Bug 949940 - Compartment mismatch: Object.create(frameWin).self
Opened 11 years ago. Closed 11 years ago.
Status: RESOLVED FIXED
Categories: Core :: DOM: Core & HTML, defect
Target Milestone: mozilla29
Branch | Tracking | Status
---|---|---
firefox27 | --- | unaffected
firefox28 | + | verified
firefox29 | + | verified
firefox-esr24 | --- | unaffected
b2g18 | --- | unaffected
b2g-v1.1hd | --- | unaffected
b2g-v1.2 | --- | unaffected
b2g-v1.3 | --- | fixed
People
(Reporter: jruderman, Assigned: bzbarsky)
References · Details (4 keywords) · Crash Data
Attachments (3 files, 1 obsolete file)
- 283 bytes, text/html (Details)
- 11.98 KB, text/plain (Details)
- 6.69 KB, patch; lsblakk: approval-mozilla-aurora+ (Details | Diff | Splinter Review)
No description provided.
Comment 1 • 11 years ago (Reporter)
Nightly: bp-f4e93611-eac3-46ab-839a-36c5d2131213
Updated • 11 years ago
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*) ]
Comment 2 • 11 years ago
Looks potentially related to the recent window changes...
Flags: needinfo?(peterv)
Comment 3 • 11 years ago (Assignee)
This is exciting. We land in nsOuterWindowProxy::get with id=="self" (called via js::CrossCompartmentWrapper::get etc). That eventually lands us in mozilla::dom::WindowBinding::genericCrossOriginGetter, which ends up throwing because the thisobj is not actually a window. But genericCrossOriginGetter enters the compartment of uncheckedObj. And throwing looks like this:

  return ThrowInvalidThis(cx, args, GetInvalidThisErrorForGetter(rv == NS_ERROR_XPC_SECURITY_MANAGER_VETO), "Window");

and ThrowInvalidThis will end up doing:

  JS::Rooted<JSFunction*> func(aCx, JS_ValueToFunction(aCx, aArgs.calleev()));

which is where the compartment check fails. We need to either reenter the compartment of "obj" before doing ThrowInvalidThis or scope the entering of the compartment of uncheckedObj more narrowly. In fact, the only reason we need that compartment-entering behavior is for the UnwrapArg<nsGlobalWindow> call. So maybe we can just scope the autocompartment around that?
Blocks: 946067
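The path comment 3 describes, as an added model in plain JavaScript that is not code from this bug or from Firefox: the wrapper forwards the receiver (the Object.create result) into the frame's compartment, the getter enters the receiver's compartment to unwrap it, and the buggy variant is still inside that compartment when ThrowInvalidThis touches the callee, while the fixed variant has already left it. Every name here (enterCompartment, checkCompartment, makeSelfGetter, makeWrapper, probe, the string compartment tags) is an assumption made for illustration; only the structure follows comment 3.

```javascript
// Added example (not Firefox code): a plain-JS model of the failure path in
// comment 3 and of the fix that narrows the compartment entry to the unwrap.
// Assumptions: a "compartment" is a string tag kept in a WeakMap,
// enterCompartment() stands in for the autocompartment, checkCompartment()
// for js::CompartmentChecker, the Proxy for the cross-compartment wrapper that
// forwards the receiver, and makeSelfGetter() for the generated getter.

let current = "top";                        // compartment the context is in
const compartments = new WeakMap();         // object -> compartment it lives in
const windows = new WeakSet();              // brand for real window objects
const wrapped = new WeakMap();              // wrapper -> target (UncheckedUnwrap)

function allocate(obj, compartment) {       // "this object was created in ..."
  compartments.set(obj, compartment);
  return obj;
}

function enterCompartment(name, body) {     // scoped like an autocompartment
  const saved = current;
  current = name;
  try { return body(); } finally { current = saved; }
}

function checkCompartment(obj) {            // CompartmentChecker::check
  const c = compartments.get(obj);
  if (c !== current) throw new Error(`compartment mismatch: object in ${c}, cx in ${current}`);
}

function makeWindow(compartment) {
  const win = allocate({}, compartment);
  windows.add(win);
  return win;
}

function uncheckedUnwrap(obj) { return wrapped.has(obj) ? wrapped.get(obj) : obj; }

// UnwrapArg<nsGlobalWindow>: a brand check on the unwrapped object, not a
// prototype walk, so an Object.create(frameWin) object is rejected.
function unwrapWindow(obj) {
  const target = uncheckedUnwrap(obj);
  return windows.has(target) ? target : null;
}

// ThrowInvalidThis reaches for the callee (JS_ValueToFunction), and that
// access is compartment-checked against the current compartment.
function throwInvalidThis(callee) {
  checkCompartment(callee);
  throw new TypeError("'self' getter called on an object that does not implement interface Window.");
}

// The getter function object lives in the frame's compartment; `this` is
// whatever receiver the wrapper forwarded.
function makeSelfGetter(calleeCompartment, narrowScope) {
  const callee = allocate({}, calleeCompartment);
  return function self() {
    const uncheckedObj = uncheckedUnwrap(this);
    if (narrowScope) {
      // Fixed: enter uncheckedObj's compartment only for the unwrap; the
      // throw happens back in the compartment the getter was called in.
      const win = enterCompartment(compartments.get(uncheckedObj), () => unwrapWindow(this));
      if (win === null) throwInvalidThis(callee);
      return this;
    }
    // Buggy: the whole getter body, including the throw, runs in
    // uncheckedObj's compartment.
    return enterCompartment(compartments.get(uncheckedObj), () => {
      const win = unwrapWindow(this);
      if (win === null) throwInvalidThis(callee);
      return this;
    });
  };
}

// Cross-compartment wrapper: enters the target's compartment, then forwards
// the property get with the original receiver (CrossCompartmentWrapper::get).
function makeWrapper(target, getter) {
  const wrapper = new Proxy(target, {
    get(t, key, receiver) {
      if (key !== "self") return Reflect.get(t, key, receiver);
      return enterCompartment(compartments.get(t), () => Reflect.apply(getter, receiver, []));
    },
  });
  wrapped.set(wrapper, target);
  return wrapper;
}

// Runs frameWin.self and Object.create(frameWin).self from the top
// compartment against one getter variant and reports what each produced.
function probe(narrowScope) {
  const frameWin = makeWrapper(makeWindow("frame"), makeSelfGetter("frame", narrowScope));
  const derived = allocate(Object.create(frameWin), "top");
  const results = {};
  for (const [label, obj] of [["direct", frameWin], ["derived", derived]]) {
    try { results[label] = obj.self === frameWin ? "wrapper" : "other"; }
    catch (e) { results[label] = `${e.constructor.name}: ${e.message}`; }
  }
  return results;
}
```

probe(false) reproduces the mismatch as an Error raised from checkCompartment while the callee is still being resolved in the wrong compartment; probe(true) yields the intended TypeError. In both variants the direct frameWin.self access still returns the wrapper, which is why narrowing the scope is the smaller change compared with re-entering the caller's compartment before every throw.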
Comment 4 • 11 years ago
(In reply to Boris Zbarsky [:bz] from comment #3)
> In fact, the only reason we need that compartment-entering
> behavior is for the UnwrapArg<nsGlobalWindow> call. So maybe we can just
> scope the autocompartment around that?

Yes, this sounds like the right thing.
Updated • 11 years ago (Assignee)
tracking-firefox28: --- → ?
tracking-firefox29: --- → ?
Comment 5 • 11 years ago (Assignee)
Attachment #8347365 - Flags: review?(bobbyholley+bmo)
Updated • 11 years ago (Assignee)
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Comment 6 • 11 years ago (Assignee)
Comment 7 • 11 years ago
Comment on attachment 8347365 [details] [diff] [review]
Only enter the uncheckedObj compartment in a crossOriginGetter/Setter/Method around the UnwrapArg call that needs us to be in that compartment.

Review of attachment 8347365 [details] [diff] [review]:
-----------------------------------------------------------------
The generated code looks right, but I'm not up to speed enough on the Codegen to review what look like nontrivial changes. Bouncing that part to Peter.

Attachment #8347365 - Flags: review?(peterv)
Attachment #8347365 - Flags: review?(bobbyholley+bmo)
Attachment #8347365 - Flags: feedback+
Comment 8 • 11 years ago
Setting sec-high for compartment mismatch, though I'm not sure how possible it would be to actually exploit this. Feel free to adjust.
Keywords: sec-high
Comment 9 • 11 years ago (Assignee)
I don't think it's possible to exploit this, fwiw.
Updated • 11 years ago
status-firefox28: --- → affected
status-firefox29: --- → affected
Comment 10 • 11 years ago
Comment on attachment 8347365 [details] [diff] [review] Only enter the uncheckedObj compartment in a crossOriginGetter/Setter/Method around the UnwrapArg call that needs us to be inthat compartment. Review of attachment 8347365 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/bindings/Codegen.py @@ +2663,5 @@ > ${codeOnFailure} > } > }""").substitute(self.substitution, codeOnFailure=codeOnFailure) > > + def getXPConnectUnwrap(self, allowCrossOriginObj): Not sure why this needs to be a method, might be better to just store this in a string where you define self.substitution["uncheckedObjDecl"].
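Review bot: the hunk introduces getXPConnectUnwrap(self, allowCrossOriginObj) as a new Codegen method but shows only its signature, so the unwrap string it emits, and therefore whether the emitted compartment entry now opens and closes around just the UnwrapArg call as the attachment title says, cannot be checked from this context. A docstring stating what allowCrossOriginObj changes in the generated code would make the review self-contained; alternatively, folding the string into the place where self.substitution["uncheckedObjDecl"] is defined, as suggested above, keeps the unwrap and its compartment scope visible together.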
Attachment #8347365 - Flags: review?(peterv) → review+
Updated • 11 years ago
Flags: needinfo?(peterv)
Comment 11 • 11 years ago (Assignee)
Updated • 11 years ago (Assignee)
Attachment #8347365 - Attachment is obsolete: true
Comment 12 • 11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/88f21d4b4c78
Comment 13 • 11 years ago (Assignee)
Comment on attachment 8349031 [details] [diff] [review]
Updated to review comments

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 946067
User impact if declined: Can't land fix for bug 946067 on aurora, get web compat regressions.
Testing completed (on m-c, etc.): Passes tests
Risk to taking this patch (and alternatives if risky): Low risk, I believe.
String or IDL/UUID changes made by this patch: None

Attachment #8349031 - Flags: approval-mozilla-aurora?
Updated • 11 years ago (Assignee)
Flags: in-testsuite+
Whiteboard: Needs to be uplifted on top of bug 946067
Target Milestone: --- → mozilla29
https://hg.mozilla.org/mozilla-central/rev/88f21d4b4c78
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 11 years ago
Attachment #8349031 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 15 • 11 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/62d366143e50
Whiteboard: Needs to be uplifted on top of bug 946067
Updated • 11 years ago
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → fixed
status-firefox27: --- → unaffected
status-firefox-esr24: --- → unaffected
Comment 16 • 11 years ago
Confirmed crash, compartment mismatch in FF29, 2013-12-13. Verified fixed in FF28, FF29, 2014-01-18.
Updated • 10 years ago
Group: core-security

Updated • 5 years ago
Component: DOM → DOM: Core & HTML