Closed
Bug 1347657
Opened 7 years ago
Closed 7 years ago
nsUrlClassifierStreamUpdater::FetchNextRequest has potential use-after-free issue
Categories
(Toolkit :: Safe Browsing, enhancement)
Toolkit
Safe Browsing
Tracking
()
RESOLVED
FIXED
mozilla55
| Tracking | Status | |
|---|---|---|
| firefox55 | --- | fixed |
People
(Reporter: hchang, Assigned: hchang)
References
Details
(Keywords: csectype-uaf)
Attachments
(1 file)
http://searchfox.org/mozilla-central/rev/ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp# nsresult nsUrlClassifierStreamUpdater::FetchNextRequest() { // PendingRequest &request = mPendingRequests[0]; DownloadUpdates(...) // (1) request.mSuccessCallback = nullptr; } At (1), mPendingRequests may be realloc'ed internally because of AppendElement [1][2]. If the realloc happens, |request| becomes a dangling reference. [1] http://searchfox.org/mozilla-central/rev/ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#236 [2] http://searchfox.org/mozilla-central/rev/ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#276
|
Assignee | |
Comment 1•7 years ago
|
||
https://public-artifacts.taskcluster.net/PNtHucRCRoOcK38JRpKplg/0/public/logs/live_backing.log Try run for Bug 1339050 hit this long-standing issue :(
|
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → hchang
|
|
Assignee | |
Comment 2•7 years ago
|
||
(In reply to Henry Chang [:henry][:hchang] from comment #0) > http://searchfox.org/mozilla-central/rev/ > ca7015fa45b30b29176fbaa70ba0a36fe9263c38/toolkit/components/url-classifier/ > nsUrlClassifierStreamUpdater.cpp# > > nsresult > nsUrlClassifierStreamUpdater::FetchNextRequest() > { > // > PendingRequest &request = mPendingRequests[0]; > DownloadUpdates(...) // (1) > request.mSuccessCallback = nullptr; > } > > At (1), mPendingRequests may be realloc'ed internally because of > AppendElement [1][2]. If the realloc happens, |request| becomes a dangling > reference. > What's actually caught by the address sanitizer is not "request.mSuccessCallback = nullptr" but http://searchfox.org/mozilla-central/rev/571c1fd0ba0617f83175ccc06ed6f3eb0a1a8b92/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp#237 because |aRequestTables| is the reference (const nsACString&) from a dangling reference.
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8847971 -
Flags: review?(francois)
|
||
Comment 4•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8847971 [details] Bug 1347657 - Use array entry as value instead of reference to avoid being invalidated by realloc. https://reviewboard.mozilla.org/r/120926/#review123216
Attachment #8847971 -
Flags: review?(francois) → review+
Pushed by hchang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2d4a86ef46e9 Use array entry as value instead of reference to avoid being invalidated by realloc. r=francois
|
||
Comment 6•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/2d4a86ef46e9
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
|
Assignee | |
Comment 7•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=75e2a3ffc1ee
|
|
Assignee | |
Comment 8•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=5350e77082b4
|
|
Assignee | |
Comment 9•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=7f27895a4552
|
|
Assignee | |
Comment 10•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=daf782c7da04
|
|
Assignee | |
Comment 11•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=dd3762b92f3b
|
||
Updated•7 years ago
|
Keywords: csectype-uaf
You need to log in
before you can comment on or make changes to this bug.
Description
•