Closed
Bug 1186435
Opened 10 years ago
Closed 10 years ago
crash in nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*)
Categories
(Core :: Networking: DNS, defect)
RESOLVED
FIXED
mozilla42
| Tracking | Status | |
|---|---|---|
| firefox40 | --- | unaffected |
| firefox41 | --- | unaffected |
| firefox42 | --- | fixed |
| firefox-esr38 | --- | unaffected |
| b2g-master | --- | fixed |
People
(Reporter: kairo, Assigned: valentin)
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is report bp-64939acf-e72b-4211-85d4-b5f8c2150722.
=============================================================
Top Frames:
0 xul.dll nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*) netwerk/dns/nsDNSService2.cpp
1 xul.dll nsSocketTransport::RecoverFromError() netwerk/base/nsSocketTransport2.cpp
2 xul.dll nsSocketTransport::OnSocketDetached(PRFileDesc*) netwerk/base/nsSocketTransport2.cpp
3 xul.dll nsSocketTransportService::DetachSocket(nsSocketTransportService::SocketContext*, nsSocketTransportService::SocketContext*) netwerk/base/nsSocketTransportService2.cpp
4 xul.dll nsSocketTransportService::DoPollIteration(bool, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) netwerk/base/nsSocketTransportService2.cpp
5 xul.dll nsSocketTransportService::Run() netwerk/base/nsSocketTransportService2.cpp
6 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
[...]
This crash signature started spiking in Nightly on 2015-07-20. A number of the addresses in 32bit, like bp-1097f423-b6e1-4055-bd5f-5cd962150722, are 0x5a5a5a62, which is a small offset from our poison, pointing to use-after-free, so I'm marking this as a security bug. On 64bit crashes, the rax register has the poison value 0x5a5a5a5a5a5a5a5a, as can be seen by looking at the "Raw Dump" tab on the report I'm filing this from.
This signature seems to happen on all OSes and older versions, but the spike on Nightly 42 is Windows-only so far: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2015-07-21&signature=nsDNSRecord%3A%3AGetNextAddr%28unsigned+short%2C+mozilla%3A%3Anet%3A%3ANetAddr*%29&version=Firefox%3A42.0a1
Regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9c919ce631ea&tochange=5df788c56ae7
Possibly Bug 1143922 or Bug 1175803?
Flags: needinfo?(mozilla)
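The triage reasoning in the description above (a crash address at a small offset from the 0x5a poison pattern suggests use-after-free), as an added Python example that is not part of the bug report or of Mozilla's tooling. The 4 KiB window, the function names and the sample records other than the two quoted values are assumptions constructed for illustration.

```python
POISON_BYTE = 0x5A   # fill byte quoted in the report (0x5a5a5a5a...)
WINDOW = 0x1000      # assumption: offsets up to 4 KiB count as "near"


def poison_value(width_bits):
    """Pointer-sized value made of the repeated poison byte."""
    return int.from_bytes(bytes([POISON_BYTE]) * (width_bits // 8), "big")


def poison_offset(addr, width_bits, window=WINDOW):
    """Signed distance of addr from the poison pointer, or None if too far."""
    delta = (addr - poison_value(width_bits)) & ((1 << width_bits) - 1)
    if delta >= 1 << (width_bits - 1):   # wrap to a negative offset
        delta -= 1 << width_bits
    return delta if abs(delta) <= window else None


def classify(addr, width_bits):
    """Label one crash address for triage."""
    off = poison_offset(addr, width_bits)
    if off is not None:
        return f"possible use-after-free (poison{off:+#x})"
    if addr < WINDOW:
        return "near-null dereference"
    return "unclassified"


# Constructed sample records: (label, address, pointer width in bits).
# The first two values are the ones quoted in the report; the rest are made up.
SAMPLES = [
    ("32-bit crash address", 0x5A5A5A62, 32),
    ("64-bit rax", 0x5A5A5A5A5A5A5A5A, 64),
    ("constructed: below poison", 0x5A5A5A56, 32),
    ("constructed: null + field offset", 0x00000008, 32),
    ("constructed: ordinary address", 0x7FFE1234, 32),
]


def triage(samples=SAMPLES):
    """Map each sample label to its triage verdict."""
    return {label: classify(addr, width) for label, addr, width in samples}


if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:35} {verdict}")
```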
Comment 2•10 years ago
No clue at the moment, and I am unfortunately not a network peer.
Dragana, you have worked on similar problems (Bug 955900, Bug 1132358); any ideas?
Is that the same problem as in Bug 1132358; maybe it's yet another corner case?
Flags: needinfo?(mozilla) → needinfo?(dd.mozilla)
Comment 3•10 years ago
Valentin, could this be from the recent mem leak patch you landed?
Flags: needinfo?(valentin.gosu)
Comment 4•10 years ago (Assignee)
It seems most likely that bug 1183781 is to blame.
Not sure why at the moment, but I think the safest thing is to back out the changeset.
Flags: needinfo?(valentin.gosu)
Comment 5•10 years ago
Bug 1183781 backed out.
Assignee: nobody → valentin.gosu
Blocks: 1183781
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(dd.mozilla)
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Comment 6•10 years ago
Thanks Valentin!
Updated•10 years ago
status-b2g-master: --- → fixed
status-firefox40: --- → unaffected
status-firefox41: --- → unaffected
status-firefox-esr38: --- → unaffected
Updated•10 years ago
Group: core-security → core-security-release
Updated•10 years ago
Group: core-security-release