Closed Bug 1306223 Opened 9 years ago Closed 9 years ago

Crash in nsCOMPtr_base::assign_from_qi | imgRequestProxy::UnblockOnload

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Version:
48 Branch
Platform:
Unspecified
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
mozilla49
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected

People

(Reporter: kanru, Assigned: aosmond)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

Attachments

(1 obsolete file)

This bug was filed from the Socorro interface and is report bp-4d0826c7-be9a-4d0d-8e00-636402160929. ============================================================= Crashed today on 48.0.2, most other crashes are also on Linux with crashing address 0x0 or 0xe5e5e5e5 Seems low volume. stack: nsCOMPtr_base::assign_from_qi imgRequestProxy::UnblockOnload mozilla::image::SyncNotifyInternal<const mozilla::image::ObserverTable*> mozilla::image::ProgressTracker::SyncNotifyProgress mozilla::image::RasterImage::NotifyProgress mozilla::image::RasterImage::FinalizeDecoder mozilla::image::NotifyDecodeCompleteWorker::Run nsThread::ProcessNextEvent ... js stacks ... nsXPCWrappedJSClass::CallMethod PrepareAndDispatch nsGlobalWindow::AlertOrConfirm mozilla::dom::WindowBinding::alert mozilla::dom::WindowBinding::genericMethod ... js stacks ... nsGlobalWindow::RunTimeoutHandler nsGlobalWindow::RunTimeout nsGlobalWindow::TimerCallback nsTimerImpl::Fire nsTimerEvent::Run nsThread::ProcessNextEvent
The above is a null deref, here's a UAF address crash that apparently happened on YouTube bp-467dd08a-5e85-4ef7-953c-9e6e52160923
Out of 28 crashes at the following query, 6 show UAF-ness the rest are null derefs. All but one Mac Fx38 crash are on Linux.
Group: core-security → gfx-core-security
Keywords: csectype-uaf, sec-high
Assignee: nobody → aosmond
My first thought is that somehow, something is going wrong with the imgRequestProxy::mListener pointer, such that we lost the strong reference but we are still executing events and mListener did not get cleared. I am not convinced it is a simple null pointer dereference (secondary issue perhaps). In all of the reports I have looked at thus far, it seems that for 32-bit crash reports, rax is 0xe5e5e5e5 (the pointer we crash on). For 64-bit crash reports, no registers contain 0x0 but rcx (probably the this pointer...) is 0xe5e5e5e5e5e5e5e5 which is probably not a coincidence. I've changed imgRequestProxy is contain an nsCOMPtr and nsWeakPtr for its strong and weak references respectively, and updated all of the classes implementing nsINotificationObserver to support weak references. This is a much safer way of using that previously raw pointer. try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c3aa9ac45b2d
Attachment #8796655 - Attachment is obsolete: true
On further consideration, this crash signature will not be reproducible due to the changes in bug 1282259 which altered this code path substantially.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Andrew: don't mark real security bugs as INVALID. FIXED and "depends on" the bug you think fixed it might have been best. There was a real fix here, and INVALID hides it from evaluation about whether we need to ship a fix sooner, or perhaps backport a cherry-picked part of it, and from any kind of advisory.
status-firefox-esr45: --- → unaffected
Depends on: 1282259
Flags: needinfo?(aosmond)
Resolution: INVALID → FIXED
Whiteboard: Probably fixed by 1282259
Target Milestone: --- → mozilla50
The guess in comment 4 is unlikely -- the UAF crash only ever appeared in versions 47.x and 48.x. Most likely something else fixed it in 49.
No longer depends on: 1282259
Resolution: FIXED → WORKSFORME
Whiteboard: Probably fixed by 1282259
Target Milestone: mozilla50 → mozilla49
Flags: needinfo?(aosmond)
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: