Closed Bug 1213979 Opened 9 years ago Closed 9 years ago

Heap-use-after-free [@ mozilla::net::Http2Stream::AdjustInitialWindow]

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox41 --- wontfix
firefox42 + fixed
firefox43 + fixed
firefox44 + fixed
firefox-esr38 42+ fixed
b2g-v2.0 --- wontfix
b2g-v2.0M --- wontfix
b2g-v2.1 --- wontfix
b2g-v2.1S --- wontfix
b2g-v2.2 --- fixed
b2g-v2.2r --- fixed
b2g-master --- fixed
thunderbird_esr38 --- fixed

People

(Reporter: jruderman, Assigned: mcmanus)

References

Details

(5 keywords, Whiteboard: [post-critsmash-triage][adv-main42+][adv-esr38.4+])

Attachments

(3 files)

stack
12.70 KB, text/plain
Details
h2 packet formats
2.11 KB, patch
u408661
: review+
abillings
: approval-mozilla-aurora+
abillings
: approval-mozilla-beta+
Sylvestre
: approval-mozilla-release-
abillings
: approval-mozilla-esr38+
abillings
: approval‑mozilla‑b2g37_v2_2r+
abillings
: sec-approval+
Details | Diff | Splinter Review
patch for aurora, beta, esr38, b2g37_v2_2r
1.86 KB, patch
RyanVM
: checkin+
Details | Diff | Splinter Review
Attached file stack
My ASan build is crashing very frequently at [@ mozilla::net::Http2Stream::AdjustInitialWindow], especially when browsing Wikipedia. Today's nightly is also crashing frequently, at seemingly random locations, especially when browsing Twitter.
Judging by the number of people complaining about a very similar crash like this in #developers, I'm guessing this is going to be a Nightly topcrash.
[Tracking Requested - why for this release]: frequent crash
status-firefox43: --- → unaffected
tracking-firefox44: --- → ?
Probably it is bug 1211694 somehow triggered this. I will ask someone to back it out. And I will take a look tomorrow. (I am not sure why the patch triggers this)
I backed out bug 1211694 at Nick & Dragana's request to see if it fixes these crashes in tomorrow's nightly. https://hg.mozilla.org/mozilla-central/rev/11ff0ccb7d59
Keywords: regression
Group: network-core-security
I think this is a long standing h2 bug that dragana managed to bring to the surface but its not strictly dependent on 1211694 to trigger. (that patch makes it easier to trigger, because without it there is some extra space in the typical outgoing packet allocation - honestly, there probably is enough room 100% of the time, but I'm not certain of that analysis). Nick, Dragana, I'll upload a patch.. see if it makes sense to you and go ahead with getting it tested/fixed-up or merged if so (I haven't even tried to compile it on this laptop).. my availability before friday is quite limited.
Attachment #8672908 - Flags: review?(hurley)
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Code in question goes back to Fx29, so marking all supported branches as affected.
status-b2g-v2.0: --- → wontfix
status-b2g-v2.0M: --- → wontfix
status-b2g-v2.1: --- → wontfix
status-b2g-v2.1S: --- → wontfix
status-b2g-v2.2: --- → affected
status-b2g-v2.2r: --- → affected
status-b2g-master: --- → affected
status-firefox41: --- → affected
status-firefox42: --- → affected
status-firefox43: --- → affected
status-firefox-esr38: --- → affected
tracking-firefox42: --- → ?
tracking-firefox43: --- → ?
tracking-firefox-esr38: --- → ?
Comment on attachment 8672908 [details] [diff] [review] h2 packet formats Review of attachment 8672908 [details] [diff] [review]: ----------------------------------------------------------------- Ugh, nice catch. LGTM.
Attachment #8672908 - Flags: review?(hurley) → review+
Comment on attachment 8672908 [details] [diff] [review] h2 packet formats [Security approval request comment] How easily could an exploit be constructed based on the patch? It gives a concrete area to target - but I'm not actually sure you could trigger it due to sufficient slack allocation in the default buffer. But the code clearly identifies the potential problem. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? no Which older supported branches are affected by this flaw? release, beta, aurora, esr If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? patch applies universally How likely is this patch to cause regressions; how much testing does it need? very unlikely.
Attachment #8672908 - Flags: sec-approval?
Attachment #8672908 - Flags: approval-mozilla-release?
Attachment #8672908 - Flags: approval-mozilla-esr38?
Attachment #8672908 - Flags: approval-mozilla-beta?
Attachment #8672908 - Flags: approval-mozilla-aurora?
Comment on attachment 8672908 [details] [diff] [review] h2 packet formats [Triage Comment]
Attachment #8672908 - Flags: approval‑mozilla‑b2g37_v2_2r+
Attachment #8672908 - Flags: approval-mozilla-esr38?
Attachment #8672908 - Flags: approval-mozilla-esr38+
Attachment #8672908 - Flags: approval-mozilla-beta?
Attachment #8672908 - Flags: approval-mozilla-beta+
Attachment #8672908 - Flags: approval-mozilla-aurora?
Attachment #8672908 - Flags: approval-mozilla-aurora+
Failed to apply to 2.2r Tomcats-MacBook-Pro-2:mozilla-b2g37_v2_2r Tomcat$ hg qimport /sheriffs/patch/1213979.patch && hg qpush && hg qrefresh -e adding 1213979.patch to series file applying 1213979.patch patching file netwerk/protocol/http/Http2Stream.cpp Hunk #1 FAILED at 721 1 out of 2 hunks FAILED -- saving rejects to file netwerk/protocol/http/Http2Stream.cpp.rej patch failed, unable to continue (try -v) patch failed, rejects left in working directory Patrick could you take a look, thanks!
Flags: needinfo?(mcmanus)
also failed for beta and aurora
https://hg.mozilla.org/mozilla-central/rev/9af9f4f39b28
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Attachment #8672908 - Flags: sec-approval? → sec-approval+
this patch will apply to the older branches - a trivial logging line was added nearby in 44 that caused the conflict.
Flags: needinfo?(mcmanus)
Attachment #8674945 - Flags: checkin?
Keywords: checkin-needed
(In reply to Wes Kocher (:KWierso) from comment #20) > This seems to have caused xpcshell failures on 2.2: > https://treeherder.mozilla.org/logviewer.html#?job_id=171890&repo=mozilla- > b2g37_v2_2 doesn't pass the sniff test (the changed code isn't even run in that test) - but I've been wrong about stuff like that before. can you make new runs both with and without the patch? If the problem is linked to this patch we might need keeler's help
Flags: needinfo?(mcmanus)
That failure reeks of not running automated HSTS/HPKP updates on b2g37 to me.
Group: network-core-security → core-security-release
Attachment #8674945 - Flags: checkin? → checkin+
Whiteboard: [post-critsmash-triage]
tracking-firefox-esr38: --- → 42+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main42+][adv-esr38.4+]
Comment on attachment 8672908 [details] [diff] [review] h2 packet formats Not going take this patch in 41.
Attachment #8672908 - Flags: approval-mozilla-release? → approval-mozilla-release-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: