Closed
Bug 1347657
Opened 9 years ago
Closed 9 years ago
nsUrlClassifierStreamUpdater::FetchNextRequest has potential use-after-free issue
Categories
(Toolkit :: Safe Browsing, enhancement)
Toolkit
Safe Browsing
Tracking
()
RESOLVED
FIXED
mozilla55
| Tracking | Status | |
|---|---|---|
| firefox55 | --- | fixed |
People
(Reporter: hchang, Assigned: hchang)
References
Details
(Keywords: csectype-uaf)
Attachments
(1 file)
http://searchfox.org/mozilla-central/rev/ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#
nsresult
nsUrlClassifierStreamUpdater::FetchNextRequest()
{
//
PendingRequest &request = mPendingRequests[0];
DownloadUpdates(...) // (1)
request.mSuccessCallback = nullptr;
}
At (1), mPendingRequests may be realloc'ed internally because of AppendElement [1][2]. If the realloc happens, |request| becomes a dangling reference.
[1] http://searchfox.org/mozilla-central/rev/ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#236
[2] http://searchfox.org/mozilla-central/rev/ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#276
|
Assignee | |
Comment 1•9 years ago
|
||
https://public-artifacts.taskcluster.net/PNtHucRCRoOcK38JRpKplg/0/public/logs/live_backing.log
Try run for Bug 1339050 hit this long-standing issue :(
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → hchang
|
|
Assignee | |
Comment 2•9 years ago
|
||
(In reply to Henry Chang [:henry][:hchang] from comment #0)
> http://searchfox.org/mozilla-central/rev/
> ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/
> nsUrlClassifierStreamUpdater.cpp#
>
> nsresult
> nsUrlClassifierStreamUpdater::FetchNextRequest()
> {
> //
> PendingRequest &request = mPendingRequests[0];
> DownloadUpdates(...) // (1)
> request.mSuccessCallback = nullptr;
> }
>
> At (1), mPendingRequests may be realloc'ed internally because of
> AppendElement [1][2]. If the realloc happens, |request| becomes a dangling
> reference.
>
What's actually caught by the address sanitizer is not
"request.mSuccessCallback = nullptr"
but
http://searchfox.org/mozilla-central/rev/571c1fd0ba0617f83175ccc06ed6f3eb0a1a8b92/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#237
because |aRequestTables| is the reference (const nsACString&) from a dangling reference.
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8847971 -
Flags: review?(francois)
|
||
Comment 4•9 years ago
|
||
| mozreview-review | ||
Comment on attachment 8847971 [details]
Bug 1347657 - Use array entry as value instead of reference to avoid being invalidated by realloc.
https://reviewboard.mozilla.org/r/120926/#review123216
Attachment #8847971 -
Flags: review?(francois) → review+
Pushed by hchang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d4a86ef46e9
Use array entry as value instead of reference to avoid being invalidated by realloc. r=francois
|
||
Comment 6•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
|
Assignee | |
Comment 7•9 years ago
|
||
|
|
Assignee | |
Comment 8•9 years ago
|
||
|
|
Assignee | |
Comment 9•9 years ago
|
||
|
|
Assignee | |
Comment 10•9 years ago
|
||
|
|
Assignee | |
Comment 11•9 years ago
|
||
|
||
Updated•9 years ago
|
Keywords: csectype-uaf
You need to log in
before you can comment on or make changes to this bug.
Description
•