Bug 1141093 (Closed)
Opened 10 years ago; closed 10 years ago
crash in PR_Unlock | mozilla::plugins::FinishInjectorInitTask::PostToMainThread() mostly at address 0x5a5a5a62
Categories: Core Graveyard :: Plug-ins, defect
Status: VERIFIED FIXED
Target milestone: mozilla39
Tracking | Flag | Status
---|---|---
firefox38 | --- | unaffected |
firefox39 | + | verified |
firefox-esr31 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
People: Reporter: kairo, Assigned: bugzilla
Details: 4 keywords
Attachments (1 file): patch, 1.09 KB, review+ (away)
This bug was filed from the Socorro interface and is report bp-69261ff0-3c07-4512-82b1-8516d2150309.
=============================================================
Stack Frames:
0 nss3.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c
1 xul.dll mozilla::plugins::FinishInjectorInitTask::PostToMainThread() dom/plugins/ipc/PluginModuleParent.cpp
2 xul.dll mozilla::plugins::PluginModuleChromeParent::GetToolhelpSnapshot(void*) dom/plugins/ipc/PluginModuleParent.cpp
3 ntdll.dll RtlpWorkerCallout
4 ntdll.dll RtlpExecuteWorkerRequest
5 ntdll.dll RtlpApcCallout
6 ntdll.dll RtlpExecuteWorkerRequest
7 kernel32.dll BaseThreadStart
This is new in the 2015-03-08 Nightly build and didn't happen before (but we already have a few reports from the -03-09 build as well).
I'm marking this as security as almost all crashes here get a high exploitability rating and have address 0x5a5a5a62, which is a small offset from the memory poisoning and therefore smells like use-after-free.
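The reporter's reasoning above (crash address = poison pattern + small offset, so a pointer was loaded from freed memory) as a worked example. This is added illustration, not code from the bug or from Mozilla; it assumes freed memory was filled with the byte 0x5a, which is what reading 0x5a5a5a62 as "poison plus offset" implies, a 32-bit address space as the 4-byte address suggests, and hypothetical struct layouts standing in for the task and the NSPR lock.

```c
/* Added example, not from the bug or Mozilla: why a fault at 0x5a5a5a62 reads
 * as a use-after-free. If the allocator fills freed memory with 0x5a (assumed),
 * a pointer loaded from a freed object is 0x5a5a5a5a on a 32-bit build, and
 * touching a member 8 bytes into the pointee faults at 0x5a5a5a62. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POISON_BYTE 0x5a

/* Hypothetical stand-ins for the NSPR lock and the task that points at it.
 * Pointers are modelled as uint32_t to reproduce the 32-bit layout. */
struct lock_32 { uint32_t owner; uint32_t count; uint32_t state; }; /* state at +8 */
struct task_32 { uint32_t vtable; uint32_t lock; };

/* Simulated free that poisons the block instead of reusing it. */
static void poison_free(void *block, size_t size) {
    memset(block, POISON_BYTE, size);
}

/* Address that lock-release code would touch through a stale task pointer:
 * it loads task->lock (now poison) and then accesses lock->state.
 * Computed arithmetically; the bad address is never dereferenced. */
static uint32_t stale_lock_fault_address(void) {
    struct task_32 task = { 0x00400000u, 0x00500000u };  /* constructed values */
    poison_free(&task, sizeof task);                      /* task destroyed early */
    return task.lock + (uint32_t)offsetof(struct lock_32, state);  /* 0x5a5a5a62 */
}

/* Crash triage helper: if fault_addr lies at most max_off bytes above an
 * all-POISON_BYTE pointer of ptr_bytes width, return that offset, else -1.
 * A small non-negative result is the "smells like use-after-free" signal. */
static long poison_offset(uint64_t fault_addr, unsigned ptr_bytes, uint64_t max_off) {
    uint64_t pattern = 0;
    for (unsigned i = 0; i < ptr_bytes; i++)
        pattern = (pattern << 8) | POISON_BYTE;
    if (fault_addr < pattern || fault_addr - pattern > max_off)
        return -1;
    return (long)(fault_addr - pattern);
}
```

The 8-byte offset then tells the triager which member of the pointee was touched, which narrows down the code path that used the stale object.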
Comment 1 (Reporter) • 10 years ago
[Tracking Requested - why for this release]:
Forgot to mention this is the #1 crash in yesterday's Nightly build with >50% of all crashes.
tracking-firefox39: --- → ?
Comment 2 • 10 years ago
Regression from bug 1115438
Comment 3 • 10 years ago
Tracking for 39 since this is a regression, topcrash, probably security issue.
Updated • 10 years ago
Keywords: csectype-uaf, sec-critical
Comment 4 (Assignee) • 10 years ago
The FinishInjectorInitTask is being destroyed in a way that we weren't expecting. It should be pretty easy for me to find that case and deal with it appropriately.
Comment 5 (Assignee) • 10 years ago
Attachment #8574987 - Flags: review?(dmajor)
Attachment #8574987 - Flags: review?(dmajor) → review+
Comment 6 (Assignee) • 10 years ago
Comment 7 • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Comment 9 • 10 years ago
We should check back on crash-stats to verify the fix in a day or so.
Flags: qe-verify+
Comment 10 • 10 years ago
No crashes reported with the first Nightly build (2015031103) after the fix landed. Overall Nightly crash volume is dropping because of it. :-)
Status: RESOLVED → VERIFIED
Updated • 10 years ago
Group: core-security
status-firefox-esr31: --- → unaffected
Updated • 10 years ago
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
Updated • 3 years ago
Product: Core → Core Graveyard