Closed Bug 1123868 Opened 7 years ago Closed 7 years ago

crash in js::detail::HashTable<js::HashMapEntry<JSAddonId*, nsCOMPtr<nsIAddonInterposition> >, js::HashMap<JSAddonId*, nsCOMPtr<nsIAddonInterposition>, js::PointerHasher<JSAddonId*, int>, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::...

Categories

(Core :: XPConnect, defect)

x86
Windows 8.1
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox35 --- disabled
firefox36 --- disabled
firefox37 --- disabled
firefox38 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: aryx, Assigned: billm)

References

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-e44c1c3f-97e6-48b0-bda5-8a6ce2150120.
=============================================================

Windows 8.1
Firefox Nightly with e10s enabled and set to always use the private browsing mode
Upgraded from 20150115030228 to 20150120030203

The browser crashes after clicking the Restart button in the update billboard window. Launching it again works without issues.

Installed extensions:
ADB Helper	0.7.3	true	adbhelper@mozilla.org
British English Dictionary	1.19.1	true	en-GB@dictionaries.addons.mozilla.org
DOM Inspector	2.0.15	true	inspector@mozilla.org
Firefox Developer Tools Adapters	0.2.3	true	fxdevtools-adapters@mozilla.org
LastPage	0.2.6	true	lastpage@thelittlespark
Console²	0.9	false	{1280606b-2510-4fe0-97ef-9b5a22eafe80}
Extension Test	2.15	false	extension-test@dactyl.googlecode.com
FlashGot	1.5.6.8	false	{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
Microsoft .NET Framework Assistant	1.2.1	false	{20a82645-c095-46ed-80e3-08825760534b}
Group: core-security
This is a read of a poisoned value, so we have some kind of use-after-free.
Keywords: csectype-uaf
It looks like the addon interposition map is involved.
Flags: needinfo?(wmccloskey)
Component: XPCOM → XPConnect
I guess it's possible we create a new scope after the shutdown notification. It's hard to tell from the stack. But it doesn't hurt to be defensive.

I don't see anything else wrong with the code, so hopefully this will fix the problem.
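The comment above describes a defensive fix for a use-after-free: a process-wide map may already have been torn down by the shutdown notification when a new scope is created, so the code should check for that rather than touch freed memory. The block below is an added illustration of that pattern and is not the Bugzilla attachment or any Mozilla code; `AddonId`, `Interposition`, `sInterpositionMap`, `ShutdownInterpositions`, `RegisterInterposition` and `LookupInterposition` are hypothetical stand-ins for the real `JSAddonId*` / `nsIAddonInterposition` map.

```cpp
// Added illustration, not the actual patch: guarding a process-wide lookup map
// against being used after the shutdown notification has destroyed it.
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

// Hypothetical stand-ins for JSAddonId and nsIAddonInterposition.
struct AddonId { std::string name; };
struct Interposition { int id; };

using InterpositionMap =
    std::unordered_map<const AddonId*, std::shared_ptr<Interposition>>;

// The map is created lazily and destroyed at shutdown. A null pointer is the
// unambiguous "already shut down" marker; a dangling pointer here is exactly
// the kind of state that yields a read of poisoned memory later on.
static InterpositionMap* sInterpositionMap = nullptr;
static bool sShutdownStarted = false;

// Shutdown observer: free the map and clear the pointer in the same step.
void ShutdownInterpositions() {
    sShutdownStarted = true;
    delete sInterpositionMap;
    sInterpositionMap = nullptr;
}

// Registration refuses to (re)create the map once shutdown has begun,
// so nothing allocated during teardown is left to dangle.
bool RegisterInterposition(const AddonId* addon,
                           std::shared_ptr<Interposition> interp) {
    if (sShutdownStarted) {
        return false;
    }
    if (!sInterpositionMap) {
        sInterpositionMap = new InterpositionMap();
    }
    (*sInterpositionMap)[addon] = std::move(interp);
    return true;
}

// Lookup performed when a new scope is created. The defensive check is the
// point of the example: after shutdown the map is gone, and the caller gets
// "no interposition" instead of a dereference of freed memory.
Interposition* LookupInterposition(const AddonId* addon) {
    if (!sInterpositionMap) {
        return nullptr;
    }
    auto it = sInterpositionMap->find(addon);
    return it == sInterpositionMap->end() ? nullptr : it->second.get();
}

// Reset helper so the scenario can be replayed (test convenience only).
void ResetInterpositionsForTest() {
    delete sInterpositionMap;
    sInterpositionMap = nullptr;
    sShutdownStarted = false;
}

int main() {
    AddonId addon{"example@addon"};  // constructed sample id
    RegisterInterposition(&addon, std::make_shared<Interposition>(Interposition{7}));
    Interposition* before = LookupInterposition(&addon);
    ShutdownInterpositions();
    Interposition* after = LookupInterposition(&addon);  // safe: nullptr
    return (before != nullptr && after == nullptr) ? 0 : 1;
}
```

The crash report is consistent with the second lookup running against a map that was already freed; clearing the pointer at shutdown and checking it on every access turns that into a harmless "not found" result, which is what "it doesn't hurt to be defensive" amounts to in code.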
Assignee: nobody → wmccloskey
Status: NEW → ASSIGNED
Flags: needinfo?(wmccloskey)
Attachment #8555531 - Flags: review?(continuation)
Attachment #8555531 - Flags: review?(continuation) → review+
Archaeopteryx, we're not entirely sure this fixes the issue, so let us know if you see this again after this gets into Nightly.  Thanks.
Keywords: sec-high
https://hg.mozilla.org/mozilla-central/rev/130c3d209be1
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
How far back did this go? Did it affect ESR31?
This is disabled everywhere except trunk.  I think the code didn't even land on 31.
Group: core-security → core-security-release
Group: core-security-release