Null Pointer Exception in IndexedDB - mozilla::dom::indexedDB::(anonymous namespace)::DatabaseConnection::GetCachedStatement

RESOLVED DUPLICATE of bug 1195149

Product: Core
Component: DOM: IndexedDB

People

(Reporter: Nicholas Starke, Unassigned)

Tracking

Version: 44 Branch
Keywords: crash, csectype-nullptr, testcase

Attachments

(1 attachment)

(Reporter)

Description

Created attachment 8727178 [details]
poc.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

Please see the PoC to reproduce the issue.


Actual results:

The browser crashed citing a null pointer dereference.


Expected results:

A race condition in IndexedDB leads to a null pointer exception. By repeatedly opening, performing operations, and closing IndexedDB database connections, it is possible to trigger a null pointer exception that crashes the browser. The PoC was tested on Mac OS X 10.11 with the release binary of Firefox 44.0.2 and can cause a crash within a few minutes of opening the poc. Attempts to reproduce the issue on Ubuntu 15.10 and Windows 7 were unsuccessful.

The offending line is:

dom/indexedDB/ActorsParent.cpp:6700

This becomes an issue when “mStorageConnection” is set to “nullptr” in dom/indexedDB/ActorsParent.cpp:10300.

A crash report is available at: https://crash-stats.mozilla.com/report/index/e8160559-442f-413c-a294-444852160306

I'm not certain if this represents a significant security threat, but I will mark it as so just in case.

Comment 1

Does this still reproduce using Nightly (v47, https://nightly.mozilla.org/)?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: IndexedDB
Flags: needinfo?(nick)
Product: Firefox → Core
(Reporter)

Comment 2

I just ran my PoC on nightly for about two hours without a crash. I'll let it run until tomorrow AM, but it seems like this issue is fixed in nightly.
Flags: needinfo?(nick)

Comment 3

I couldn't reproduce on Mac Fx 44.0.2
Keywords: crash, csectype-nullptr, testcase
Group: core-security → dom-core-security
(Reporter)

Comment 4

I never saw any additional crashes on the nightly version.

Is there any information I can provide that might assist in helping you reproduce this problem?
(Reporter)

Comment 5

I retested with firefox 45 and can't reproduce the crash. My guess is this is fixed now, and may have only been a problem on very specific setups.

I ran this overnight on trunk with no success.

It certainly happens in the wild, because this is bug 1195149 and bug 1172822.
Group: dom-core-security
Kyle, should we dupe this to either bug 1195149 or bug 1172822?
Flags: needinfo?(khuey)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(khuey)
Resolution: --- → DUPLICATE
Duplicate of bug: 1195149