packages/mozjs78
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-22740

Browse Source
This commit is contained in:
sun_hai_10 2024-06-13 17:26:01 +08:00
parent 0e5f28c74f
commit 295dbdbe05
2 changed files with 130 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
CVE-2022-22740.patch Normal file
View File

@ -0,0 +1,125 @@
From c6649f32c4edf56f91541df6ae1d4bfe15d1179b Mon Sep 17 00:00:00 2001
From: Valentin Gosu <valentin.gosu@gmail.com>
Date: Wed, 29 May 2024 17:01:27 +0800
Subject: [PATCH] Make sure to null out ChannelEventQueue::mOwner when object is released
Conflict :NA
Reference:https://hg.mozilla.org/integration/autoland/rev/2c34e2c06639132ae6a00b440c8835b2a44f42ad
---
netwerk/ipc/ChannelEventQueue.cpp | 11 ++++++++++-
netwerk/ipc/ChannelEventQueue.h | 5 +++++
netwerk/protocol/http/HttpChannelChild.cpp | 1 +
netwerk/protocol/http/HttpChannelParent.cpp | 1 +
netwerk/protocol/http/HttpTransactionParent.cpp | 1 +
netwerk/protocol/websocket/WebSocketChannelChild.cpp | 1 +
.../extensions/webrequest/StreamFilterParent.cpp | 1 +
7 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/netwerk/ipc/ChannelEventQueue.cpp b/netwerk/ipc/ChannelEventQueue.cpp
index c02f892ba8..ba5235b62e 100644
--- a/netwerk/ipc/ChannelEventQueue.cpp
+++ b/netwerk/ipc/ChannelEventQueue.cpp
@@ -34,7 +34,12 @@ void ChannelEventQueue::FlushQueue() {
// Events flushed could include destruction of channel (and our own
// destructor) unless we make sure its refcount doesn't drop to 0 while this
// method is running.
- nsCOMPtr<nsISupports> kungFuDeathGrip(mOwner);
+ nsCOMPtr<nsISupports> kungFuDeathGrip;
+ {
+ MutexAutoLock lock(mMutex);
+ kungFuDeathGrip = mOwner;
+ }
+
mozilla::Unused << kungFuDeathGrip; // Not used in this function
#ifdef DEBUG
@@ -156,6 +161,10 @@ void ChannelEventQueue::ResumeInternal() {
nsCOMPtr<nsISupports> mOwner;
};
+ if (!mOwner) {
+ return;
+ }
+
// Worker thread requires a CancelableRunnable.
RefPtr<Runnable> event = new CompleteResumeRunnable(this, mOwner);
diff --git a/netwerk/ipc/ChannelEventQueue.h b/netwerk/ipc/ChannelEventQueue.h
index 650ee5b96f..aedbc00c63 100644
--- a/netwerk/ipc/ChannelEventQueue.h
+++ b/netwerk/ipc/ChannelEventQueue.h
@@ -171,6 +171,11 @@ class ChannelEventQueue final {
// dispatched in a new event on the current thread.
void Resume();
+ void NotifyReleasingOwner() {
+ MutexAutoLock lock(mMutex);
+ mOwner = nullptr;
+ }
+
private:
// Private destructor, to discourage deletion outside of Release():
~ChannelEventQueue() = default;
diff --git a/netwerk/protocol/http/HttpChannelChild.cpp b/netwerk/protocol/http/HttpChannelChild.cpp
index 2949f7f35c..ba06148c61 100644
--- a/netwerk/protocol/http/HttpChannelChild.cpp
+++ b/netwerk/protocol/http/HttpChannelChild.cpp
@@ -228,6 +228,7 @@ HttpChannelChild::~HttpChannelChild() {
mLoadInfo->RedirectChainIncludingInternalRedirects().Length(), flags);
}
#endif
+ mEventQ->NotifyReleasingOwner();
ReleaseMainThreadOnlyReferences();
}
diff --git a/netwerk/protocol/http/HttpChannelParent.cpp b/netwerk/protocol/http/HttpChannelParent.cpp
index 9ebae5fc7a..40ea4283cf 100644
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@@ -1058,6 +1058,7 @@ void HttpChannelParent::ContinueRedirect2Verify(const nsresult& aResult) {
