Opened 9 months ago

Closed 7 months ago

#28711 closed defect (fixed)

Store Arraybuffer Metadata in its own Arena

Reported by: tom
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, TorBrowserTeam201901R, GeorgKoppen201901
Cc:
Actual Points:
Parent ID: #28707
Points:
Reviewer:
Sponsor:

Description

The bug tracks backporting and landing https://bugzilla.mozilla.org/show_bug.cgi?id=1474659 to move ArrayBuffer metadata (including length) into its own jemalloc arena. This will hopefully make it harder to write exploits that fiddle the length of ArrayBuffers.
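
An added illustration, not code from this ticket, the Mozilla patch, or jemalloc: a toy bump allocator showing why keeping length metadata in its own arena takes it out of reach of a linear overrun from neighbouring buffer contents. The names `arena_t`, `buf_meta_t` and `exposed()` are hypothetical, and the 64-byte buffers and 32-byte overrun are constructed values; the check is pure address arithmetic and nothing is written out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy bump-pointer arena: a constructed model of heap partitioning, not jemalloc. */
typedef struct { uint8_t *base; size_t cap, used; } arena_t;
/* Hypothetical metadata record; `length` is the field the mitigation protects. */
typedef struct { size_t length; uint8_t *data; } buf_meta_t;

static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 15) & ~(size_t)15;                  /* round up to 16 bytes */
    if (!a->base || n > a->cap - a->used) return NULL;
    void *p = a->base + a->used;
    a->used += n;
    return p;
}

/* Metadata from meta_arena, contents from data_arena; same arena twice = unpartitioned heap. */
static buf_meta_t *buf_new(arena_t *data_arena, arena_t *meta_arena, size_t len) {
    buf_meta_t *m = arena_alloc(meta_arena, sizeof *m);
    if (!m) return NULL;
    m->data = arena_alloc(data_arena, len);
    if (!m->data) return NULL;
    m->length = len;
    return m;
}

/* Would a linear write of `overrun` bytes past the end of a's contents
   overlap b's metadata record? Address arithmetic only. */
static int overrun_reaches_meta(const buf_meta_t *a, const buf_meta_t *b, size_t overrun) {
    uintptr_t start = (uintptr_t)a->data + a->length, end = start + overrun;
    uintptr_t meta = (uintptr_t)b;
    return meta < end && meta + sizeof *b > start;
}

/* Allocate two 64-byte buffers and test a 32-byte overrun from the first. */
static int exposed(int partitioned) {
    arena_t data = { malloc(4096), 4096, 0 }, meta = { malloc(4096), 4096, 0 };
    arena_t *meta_arena = partitioned ? &meta : &data;
    buf_meta_t *a = buf_new(&data, meta_arena, 64);
    buf_meta_t *b = buf_new(&data, meta_arena, 64);
    int hit = a && b && overrun_reaches_meta(a, b, 32);
    free(data.base); free(meta.base);
    return hit;
}

int main(void) {
    return printf("shared=%d separate=%d\n", exposed(0), exposed(1)) < 0;
}
```

In the shared layout the second buffer's metadata sits directly after the first buffer's contents, so the overrun range covers it; with a separate metadata arena the same range only covers other buffer contents.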

Change History (6)

comment:2 Changed 8 months ago by gk

Keywords: tbb-security TorBrowserTeam201812 added

Thanks. We should ship this in the next alpha unless anything explodes in our nightly builds earlier on.

comment:3 Changed 8 months ago by gk

Keywords: TorBrowserTeam201901 GeorgKoppen201901 added; TorBrowserTeam201812 removed

comment:4 Changed 8 months ago by gk

Keywords: TorBrowserTeam201901R added; TorBrowserTeam201901 removed
Status: new → needs_review

Okay, bug_28711_v2 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_28711_v2) has two commits that contain the backport. I tested resulting builds a bit on Windows, Linux, and Android and nothing exploded.

comment:5 Changed 7 months ago by pospeselr

These patches look good to me.

comment:6 Changed 7 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks! Merged to tor-browser60.4.0esr-8.5-1 (commit f1381907e4a9a586e38c322dcb8f1bd02315d691 and 4aa3f9efbdfa62123ed657ce27231ff27d36d9d2).