Closed Bug 1277946 Opened 9 years ago Closed 9 years ago

Possible use-after-free in PBlobChild::DestroySubtree

Categories: Core :: IPC, defect, P1

Status: RESOLVED DUPLICATE of bug 1277614

Tracking Status: firefox49 --- affected

People

(Reporter: mccr8, Assigned: gkrizsanits)

Details

(Keywords: csectype-uaf, sec-moderate, Whiteboard: btpp-active)

Looking at the crash reports for bug 1277614, a lot of the crash addresses contain jemalloc poison. PBlobChild is the second thing that PContentChild::DestroySubtree destroys. I don't see anything else in the top 300 with DestroySubtree, so I'm not sure why this in particular is where all of the crashes are.
If the line numbers match up, then the crash is on the first line of PBlobChild::DestroySubtree, so maybe the |this| pointer for the PBlobChild is poisoned? I noticed that DestroySubtree() doesn't hold the actors alive, so maybe this is some kind of iterator invalidation? It also does not clear the array of child actors, so maybe this is getting called twice? Or maybe destroying one PBlobChild somehow destroys a sibling? Could you look at this, Bill?
Flags: needinfo?(wmccloskey)
Keywords: csectype-uaf
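Added illustration of the hypothesis in comment 0 (this is not code from this bug, nor Mozilla's IPDL-generated DestroySubtree): a manager loop that neither holds the actors it visits alive nor clears its managed array, while tearing one actor down frees a sibling the loop still intends to visit. Every name here (FakeHeap, Actor, Manager, DestroyActor, the `dependent` link) is invented for the demo. FakeHeap records "freed" actors instead of deallocating them, so a stale visit can be counted rather than dereferencing poisoned memory; the hardened variant snapshots and clears the array, holds a reference across the loop, and relies on per-actor teardown being idempotent.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Toy model, not Mozilla code: a manager tearing down its managed child actors.

struct Actor;

// Stand-in for the allocator. Nothing is really deallocated (Manager's arena
// owns the objects); it only records which actors have been "freed" so that a
// later visit can be counted instead of reading poisoned memory.
struct FakeHeap {
    std::set<const Actor*> freed;
    bool IsFreed(const Actor* a) const { return freed.count(a) != 0; }
};

struct Actor {
    FakeHeap* heap;
    int refcnt = 1;              // the managed array's reference
    bool destroyed = false;
    Actor* dependent = nullptr;  // assumed: tearing this actor down also tears down a sibling
    explicit Actor(FakeHeap* h) : heap(h) {}
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) heap->freed.insert(this); }
};

// Idempotent teardown of one actor; the cross-actor step stands in for a
// hypothetical ActorDestroy that reaches into a sibling.
void DestroyActor(Actor* a) {
    if (a->destroyed) return;
    a->destroyed = true;
    if (a->dependent) DestroyActor(a->dependent);
    a->Release();  // drop the managed array's reference
}

struct Manager {
    FakeHeap heap;
    std::vector<std::unique_ptr<Actor>> arena;  // keeps storage valid for the demo
    std::vector<Actor*> managed;                // the managed-actor array

    Actor* Add() {
        arena.push_back(std::unique_ptr<Actor>(new Actor(&heap)));
        managed.push_back(arena.back().get());
        return managed.back();
    }

    // Naive shape: walks the live array, holds nothing alive, never clears it.
    // Returns how many visited slots were already freed (each is a UAF in real code).
    int DestroySubtreeNaive() {
        int uaf = 0;
        for (std::size_t i = 0; i < managed.size(); ++i) {
            Actor* a = managed[i];
            if (heap.IsFreed(a)) { ++uaf; continue; }
            DestroyActor(a);
        }
        return uaf;
    }

    // Hardened shape: take the array away first (a second or re-entrant call
    // sees nothing), hold a reference across the loop so a sibling torn down
    // early stays valid, and let DestroyActor's idempotence skip it.
    int DestroySubtreeHardened() {
        int uaf = 0;
        std::vector<Actor*> snapshot;
        snapshot.swap(managed);
        for (Actor* a : snapshot) a->AddRef();
        for (Actor* a : snapshot) {
            if (heap.IsFreed(a)) { ++uaf; continue; }
            DestroyActor(a);
            a->Release();  // drop the snapshot's reference
        }
        return uaf;
    }
};

// Constructed scenario: A sits before B in the array, and tearing A down frees B.
static void Setup(Manager& m, Actor** a, Actor** b) {
    *a = m.Add();
    *b = m.Add();
    (*a)->dependent = *b;
}

// Freed slots touched over two calls: 1 on the first (B freed while A was torn
// down), 2 on the second (the array was never cleared).
int NaiveUafCount() {
    Manager m; Actor *a, *b; Setup(m, &a, &b);
    return m.DestroySubtreeNaive() + m.DestroySubtreeNaive();
}

int HardenedUafCount() {
    Manager m; Actor *a, *b; Setup(m, &a, &b);
    return m.DestroySubtreeHardened() + m.DestroySubtreeHardened();
}

// The hardened path still releases every actor once the loop finishes.
bool HardenedFreesEverything() {
    Manager m; Actor *a, *b; Setup(m, &a, &b);
    m.DestroySubtreeHardened();
    return m.heap.IsFreed(a) && m.heap.IsFreed(b);
}

int main() {
    std::printf("naive: %d stale visits, hardened: %d\n", NaiveUafCount(), HardenedUafCount());
    return 0;
}
```

Build with any C++11 compiler (e.g. `g++ -std=c++11 demo.cpp`). The point of the two counters is the difference: the naive walk touches one freed slot the first time and every slot the second time, while the snapshot-and-hold version touches none and still ends with every actor released.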
Relevant is jld's bug 898006 comment 4, which links to an analysis of a similar-looking crash in another DestroySubtree in bug 1202887.
Maybe it would make more sense for baku or somebody familiar with the PBlob ActorDestroy to audit that for possible things that are destroying other blobs.
Flags: needinfo?(wmccloskey) → needinfo?(amarchesini)
Group: core-security → dom-core-security
Flags: needinfo?(amarchesini)
Gabor is working on a related public bug.
Assignee: nobody → gkrizsanits
Whiteboard: btpp-active
This is pretty deep in shutdown, so I'll mark this moderate for now.
Keywords: sec-moderate
This is really just a dupe, and I ended up marking this sec-moderate, so I'll just dupe it over.
No longer blocks: 1277614
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security