Closed
Bug 1158601
Opened 9 years ago
Closed 9 years ago
Firefox crash opening large window, system crash on Windows 10
Categories
(Core :: Graphics: Layers, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: dveditz, Unassigned)
References
()
Details
(Keywords: crash)
Attachments
(1 file)
|
1.13 KB,
text/html
|
Details |
Found links to this exploit PoC online, can't confirm on Mac: http://siph0n.in/exploits.php?id=3758 Will try on Windows next but wanted to get this logged in case others report it too.
|
Reporter | |
Comment 1•9 years ago
|
||
I can't reproduce on Windows 7. Trying to open a huge window rings a bell but I couldn't find a bug or advisory for it with minimal searching. Tried the PoC on the oldest windows build I had handy (24.6, roughly a year old) and couldn't reproduce their either.
|
|
Reporter | |
Updated•9 years ago
|
Group: firefox-core-security → core-security
|
|
Reporter | |
Comment 2•9 years ago
|
||
Jim, since you mentioned having a Win10 machine would you mind trying this PoC and seeing if it does crash your system? If you view-source the attachment you can verify that there's nothing malicious behind the (potential) crash.
Flags: needinfo?(jmathies)
|
||
Comment 3•9 years ago
|
||
This crashes for me on win7 w/nightly: https://crash-stats.mozilla.com/report/index/d83d0c6f-e6df-44a4-8b30-332b42150505
Flags: needinfo?(jmathies)
|
|
||
Updated•9 years ago
|
Flags: needinfo?(jmathies)
|
|
||
Comment 4•9 years ago
|
||
Note I'm in the middle of a move and as such do not have access to windows 10.
Flags: needinfo?(jmathies)
|
||
Comment 5•9 years ago
|
||
Top frame of the crash is mozilla::layers::CompositorD3D11::HandleError(), so I'm going to guess this is Windows graphics related.
Component: Untriaged → Graphics: Layers
Product: Firefox → Core
HandleError first reports E_INVALIDARG (I don't know the stack), then it looks like another BeingFrame happens and the subsequent HandleError reports DXGI_ERROR_INVALID_CALL and calls MOZ_CRASH, as a result of mSwapChain->GetBuffer() inside of UpdateRenderTarget(). And doesn't look like TDR was reported. Looks like we "just" need to catch this scenario, where invalid sizes meant we didn't set things up for GetBuffer()? Bas, something Kyle & Andrew can take a look at?
Flags: needinfo?(bas)
OS: Windows 7 → Windows 10
|
||
Comment 7•9 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #6) > HandleError first reports E_INVALIDARG (I don't know the stack), then it > looks like another BeingFrame happens and the subsequent HandleError reports > DXGI_ERROR_INVALID_CALL and calls MOZ_CRASH, as a result of > mSwapChain->GetBuffer() inside of UpdateRenderTarget(). And doesn't look > like TDR was reported. > > Looks like we "just" need to catch this scenario, where invalid sizes meant > we didn't set things up for GetBuffer()? > > Bas, something Kyle & Andrew can take a look at? Probably yes. I can probably take a couple of minutes tonight or tomorrow and fix it as well. I'm not clear on how calling a MOZ_CRASH would lead to an exploitable error though. I'd really like MOZ_CRASH to be a safe abort, isn't it?
Flags: needinfo?(bas)
|
|
||
Comment 8•9 years ago
|
||
The description just says "Windows10 Logout The User Via firefox Null Pointer Dereference Vulnerability", so it doesn't really even seem to claim to cause a dangerous crash. I have no idea how a crash ends up logging somebody out of Facebook. Maybe it somehow trashes the cookies?
|
|
||
Comment 9•9 years ago
|
||
I just tested with win10 preview release 10074 and I can't reproduce.
|
|
Reporter | |
Comment 10•9 years ago
|
||
Thanks for checking, everyone (esp jimm).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•