crash in PR_Unlock | mozilla::plugins::FinishInjectorInitTask::PostToMainThread() mostly at address 0x5a5a5a62

VERIFIED FIXED in Firefox 39

Status: VERIFIED FIXED
Product: Core
Component: Plug-ins
Priority: --
Severity: critical
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: Robert Kaiser, Assigned: aklotz)

Tracking

Version: Trunk
Target Milestone: mozilla39
Platform: x86
OS: Windows NT
Keywords: crash, csectype-uaf, regression, sec-critical
Points: ---
Bug Flags: qe-verify +

Firefox Tracking Flags

(firefox38 unaffected, firefox39+ verified, firefox-esr31 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
This bug was filed from the Socorro interface and is report bp-69261ff0-3c07-4512-82b1-8516d2150309.
=============================================================

Stack Frames:
0 	nss3.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c
1 	xul.dll 	mozilla::plugins::FinishInjectorInitTask::PostToMainThread() 	dom/plugins/ipc/PluginModuleParent.cpp
2 	xul.dll 	mozilla::plugins::PluginModuleChromeParent::GetToolhelpSnapshot(void*) 	dom/plugins/ipc/PluginModuleParent.cpp
3 	ntdll.dll 	RtlpWorkerCallout 	
4 	ntdll.dll 	RtlpExecuteWorkerRequest 	
5 	ntdll.dll 	RtlpApcCallout 	
6 	ntdll.dll 	RtlpExecuteWorkerRequest 	
7 	kernel32.dll 	BaseThreadStart 	

This is new in the 2015-03-08 Nightly build and didn't happen before (but we already have a few reports from the -03-09 build as well).

I'm marking this as security as almost all crashes here get a high exploitability rating and have address 0x5a5a5a62, which is a small offset from the memory poisoning and therefore smells like use-after-free.
(Reporter)

Comment 1

3 years ago
[Tracking Requested - why for this release]:

Forgot to mention this is the #1 crash in yesterday's Nightly build with >50% of all crashes.
tracking-firefox39: --- → ?

Comment 2

3 years ago
Regression from bug 1115438
Assignee: nobody → aklotz
Blocks: 1115438
Keywords: regression
Tracking for 39 since this is a regression, a topcrash, and probably a security issue.
status-firefox38: --- → unaffected
status-firefox39: --- → affected
tracking-firefox39: ? → +
Keywords: csectype-uaf, sec-critical
(Assignee)

Comment 4

3 years ago
The FinishInjectorInitTask is being destroyed in a way that we weren't expecting. It should be pretty easy for me to find that case and deal with it appropriately.
(Assignee)

Comment 5

3 years ago
Created attachment 8574987 [details] [diff] [review]
Ensure that PostToMainThread is done before returning from Run
Attachment #8574987 - Flags: review?(dmajor)
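The two technical points on this page, the reporter's reading of 0x5a5a5a62 as "poison pattern plus a small offset" in the description, and the lifecycle bug and fix described in comments 4 and 5 (the task is destroyed after Run returns, so a PostToMainThread deferred past that point touches freed memory), as one added C++ model. This is constructed illustration code, not Mozilla's: the `Heap`, `Task` and `Lock` types, their field layouts (chosen so that the lock's owner field sits at offset 8, which is what makes 0x5a5a5a5a + 8 land on 0x5a5a5a62), the 0x01234560 lock address and the 4096-byte triage window are all assumptions. Freed storage is kept mapped and inspected through memcpy so the demonstration itself has no undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <functional>
#include <new>
#include <vector>

// Poison byte a freeing allocator writes over released storage (jemalloc-style).
static constexpr uint8_t  kPoison   = 0x5a;
static constexpr uint32_t kPoison32 = 0x5a5a5a5a;   // what a 32-bit load of freed memory yields

// Triage helper: distance of a faulting address from the 32-bit poison pattern.
// A small non-negative offset means "a pointer was loaded from freed, poisoned
// memory and then dereferenced", i.e. use-after-free rather than a wild write.
static int64_t poisonOffset(uint32_t faultAddr) {
    return static_cast<int64_t>(faultAddr) - static_cast<int64_t>(kPoison32);
}
static bool looksLikeUseAfterFree(uint32_t faultAddr) {
    int64_t off = poisonOffset(faultAddr);
    return off >= 0 && off < 4096;   // assumed window: within one page of the poison value
}

// Assumed layouts (not Mozilla's): owner is at offset 8 so kPoison32 + 8 == 0x5a5a5a62.
struct Lock { uint32_t count; uint32_t waiters; uint32_t owner; };
struct Task { uint32_t state; uint32_t lockBits; };   // lockBits: an x86 pointer as an integer

// One heap slot. Storage stays mapped after "free" so the demo can inspect it safely.
struct Slot {
    alignas(16) uint8_t bytes[sizeof(Task)];
    Task* obj = nullptr;
    bool live = false;
};

struct Heap {
    std::vector<Slot> slots{4};
    std::vector<uint32_t> mainThreadQueue;   // messages successfully "posted" to the main thread
    std::vector<uint32_t> faults;            // addresses a real process would crash on

    Task* allocTask(uint32_t lockBits) {
        for (Slot& s : slots) {
            if (!s.live) {
                s.live = true;
                s.obj = new (s.bytes) Task{0, lockBits};
                return s.obj;
            }
        }
        return nullptr;
    }
    Slot& slotOf(Task* t) {
        for (Slot& s : slots) if (s.obj == t) return s;
        std::abort();
    }
    // Thread pool side: once Run() has returned, the task object is released.
    void freeTask(Task* t) {
        Slot& s = slotOf(t);
        t->~Task();
        std::memset(s.bytes, kPoison, sizeof s.bytes);   // poisoning free
        s.live = false;
    }
    // Model of PostToMainThread(): load the task's lock pointer, "PR_Unlock" it
    // (which touches lock->owner), then post a message to the main thread.
    void postToMainThread(Slot& s) {
        uint32_t lockBits;
        std::memcpy(&lockBits, s.bytes + offsetof(Task, lockBits), sizeof lockBits);
        uint32_t ownerAddr = lockBits + offsetof(Lock, owner);
        if (!s.live) { faults.push_back(ownerAddr); return; }   // freed storage: the crash
        mainThreadQueue.push_back(lockBits);
    }
};

// Buggy ordering: Run() arms the post but defers it, the pool frees the task
// when Run() returns, and the deferred post then runs against poisoned memory.
static Heap runBuggy() {
    Heap h;
    Task* t = h.allocTask(0x01234560);
    Slot& s = h.slotOf(t);
    std::function<void()> deferred = [&h, &s] { h.postToMainThread(s); };
    h.freeTask(t);      // Run() returned; pool releases the task
    deferred();         // ...and the post fires on a dangling object
    return h;
}

// Fixed ordering (the approach of the attached patch): post from inside Run(),
// before it returns, while the task object is still alive.
static Heap runFixed() {
    Heap h;
    Task* t = h.allocTask(0x01234560);
    h.postToMainThread(h.slotOf(t));   // done before Run() returns
    h.freeTask(t);
    return h;
}
```

Running `runBuggy()` records a single fault at 0x5a5a5a62 and delivers nothing to the main thread; `runFixed()` records no fault and delivers exactly one message. `looksLikeUseAfterFree(0x5a5a5a62)` is the same check the reporter applied by eye: the fault address decomposes into the poison value plus a field offset of 8.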

Updated

3 years ago
Attachment #8574987 - Flags: review?(dmajor) → review+
(Assignee)

Comment 6

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3b0e8c6dab68
https://hg.mozilla.org/mozilla-central/rev/3b0e8c6dab68
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox39: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
(Assignee)

Updated

3 years ago
Duplicate of this bug: 1142043
We should check back on crash-stats to verify the fix in a day or so.
Flags: qe-verify+
No crashes reported with the first Nightly build (2015031103) after the fix landed.  Overall Nightly crash volume is dropping because of it.  :-)
Status: RESOLVED → VERIFIED
status-firefox39: fixed → verified
Group: core-security
status-firefox-esr31: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected