Re: [w3c/IndexedDB] Transactions should be marked as inactive during key serialization (Issue #476)

asutherland left a comment (w3c/IndexedDB#476)

Firefox had a use-after-free (Gecko [CVE Bug 1501152 with the nefarious test case](https://bugzilla.mozilla.org/show_bug.cgi?id=1501152) but with [Bug 1544750](https://bugzilla.mozilla.org/show_bug.cgi?id=1544750) being the "cover" bug due to the rare complexity of the fix) in this area that I believe helped motivate the spec change in https://github.com/w3c/IndexedDB/pull/310 following TPAC 2019 discussion, with [Gecko bug 1598164 fixed in 2019](https://bugzilla.mozilla.org/show_bug.cgi?id=1598164) being where we made those changes.

While it's my hope that any new browser engines adding IDB support would be written in a way that makes UAFs impossible, I think it would be nice to expand the clone-invariant to key serialization as well in the interest of sanity.

There are some API choices that feel like a jobs program for security researchers, and explicitly allowing the IDB API to be re-entrant during structured serialization or anything that looks like structured serialization seems like it would be one too.  I don't think there's any reasonable situation where application code would intentionally want to reentrantly call IDB in a case like this other than trying to fashion a security exploit (and any other case is likely to involve a serious application logic bug).  Given that I believe Firefox has constrained key serialization for 6 years, hopefully we would have uncovered any application breakage that did depend on it during this extensive time period.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/IndexedDB/issues/476#issuecomment-3423707216

Message ID: <w3c/IndexedDB/issues/476/3423707216@github.com>

Received on Monday, 20 October 2025 21:02:38 UTC
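The re-entrancy the comment above warns about, as an added illustration that is not code from the original comment, the IndexedDB spec, or any browser engine: a toy model of an IDB put() whose key conversion and value cloning follow the shape of the spec's algorithms (Get on each array index and own property, so accessor properties run script mid-serialization), with a transaction "active" flag that can be cleared around the clone step alone (the state after PR #310) or around both steps (what extending the invariant to key serialization would mean). All names (ToyStore, runStep, reentrancyProbe) are invented here, the key model omits ArrayBuffer and binary keys, and the "store" is a Map rather than a real database.

```javascript
// Added illustration (not from the original comment, the IndexedDB spec, or a
// browser engine): model of put() whose key conversion and value clone can be
// re-entered from accessor properties, with a transaction "active" flag.

class TransactionInactiveError extends Error {
  constructor() { super("transaction is not active"); this.name = "TransactionInactiveError"; }
}
class DataError extends Error {
  constructor(msg) { super(msg); this.name = "DataError"; }
}

// Model of "convert a value to a key" for numbers, strings, Dates and arrays
// (binary keys omitted). Reading input.length and input[i] is where arbitrary
// script can run (an accessor property or a Proxy), as in the spec's Get() steps.
function convertValueToKey(input, seen = new Set()) {
  if (typeof input === "number") {
    if (Number.isNaN(input)) throw new DataError("NaN is not a valid key");
    return { type: "number", value: input };
  }
  if (typeof input === "string") return { type: "string", value: input };
  if (input instanceof Date) return { type: "date", value: input.getTime() };
  if (Array.isArray(input)) {
    if (seen.has(input)) throw new DataError("cyclic array key");
    seen.add(input);
    const len = input.length;            // Get(input, "length")
    const subkeys = [];
    for (let i = 0; i < len; i++) {
      if (!Object.prototype.hasOwnProperty.call(input, i)) throw new DataError("hole in array key");
      subkeys.push(convertValueToKey(input[i], seen));   // Get(input, i): a getter runs here
    }
    return { type: "array", value: subkeys };
  }
  throw new DataError("not a valid key");
}

// Minimal stand-in for structured clone: own enumerable properties via Get,
// so accessor properties on the value also run script during cloning.
function cloneValue(value) {
  if (value === null || typeof value !== "object") return value;
  if (Array.isArray(value)) return value.map((v) => cloneValue(v));
  const out = {};
  for (const k of Object.keys(value)) out[k] = cloneValue(value[k]);
  return out;
}

class ToyStore {
  // inactiveDuring: Set of step names ("clone", "key") during which the
  // transaction is marked inactive, so re-entrant put() calls throw.
  constructor(inactiveDuring) {
    this.active = true;
    this.inactiveDuring = inactiveDuring;
    this.records = new Map();
    this.depth = 0;             // > 0 while a put() is mid-serialization
  }
  runStep(name, fn) {
    const wasActive = this.active;
    if (this.inactiveDuring.has(name)) this.active = false;
    this.depth++;
    try { return fn(); } finally { this.depth--; this.active = wasActive; }
  }
  put(value, key) {
    if (!this.active) throw new TransactionInactiveError();
    const cloned = this.runStep("clone", () => cloneValue(value));
    const k = this.runStep("key", () => convertValueToKey(key));
    this.records.set(JSON.stringify(k), cloned);
    return k;
  }
}

// One put() whose value and whose key each carry a getter that re-enters the
// store. Returns what each re-entrant attempt observed and the final record count.
function reentrancyProbe(inactiveDuring) {
  const store = new ToyStore(new Set(inactiveDuring));
  const seen = {};
  const attempt = (label) => {
    try { store.put("injected-" + label, [label]); seen[label] = "succeeded"; }
    catch (e) { seen[label] = e.name; }
    seen[label + "Depth"] = store.depth;   // 1: the call ran mid-serialization
  };
  const value = { a: 1 };
  Object.defineProperty(value, "b", { enumerable: true, get() { attempt("viaValue"); return 2; } });
  const key = [1];
  Object.defineProperty(key, 1, { enumerable: true, get() { attempt("viaKey"); return 2; } });
  store.put(value, key);
  return { ...seen, records: store.records.size };
}
```

With no step deactivated, both getters re-enter the store successfully and three records land; with only the clone step deactivated, the value-side re-entry throws TransactionInactiveError but the key-side one still succeeds, which is the gap the issue is about; with both steps deactivated, each re-entrant call throws and only the outer record is written. Re-entry in this model only inserts an extra record; in a native engine the same window is where serializer state held across the callback can be invalidated.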