Closed Bug 1830190 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(*** Compartment mismatch 55d34358c890 vs. 55d3434d80b0 at argument 2) at /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:55

Categories: Core :: DOM: Streams, defect, P2

Tracking: VERIFIED FIXED, 115 Branch

Tracking Status:
firefox-esr102 114+ fixed
firefox112 --- wontfix
firefox113 --- wontfix
firefox114 + fixed
firefox115 + fixed

People: Reporter: tsmith, Assigned: saschanaz

References: Blocks 1 open bug, Regression

Details: 5 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main114+r][adv-esr102.12+r]

Attachments: 4 files

Attached file testcase.html

Found while fuzzing m-c 20230424-83bbf217916b (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(*** Compartment mismatch 55d34358c890 vs. 55d3434d80b0 at argument 2) at /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:55

#0 0x7fd5426c7599 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fd5426c7599 in fail /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:54:5
#2 0x7fd5426c7599 in check /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:70:7
#3 0x7fd5426c7599 in js::ContextChecks::check(JSObject*, int) /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:83:7
#4 0x7fd54297a68f in void JSContext::checkImpl<JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>>(JS::Handle<JSObject*> const&, JS::Handle<JS::PropertyKey> const&, JS::Handle<JS::Value> const&) /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:206:33
#5 0x7fd542988313 in check<JS::Handle<JSObject *>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value> > /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:213:5
#6 0x7fd542988313 in DefineDataPropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:74:7
#7 0x7fd542988f2a in DefineDataProperty(JSContext*, JS::Handle<JSObject*>, char const*, JS::Handle<JS::Value>, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/PropertyAndElement.cpp:231:10
#8 0x7fd53fdb298b in mozilla::dom::PackAndPostMessage(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:58:8
#9 0x7fd53fdb34cb in mozilla::dom::PackAndPostMessageHandlingError(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:281:3
#10 0x7fd53fdae492 in mozilla::dom::CrossRealmReadableUnderlyingSourceAlgorithms::CancelCallback(JSContext*, mozilla::dom::Optional<JS::Handle<JS::Value>> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:725:19
#11 0x7fd53fd98fb8 in mozilla::dom::ReadableStreamDefaultController::CancelSteps(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamDefaultController.cpp:590:40
#12 0x7fd53fd90106 in mozilla::dom::streams_abstract::ReadableStreamCancel(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStream.cpp:402:19
#13 0x7fd53fdb06f5 in operator() /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:878:22
#14 0x7fd53fdb06f5 in mozilla::dom::PipeToPump::OnDestErrored(JSContext*, JS::Handle<JS::Value>)::$_0::__invoke(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:873:9
#15 0x7fd53fd9cd48 in mozilla::dom::PipeToPump::ShutdownWithActionAfterFinishedWrite(JSContext*, already_AddRefed<mozilla::dom::Promise> (*)(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&), JS::Handle<mozilla::Maybe<JS::Value>>) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:503:23
#16 0x7fd53fd9b6f8 in mozilla::dom::PipeToPump::ShutdownWithAction(JSContext*, already_AddRefed<mozilla::dom::Promise> (*)(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&), JS::Handle<mozilla::Maybe<JS::Value>>) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:431:3
#17 0x7fd53fd9bcb6 in mozilla::dom::PipeToPump::OnDestErrored(JSContext*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp
#18 0x7fd53fd9b928 in mozilla::dom::PipeToPump::SourceOrDestErroredOrClosed(JSContext*) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:271:5
#19 0x7fd53fd9c0ad in mozilla::dom::PipeToPump::Start(JSContext*, mozilla::dom::AbortSignal*) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:323:7
#20 0x7fd53fd90d15 in mozilla::dom::streams_abstract::ReadableStreamPipeTo(mozilla::dom::ReadableStream*, mozilla::dom::WritableStream*, bool, bool, bool, mozilla::dom::AbortSignal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:970:9
#21 0x7fd53fda301e in mozilla::dom::WritableStream::Transfer(JSContext*, mozilla::dom::UniqueMessagePortId&) /builds/worker/checkouts/gecko/dom/streams/Transferable.cpp:928:7
#22 0x7fd53cb5bda0 in mozilla::dom::StructuredCloneHolder::CustomWriteTransferHandler(JSContext*, JS::Handle<JSObject*>, unsigned int*, JS::TransferableOwnership*, void**, unsigned long*) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:1444:22
#23 0x7fd5426acb6c in JSStructuredCloneWriter::transferOwnership() /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:2316:12
#24 0x7fd54269da2e in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:2449:10
#25 0x7fd54269c7f5 in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Value const&) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:754:10
#26 0x7fd5426b708b in JS_WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:3882:10
#27 0x7fd5426b8629 in JSAutoStructuredCloneBuffer::write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:4003:13
#28 0x7fd53cb54a9a in mozilla::dom::StructuredCloneHolderBase::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:276:17
#29 0x7fd53cb553cb in mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:363:35
#30 0x7fd53c78d905 in nsContentUtils::StructuredClone(JSContext*, nsIGlobalObject*, JS::Handle<JS::Value>, mozilla::dom::StructuredSerializeOptions const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:10108:10
#31 0x7fd53db6119e in mozilla::dom::Window_Binding::structuredClone(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:20473:24
#32 0x7fd53e1808b2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3335:13
#33 0x7fd54271e5e5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#34 0x7fd54271df63 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#35 0x7fd54271f38d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#36 0x7fd542c7215d in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/checkouts/gecko/js/src/proxy/Wrapper.cpp:168:10
#37 0x7fd542c54aff in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/checkouts/gecko/js/src/proxy/CrossCompartmentWrapper.cpp:229:19
#38 0x7fd542c63a5e in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:706:19
#39 0x7fd54271e33f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:560:14
#40 0x7fd54272efbd in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#41 0x7fd54272efbd in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#42 0x7fd54271d3dd in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#43 0x7fd54271dddf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#44 0x7fd54271f38d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#45 0x7fd542a4f257 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1473:10
#46 0x7fd5427ce414 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:149:8
#47 0x7fd5429c30b0 in AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12
#48 0x7fd5429c30b0 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12
#49 0x7fd54271e5e5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#50 0x7fd54271df63 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#51 0x7fd54271f38d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
#52 0x7fd5427fbe92 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#53 0x7fd53d35413c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
#54 0x7fd53ad9fd55 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#55 0x7fd53ad9f5f3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#56 0x7fd53ad9f5f3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
#57 0x7fd53ad8bb38 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
#58 0x7fd53ad8c9f9 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
#59 0x7fd53bcc41a6 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1491:28
#60 0x7fd53aeb6303 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1277:24
#61 0x7fd53aebc60d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#62 0x7fd53bb0be13 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#63 0x7fd53ba2bce1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#64 0x7fd53ba2bce1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#65 0x7fd540212878 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#66 0x7fd5424f2afb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#67 0x7fd53bb0cd26 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#68 0x7fd53ba2bce1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#69 0x7fd53ba2bce1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#70 0x7fd5424f23be in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#71 0x55d3412c4396 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#72 0x55d3412c4396 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#73 0x7fd54ec29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#74 0x7fd54ec29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#75 0x55d34129b618 in _start (/home/user/workspace/browsers/m-c-20230424095046-fuzzing-debug/firefox-bin+0x58618) (BuildId: a7a8b7ef7cff627290ac831b92028f31e68bba39)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230426170915-17ea6f29654b.
The bug appears to have been introduced in the following build range:

Start: 3dd4a5d6bef63c1ebc00ad93a9d43c864e07d673 (20230209053805)
End: e37ee30891caf11937efcddba0328e831018ccb8 (20230209094552)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3dd4a5d6bef63c1ebc00ad93a9d43c864e07d673&tochange=e37ee30891caf11937efcddba0328e831018ccb8

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

OPFS being preffed on is in that range. Can we try bisecting again with dom.fs.enabled set to true?

Flags: needinfo?(twsmith)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> OPFS being preffed on is in that range. Can we try bisecting again with dom.fs.enabled set to true?

That's in release and we are looking at central when bisecting.

Flags: needinfo?(twsmith)

(In reply to Tyson Smith [:tsmith] from comment #3)
> (In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> > OPFS being preffed on is in that range. Can we try bisecting again with dom.fs.enabled set to true?
>
> That's in release and we are looking at central when bisecting.

In the same range Jari also checked in a fix for bug 1798513 that changed FileSystemWritableFileStream.cpp, and although I don't see that file in the captured stack, the stack shows a WritableStream is involved and the testcase is creating a writeable file stream. Not confirmed, but seems likely enough to track for now.

Flags: needinfo?(jjalkanen)
Regressed by: 1798513

Set release status flags based on info from the regressing bug 1798513

This is probably a bug in the streams code. aValue needs to get wrapped or something.

Group: javascript-core-security → dom-core-security
Component: JavaScript Engine → DOM: Streams

These compartment mismatches indicate that there is a cross-compartment reference that does not go through a CCW, which can result in a UAF.

Attached file testcase2.html

This doesn't need OPFS.

Flags: needinfo?(jjalkanen)
Regressed by: 1659025
No longer regressed by: 1798513

> These compartment mismatches indicate that there is a cross-compartment reference that does not go through a CCW, which can result in a UAF.

The created object here is used only to be immediately cloned via MessagePort and is then thrown away: https://searchfox.org/mozilla-central/rev/f32d5f3949a3f4f185122142b29f2e3ab776836e/dom/streams/Transferable.cpp#66

In this case can this still cause UAF?

Flags: needinfo?(continuation)

That does reduce the risk, but any JS allocation could potentially cause a GC.

Flags: needinfo?(continuation)
Assignee: nobody → krosylight
Status: NEW → ASSIGNED
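The invariant mccr8 describes above (a cross-compartment reference must go through a CCW, otherwise a GC triggered by any JS allocation can leave a dangling pointer) and the fix named in the patch title, as an added toy model in C++ that is not SpiderMonkey or Gecko code: Compartment, Context, checkCompartment, wrapObject and defineDataProperty are stand-ins for JS::Compartment, JSContext, js::ContextChecks::check, JS_WrapValue and DefineDataProperty, and the realm names are constructed.

```cpp
// Added toy model (not SpiderMonkey code) of the invariant behind the crash:
// an object from one compartment may be referenced from another only through
// a cross-compartment wrapper (CCW), which is what JS_WrapValue creates.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Compartment { std::string name; };

struct Object {
  Compartment* compartment;  // compartment that owns this object
  Object* wrappedTarget;     // non-null only for a CCW into another compartment
  std::vector<std::pair<std::string, Object*>> props;
};

struct Context {
  Compartment* current;      // the compartment the context has entered
  std::vector<std::unique_ptr<Object>> heap;
  Object* newObject(Compartment* c, Object* target = nullptr) {
    heap.push_back(std::make_unique<Object>(Object{c, target, {}}));
    return heap.back().get();
  }
};

// Stand-in for js::ContextChecks::check(JSObject*, int): a debug build
// MOZ_CRASHes on mismatch; this model reports it and returns false.
static bool checkCompartment(const Context& cx, const Object* obj, int argIndex) {
  if (obj && obj->compartment != cx.current) {
    std::fprintf(stderr, "Compartment mismatch %s vs. %s at argument %d\n",
                 cx.current->name.c_str(), obj->compartment->name.c_str(), argIndex);
    return false;
  }
  return true;
}

// Stand-in for JS_WrapValue: an object from another compartment is replaced
// by a CCW allocated in the current compartment.
static Object* wrapObject(Context& cx, Object* obj) {
  if (!obj || obj->compartment == cx.current) return obj;
  return cx.newObject(cx.current, obj);
}

// Stand-in for DefineDataProperty: every argument is checked before the
// reference is stored (argument 1 is the holder, argument 2 the value).
static bool defineDataProperty(Context& cx, Object* holder,
                               const std::string& key, Object* value) {
  if (!checkCompartment(cx, holder, 1) || !checkCompartment(cx, value, 2)) return false;
  holder->props.emplace_back(key, value);
  return true;
}

// Model of PackAndPostMessage: the value to post lives in the other realm (B)
// while the context has entered the holder's realm (A). wrap == false
// reproduces the reported mismatch; wrap == true is the "wrap before posting"
// fix. Returns -1 on mismatch, 1 if the holder now points at a CCW, 0 if it
// would hold the foreign object directly (the unsafe state the check prevents).
int packMessage(bool wrap) {
  Compartment realmA{"realmA"}, realmB{"realmB"};
  Context cx{&realmA, {}};
  Object* holder = cx.newObject(&realmA);
  Object* value = cx.newObject(&realmB);
  if (wrap) value = wrapObject(cx, value);
  if (!defineDataProperty(cx, holder, "value", value)) return -1;
  const Object* stored = holder->props.front().second;
  return (stored->compartment == &realmA && stored->wrappedTarget) ? 1 : 0;
}
```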

Depends on D176697

Comment on attachment 9330705 [details]
Bug 1830190 - Wrap before posting a message r=mgaudet

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: One would need to have background knowledge that lack of wrapping can cause UAF in cross-realm case.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 102+
  • If not all supported branches, which bug introduced the flaw?: Bug 1659025
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Uplifting should be able to be done cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: Not likely; it just wraps the object, nothing else.
  • Is Android affected?: Yes
Attachment #9330705 - Flags: sec-approval?
Severity: -- → S2
Priority: -- → P2

Comment on attachment 9330705 [details]
Bug 1830190 - Wrap before posting a message r=mgaudet

Approved to land and uplift

Attachment #9330705 - Flags: sec-approval? → sec-approval+
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][reminder-test 2023-07-18]
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

Verified bug as fixed on rev mozilla-central 20230511213213-375c5940c253.

Status: RESOLVED → VERIFIED

The patch landed in nightly and beta is affected.
:saschanaz, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox114 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(krosylight)

Hi Tom, per the sec approval document:

> Security team marks tracking flags to ? for all affected versions when approved for central. (This allows release management to decide whether to uplift to branches just like always.)

I guess I don't need to do anything in that case for comment #17, am I right?

Flags: needinfo?(krosylight) → needinfo?(tom)

The tracking flag skipped the ? step, because Ryan automatically marked it as tracked for Beta. So yes, please request uplift of the patch to Beta.

Flags: needinfo?(tom)

Comment on attachment 9330705 [details]
Bug 1830190 - Wrap before posting a message r=mgaudet

Beta/Release Uplift Approval Request

  • User impact if declined: Potential security issue with use-after-free
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This only wraps the JS object and nothing else.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9330705 - Flags: approval-mozilla-beta?
Attachment #9330705 - Flags: approval-mozilla-esr102?

Comment on attachment 9330705 [details]
Bug 1830190 - Wrap before posting a message r=mgaudet

Approved for 114.0b6.

Attachment #9330705 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9330705 [details]
Bug 1830190 - Wrap before posting a message r=mgaudet

Approved for 102.12esr.

Attachment #9330705 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Flags: qe-verify-
Whiteboard: [bugmon:bisected,confirmed][reminder-test 2023-07-18] → [bugmon:bisected,confirmed][reminder-test 2023-07-18][adv-main114+r]
Whiteboard: [bugmon:bisected,confirmed][reminder-test 2023-07-18][adv-main114+r] → [bugmon:bisected,confirmed][reminder-test 2023-07-18][adv-main114+r][adv-esr102.12+r]

2 months ago, tjr placed a reminder on the bug using the whiteboard tag [reminder-test 2023-07-18] .

saschanaz, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(krosylight)
Whiteboard: [bugmon:bisected,confirmed][reminder-test 2023-07-18][adv-main114+r][adv-esr102.12+r] → [bugmon:bisected,confirmed][adv-main114+r][adv-esr102.12+r]

Hmm, my understanding was that I can push the test only after the sec bug becomes public, but the doc says:

> Tests can be landed once the release containing fixes has been live at least 4 weeks.

Sounds like it's okay to land it now.

Flags: needinfo?(krosylight)
Group: core-security-release
Keywords: bugmon
