Closed Bug 1314027 Opened 3 years ago Closed 3 years ago

Crash [@ mozilla::dom::DOMIntersectionObserver::Update ]

Categories

(Core :: Layout, defect, critical)

Priority: Not set

Tracking


RESOLVED FIXED
mozilla52
Tracking Status
firefox49 --- unaffected
firefox-esr45 --- unaffected
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- fixed

People

(Reporter: bc, Assigned: tschneider)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, sec-critical)

Crash Data

Attachments

(6 files)

Found on Bughunter as a highly exploitable crash on Windows x86. Reproduced on Nightly Windows 7, Windows 10, Fedora 24, Ubuntu 16 and reproduced locally on Linux x86_64 with bp-ead1d1a1-d7fb-48fe-96ed-b30f52161031 on Linux x86_64. Also crashes Linux asan builds.

Reproduced with http://www.cda.pl/gry-online/34264f0/Fabryka-Factory-Idle and 16 other URLs with EXCEPTION_ACCESS_VIOLATION_EXEC and EXCEPTION_ACCESS_VIOLATION_READ.

Other URLs:

https://it.yahoo.com/
https://www.olx.pl/szczytno/q-radio/
http://www.bankier.pl/forum/forum_o_elektrim%2C6%2C21%2C56.html
Flags: needinfo?(tschneider)
The ASan report just says this is a null deref crash, so I'm clearing the sec-critical flag for now.
Keywords: sec-critical
exploitable reported high for the Windows 32bit crashes combined with the EXCEPTION_ACCESS_VIOLATION_EXEC reason leads me to think this is sec-critical.
Assignee: nobody → tschneider
Flags: needinfo?(tschneider)
Depends on: 1314032
Should have been fixed via bug 1314032. Bob, can you confirm?
Flags: needinfo?(bob)
Still getting ASan crashes along with null ptr crashes. No exploitable high crashes but still see some exploitable low on debug Windows 32-bit builds.
Flags: needinfo?(bob)
URL for last ASan report was:
https://www.olx.pl/oferty/q-gospodarstwo/?page=8
Windows 7 32bit debug

Assertion failure: mRawPtr != 0 (You can't dereference a NULL RefPtr with operator->().), at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\src\obj-firefox\dist\include\mozilla/RefPtr.h:307

https://www.olx.pl/dom-ogrod/krakow/q-rolety/?page=2
The ASan report after is crashing on 0x0187c005e338, which is not null any more, so I'll bump this back up to critical. ;)
Keywords: sec-critical
Fixes crash by making sure pointers are initialized properly.
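A constructed C++ illustration of the defect class this patch addresses, an object whose pointer member is left uninitialized by one construction path, placed beside the initialized form. This is an added example, not the Gecko patch or the real DOMIntersectionObserver code; the Node and Observer types, the Update() return convention and the sample id values are assumptions made for the illustration.

```cpp
#include <cstddef>

// Constructed stand-in for a DOM node; not Gecko's real node class.
struct Node {
    int id;
};

// Shape of the defect (constructed illustration, not the patched Gecko code):
// a raw pointer member that the default constructor never sets. Reading mRoot
// afterwards is undefined behaviour. In practice it holds leftover stack or
// heap bytes, so the dereference sometimes hits null (the "null deref" ASan
// report) and sometimes a wild non-null address (as seen later in this bug),
// which is why the rating moved from a plain null-pointer crash to sec-critical.
struct ObserverBefore {
    Node* mRoot;           // uninitialized
    ObserverBefore() {}    // forgets to set mRoot
    int Update() const { return mRoot->id; }  // UB when mRoot was never set
};

// Hardened form: an in-class default member initializer guarantees a known
// value for every constructor, and Update() checks before dereferencing.
// Gecko's debug RefPtr (the "mRawPtr != 0" assertion quoted above) would
// turn a missed check into a deterministic assertion instead of a read at a
// garbage address; the explicit check here keeps that behaviour visible.
class ObserverAfter {
public:
    ObserverAfter() = default;                          // mRoot == nullptr
    explicit ObserverAfter(Node* aRoot) : mRoot(aRoot) {}

    bool HasRoot() const { return mRoot != nullptr; }

    // Returns the root's id, or -1 when there is no root to observe.
    int Update() const {
        if (!mRoot) {
            return -1;
        }
        return mRoot->id;
    }

    void SetRoot(Node* aRoot) { mRoot = aRoot; }

private:
    Node* mRoot = nullptr;   // always initialized, whichever constructor ran
};

// Exercises every construction path to show each is safe to call.
// With the sample id 42: (-1) + 42 + 42 == 83.
int UpdateAll() {
    Node n{42};
    ObserverAfter defaultConstructed;          // no root yet
    ObserverAfter withRoot(&n);
    ObserverAfter lateRoot;
    lateRoot.SetRoot(&n);
    return defaultConstructed.Update() + withRoot.Update() + lateRoot.Update();
}
```

The ObserverBefore case is the one a release build will not warn about: a member left unset in a constructor body is not caught by -Wuninitialized, so a MemorySanitizer build (-fsanitize=memory on Linux) or a debug assertion on the pointer wrapper is the practical way to make the missing initialization fail deterministically instead of depending on what the memory happened to contain.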
http://www.b.dk/ is another live web example where the topsite tests crashed today with this signature
Attachment #8806616 - Flags: review?(mstange)
Comment on attachment 8806616 [details] [diff] [review]
Avoid uninitialized pointers

Review of attachment 8806616 [details] [diff] [review]:
-----------------------------------------------------------------

I can't believe I didn't catch that.
Attachment #8806616 - Flags: review?(mstange) → review+
Keywords: checkin-needed
Crash Signature: [@ mozilla::dom::DOMIntersectionObserver::Update ] → [@ mozilla::dom::DOMIntersectionObserver::Update ] [@ mozilla::dom::CheckSimilarOrigin]
https://hg.mozilla.org/mozilla-central/rev/9beb0764b238
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Group: core-security → core-security-release
Group: core-security-release