mRedirectCallback->OnRedirectVerifyCallback(aResult);
mRedirectCallback = nullptr;
}
+ mEventQ->NotifyReleasingOwner();
}
mozilla::ipc::IPCResult HttpChannelParent::RecvDocumentChannelCleanup(
diff --git a/netwerk/protocol/http/HttpTransactionParent.cpp b/netwerk/protocol/http/HttpTransactionParent.cpp
index 041ecb804d..37d0e996c8 100644
--- a/netwerk/protocol/http/HttpTransactionParent.cpp
+++ b/netwerk/protocol/http/HttpTransactionParent.cpp
@@ -99,6 +99,7 @@ HttpTransactionParent::HttpTransactionParent(bool aIsDocumentLoad)
HttpTransactionParent::~HttpTransactionParent() {
LOG(("Destroying HttpTransactionParent @%p\n", this));
+ mEventQ->NotifyReleasingOwner();
}
//-----------------------------------------------------------------------------
diff --git a/netwerk/protocol/websocket/WebSocketChannelChild.cpp b/netwerk/protocol/websocket/WebSocketChannelChild.cpp
index a9b7a52bb7..e0d2b2137c 100644
--- a/netwerk/protocol/websocket/WebSocketChannelChild.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannelChild.cpp
@@ -63,6 +63,7 @@ WebSocketChannelChild::WebSocketChannelChild(bool aEncrypted)
WebSocketChannelChild::~WebSocketChannelChild() {
LOG(("WebSocketChannelChild::~WebSocketChannelChild() %p\n", this));
+ mEventQ->NotifyReleasingOwner();
}
void WebSocketChannelChild::AddIPDLReference() {
diff --git a/toolkit/components/extensions/webrequest/StreamFilterParent.cpp b/toolkit/components/extensions/webrequest/StreamFilterParent.cpp
index 6632712fbf..aac58f2871 100644
--- a/toolkit/components/extensions/webrequest/StreamFilterParent.cpp
+++ b/toolkit/components/extensions/webrequest/StreamFilterParent.cpp
@@ -106,6 +106,7 @@ StreamFilterParent::~StreamFilterParent() {
NS_ReleaseOnMainThread("StreamFilterParent::mOrigListener",
mOrigListener.forget());
NS_ReleaseOnMainThread("StreamFilterParent::mContext", mContext.forget());
+ mQueue->NotifyReleasingOwner();
}
auto StreamFilterParent::Create(dom::ContentParent* aContentParent,
--
2.33.0

6
mozjs78.spec
View File

@ -2,7 +2,7 @@
Name: mozjs%{major} Name: mozjs%{major}
Version: 78.4.0 Version: 78.4.0
Release: 6 Release: 7
Summary: SpiderMonkey JavaScript library Summary: SpiderMonkey JavaScript library
License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0 License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0
URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
@ -29,6 +29,7 @@ Patch13: backport-CVE-2023-23602.patch
Patch14: CVE-2021-29946.patch Patch14: CVE-2021-29946.patch
Patch15: CVE-2022-34481.patch Patch15: CVE-2022-34481.patch
Patch16: CVE-2023-29532.patch Patch16: CVE-2023-29532.patch
Patch17: CVE-2022-22740.patch
BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib) BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib)
BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust
@ -108,6 +109,9 @@ popd
%doc js/src/README.html %doc js/src/README.html
%changelog %changelog
* Thu Jun 13 2024 sunhai <sunhai10@huawei.com> - 78.4.0-7
- fix CVE-2022-22740
* Wed Jun 12 2024 technology208 <technology@208suo.com> - 78.4.0-6 * Wed Jun 12 2024 technology208 <technology@208suo.com> - 78.4.0-6
- fix CVE-2023-29532 - fix CVE-2023-29532