Closed Bug 1123868 Opened 11 years ago Closed 10 years ago

crash in js::detail::HashTable<js::HashMapEntry<JSAddonId*, nsCOMPtr<nsIAddonInterposition> >, js::HashMap<JSAddonId*, nsCOMPtr<nsIAddonInterposition>, js::PointerHasher<JSAddonId*, int>, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::...

Categories

(Core :: XPConnect, defect)

x86
Windows 8.1
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox35 --- disabled
firefox36 --- disabled
firefox37 --- disabled
firefox38 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: aryx, Assigned: billm)

References

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-e44c1c3f-97e6-48b0-bda5-8a6ce2150120.
=============================================================
Windows 8.1 Firefox Nightly with e10s enabled and set to always use the private browsing mode
Upgraded from 20150115030228 to 20150120030203
The browser crashes after clicking the Restart button in the update billboard window. Launching it again works without issues.

Installed extensions:
ADB Helper 0.7.3 true adbhelper@mozilla.org
British English Dictionary 1.19.1 true en-GB@dictionaries.addons.mozilla.org
DOM Inspector 2.0.15 true inspector@mozilla.org
Firefox Developer Tools Adapters 0.2.3 true fxdevtools-adapters@mozilla.org
LastPage 0.2.6 true lastpage@thelittlespark
Console² 0.9 false {1280606b-2510-4fe0-97ef-9b5a22eafe80}
Extension Test 2.15 false extension-test@dactyl.googlecode.com
FlashGot 1.5.6.8 false {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
Microsoft .NET Framework Assistant 1.2.1 false {20a82645-c095-46ed-80e3-08825760534b}
Group: core-security
This is a read of a poisoned value, so we have some kind of use-after-free.
Keywords: csectype-uaf
It looks like the addon interposition map is involved.
Flags: needinfo?(wmccloskey)
Component: XPCOM → XPConnect
I guess it's possible we create a new scope after the shutdown notification. It's hard to tell from the stack. But it doesn't hurt to be defensive. I don't see anything else wrong with the code, so hopefully this will fix the problem.
Assignee: nobody → wmccloskey
Status: NEW → ASSIGNED
Flags: needinfo?(wmccloskey)
Attachment #8555531 - Flags: review?(continuation)
Attachment #8555531 - Flags: review?(continuation) → review+
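The comment above describes the fix direction as "be defensive" about a scope being created after the shutdown notification, when the interposition map may already be torn down. The following is an added illustration of that pattern, not the patch attached to this bug and not Mozilla code: a hypothetical registry (`InterpositionRegistry`, `Interposition`, `AddonId` are stand-in names) records the shutdown flag before destroying its table, and both the insert and lookup paths check the flag first, so a late caller gets "no entry" instead of reading freed, poisoned memory.

```cpp
// Added example, not code from the Mozilla tree. Names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Hypothetical stand-in for the per-addon interposition object.
struct Interposition {
    std::string name;
};

// Hypothetical stand-in for the addon-id key.
using AddonId = std::uintptr_t;

class InterpositionRegistry {
public:
    using MapType = std::map<AddonId, std::shared_ptr<Interposition>>;

    InterpositionRegistry() : mMap(std::make_unique<MapType>()) {}

    // Refuse to create an entry once shutdown has begun: a late caller
    // (e.g. a scope created after the shutdown notification) must not
    // repopulate a table that is about to be, or already has been, destroyed.
    bool Register(AddonId id, std::shared_ptr<Interposition> interp) {
        if (mShutdown || !mMap) {
            return false;
        }
        (*mMap)[id] = std::move(interp);
        return true;
    }

    // Defensive lookup: after shutdown the table is gone, so answer "none"
    // instead of dereferencing freed memory.
    std::shared_ptr<Interposition> Lookup(AddonId id) const {
        if (mShutdown || !mMap) {
            return nullptr;
        }
        auto it = mMap->find(id);
        return it == mMap->end() ? nullptr : it->second;
    }

    // Mirrors a shutdown observer: set the flag first, then drop the table,
    // so any caller that arrives late sees the flag before the map is gone.
    void Shutdown() {
        mShutdown = true;
        mMap.reset();
    }

    bool IsShutdown() const { return mShutdown; }

private:
    bool mShutdown = false;
    std::unique_ptr<MapType> mMap;
};

struct ScenarioResult {
    bool registeredBeforeShutdown;
    bool foundBeforeShutdown;
    bool registeredAfterShutdown;
    bool foundAfterShutdown;
};

// Drives the registry through the sequence the bug describes: normal use,
// the shutdown notification, then a late caller that still touches the map.
ScenarioResult RunShutdownScenario() {
    InterpositionRegistry registry;
    const AddonId addon = 0x1000;  // constructed sample id

    ScenarioResult r{};
    r.registeredBeforeShutdown =
        registry.Register(addon, std::make_shared<Interposition>(Interposition{"sample"}));
    r.foundBeforeShutdown = registry.Lookup(addon) != nullptr;

    registry.Shutdown();

    // Late caller after the shutdown notification: both paths are rejected
    // rather than touching the destroyed table.
    r.registeredAfterShutdown =
        registry.Register(addon, std::make_shared<Interposition>(Interposition{"late"}));
    r.foundAfterShutdown = registry.Lookup(addon) != nullptr;
    return r;
}

int main() {
    ScenarioResult r = RunShutdownScenario();
    std::printf("before shutdown: registered=%d found=%d; after shutdown: registered=%d found=%d\n",
                r.registeredBeforeShutdown, r.foundBeforeShutdown,
                r.registeredAfterShutdown, r.foundAfterShutdown);
    return (r.registeredBeforeShutdown && r.foundBeforeShutdown &&
            !r.registeredAfterShutdown && !r.foundAfterShutdown) ? 0 : 1;
}
```

The ordering inside `Shutdown()` is the point: the flag is published before the table is released, so every consumer checks the same condition the destructor path uses, and a caller that arrives after the notification never observes a half-destroyed map.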
Archaeopteryx, we're not entirely sure this fixes the issue, so let us know if you see this again after this gets into Nightly. Thanks.
Keywords: sec-high
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
How far back did this go? Did it affect ESR31?
This is disabled everywhere except trunk. I think the code didn't even land on 31.
Blocks: 1106671
Group: core-security → core-security-release
Group: core-security-release