug traps only in debug mode. (r=?)
Review of attachment 827821 [details] [diff] [review]:
-----------------------------------------------------------------
Good catch.
Attachment #827821 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 4•11 years ago
|
||
Backed out as part of https://hg.mozilla.org/integration/mozilla-inbound/rev/67f5d934127c because something in the push caused various test bustage on Linux ASAN's browser-chrome suite:
https://tbpl.mozilla.org/php/getParsedLog.php?id=30444281&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=30444457&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=30445445&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=30445739&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=30445414&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=30446297&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=30446502&tree=Mozilla-Inbound
Shu and RyanVM both suspect that https://hg.mozilla.org/integration/mozilla-inbound/rev/ce4011f33422 was the cause for the failures, but I backed out the whole push just to be sure.
Comment 6•11 years ago
|
||
Merge of backout:
https://hg.mozilla.org/mozilla-central/rev/77be849d81e7
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox28:
--- → fixed
Resolution: --- → FIXED
Comment 9•11 years ago
|
||
I'm going to guess this affects everything aside from b2g18.
status-b2g18:
--- → unaffected
status-firefox25:
--- → wontfix
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox-esr24:
--- → affected
Assignee | ||
Updated•11 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 10•11 years ago
|
||
Is this sec-high if it can only be caused by Firebug?
Comment 11•11 years ago
|
||
I was using the heuristic of bumping it down a level (from sec-critical) because it is Firebug related.
Is this something that can happen during the normal operation of Firebug, or something that would require a malicious Firebug-like addon?
Comment 12•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/de3dd3c48114 landed on central
Flags: in-testsuite?
Assignee | ||
Comment 13•11 years ago
|
||
Assignee | ||
Comment 14•11 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #11)
> I was using the heuristic of bumping it down a level (from sec-critical)
> because it is Firebug related.
>
> Is this something that can happen during the normal operation of Firebug, or
> something that would require a malicious Firebug-like addon?
It would require a malicious addon that uses JSD. Which... is nonexistent AFAIK.
Assignee | ||
Comment 15•11 years ago
|
||
Comment on attachment 8341334 [details] [diff] [review]
Toggle debug traps only in debug mode. (
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
Bug 754201 most recently. Not sure what introduced AutoDebugModeGC initially.
User impact if declined:
Firebug unusable with many tabs. Firebug has worked around this by disabling JITs permanently if it's on, which is in some ways worse since it slows down *all* tabs.
Testing completed (on m-c, etc.):
On m-c.
Risk to taking this patch (and alternatives if risky):
GC behavior changes surfacing existing leaks/OOMs. When landing on m-c new leaks were surfaced (and eventually fixed). I am nominating those fixes for uplift also.
String or IDL/UUID changes made by this patch:
None
The Firebug slowness metabug is bug 815603. List of bugs I'm nominating for uplift in this batch:
- bug 936143
- bug 935228
- bug 933882
- bug 935470
- bug 942346
- bug 934799
Attachment #8341334 -
Flags: approval-mozilla-beta?
Attachment #8341334 -
Flags: approval-mozilla-aurora?
Comment 16•11 years ago
|
||
Thanks for the explanation. sec-moderate makes more sense then.
Keywords: sec-high → sec-moderate
Comment 17•11 years ago
|
||
Comment on attachment 8341334 [details] [diff] [review]
Toggle debug traps only in debug mode. (
We can take this on Aurora and thus it will be on Beta in a week, but we're way past the point of taking untracked, major change to Firefox 26 as we are going to build our final candidate today as well as the RC.
Attachment #8341334 -
Flags: approval-mozilla-beta?
Attachment #8341334 -
Flags: approval-mozilla-beta-
Attachment #8341334 -
Flags: approval-mozilla-aurora?
Attachment #8341334 -
Flags: approval-mozilla-aurora+
Updated•11 years ago
|
Assignee | ||
Comment 18•11 years ago
|
||
Updated•11 years ago
|
Updated•11 years ago
|
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 20•11 years ago
|
||
Actually I'm not sure why it stayed open anyways, because it was REOPENED?
Flags: needinfo?(shu)
Comment 21•11 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #20)
> Actually I'm not sure why it stayed open anyways, because it was REOPENED?
Security bugs are resolved manually. He probably just forgot.
Updated•11 years ago
|
Updated•11 years ago
|
Whiteboard: [adv-main27-]
Updated•11 years ago
|
Whiteboard: [adv-main27-] → [adv-main27-] exploit requires Firebug plus a malicious addon that uses Firebug
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•