Closed
Bug 508752
Opened 15 years ago
Closed 15 years ago
COW can be circumvented
Categories
(Core :: XPConnect, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta4-fixed |
status1.9.1 | --- | unaffected |
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details
(Whiteboard: [sg:critical])
Attachments
(3 files, 2 obsolete files)
(deleted),
text/html
|
Details | |
(deleted),
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Details | Diff | Splinter Review |
feedWriter.onPageChanged({}, 0, obj);
When obj is converted to a string, obj.toString method can access the original
native onPageChanged method.
Reporter | ||
Comment 1•15 years ago
|
||
This uses bug 344495's trick.
Assignee | ||
Comment 2•15 years ago
|
||
This closes the hole in wrapperization by not exposing the caller of a function that was called through a SJOW.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #393052 -
Flags: superreview?(jst)
Attachment #393052 -
Flags: review?(jst)
Updated•15 years ago
|
Attachment #393052 -
Flags: superreview?(jst)
Attachment #393052 -
Flags: superreview+
Attachment #393052 -
Flags: review?(jst)
Attachment #393052 -
Flags: review+
Assignee | ||
Comment 3•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 4•15 years ago
|
||
I had to back this out. It caused mochitest-chrome failure.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 5•15 years ago
|
||
This works, but is there a better way?
diff --git a/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp b/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
--- a/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
+++ b/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp
@@ -527,17 +527,20 @@ static inline JSBool
CallWithoutStatics(JSContext *cx, JSObject *obj, jsval fval, uintN argc,
jsval *argv, jsval *rval)
{
JSRegExpStatics statics;
JSTempValueRooter tvr;
js_SaveRegExpStatics(cx, &statics, &tvr);
JS_ClearRegExpStatics(cx);
JSStackFrame *fp = JS_SaveFrameChain(cx);
+ uint32 options =
+ JS_SetOptions(cx, JS_GetOptions(cx) | JSOPTION_DONT_REPORT_UNCAUGHT);
JSBool ok = ::JS_CallFunctionValue(cx, obj, fval, argc, argv, rval);
+ JS_SetOptions(cx, options);
JS_RestoreFrameChain(cx, fp);
js_RestoreRegExpStatics(cx, &statics, &tvr);
return ok;
}
// Call wrapper to help with wrapping calls to functions or callable
// objects in a scripted function (see XPC_SJOW_Call()). The first
// argument passed to this method is the unsafe function to call, the
Attachment #393052 -
Attachment is obsolete: true
Attachment #393709 -
Flags: superreview?(jst)
Attachment #393709 -
Flags: review?(jst)
Assignee | ||
Comment 6•15 years ago
|
||
Comment on attachment 393709 [details] [diff] [review]
Passing mochichrome
Brendan, I'd appreciate your comments on this, as well.
Attachment #393709 -
Flags: review?(brendan)
Updated•15 years ago
|
Attachment #393709 -
Flags: review?(brendan) → review+
Comment 7•15 years ago
|
||
Comment on attachment 393709 [details] [diff] [review]
Passing mochichrome
That seems necessary and minimal (new API could make it smaller yet -- a followup bug if necessary, but we could wait until there's a second use-case in the wild).
/be
Updated•15 years ago
|
Attachment #393709 -
Flags: superreview?(jst)
Attachment #393709 -
Flags: superreview+
Attachment #393709 -
Flags: review?(jst)
Attachment #393709 -
Flags: review+
Reporter | ||
Comment 8•15 years ago
|
||
The proposed fix makes SJOW exploitable. With the fix, when an untrusted
function is called through XPC_SJOW_CallWrapper, there is no running script on
the stack, and thus a subject principal is computed from the global object of
the context that the function is running on. (When an untrusted function is
called through XPC_SJOW_GetOrSetProperty or XPC_SJOW_toString, there is a
scripted caller created by SJOW on the stack properly.)
Reporter | ||
Comment 9•15 years ago
|
||
This works with "Passing mochichrome" patch.
Assignee | ||
Updated•15 years ago
|
Attachment #393709 -
Attachment is obsolete: true
Attachment #393709 -
Flags: superreview+
Attachment #393709 -
Flags: review+
Assignee | ||
Comment 10•15 years ago
|
||
I stared at this for a while and could not figure out what XPC_SJOW_CallWrapper gains us. All it does is check for less than 1 arg and strip off the first parameter (which is the actual function we want to call). We don't have to worry about the regexp static stuff because this is already on the right side of the firewall: we've already made the transition to unprivileged code.
Attachment #394311 -
Flags: superreview?(jst)
Attachment #394311 -
Flags: review?(jst)
Updated•15 years ago
|
Attachment #394311 -
Flags: superreview?(jst)
Attachment #394311 -
Flags: superreview+
Attachment #394311 -
Flags: review?(jst)
Attachment #394311 -
Flags: review+
Assignee | ||
Comment 11•15 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
Comment 12•15 years ago
|
||
arg, this should have been a 1.9.2 blocker. Didn't notice it just missed the branch.
Flags: blocking1.9.2?
Whiteboard: [sg:critical]
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Updated•15 years ago
|
Priority: -- → P2
Target Milestone: --- → mozilla1.9.2
Assignee | ||
Comment 13•15 years ago
|
||
This is ready to be pushed to the 1.9.2 branch.
Assignee | ||
Comment 14•15 years ago
|
||
This was fixed by the patch I checked in for bug 504021.
status1.9.2:
--- → final-fixed
Updated•14 years ago
|
Attachment #392890 -
Attachment is private: true
Updated•14 years ago
|
Group: core-security
status1.9.1:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•