Closed
Bug 994907
Opened 10 years ago
Closed 10 years ago
imgDecoderObserver is refcounted on multiple threads
Categories
(Core :: Graphics: ImageLib, defect)
Core
Graphics: ImageLib
Tracking
()
RESOLVED
FIXED
mozilla32
People
(Reporter: khuey, Assigned: milan)
References
Details
(Keywords: sec-high, Whiteboard: [qa-][adv-main30+][adv-esr24.6+])
Attachments
(3 files, 2 obsolete files)
1.82 KB,
text/plain
|
Details | |
3.00 KB,
patch
|
milan
:
review+
abillings
:
feedback+
Sylvestre
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
2.84 KB,
patch
|
milan
:
review+
abillings
:
approval-mozilla-esr24+
|
Details | Diff | Splinter Review |
But it does not have threadsafe refcounting.
Comment 1•10 years ago
|
||
This is probably at least sec-high. Milan, is there somebody who can look into this?
Flags: needinfo?(milan)
Keywords: sec-high
Assignee | ||
Comment 2•10 years ago
|
||
I'm assuming security issue because of a possible UAF. I don't know if it's a surprise that imgDecoderObserver is doing reference counting on multiple threads, and if it is, then this patch doesn't make sense, and a proper solution is needed. On the off chance that we do want reference counting on multiple threads, the fix is simple and I thought I'd save everybody some time. I don't know if there are any performance implications with this.
Attachment #8407725 -
Flags: review?(seth)
Flags: needinfo?(milan)
Assignee | ||
Comment 3•10 years ago
|
||
CC-ing bjacob on the off chance that this is related to https://bugzilla.mozilla.org/show_bug.cgi?id=987010#c38
Assignee | ||
Comment 4•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=cbd6882a6e65
Comment 5•10 years ago
|
||
Milan, can you please use NS_INLINE_DECL_THREADSAFE_REFCOUNTING instead of deriving from AtomicRefCounted? We're switching away from using (Atomic)RefCounted in Gecko. Bonus points for making the destructor protected as well!
Comment 6•10 years ago
|
||
(Oh and BTW you can get rid of the MOZ_DECLARE_REFCOUNTED_TYPENAME macro there as well. thanks!)
Assignee | ||
Updated•10 years ago
|
Attachment #8407725 -
Flags: review?(seth)
Assignee | ||
Comment 7•10 years ago
|
||
Attachment #8407725 -
Attachment is obsolete: true
Attachment #8408343 -
Flags: review?(seth)
Attachment #8408343 -
Flags: review?(ehsan)
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → milan
Updated•10 years ago
|
status-firefox31:
--- → affected
Comment 8•10 years ago
|
||
Comment on attachment 8408343 [details] [diff] [review] Use thread safe reference counting for imgDecoderObserver. Review of attachment 8408343 [details] [diff] [review]: ----------------------------------------------------------------- Looks great. Thanks!
Attachment #8408343 -
Flags: review?(ehsan) → review+
Reporter | ||
Comment 9•10 years ago
|
||
Are we confident there are no other thread safety issues here beyond the reference counting?
Comment 10•10 years ago
|
||
(In reply to (Away 4/19-5/7) from comment #9) > Are we confident there are no other thread safety issues here beyond the > reference counting? Milan, can you please help find someone who can answer this question? Thanks!
Flags: needinfo?(milan)
Assignee | ||
Comment 11•10 years ago
|
||
Seth is probably the right person. Once he reviews the existing patch, we can see if there are other issues to chase?
Flags: needinfo?(milan)
Assignee | ||
Comment 13•10 years ago
|
||
Seth, review ping and maybe answer to comment 9?
Flags: needinfo?(seth)
Updated•10 years ago
|
Group: gfx-core-security
Comment 14•10 years ago
|
||
seth: ping?
Comment 15•10 years ago
|
||
Comment on attachment 8408343 [details] [diff] [review] Use thread safe reference counting for imgDecoderObserver. Review of attachment 8408343 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for taking a look at this, Milan. It seems that the OMT reference counting is caused by nsICODecoder's use of a nested decoder, which is legitimate. It would be possible to restructure the code to avoid this, but that's a much bigger change and would probably result in a patch that would be hard to backport anywhere. I think this is the right fix for now. The commit message should read 'r=seth,ehsan'.
