Crash in objc_msgSend | -[GeckoNSMenu performSuperKeyEquivalent:]

RESOLVED FIXED in Firefox 55

Status


Core
Widget: Cocoa
--
critical
RESOLVED FIXED
9 months ago
9 months ago

People

(Reporter: marcia, Assigned: spohl)

Tracking

(4 keywords)

55 Branch
mozilla55
Unspecified
Mac OS X
crash, csectype-uaf, regression, sec-high
Points:
---

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55+ fixed)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is report bp-4a81ca5d-02ef-4d6c-80e1-7eefd0170518.
=============================================================

Seen while looking at nightly crash stats - crashes started on Mac using 20170516122050: 

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3e166b6838931b3933ca274331f9e0e115af5cc0&tochange=6e3ca5b38f7173b214b10de49e58cb01890bf39d

Bug 429824 is in the range. ni on spohl.
Flags: needinfo?(spohl.mozilla.bugs)
(Assignee)

Updated

9 months ago
Duplicate of this bug: 1365880
status-firefox53: --- → unaffected
status-firefox-esr52: --- → unaffected
tracking-firefox55: --- → ?
(In reply to [:philipp] from comment #1)
> the crashing address of most of these reports indicates it's a UAF situation.
Group: core-security
(Assignee)

Updated

9 months ago
Assignee: nobody → spohl.mozilla.bugs
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Flags: needinfo?(spohl.mozilla.bugs)
Resolution: --- → FIXED
:spohl, why did you close this bug?
(Assignee)

Comment 4

9 months ago
Umm... I only meant to assign this bug to me. Looking into it now.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 5

9 months ago
Tracking 55+ for this regression.
tracking-firefox55: ? → +
Keywords: csectype-uaf, sec-high
Blocks: 429824
(Assignee)

Comment 6

9 months ago
Created attachment 8869144 [details] [diff] [review]
Patch
Attachment #8869144 - Flags: review?(mstange)
Attachment #8869144 - Flags: review?(mstange) → review+
(Assignee)

Comment 7

9 months ago
Comment on attachment 8869144 [details] [diff] [review]
Patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Unknown

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes

Which older supported branches are affected by this flaw?
None. This only affects nightly since this past Tuesday.

If not all supported branches, which bug introduced the flaw?
bug 429824

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
n/a

How likely is this patch to cause regressions; how much testing does it need?
No risk of regressions. There is no good way to test the fix.
Attachment #8869144 - Flags: sec-approval?
Comment on attachment 8869144 [details] [diff] [review]
Patch

This doesn't need sec approval since it only affects trunk. Land away!
Attachment #8869144 - Flags: sec-approval?
(Assignee)

Comment 9

9 months ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9f160f5995bbd3c62fe44d45681dcdd3b04c04ee
Bug 1365825: Fix occasional crashes on OSX when handling custom shortcuts. r=mstange
(Assignee)

Comment 10

9 months ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> Comment on attachment 8869144 [details] [diff] [review]
> Patch
> 
> This doesn't need sec approval since it only affects trunk. Land away!

Between closing the wrong bug as duplicate (bug 1365880, which was already marked as core-security, instead of this one), accidentally closing this bug here as fixed when I meant to only assign it to myself, and seeing "sec-approval required on patches before landing" and following that advice when it wasn't necessary, I clearly still need to get used to the new bugzilla... Thanks for bearing with me.
Crash Signature: [@ objc_msgSend | -[GeckoNSMenu performSuperKeyEquivalent:]] → [@ objc_msgSend | -[GeckoNSMenu performSuperKeyEquivalent:]] [@ objc_msgSend | -[NSMenu performKeyEquivalent:] ]
Group: core-security → layout-core-security
https://hg.mozilla.org/mozilla-central/rev/9f160f5995bb
Status: REOPENED → RESOLVED
Last Resolved: 9 months ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: layout-core-security
Duplicate of this bug: 1366626