Closed Bug 1328840 Opened 8 years ago Closed 8 years ago

[@ mozilla::dom::icc::PIccRequestChild::DestroySubtree ]

Product / Component: Core :: IPC
Type: defect
Version: 50 Branch
Priority: Not set
Severity: normal
Status: RESOLVED FIXED

Tracking Status:
firefox-esr45 --- unaffected
firefox50 --- wontfix
firefox51 --- unaffected

Reporter: mishra.dhiraj95
Assignee: Unassigned
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507

Steps to reproduce:

Crash ID: bp-2a1e12fd-9f48-4fb2-8996-ee83d2170105
https://crash-stats.mozilla.com/report/index/2a1e12fd-9f48-4fb2-8996-ee83d2170105

Name: Firefox
Version: 50.1.0
Build ID: 20161208153507
Update Channel: release
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
OS: Windows_NT 6.1
Can you provide steps to reproduce?
Flags: needinfo?(mishra.dhiraj95)
I just simply opened Mozilla, where it crashed and generated a crash ID. Me too, figuring it out :D
Flags: needinfo?(mishra.dhiraj95)
UAF in interprocess communication, looks like.
Group: firefox-core-security → dom-core-security
Crash Signature: [@ mozilla::dom::icc::PIccRequestChild::DestroySubtree ]
Component: Untriaged → IPC
Keywords: csectype-uaf
Product: Firefox → Core
This crash signature first appears on Dec 13; regression from something? That's when we released 50.1, so it could be unique to security fixes in that release.
Keywords: regression
David, does this look like anything to you?
Flags: needinfo?(dvander)
It looks like this code (dom/icc) was removed in bug 1310864 as of Firefox 52, and it seems to have been for exposing SIM cards to privileged script on B2G (bug 744714 and https://developer.mozilla.org/en-US/docs/Mozilla/B2G_OS/API/MozIccManager).
…except that doesn't make sense, because even if there were some way to activate that code on desktop, it wouldn't be a subactor of a PImageBridge. Maybe this is a case where the linker merged bitwise-identical functions and the crash processor doesn't know enough to pick the right name.
It looks like ImageBridge is trying to destroy an actor that's already freed. ImageBridge had lots of race conditions, especially related to shutdown, that we fixed with a big refactoring in Firefox 51. bug 1298938 was where a lot of this happened. We've seen other sec bugs and top crashes go away after that landed, and this bug appears to be Firefox 50 only.
Flags: needinfo?(dvander)
If both the free and the re-use happen during a shutdown process it would be pretty hard to exploit. Given that it's gotten fixed in Firefox 51 we don't need to fix it only for 50.1 since we're shipping 51 in two weeks anyway.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Depends on: 1298938
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Group: core-security-release