[tor-bugs] #21962 [Applications/Tor Browser]: Segmentation fault with "high" security when changing in about:addons to "Extensions" or "Appearance"

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 18 17:42:09 UTC 2017


#21962: Segmentation fault with "high" security when changing in about:addons to
"Extensions" or "Appearance"
-------------------------------------------------+-------------------------
 Reporter:  viktorj                              |          Owner:
                                                 |  arthuredelstein
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-crash, tbb-usability, ff52-esr,  |  Actual Points:
  tbb-7.0-must-alpha, TorBrowserTeam201704       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by mcs):

 Kathy and I are also looking at this ticket. Arthur, please let us know if
 you are making progress so we are not duplicating work.

 We can reproduce the crash, and we believe that the immediate cause is the
 `static_cast` that is in this code from Element.cpp:
 {{{
 const nsAttrValue*
 nsIContent::DoGetClasses() const
 {
   MOZ_ASSERT(HasFlag(NODE_MAY_HAVE_CLASS), "Unexpected call");
   MOZ_ASSERT(IsElement(), "Only elements can have classes");

   if (IsSVGElement()) {
     const nsAttrValue* animClass =
       static_cast<const nsSVGElement*>(this)->GetAnimatedClassName();
     if (animClass) {
       return animClass;
     }
   }

   return AsElement()->GetParsedAttr(nsGkAtoms::_class);
 }
 }}}

 But the above code is not new. Our current working theory is that SVGs are
 being blocked in error early during creation of the about:addons document
 (and possibly in other cases) even though they should be allowed. If some
 time later SVGs are perceived as allowed, then Bad Things will occur such
 as doing a static_cast to the wrong kind of object.

 In theory, and hopefully in practice, the Mozilla patch to block SVGs is
 better than our approach because it assigns an alternate namespace for
 SVGs at element creation time, which should avoid these kinds of
 static_cast bugs.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21962#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
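A small C++ model of the type-confusion hazard mcs describes, added here as an illustration and not code from Gecko or Tor Browser. The `Element`/`SvgElement` classes, the `Ns` enum and the two factory functions are constructed for the example; it contrasts recording "SVG blocked" only in the concrete class with recording it in the namespace at creation time, and uses `dynamic_cast` purely as a safe detector of the mismatch.

```cpp
#include <memory>
#include <string>

// Constructed model (not Gecko code): the namespace tag is fixed when the
// element is created, and IsSvgElement() answers from that tag alone.
enum class Ns { Html, Svg, DisabledSvg };

struct Element {
  explicit Element(Ns n) : ns(n) {}
  virtual ~Element() = default;
  bool IsSvgElement() const { return ns == Ns::Svg; }
  Ns ns;
};

struct SvgElement : Element {
  SvgElement() : Element(Ns::Svg) {}
  std::string animatedClass = "anim";
};

// Approach 1 (the failure mode described in the comment): blocking SVG only
// changes which concrete class is built; the object still carries the SVG
// namespace, so IsSvgElement() says "yes" for a plain Element and a later
// static_cast<SvgElement*> would operate on the wrong kind of object.
std::unique_ptr<Element> CreateSvgBlockedByClass(bool svgAllowed) {
  if (svgAllowed) return std::make_unique<SvgElement>();
  return std::make_unique<Element>(Ns::Svg);
}

// Approach 2 (the alternate-namespace mitigation mcs refers to): a blocked SVG
// is created in a different namespace, so predicate and concrete type agree.
std::unique_ptr<Element> CreateSvgBlockedByNamespace(bool svgAllowed) {
  if (svgAllowed) return std::make_unique<SvgElement>();
  return std::make_unique<Element>(Ns::DisabledSvg);
}

// True when the guard that precedes the static_cast would pass on an object
// that is not an SvgElement: the precondition for the crash. dynamic_cast is
// used here only as a detector; the quoted DoGetClasses relies on the guard.
bool WouldConfuseType(const Element& e) {
  return e.IsSvgElement() && dynamic_cast<const SvgElement*>(&e) == nullptr;
}

// Checked accessor for the model: only casts when the dynamic type matches.
std::string AnimatedClassOrEmpty(const Element& e) {
  if (auto* svg = dynamic_cast<const SvgElement*>(&e)) return svg->animatedClass;
  return "";
}
```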

