Crash in objc_msgSend | -[GeckoNSMenu performSuperKeyEquivalent:]

RESOLVED FIXED in Firefox 55

Status

defect
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: marcia, Assigned: spohl)

Tracking

(4 keywords)

55 Branch
mozilla55
Unspecified
macOS

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55+ fixed)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is report bp-4a81ca5d-02ef-4d6c-80e1-7eefd0170518.
=============================================================

Seen while looking at nightly crash stats - crashes started on Mac using 20170516122050: 

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3e166b6838931b3933ca274331f9e0e115af5cc0&tochange=6e3ca5b38f7173b214b10de49e58cb01890bf39d

Bug 429824 is in the range. ni on spohl.
Flags: needinfo?(spohl.mozilla.bugs)
Assignee

Updated

2 years ago
Duplicate of this bug: 1365880
(In reply to [:philipp] from comment #1)
> the crashing address of most of these reports indicates it's a UAF situation.
Group: core-security
Assignee

Updated

2 years ago
Assignee: nobody → spohl.mozilla.bugs
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(spohl.mozilla.bugs)
Resolution: --- → FIXED
:spohl, why did you close this bug?
Assignee

Comment 4

2 years ago
Umm... I only meant to assign this bug to me. Looking into it now.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Tracking 55+ for this regression.
Assignee

Comment 6

2 years ago
Posted patch: Patch
Attachment #8869144 - Flags: review?(mstange)
Attachment #8869144 - Flags: review?(mstange) → review+
Assignee

Comment 7

2 years ago
Comment on attachment 8869144 [details] [diff] [review]
Patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Unknown

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes

Which older supported branches are affected by this flaw?
None. This only affects nightly since this past Tuesday.

If not all supported branches, which bug introduced the flaw?
bug 429824

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
n/a

How likely is this patch to cause regressions; how much testing does it need?
No risk of regressions. There is no good way to test the fix.
Attachment #8869144 - Flags: sec-approval?
Comment on attachment 8869144 [details] [diff] [review]
Patch

This doesn't need sec approval since it only affects trunk. Land away!
Attachment #8869144 - Flags: sec-approval?
Assignee

Comment 9

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9f160f5995bbd3c62fe44d45681dcdd3b04c04ee
Bug 1365825: Fix occasional crashes on OSX when handling custom shortcuts. r=mstange
Assignee

Comment 10

2 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> Comment on attachment 8869144 [details] [diff] [review]
> Patch
> 
> This doesn't need sec approval since it only affects trunk. Land away!

Between closing the wrong bug as duplicate (bug 1365880, which was already marked as core-security, instead of this one), accidentally closing this bug here as fixed when I meant to only assign it to myself, and seeing "sec-approval required on patches before landing" and following that advice when it wasn't necessary, I clearly still need to get used to the new bugzilla... Thanks for bearing with me.
Crash Signature: [@ objc_msgSend | -[GeckoNSMenu performSuperKeyEquivalent:]] → [@ objc_msgSend | -[GeckoNSMenu performSuperKeyEquivalent:]] [@ objc_msgSend | -[NSMenu performKeyEquivalent:] ]
Group: core-security → layout-core-security
https://hg.mozilla.org/mozilla-central/rev/9f160f5995bb
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago → 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: layout-core-security
Duplicate of this bug: 1366626