Closed Bug 1231919 Opened 9 years ago Closed 9 years ago

crash in mozilla::a11y::DocAccessible::ValidateARIAOwned

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox45 --- wontfix
firefox46 --- fixed
firefox-esr38 --- unaffected
firefox-esr45 46+ fixed

People

(Reporter: davidb, Assigned: surkov)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main46+][adv-esr45.1+])

Crash Data

Attachments

(1 file)

patch
1.66 KB, patch
davidb
: review+
Sylvestre
: approval-mozilla-esr45+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-1cee5aa5-a701-47f9-b19f-b134e2151210. ============================================================= More here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Aa11y%3A%3ADocAccessible%3A%3AValidateARIAOwned
Attached patch patchSplinter Review
Assignee: nobody → surkov.alexander
Attachment #8697691 - Flags: review?(dbolter)
Attachment #8697691 - Flags: review?(dbolter) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a88ff27e1aa921e27b918acbc7b966cd1c4e0e65 Bug 1231919 - crash in mozilla::a11y::DocAccessible::ValidateARIAOwned, r=davidb
https://hg.mozilla.org/mozilla-central/rev/a88ff27e1aa9
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox46: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
The crash in 44.0.x (featuring a lot of fffffffe5e5e5e5 crash addresses) is clearly a use-after-free. The crashes in 45.0.x are in a different spot (new code added in 45 by bug 1219299). None of the 45.0.x crashes show the jemalloc-poisoned values, but the patch still looks like UAF-prevention. We should land this patch on the ESR-45 branch.
Group: core-security-release
status-firefox45: --- → affected
status-firefox-esr38: --- → unaffected
status-firefox-esr45: --- → affected
tracking-firefox-esr45: --- → 46+
Keywords: csectype-uaf, sec-high
+NI Alex.
Flags: needinfo?(surkov.alexander)
It is indeed a low risk patch, it can be safely backported I think.
Flags: needinfo?(surkov.alexander)
Whiteboard: [post-critsmash-triage]
Comment on attachment 8697691 [details] [diff] [review] patch We need this in esr45 too.
Attachment #8697691 - Flags: approval-mozilla-esr45+
status-firefox45: affectedwontfix
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main46+][adv-esr45.1+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: