Bug 1314027 - Crash [@ mozilla::dom::DOMIntersectionObserver::Update ]
Status: Closed, RESOLVED FIXED
Opened 8 years ago; closed 8 years ago
Category: Core :: Layout, defect
Target milestone: mozilla52

Version | Tracking | Status
---|---|---
firefox49 | --- | unaffected
firefox-esr45 | --- | unaffected
firefox50 | --- | unaffected
firefox51 | --- | unaffected
firefox52 | --- | fixed

People: Reporter: bc, Assigned: tschneider
Keywords: crash, regression, sec-critical
Attachments: 6 files

Description
Found on Bughunter as a highly exploitable crash on Windows x86. Reproduced on Nightly Windows 7, Windows 10, Fedora 24, Ubuntu 16 and reproduced locally on Linux x86_64 with bp-ead1d1a1-d7fb-48fe-96ed-b30f52161031 on Linux x86_64. Also crashes Linux asan builds.
Reproduced with http://www.cda.pl/gry-online/34264f0/Fabryka-Factory-Idle and 16 other URLs with EXCEPTION_ACCESS_VIOLATION_EXEC and EXCEPTION_ACCESS_VIOLATION_READ.
Other URLs:
https://it.yahoo.com/
https://www.olx.pl/szczytno/q-radio/
http://www.bankier.pl/forum/forum_o_elektrim%2C6%2C21%2C56.html
Comment 1 • 8 years ago (Reporter)
Opt ASan crash report for http://video.thebiglead.com/feature/russell-westbrook-will-be-unleashed-like-never-before-.html
Updated • 8 years ago
Flags: needinfo?(tschneider)
Updated • 8 years ago
status-firefox49: --- → unaffected
status-firefox50: --- → unaffected
status-firefox51: --- → unaffected
status-firefox-esr45: --- → unaffected
Keywords: regression
Comment 2 • 8 years ago
The ASan report just says this is a null deref crash, so I'm clearing the sec-critical flag for now.
Keywords: sec-critical
Comment 3 • 8 years ago (Reporter)
Exploitable reported high for the Windows 32-bit crashes; combined with the EXCEPTION_ACCESS_VIOLATION_EXEC reason, this leads me to think this is sec-critical.
Updated • 8 years ago (Assignee)
Assignee: nobody → tschneider
Flags: needinfo?(tschneider)
Comment 4 • 8 years ago (Assignee)
Should have been fixed via bug 1314032. Bob, can you confirm?
Flags: needinfo?(bob)
Comment 5 • 8 years ago (Reporter)
Still getting ASan crashes along with null-pointer crashes. No exploitable-high crashes, but I still see some exploitable-low ones on debug Windows 32-bit builds.
Flags: needinfo?(bob)
Comment 6 • 8 years ago (Reporter)
URL for the last ASan report was:
https://www.olx.pl/oferty/q-gospodarstwo/?page=8
Comment 7 • 8 years ago (Reporter)
http://www.dagbladet.no/kultur/bergensere-har-en-veldig-pastaelig-dialekt-mange-hoyprofilerte-bergensere-som-hans-wilhelm-steinfeld-og-davy-wathne-er-jo-litt-brautende/64031140 also crashes ASan and shows a low exploitable rating on a Windows 10 32-bit debug build.
Comment 8 • 8 years ago (Reporter)
Windows 7 32-bit debug:
Assertion failure: mRawPtr != 0 (You can't dereference a NULL RefPtr with operator->().), at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\src\obj-firefox\dist\include\mozilla/RefPtr.h:307
https://www.olx.pl/dom-ogrod/krakow/q-rolety/?page=2
Comment 9 • 8 years ago
The later ASan report is crashing on 0x0187c005e338, which is not null any more, so I'll bump this back up to critical. ;)
Keywords: sec-critical
Comment 10 • 8 years ago (Assignee)
Fixes crash by making sure pointers are initialized properly.
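The pattern behind the fix described in comment 10, as an added example. This is not the patch from this bug and not Gecko code; `IntersectionTracker`, `Element` and the member names are assumptions. It shows why the reports in this thread moved from a null dereference to a wild address: an uninitialised pointer member holds whatever bytes the allocator left, so a null check in `Update()` only becomes meaningful once the member is given an in-class initialiser.

```cpp
// Added example, not Gecko code. Models the bug class from this report: a
// pointer member that is never initialised can read as nullptr in one build
// (null deref) and as a stale address in another (wild read/exec), so a
// null check in Update() only helps once the member is actually initialised.
#include <cstddef>
#include <vector>

struct Element {            // hypothetical stand-in for a DOM element
    int offsetTop;
    int height;
};

class IntersectionTracker { // hypothetical observer; names are assumptions
public:
    // Buggy pattern (not compiled here; reading it is undefined behaviour):
    //   Element* mRoot;      // value is whatever bytes were left in memory
    // Fixed pattern: in-class initialisers make "no root" a real nullptr.
    Element* mRoot = nullptr;
    Element* mLastHit = nullptr;

    void SetRoot(Element* aRoot) { mRoot = aRoot; }
    void Observe(Element* aTarget) { mTargets.push_back(aTarget); }

    // Counts targets that vertically intersect the root rectangle. With the
    // member initialised, the null check is meaningful and the viewport
    // fallback is taken instead of dereferencing garbage.
    size_t Update(int aViewportTop, int aViewportHeight) {
        const int top = mRoot ? mRoot->offsetTop : aViewportTop;
        const int bottom = top + (mRoot ? mRoot->height : aViewportHeight);
        size_t hits = 0;
        for (Element* t : mTargets) {
            if (!t) continue;                     // tolerate null entries
            if (t->offsetTop < bottom && t->offsetTop + t->height > top) {
                ++hits;
                mLastHit = t;
            }
        }
        return hits;
    }

    bool PointersStartNull() const {
        return mRoot == nullptr && mLastHit == nullptr;
    }

private:
    std::vector<Element*> mTargets;
};

// Constructed sample geometry: same targets, once without a root (viewport
// fallback) and once with an explicit root element.
size_t HitsWithoutRoot() {
    static Element a{0, 50}, b{200, 50}, c{900, 50};
    IntersectionTracker tracker;
    tracker.Observe(&a);
    tracker.Observe(&b);
    tracker.Observe(nullptr);   // a null entry must not crash Update()
    tracker.Observe(&c);
    return tracker.Update(0, 600);   // a and b intersect, c is below the fold
}

size_t HitsWithRoot() {
    static Element root{150, 100}, a{0, 50}, b{200, 50}, c{900, 50};
    IntersectionTracker tracker;
    tracker.SetRoot(&root);
    tracker.Observe(&a);
    tracker.Observe(&b);
    tracker.Observe(&c);
    return tracker.Update(0, 600);   // only b overlaps [150, 250)
}

bool FreshTrackerHasNullPointers() {
    IntersectionTracker tracker;    // no SetRoot() call
    return tracker.PointersStartNull();
}
```

The debug-build assertion quoted in comment 8 (`mRawPtr != 0`) catches the null case only; a stale non-null value passes that check and is dereferenced, which is the non-null address ASan reported in comment 9. Initialising every pointer member at declaration, rather than relying on constructors remembering each one, is the defensive habit this bug illustrates.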
Comment 11 • 8 years ago
http://www.b.dk/ is another live web example where the topsite tests crashed today with this signature.
Updated • 8 years ago (Assignee)
Attachment #8806616 - Flags: review?(mstange)
Comment 12 • 8 years ago
Comment on attachment 8806616 [details] [diff] [review]
Avoid uninitialized pointers
Review of attachment 8806616 [details] [diff] [review]:
-----------------------------------------------------------------
I can't believe I didn't catch that.
Attachment #8806616 - Flags: review?(mstange) → review+
Updated • 8 years ago (Assignee)
Keywords: checkin-needed
Comment 13 • 8 years ago
Keywords: checkin-needed
Updated • 8 years ago
Crash Signature: [@ mozilla::dom::DOMIntersectionObserver::Update ] → [@ mozilla::dom::DOMIntersectionObserver::Update ] [@ mozilla::dom::CheckSimilarOrigin]
Comment 14 • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Updated • 8 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release