Closed
Bug 584180
(CVE-2010-2762)
Opened 14 years ago
Closed 14 years ago
SJOWs create scope chains ending in outer objects
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
| status2.0 | --- | ? |
| blocking1.9.2 | --- | .9+ |
| status1.9.2 | --- | .9-fixed |
| status1.9.1 | --- | unaffected |
People
(Reporter: mrbkap, Assigned: mrbkap)
References
(Blocks 1 open bug)
Details
(Keywords: verified1.9.2, Whiteboard: [sg:critical?])
Attachments
(3 files, 2 obsolete files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
|
(deleted),
patch
|
mrbkap
:
review+
christian
:
approval1.9.2.9+
|
Details | Diff | Splinter Review |
A SJOW around an outer window creates a scope function parented directly to the outer window's global object, which is... the outer window. I don't know if this is exploitable, but it's definitely hitting us on bug 581539, because window.postMessage indirectly depends on the scope chain ending in an inner object.
|
Assignee | |
Comment 1•14 years ago
|
||
We'll need this on the 1.9.2 branch as well.
|
|
Assignee | |
Comment 2•14 years ago
|
||
This aborts Firefox on load.
|
||
Comment 3•14 years ago
|
||
(In reply to comment #1) > We'll need this on the 1.9.2 branch as well. Is 1.9.1 affected?
|
|
Assignee | |
Comment 4•14 years ago
|
||
No, it isn't.
|
||
Updated•14 years ago
|
Attachment #462513 -
Flags: review?(jst) → review+
|
||
Comment 5•14 years ago
|
||
Loading the testcase in an opt build doesn't do anything obviously bad, but in a debug build I get: ###!!! ABORT: should have gotten an inner window here: 'callerInnerWin->IsInnerWindow()', file /Users/jruderman/mozilla-central/dom/base/nsGlobalWindow.cpp, line 5442
|
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?]
|
|
Assignee | |
Comment 6•14 years ago
|
||
Need to make sure we update the scope object if we're around an outer window that navigates.
Attachment #462513 -
Attachment is obsolete: true
Attachment #464611 -
Flags: review?(jst)
|
|
||
Comment 7•14 years ago
|
||
Comment on attachment 464611 [details] [diff] [review] Better fix + if (JSVAL_IS_OBJECT(v)) { + JSObject *funobj = JSVAL_TO_OBJECT(v); + if (JS_GetGlobalForObject(cx, funobj) != scopeobj && + !JS_SetParent(cx, funobj, scopeobj)) { + return nsnull; + } + + return funobj; I think I'd rather see us create a new function in this case than to change the existing function's scope in this rare case, just in case there's a way to exploit this function whose scope ends up changing through some bizarre way. r=jst with that.
Attachment #464611 -
Flags: review?(jst) → review+
|
|
Assignee | |
Comment 8•14 years ago
|
||
Attachment #464611 -
Attachment is obsolete: true
Attachment #465441 -
Flags: review+
|
|
Assignee | |
Comment 9•14 years ago
|
||
Trivial merge.
Attachment #465443 -
Flags: review+
Attachment #465443 -
Flags: approval1.9.2.9?
|
|
||
Comment 10•14 years ago
|
||
Pushed to mozilla-central. http://hg.mozilla.org/mozilla-central/rev/11ca949a6aff
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 11•14 years ago
|
||
Comment on attachment 465443 [details] [diff] [review] For 1.9.2 a=LegNeato for 1.9.2.9. This needs to be landed as soon as possible.
Attachment #465443 -
Flags: approval1.9.2.9? → approval1.9.2.9+
|
|
Assignee | |
Comment 12•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/29fac3124689
|
||
Comment 13•14 years ago
|
||
Verified fixed in 1.9.2 using my own debug build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9pre) Gecko/20100818 Namoroka/3.6.9pre ( .NET CLR 3.5.30729)).
Keywords: verified1.9.2
|
||
Updated•14 years ago
|
Alias: CVE-2010-2762
|
|
||
Updated•14 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•