Closed Bug 1228640 Opened 9 years ago Closed 9 years ago

Spike in crashes @ nsDNSRecord::GetNextAddr starting 2015-11-25

Categories

(Core :: Networking: DNS, defect)

45 Branch
Unspecified
Windows NT
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
firefox44 --- unaffected
firefox45 + fixed
firefox-esr38 --- unaffected

People

(Reporter: u279076, Assigned: valentin)

Details

(5 keywords, Whiteboard: [fixed by backout])

[Tracking Requested - why for this release]:

This bug was filed from the Socorro interface and is report bp-159b3a44-b7a9-4885-9ed6-5db262151127.
=============================================================
0 	xul.dll 	nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*) 	netwerk/dns/nsDNSService2.cpp
1 	xul.dll 	nsSocketTransport::RecoverFromError() 	netwerk/base/nsSocketTransport2.cpp
2 	xul.dll 	nsSocketTransport::OnSocketDetached(PRFileDesc*) 	netwerk/base/nsSocketTransport2.cpp
3 	xul.dll 	nsSocketTransportService::DetachSocket(nsSocketTransportService::SocketContext*, nsSocketTransportService::SocketContext*) 	netwerk/base/nsSocketTransportService2.cpp
4 	xul.dll 	nsSocketTransportService::DoPollIteration(bool, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) 	netwerk/base/nsSocketTransportService2.cpp
5 	xul.dll 	nsSocketTransportService::Run() 	netwerk/base/nsSocketTransportService2.cpp
6 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
7 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
8 	xul.dll 	mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
9 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
10 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
11 	xul.dll 	nsThread::ThreadFunc(void*) 	xpcom/threads/nsThread.cpp
12 	nss3.dll 	PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c
13 	nss3.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c
14 	msvcr120.dll 	_callthreadstartex 	f:\dd\vctools\crt\crtw32\startup\threadex.c:376
15 	msvcr120.dll 	_threadstartex 	f:\dd\vctools\crt\crtw32\startup\threadex.c:354
16 	kernel32.dll 	BaseThreadInitThunk 	
17 	ntdll.dll 	RtlUserThreadStart 	
18 	kernel32.dll 	BasepReportFault 	
19 	kernel32.dll 	BasepReportFault 	
=============================================================
More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsDNSRecord%3A%3AGetNextAddr

These are crashes going back as far as Firefox 30 but there's a definite spike in Firefox 45.0a1. Firefox Nightly has 356 crashes reported so far with zero reported against Aurora and Beta, 1 reported against Release. It currently accounts for 8% of all crashes on Nightly right now and ranks #2 overall.

Note, I am hiding this as a security sensitive bug since all the reports are either rated with LOW or HIGH.

Here is the pushlog based on when this first spiked in Nightly:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=45273bbed8efaface6f5ec56d984cb9faf4fbb6a&tochange=099f695d31326c39595264c34988a0f4b7cbc698

I suspect bug 1183781 is to blame, Valentin?
> I suspect bug 1183781 is to blame, Valentin?

Forgot to set the need-info flag. Valentin can you please have a look at this?
Flags: needinfo?(valentin.gosu)
Seems I haven't fixed all the kinks in bug 1183781 by using RefPtrs.
I'll back out the patch and give it another try, maybe with some unit tests too.
Assignee: nobody → valentin.gosu
Flags: needinfo?(valentin.gosu)
Crash addresses make this seem like a use after free.
This has risen to be the #1 topcrash in Nightly 45.0a1 accounting for 32.69% of the crashes.
Is this still happening with builds after the backout in comment 3? That would be unexpected.
That is odd.
This seems to have landed in m-c at https://hg.mozilla.org/mozilla-central/rev/a6237ee1e852 - pushed at 2015-11-30 12:19
The most recent crashing build is 20151130030228 - unless crashes occur in newer builds as well, I think it's safe to say it is fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by backout]
Group: core-security → core-security-release
Group: core-security-release