Attachment #8408343 -
Flags: review?(seth) → review+
Assignee | ||
Comment 16•10 years ago
|
||
Just change the commit message.
Attachment #8408343 -
Attachment is obsolete: true
Attachment #8418202 -
Flags: review+
Assignee | ||
Comment 17•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/656d626d8fd1
Flags: needinfo?(seth)
Assignee | ||
Comment 18•10 years ago
|
||
Comment on attachment 8418202 [details] [diff] [review] Use thread safe reference counting for imgDecoderObserver. Carry r=seth,ehsan Sorry! Sent this to inbound and then realized I should have asked for security approval. [Security approval request comment] How easily could an exploit be constructed based on the patch? Very difficult. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? I suppose they do. Which older supported branches are affected by this flaw? All of them. If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Easy to do. How likely is this patch to cause regressions; how much testing does it need? Not likely.
Attachment #8418202 -
Flags: sec-approval?
Comment 19•10 years ago
|
||
Comment on attachment 8418202 [details] [diff] [review] Use thread safe reference counting for imgDecoderObserver. Carry r=seth,ehsan Well, too late to back out now, so sec-approval+. Let's get Aurora, Beta, and ESR24 patches.
Updated•10 years ago
|
status-firefox29:
--- → wontfix
status-firefox30:
--- → affected
status-firefox32:
--- → affected
status-firefox-esr24:
--- → affected
tracking-firefox32:
--- → +
Comment 20•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/656d626d8fd1
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated•10 years ago
|
Attachment #8418202 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 21•10 years ago
|
||
Comment on attachment 8418202 [details] [diff] [review] Use thread safe reference counting for imgDecoderObserver. Carry r=seth,ehsan [Approval Request Comment] Bug caused by (feature/regressing bug #): User impact if declined: Very difficult to implement security attack. Testing completed (on m-c, etc.): Yes Risk to taking this patch (and alternatives if risky): I guess we are open to the attack. String or IDL/UUID changes made by this patch: None. ESR24 version requires a different patch, aurora and beta can use the existing patch.
Attachment #8418202 -
Flags: approval-mozilla-beta?
Attachment #8418202 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 22•10 years ago
|
||
[Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: It would be a very difficult way to attack through this, so I guess a theoretical impact? Fix Landed on Version: 32 Risk to taking this patch (and alternatives if risky): Low risk String or UUID changes made by this patch: None See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8418919 -
Flags: review+
Attachment #8418919 -
Flags: approval-mozilla-esr24?
Updated•10 years ago
|
Attachment #8418202 -
Flags: feedback+
Attachment #8418202 -
Flags: approval-mozilla-beta?
Attachment #8418202 -
Flags: approval-mozilla-beta+
Updated•10 years ago
|
Attachment #8418919 -
Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
Comment 23•10 years ago
|
||
I assume that the Aurora approval was meant to be set along with the others, but can we do so officially please? :)
status-b2g-v1.2:
--- → affected
status-b2g-v1.3:
--- → affected
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → fixed
Comment 24•10 years ago
|
||
Comment on attachment 8418202 [details] [diff] [review] Use thread safe reference counting for imgDecoderObserver. Carry r=seth,ehsan Right!
Attachment #8418202 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 26•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/4c247bfe9d75 https://hg.mozilla.org/releases/mozilla-beta/rev/adafd31af170 https://hg.mozilla.org/releases/mozilla-b2g28_v1_3/rev/655771204329 https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/f8f1bcd48c9a
Updated•10 years ago
|
status-b2g-v1.3T:
--- → fixed
Updated•10 years ago
|
Group: gfx-core-security
Updated•10 years ago
|
tracking-firefox-esr24:
--- → 30+
Updated•10 years ago
|
Whiteboard: [qa-] → [qa-][adv-main30+][adv-esr24.6+]
Comment 29•10 years ago
|
||
This was crashing on all platforms on me during transplant attempt --- so wontfix for SeaMonkey 2.26.1
status-seamonkey2.26:
--- → wontfix
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•