script: Ban `FnBox<()>` and lock down the dangerous generic `no_jsmanaged_fields!` implementations. #14443
highfive
commented
Dec 3, 2016
Heads up! This PR modifies the following files:
highfive
commented
Dec 3, 2016
| @@ -395,6 +457,7 @@ impl<'a> JSTraceable for &'a str { | |||
| } | |||
| } | |||
| // Safe because | |||
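Review bot: the `// Safe because` comment at the end of this hunk carries no reason in the hunk as rendered here; the justification given in the thread (fn pointers hold no data, so they can contain no roots) belongs in the committed comment itself, where the next reader of the no-op `trace` will actually see it.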
Manishearth
Dec 3, 2016
Member
(safe because fn pointers don't contain data and thus can't contain roots)
| #[inline] | ||
| fn trace(&self, _: *mut JSTracer) { | ||
| // Do nothing | ||
| } | ||
| } | ||
| impl JSTraceable for () { | ||
| impl<T: Reflectable> JSTraceable for Trusted<T> { |
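Review bot: `impl<T: Reflectable> JSTraceable for Trusted<T>` at the end of this hunk is a generic impl sitting right after the concrete `impl JSTraceable for ()`; since the description says all generics are removed from the no-op tracing, either its `trace` body must recurse into `T`, or a comment should state why a no-op is sound for `Trusted<T>` whatever `T` is, so that the concrete-types-only lint discussed in the thread can whitelist this impl deliberately rather than by accident.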
| } | ||
| } | ||
| impl JSTraceable for Mutex<Option<SharedRt>> { |
Manishearth
Dec 3, 2016
Member
feel like we should be using the macro for these so that we can later lint that the impl is on a type that exists completely outside of this crate
pcwalton
Dec 3, 2016
Author
Contributor
Well, I removed the ability of the macro to parse <> entirely, just to be on the safe side. Would you prefer I add it back or is this OK?
Manishearth
Dec 3, 2016
Member
We should be able to implement it on concrete types, just not generic ones (`impl<T> JSTraceable for Foo<T>`). When we add the lint check it can recurse type parameters of the concrete types.

Overall looks good
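The rule discussed in this thread, shown as an added illustration that is not Servo's code: a concrete-only `no_jsmanaged_fields!` (assumed to take whole types, one per argument) can never produce a blanket `impl<T>`, while a hand-written generic no-op silently hides any root its parameter holds. `JSTracer`, `JSRoot`, `Traced`, `NoOp` and `roots_reported` are stand-ins invented for this example.

```rust
use std::collections::HashSet;

/// Stand-in for SpiderMonkey's JSTracer (assumed here): records every
/// GC-managed object it is shown during a trace.
#[derive(Default)]
pub struct JSTracer { pub seen: HashSet<usize> }

pub trait JSTraceable {
    fn trace(&self, trc: &mut JSTracer);
}

/// Stand-in for a GC-managed pointer; `id` names the heap object.
pub struct JSRoot { pub id: usize }
impl JSTraceable for JSRoot {
    fn trace(&self, trc: &mut JSTracer) { trc.seen.insert(self.id); }
}

/// Concrete-only flavour of `no_jsmanaged_fields!`: every argument is a
/// complete type, and no generic parameter is ever introduced, so a
/// blanket `impl<T> JSTraceable for Foo<T>` cannot be written through it.
macro_rules! no_jsmanaged_fields {
    ($($ty:ty),+ $(,)?) => {
        $(impl JSTraceable for $ty {
            #[inline]
            fn trace(&self, _: &mut JSTracer) { /* holds no GC roots */ }
        })+
    };
}
no_jsmanaged_fields!(f64, [f64; 16], (u32, bool));

/// Sound generic impl: it recurses into the parameter instead of ignoring it.
pub struct Traced<T>(pub T);
impl<T: JSTraceable> JSTraceable for Traced<T> {
    fn trace(&self, trc: &mut JSTracer) { self.0.trace(trc); }
}

/// The pattern the PR bans: a generic no-op. Whatever `T` holds, even a
/// JSRoot, is never reported to the GC, which may then free it.
pub struct NoOp<T>(pub T);
impl<T> JSTraceable for NoOp<T> {
    fn trace(&self, _: &mut JSTracer) {}
}

/// Number of GC objects a value reports when traced.
pub fn roots_reported<T: JSTraceable>(value: &T) -> usize {
    let mut trc = JSTracer::default();
    value.trace(&mut trc);
    trc.seen.len()
}
```

A `no_jsmanaged_fields!(Foo<T>)` call does not compile here because `T` is unbound, which is exactly the property the concrete-only macro buys.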
| } | ||
| } | ||
| impl JSTraceable for Matrix4D<f64> { |
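Review bot: `impl JSTraceable for Matrix4D<f64>` is on a concrete instantiation, which fits the concrete-types-only rule from the thread; since its soundness rests on `f64` elements holding no GC pointers, a one-line comment saying so would stop a `Matrix4D<T>` impl from being added later by analogy.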
pcwalton
Dec 3, 2016
Author
Contributor
Well, then I'd have to trace all the elements of the matrix. This ends up being shorter. I can do that if you prefer though.
I kinda want to clean up that PR, because you did many unrelated changes in a single commit.

Please land this very soon if you do. Remote code execution fixes must land as soon as possible. Do not bikeshed on them. Do not delay them. Just land them. It sets a very very bad precedent if we do not.

Superseded by #14473.
pcwalton commented Dec 3, 2016
edited by larsbergstrom
Closes #14416.

The basic cause for that UAF was the unsafe use of `FnBox<()>` in the rooting protocol for the JS engine integration. This patch fixes that bug and removes all generics and existentials from the no-op tracing, as they were all dangerous. There should be no more ways to get UAF from DOM heap rooting without writing custom trace hooks.

r? @nox