Crash [@ mozilla::detail::AtomicBaseIncDec<int, (mozilla::MemoryOrdering)2u>::operator-- ]

RESOLVED FIXED in Firefox 36, Firefox OS v2.2



4 years ago
2 years ago


(Reporter: ntroast, Assigned: Ben Turner (not reading bugmail, use the needinfo flag!))


({crash, regression, sec-high})

Gonk (Firefox OS)
crash, regression, sec-high

Firefox Tracking Flags

(blocking-b2g:2.2+, firefox35 wontfix, firefox36+ fixed, firefox37+ fixed, firefox38+ fixed, firefox-esr31 unaffected, b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 fixed, b2g-master fixed)


(Whiteboard: [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-], crash signature)


(3 attachments)



4 years ago
We have been observing the following crash signature during monkey runs.

[@ mozilla::detail::AtomicBaseIncDec<int, (mozilla::MemoryOrdering)2u>::operator-- | mozilla::dom::BlobParent::IDTableEntry::Release | nsRefPtr<mozilla::dom::BlobParent::IDTableEntry>::~nsRefPtr | mozilla::dom::BlobParent::~BlobParent ]

STR not availiable. Cafbot will upload the minidump shortly.
Created attachment 8550566 [details]
EXTRA file attachment -
Created attachment 8550567 [details]
decoded minidump -
What branch is this based on?


4 years ago
Whiteboard: [CR 782853]


4 years ago
Whiteboard: [CR 782853] → [caf priority: p1][CR 782853]


4 years ago
Whiteboard: [caf priority: p1][CR 782853] → [b2g-crash][caf-crash 442][caf priority: p1][CR 782853]

Comment 4

4 years ago
(In reply to ben turner [:bent] (use the needinfo? flag!) from comment #3)
> What branch is this based on?

This is v2.2.  The last crash we saw was with 

Group: dom-core-security
Created attachment 8551430 [details] [diff] [review]
Patch, v1

Ugh, IPDL automatically destroys actors if the constructor message fails, so we're double-deleting at the moment...
Assignee: nobody → bent.mozilla
Attachment #8551430 - Flags: review?(khuey)
Looks like this was introduces in bug 994190.
status-b2g-v2.1: --- → unaffected
status-b2g-v2.2: --- → affected
status-b2g-master: --- → affected
status-firefox35: --- → affected
status-firefox36: --- → affected
status-firefox37: --- → affected
status-firefox38: --- → affected
This should be rare though... It requires a child process to die at just the right moment before sending one of these messages.
Blocks: 994190
Group: core-security
Keywords: regression, sec-high
status-firefox35: affected → wontfix
status-firefox-esr31: --- → unaffected
tracking-firefox36: --- → +
tracking-firefox37: --- → +
tracking-firefox38: --- → +
Comment on attachment 8551430 [details] [diff] [review]
Patch, v1

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Hard, requires narrow timing between child process crash and parent process message being sent

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No, but the changes to the code make the problem pretty obvious...

Which older supported branches are affected by this flaw? See flags

If not all supported branches, which bug introduced the flaw? See above

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should be identical for all branches

How likely is this patch to cause regressions; how much testing does it need? This is an obviously correct fix, I don't expect any regressions.
Attachment #8551430 - Flags: sec-approval?

Comment 9

4 years ago
ni for Bhavana at her request.
Flags: needinfo?(bbajaj)

Comment 11

4 years ago
Comment on attachment 8551430 [details] [diff] [review]
Patch, v1

sec-approval+ for trunk. Please make and nominate patches for affected branches.
Attachment #8551430 - Flags: sec-approval? → sec-approval+
Comment on attachment 8551430 [details] [diff] [review]
Patch, v1

Approval Request Comment

(See above)
Attachment #8551430 - Flags: approval-mozilla-beta?
Attachment #8551430 - Flags: approval-mozilla-aurora?


4 years ago
blocking-b2g: 2.2? → 2.2+
Flags: needinfo?(bbajaj)
Attachment #8551430 - Flags: approval-mozilla-beta?
Attachment #8551430 - Flags: approval-mozilla-beta+
Attachment #8551430 - Flags: approval-mozilla-aurora?
Attachment #8551430 - Flags: approval-mozilla-aurora+
This was merged to m-c:
Last Resolved: 4 years ago
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-master: affected → fixed
status-firefox36: affected → fixed
status-firefox37: affected → fixed
status-firefox38: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Group: dom-core-security

Comment 16

4 years ago
This bug was reported by IMO, we can enable QC confidential group.
Group: qualcomm-confidential
Kevin, I don't think this is necessary, there is no confidential information in this bug.
No longer blocks: 1063044
(In reply to Kevin Hu [:khu] from comment #16)
> This bug was reported by IMO, we can enable QC confidential
> group.

Just FYI, this group is not really needed in general.  QC confidential data has no place on bugzilla.

Comment 19

4 years ago
Could this bug be triggered outside of Firefox OS?
Flags: needinfo?(bent.mozilla)
Probably only in e10s mode.
Flags: needinfo?(bent.mozilla)


4 years ago
Whiteboard: [b2g-crash][caf-crash 442][caf priority: p1][CR 782853] → [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-]


3 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.