Crash [@ mozilla::detail::AtomicBaseIncDec<int, (mozilla::MemoryOrdering)2u>::operator-- ]

RESOLVED FIXED in Firefox 36

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: a month ago

People

(Reporter: ntroast, Assigned: bent.mozilla)

Tracking

Keywords: {crash, regression, sec-high}
Version: unspecified
Target Milestone: mozilla38
Platform: ARM
OS: Gonk (Firefox OS)
Points: ---

Firefox Tracking Flags

(blocking-b2g:2.2+, firefox35 wontfix, firefox36+ fixed, firefox37+ fixed, firefox38+ fixed, firefox-esr31 unaffected, b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 fixed, b2g-master fixed)

Details

(Whiteboard: [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-], crash signature)

Attachments

(3 attachments)

Description (Reporter)

4 years ago
We have been observing the following crash signature during monkey runs.

[@ mozilla::detail::AtomicBaseIncDec<int, (mozilla::MemoryOrdering)2u>::operator-- | mozilla::dom::BlobParent::IDTableEntry::Release | nsRefPtr<mozilla::dom::BlobParent::IDTableEntry>::~nsRefPtr | mozilla::dom::BlobParent::~BlobParent ]

STR not available. Cafbot will upload the minidump shortly.
What branch is this based on?
Whiteboard: [CR 782853]
Whiteboard: [CR 782853] → [caf priority: p1][CR 782853]
Whiteboard: [caf priority: p1][CR 782853] → [b2g-crash][caf-crash 442][caf priority: p1][CR 782853]

Comment 4

4 years ago
(In reply to ben turner [:bent] (use the needinfo? flag!) from comment #3)
> What branch is this based on?

This is v2.2.  The last crash we saw was with 

Gaia:  http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=69ac77cfa938fae2763ac426a80ca6e5feb6ad25
Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=16a3a81985429f9831283b38a1d79af3a741dedb
Group: dom-core-security
Posted patch: Patch, v1 (Splinter Review)
Ugh, IPDL automatically destroys actors if the constructor message fails, so we're double-deleting at the moment...
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #8551430 - Flags: review?(khuey)
This should be rare though... It requires a child process to die at just the right moment before sending one of these messages.
Group: core-security
Keywords: regression, sec-high
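A simplified model of the ownership mistake bent describes above, added here as an illustration; it is not Gecko or IPDL code, and the Registry, Manager and CreateBlob* names are assumptions. The manager tears the actor down itself when the constructor message cannot be delivered (child already gone), so a caller that also destroys the actor on failure runs its destructor twice; in the real code that second teardown would be the path the crash signature shows.

```cpp
// Added illustration, not Gecko/IPDL code: a minimal model of an IPC actor
// whose manager destroys it when the constructor message cannot be sent.
#include <cstddef>
#include <set>

struct Actor { int id; };

// Tracks live actors so a second destroy is detected and counted instead of
// being undefined behaviour (in real code it is a double delete / use-after-free).
struct Registry {
    std::set<Actor*> live;
    int doubleDestroys = 0;
    Actor* Create(int id) { Actor* a = new Actor{id}; live.insert(a); return a; }
    void Destroy(Actor* a) {
        if (live.erase(a) == 0) { ++doubleDestroys; return; }  // already gone
        delete a;
    }
};

// Models the IPDL behaviour described in the bug (assumption, simplified): if
// the child process has died, the constructor message fails and the manager
// itself destroys the actor before returning false. A failed actor is no
// longer owned by the caller.
struct Manager {
    Registry& reg;
    bool childAlive;
    bool SendConstructor(Actor* a) {
        if (childAlive) return true;
        reg.Destroy(a);
        return false;
    }
};

// Buggy caller: treats a failed send as "I still own the actor" and destroys
// it again, the double delete the comment describes.
bool CreateBlobBuggy(Manager& m, int id) {
    Actor* a = m.reg.Create(id);
    if (!m.SendConstructor(a)) { m.reg.Destroy(a); return false; }
    return true;
}

// Fixed caller: the manager already tore the actor down, so only report failure.
bool CreateBlobFixed(Manager& m, int id) {
    Actor* a = m.reg.Create(id);
    if (!m.SendConstructor(a)) return false;
    return true;
}
```

The failure window is the one bent mentions: the child must die between actor creation and the constructor send, which is why the buggy path is rarely hit but still a real double delete.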
Comment on attachment 8551430 [details] [diff] [review]
Patch, v1

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Hard, requires narrow timing between child process crash and parent process message being sent

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No, but the changes to the code make the problem pretty obvious...

Which older supported branches are affected by this flaw? See flags

If not all supported branches, which bug introduced the flaw? See above

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should be identical for all branches

How likely is this patch to cause regressions; how much testing does it need? This is an obviously correct fix, I don't expect any regressions.
Attachment #8551430 - Flags: sec-approval?

Comment 9

4 years ago
ni for Bhavana at her request.
Flags: needinfo?(bbajaj)
Comment on attachment 8551430 [details] [diff] [review]
Patch, v1

sec-approval+ for trunk. Please make and nominate patches for affected branches.
Attachment #8551430 - Flags: sec-approval? → sec-approval+
Comment on attachment 8551430 [details] [diff] [review]
Patch, v1

Approval Request Comment

(See above)
Attachment #8551430 - Flags: approval-mozilla-beta?
Attachment #8551430 - Flags: approval-mozilla-aurora?
blocking-b2g: 2.2? → 2.2+
Flags: needinfo?(bbajaj)
Attachment #8551430 - Flags: approval-mozilla-beta?
Attachment #8551430 - Flags: approval-mozilla-beta+
Attachment #8551430 - Flags: approval-mozilla-aurora?
Attachment #8551430 - Flags: approval-mozilla-aurora+
Group: dom-core-security
This bug was reported by codeaurora.org. IMO, we can enable QC confidential group.
Group: qualcomm-confidential
Kevin, I don't think this is necessary, there is no confidential information in this bug.
(In reply to Kevin Hu [:khu] from comment #16)
> This bug was reported by codeaurora.org. IMO, we can enable QC confidential
> group.

Just FYI, this group is not really needed in general.  QC confidential data has no place on bugzilla.
Could this bug be triggered outside of Firefox OS?
Flags: needinfo?(bent.mozilla)
Probably only in e10s mode.
Flags: needinfo?(bent.mozilla)
Whiteboard: [b2g-crash][caf-crash 442][caf priority: p1][CR 782853] → [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-]

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML
Product: Core → Core