Bug 1350882
Opened 7 years ago
Closed 7 years ago
Crash in mozilla::layers::BasicDisplayItemLayer::Paint
Categories
(Core :: Graphics: Layers, defect)
RESOLVED DUPLICATE of bug 1351114
| Tracking | Status |
---|---|---|
firefox55 | --- | affected |
People
(Reporter: marcia, Unassigned)
Details
(Keywords: crash, csectype-uaf, sec-high)
Crash Data
This bug was filed from the Socorro interface and is report bp-6c576a70-1e3c-4ede-83ff-688102170325.
=============================================================

Seen while looking at nightly crash stats. Crashes started using 20170323030203 and occur on Windows, Mac and Linux.

The Windows signature has an address that looks potentially exploitable so I closed this one off to the Security group.

http://bit.ly/2n9L2Yz is the link to the crashes.

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=201231223cd4354a450c3e5d80959f35b8e4cf0c&tochange=7513b3f42058e9bcf9950d4acf4647d4ad2240f0
Comment 1•7 years ago (Reporter)

Some comments from the Mac crashes:

webrender: click on burger menu > (?) to get to the updates, but crash then. have to disable webrender .... for today ;-)

one tab: about:newtab, clicked on Downloads > Show all downloads. Crash.

Bug 1337130 seems to have touched some code in this area. ni on Mason in case he has some insight.
Flags: needinfo?(mchang)
OS: Windows 10 → All
Hardware: x86 → All
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(mchang)
Resolution: --- → DUPLICATE
Comment 3•7 years ago
Just an FYI, webrender isn't enabled by default, so these shouldn't be critical.
Comment 4•7 years ago (Reporter)

(In reply to Mason Chang [:mchang] from comment #3)
> Just an FYI, webrender isn't enabled by default, so these shouldn't be
> critical.

Is there any reason that some of the reports would show high exploitability - such as https://crash-stats.mozilla.com/report/index/a34c3e32-65b4-47d2-8894-0ce352170325?
Comment 5•7 years ago

(In reply to Marcia Knous [:marcia - use ni] from comment #4)
> (In reply to Mason Chang [:mchang] from comment #3)
> > Just an FYI, webrender isn't enabled by default, so these shouldn't be
> > critical.
>
> Is there any reason that some of the reports would show high exploitability
> - such as
> https://crash-stats.mozilla.com/report/index/a34c3e32-65b4-47d2-8894-0ce352170325?

Sorry, I'm confused. How are you gauging high exploitability?
Comment 6•7 years ago (Reporter)

(In reply to Mason Chang [:mchang] from comment #5)
> (In reply to Marcia Knous [:marcia - use ni] from comment #4)
> > (In reply to Mason Chang [:mchang] from comment #3)
> > > Just an FYI, webrender isn't enabled by default, so these shouldn't be
> > > critical.
> >
> > Is there any reason that some of the reports would show high exploitability
> > - such as
> > https://crash-stats.mozilla.com/report/index/a34c3e32-65b4-47d2-8894-0ce352170325?
>
> Sorry, I'm confused. How are you gauging high exploitability?

By the crash address. Randell gave us a presentation and noted that that address is often exploitable. Adding him for clarity.
Flags: needinfo?(rjesup)
Comment 7•7 years ago
https://crash-stats.mozilla.com/report/index/6dc59cd3-730d-4780-b95f-d4eab2170327 is a clear UAF
Flags: needinfo?(rjesup)
Keywords: csectype-uaf, sec-high
Comment 8•7 years ago
Note this means the bug this is a dup of is also a sec bug. However, it was a new regression, so didn't need s-a to land.
Updated•4 years ago
Group: core-security