Closed Bug 508752 Opened 15 years ago Closed 15 years ago

COW can be circumvented

Categories

(Core :: XPConnect, defect, P2)

x86
Windows XP
defect

Tracking

()

RESOLVED FIXED
mozilla1.9.2
Tracking Status
status1.9.2 --- beta4-fixed
status1.9.1 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [sg:critical])

Attachments

(3 files, 2 obsolete files)

feedWriter.onPageChanged({}, 0, obj); When obj is converted to a string, obj.toString method can access the original native onPageChanged method.
Attached file (deleted) —
This uses bug 344495's trick.
Attached patch Proposed fix (obsolete) (deleted) — Splinter Review
This closes the hole in wrapperization by not exposing the caller of a function that was called through a SJOW.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #393052 - Flags: superreview?(jst)
Attachment #393052 - Flags: review?(jst)
Attachment #393052 - Flags: superreview?(jst)
Attachment #393052 - Flags: superreview+
Attachment #393052 - Flags: review?(jst)
Attachment #393052 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
I had to back this out. It caused mochitest-chrome failure.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch Passing mochichrome (obsolete) (deleted) — Splinter Review
This works, but is there a better way? diff --git a/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp b/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp --- a/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp +++ b/js/src/xpconnect/src/XPCSafeJSObjectWrapper.cpp @@ -527,17 +527,20 @@ static inline JSBool CallWithoutStatics(JSContext *cx, JSObject *obj, jsval fval, uintN argc, jsval *argv, jsval *rval) { JSRegExpStatics statics; JSTempValueRooter tvr; js_SaveRegExpStatics(cx, &statics, &tvr); JS_ClearRegExpStatics(cx); JSStackFrame *fp = JS_SaveFrameChain(cx); + uint32 options = + JS_SetOptions(cx, JS_GetOptions(cx) | JSOPTION_DONT_REPORT_UNCAUGHT); JSBool ok = ::JS_CallFunctionValue(cx, obj, fval, argc, argv, rval); + JS_SetOptions(cx, options); JS_RestoreFrameChain(cx, fp); js_RestoreRegExpStatics(cx, &statics, &tvr); return ok; } // Call wrapper to help with wrapping calls to functions or callable // objects in a scripted function (see XPC_SJOW_Call()). The first // argument passed to this method is the unsafe function to call, the
Attachment #393052 - Attachment is obsolete: true
Attachment #393709 - Flags: superreview?(jst)
Attachment #393709 - Flags: review?(jst)
Comment on attachment 393709 [details] [diff] [review] Passing mochichrome Brendan, I'd appreciate your comments on this, as well.
Attachment #393709 - Flags: review?(brendan)
Attachment #393709 - Flags: review?(brendan) → review+
Comment on attachment 393709 [details] [diff] [review] Passing mochichrome That seems necessary and minimal (new API could make it smaller yet -- a followup bug if necessary, but we could wait until there's a second use-case in the wild). /be
Attachment #393709 - Flags: superreview?(jst)
Attachment #393709 - Flags: superreview+
Attachment #393709 - Flags: review?(jst)
Attachment #393709 - Flags: review+
The proposed fix makes SJOW exploitable. With the fix, when an untrusted function is called through XPC_SJOW_CallWrapper, there is no running script on the stack, and thus a subject principal is computed from the global object of the context that the function is running on. (When an untrusted function is called through XPC_SJOW_GetOrSetProperty or XPC_SJOW_toString, there is a scripted caller created by SJOW on the stack properly.)
Attached file testcase 2 - arbitrary code execution (deleted) —
This works with "Passing mochichrome" patch.
Attachment #393709 - Attachment is obsolete: true
Attachment #393709 - Flags: superreview+
Attachment #393709 - Flags: review+
Attached patch Fix for that too (deleted) — Splinter Review
I stared at this for a while and could not figure out what XPC_SJOW_CallWrapper gains us. All it does is check for less than 1 arg and strip off the first parameter (which is the actual function we want to call). We don't have to worry about the regexp static stuff because this is already on the right side of the firewall: we've already made the transition to unprivileged code.
Attachment #394311 - Flags: superreview?(jst)
Attachment #394311 - Flags: review?(jst)
Attachment #394311 - Flags: superreview?(jst)
Attachment #394311 - Flags: superreview+
Attachment #394311 - Flags: review?(jst)
Attachment #394311 - Flags: review+
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
arg, this should have been a 1.9.2 blocker. Didn't notice it just missed the branch.
Flags: blocking1.9.2?
Whiteboard: [sg:critical]
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Target Milestone: --- → mozilla1.9.2
Attached patch Applying to the 1.9.2 branch (deleted) — Splinter Review
This is ready to be pushed to the 1.9.2 branch.
This was fixed by the patch I checked in for bug 504021.
Attachment #392890 - Attachment is private: true
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: