crash in arena_dalloc | je_free | nsACString_internal::SetLength(unsigned int)

RESOLVED DUPLICATE of bug 1035075

Severity: critical
Reported: 4 years ago
Modified: 2 years ago

People: Reporter: davidb, Unassigned

Tracking: crash, sec-high

Firefox Tracking Flags: Not tracked

Details: crash signature
This bug was filed from the Socorro interface and is report bp-07d14514-5697-4a15-a907-7d3872140531.
=============================================================

Filing in networking to start; I'm not sure where this belongs.

Note crash dump analysis rates exploitability high.

More reports are here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=arena_dalloc+|+je_free+|+nsACString_internal%3A%3ASetLength%28unsigned+int%29
Something has messed up the allocator's memory; we need to find and fix it.
Component: Networking → jemalloc
Keywords: sec-high

Comment 2 (4 years ago)
I'm pretty sure this is actually a Networking issue, my guess is jemalloc is being handed junk memory. A random sampling of the stacks indicates the same path each time with the most likely root cause being the call to |mPAC.GetProxyForURI| [1] in |nsPACMan::ProcessPending|.

[1] http://hg.mozilla.org/releases/mozilla-release/annotate/529a45c94e5a/netwerk/base/src/nsPACMan.cpp#l550
Component: jemalloc → Networking
Patrick, you know the PAC code best, but we can also hand this to Valentin or Dragana, etc.
Flags: needinfo?(mcmanus)
Bug 1035075 might be similar: a UAF in the PAC code. Not sure exactly what has changed in that space; some of the JS team made some updates for API changes with JS that might be causing the issue. I asked Steve if he wanted to look at 1035075.
Flags: needinfo?(mcmanus)
Group: network-core-security
FWIW, a bunch of crash reporter comments are about crashing during shutdown (but not exclusively).
davidb: I think, based on bug 1035075, it is a shutdown issue, and I've got a patch to address that. So I'm going to dup it.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1035075

Updated (3 years ago)
Group: core-security → core-security-release
Group: network-core-security, core-security-release