Closed Bug 1186435 Opened 4 years ago Closed 4 years ago

crash in nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*)

Categories: Core :: Networking: DNS (defect, critical)
Platform: Unspecified, Windows NT
Priority: Not set

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla42
Tracking Status:
firefox40 --- unaffected
firefox41 --- unaffected
firefox42 --- fixed
firefox-esr38 --- unaffected
b2g-master --- fixed

People: Reporter: kairo, Assigned: valentin
Keywords: crash

This bug was filed from the Socorro interface and is report bp-64939acf-e72b-4211-85d4-b5f8c2150722.
=============================================================

Top Frames:
0 	xul.dll 	nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*) 	netwerk/dns/nsDNSService2.cpp
1 	xul.dll 	nsSocketTransport::RecoverFromError() 	netwerk/base/nsSocketTransport2.cpp
2 	xul.dll 	nsSocketTransport::OnSocketDetached(PRFileDesc*) 	netwerk/base/nsSocketTransport2.cpp
3 	xul.dll 	nsSocketTransportService::DetachSocket(nsSocketTransportService::SocketContext*, nsSocketTransportService::SocketContext*) 	netwerk/base/nsSocketTransportService2.cpp
4 	xul.dll 	nsSocketTransportService::DoPollIteration(bool, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) 	netwerk/base/nsSocketTransportService2.cpp
5 	xul.dll 	nsSocketTransportService::Run() 	netwerk/base/nsSocketTransportService2.cpp
6 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
[...]

This crash signature started spiking in Nightly on 2015-07-20. A number of the addresses in 32-bit reports, like bp-1097f423-b6e1-4055-bd5f-5cd962150722, are 0x5a5a5a62, which is a small offset from our poison, pointing to a use-after-free, so I'm marking this as a security bug. On 64-bit crashes, the rax register has the poison value 0x5a5a5a5a5a5a5a5a, as can be seen by looking at the "Raw Dump" tab on the report I'm filing this from.

This signature seems to happen on all OSes and older versions, but the spike on Nightly 42 is Windows-only so far: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2015-07-21&signature=nsDNSRecord%3A%3AGetNextAddr%28unsigned+short%2C+mozilla%3A%3Anet%3A%3ANetAddr*%29&version=Firefox%3A42.0a1
No clue at the moment, and I am unfortunately not a network peer.

Dragana, you have worked on similar problems (Bug 955900, Bug 1132358); any ideas?
Is that the same problem as in Bug 1132358, or maybe it's yet another corner case?
Flags: needinfo?(mozilla) → needinfo?(dd.mozilla)
Valentin, could this be from the recent mem leak patch you landed?
Flags: needinfo?(valentin.gosu)
It seems most likely that bug 1183781 is to blame.
Not sure why at the moment, but I think the safest thing is to back out the changeset.
Flags: needinfo?(valentin.gosu)
Bug 1183781 backed out.
Assignee: nobody → valentin.gosu
Blocks: 1183781
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dd.mozilla)
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Thanks Valentin!
The backout seems to have worked. No crashes from nightly 0723.
Group: core-security → core-security-release
Group: core-security-release
See Also: → 1422173