Re: [tor-bugs] #21962 [Applications/Tor Browser]: Segmentation fault with "high" security when changing in about:addons to "Extensions" or "Appearance"



#21962: Segmentation fault with "high" security when changing in about:addons to
"Extensions" or "Appearance"
-------------------------------------------------+-------------------------
 Reporter:  viktorj                              |          Owner:
                                                 |  arthuredelstein
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-crash, tbb-usability, ff52-esr,  |  Actual Points:
  tbb-7.0-must-alpha, TorBrowserTeam201704       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by mcs):

 Kathy and I are also looking at this ticket. Arthur, please let us know if
 you are making progress so we are not duplicating work.

 We can reproduce the crash, and we believe that the immediate cause is the
 `static_cast` that is in this code from Element.cpp:
 {{{
 const nsAttrValue*
 nsIContent::DoGetClasses() const
 {
   MOZ_ASSERT(HasFlag(NODE_MAY_HAVE_CLASS), "Unexpected call");
   MOZ_ASSERT(IsElement(), "Only elements can have classes");

   if (IsSVGElement()) {
     const nsAttrValue* animClass =
       static_cast<const nsSVGElement*>(this)->GetAnimatedClassName();
     if (animClass) {
       return animClass;
     }
   }

   return AsElement()->GetParsedAttr(nsGkAtoms::_class);
 }
 }}}

 But the above code is not new. Our current working theory is that SVGs are
 being blocked in error early during creation of the about:addons document
 (and possibly in other cases) even though they should be allowed. If some
 time later SVGs are perceived as allowed, then Bad Things will occur such
 as doing a static_cast to the wrong kind of object.

 In theory, and hopefully in practice, the Mozilla patch to block SVGs is
 better than our approach because it assigns an alternate namespace for
 SVGs at element creation time, which should avoid these kinds of
 static_cast bugs.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21962#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
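The failure mode mcs describes above (an element created as a non-SVG object while SVG is blocked, then treated as an SVG element once the policy answer changes, so the static_cast targets the wrong type) can be shown in a small model. The following is an added example, not Firefox, Tor Browser or Mozilla code; Kind, Element, SvgElement, GenericElement, CreateElement, IsSvgByPolicy, IsSvgByKind, WouldMiscast and the toy DoGetClasses are assumptions of this model. It avoids actually executing the bad cast (undefined behaviour) and instead detects the exact condition under which it would happen, then shows the creation-time variant of the check that cannot diverge from the object's real type:

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <utility>

// Added example (not Firefox/Tor Browser code): toy model of the ticket's bug.
// All names below are assumptions made for this model.

// Simulated security policy: SVG is blocked (false) at the "high" security level.
static bool g_svgAllowed = false;

enum class Kind { Generic, Svg };

struct Element {
  Element(Kind k, std::string t) : kind(k), tag(std::move(t)) {}
  virtual ~Element() = default;
  Kind kind;                           // fixed when the element is created
  std::string tag;                     // tag name as written in the markup
  std::string classAttr = "parsed-class";
  const std::string* GetParsedClassAttr() const { return &classAttr; }
};

struct GenericElement : Element {
  explicit GenericElement(std::string t) : Element(Kind::Generic, std::move(t)) {}
};

struct SvgElement : Element {
  explicit SvgElement(std::string t) : Element(Kind::Svg, std::move(t)) {}
  std::string animClass = "anim-class";
  const std::string* GetAnimatedClassName() const { return &animClass; }
};

// Creation-time decision: an <svg> tag only becomes an SvgElement when the
// policy allows SVG at that moment; otherwise it is built as a GenericElement.
std::unique_ptr<Element> CreateElement(const std::string& tag) {
  if (tag == "svg" && g_svgAllowed) return std::make_unique<SvgElement>(tag);
  return std::make_unique<GenericElement>(tag);
}

// Use-time predicate that re-asks the policy. If the policy answer changed
// after creation, this disagrees with the object's real type.
bool IsSvgByPolicy(const Element& e) { return e.tag == "svg" && g_svgAllowed; }

// Use-time predicate tied to the object itself; cannot disagree with its type.
bool IsSvgByKind(const Element& e) { return e.kind == Kind::Svg; }

// True exactly when an unchecked static_cast<const SvgElement*> guarded by the
// policy predicate would be applied to a GenericElement (the crash condition).
bool WouldMiscast(const Element& e) { return IsSvgByPolicy(e) && !IsSvgByKind(e); }

// Model of DoGetClasses with the cast guarded by the object's creation-time
// kind, so a later policy flip cannot turn the cast into a type confusion.
const std::string* DoGetClasses(const Element& e) {
  if (IsSvgByKind(e)) {
    // Sound: kind == Svg is an invariant set only by SvgElement's constructor.
    const SvgElement& svg = static_cast<const SvgElement&>(e);
    if (const std::string* anim = svg.GetAnimatedClassName()) return anim;
  }
  return e.GetParsedClassAttr();
}

// Replays the sequence from the ticket: element created while SVG is blocked,
// policy later reports SVG as allowed, element is then used.
bool ReproducesPolicyMismatch() {
  g_svgAllowed = false;
  std::unique_ptr<Element> e = CreateElement("svg");  // built as GenericElement
  g_svgAllowed = true;                                 // policy answer changes
  bool miscast = WouldMiscast(*e);
  g_svgAllowed = false;                                // restore for other callers
  return miscast;
}
```

The point of the model is the last paragraph of the comment: once the "is this SVG?" answer is fixed at creation time and stored on the object (here `kind`, in Mozilla's approach an alternate namespace), the predicate guarding the downcast and the object's real type are the same fact and cannot drift apart.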