Bug 1371982 (Closed)
Opened 7 years ago, closed 7 years ago

Intermittent AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:867:5 in mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenInternal(mozilla::Abstra

Categories: Core :: XPCOM, defect, P1
Tracking: RESOLVED FIXED, Target Milestone: mozilla56
People: Reporter: aryx, Assigned: jwwang
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [adv-main55+][post-critsmash-triage]

Attachments (2 files):
    Attachment 8876953, 1371982_fix.patch (941 bytes, patch): mozbugz: review+; abillings: sec-approval+
    Attachment 8881326, 1371982_fix_beta_55.patch (941 bytes, patch): jcristau: approval-mozilla-beta+
https://treeherder.mozilla.org/logviewer.html#?job_id=106133372&repo=autoland

Bug 1342494 is another heap-use-after-free in the vicinity of that code.

TEST-START | MozPromise.ResolveOrRejectValue
TEST-PASS | MozPromise.ResolveOrRejectValue | test completed (time: 0ms)
TEST-START | MozPromise.MoveOnlyType
TEST-PASS | MozPromise.MoveOnlyType | test completed (time: 1ms)
TEST-START | MozPromise.HeterogeneousChaining
=================================================================
==1006==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0001eea50 at pc 0x7f0318ff227e bp 0x7ffc21713090 sp 0x7ffc21713088
READ of size 4 at 0x60d0001eea50 thread T0
    #0 0x7f0318ff227d in mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenInternal(mozilla::AbstractThread*, already_AddRefed<mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenValueBase>, char const*) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:867:5
    #1 0x7f0318f86667 in ~ThenCommand /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:925:20
    #2 0x7f0318f86667 in MozPromise_HeterogeneousChaining_Test::TestBody() /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:382
    #3 0x7f031894f51c in HandleExceptionsInMethodIfSupported<testing::Test, void> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
    #4 0x7f031894f51c in testing::Test::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2474
    #5 0x7f0318951a44 in testing::TestInfo::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2656:11
    #6 0x7f03189525a4 in testing::TestCase::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2774:28
    #7 0x7f0318967b29 in testing::internal::UnitTestImpl::RunAllTests() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4649:43
    #8 0x7f03189670bf in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
    #9 0x7f03189670bf in testing::UnitTest::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4257
    #10 0x7f031898ab67 in RUN_ALL_TESTS /home/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
    #11 0x7f031898ab67 in mozilla::RunGTestFunc(int*, char**) /home/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
    #12 0x7f03179f9286 in XREMain::XRE_mainStartup(bool*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3817:16
    #13 0x7f0317a06d58 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4734:12
    #14 0x7f0317a081d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4844:21
    #15 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:22
    #16 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:310
    #17 0x7f032b8cb82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x41d0f8 in _start (/home/worker/workspace/build/application/firefox/firefox+0x41d0f8)

0x60d0001eea50 is located 80 bytes inside of 144-byte region [0x60d0001eea00,0x60d0001eea90)
freed by thread T0 here:
    #0 0x4bb62b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f0318f86635 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:146:3
    #2 0x7f0318f86635 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40
    #3 0x7f0318f86635 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:395
    #4 0x7f0318f86635 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:78
    #5 0x7f0318f86635 in Then<RefPtr<mozilla::TaskQueue> &, char const (&)[9], (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:394:12), (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:395:12)> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:954
    #6 0x7f0318f86635 in MozPromise_HeterogeneousChaining_Test::TestBody() /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:392
    #7 0x7f031894f51c in HandleExceptionsInMethodIfSupported<testing::Test, void> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
    #8 0x7f031894f51c in testing::Test::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2474
    #9 0x7f0318951a44 in testing::TestInfo::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2656:11
    #10 0x7f03189525a4 in testing::TestCase::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2774:28
    #11 0x7f0318967b29 in testing::internal::UnitTestImpl::RunAllTests() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4649:43
    #12 0x7f03189670bf in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
    #13 0x7f03189670bf in testing::UnitTest::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4257
    #14 0x7f031898ab67 in RUN_ALL_TESTS /home/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
    #15 0x7f031898ab67 in mozilla::RunGTestFunc(int*, char**) /home/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
    #16 0x7f03179f9286 in XREMain::XRE_mainStartup(bool*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3817:16
    #17 0x7f0317a06d58 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4734:12
    #18 0x7f0317a081d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4844:21
    #19 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:22
    #20 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:310
    #21 0x7f032b8cb82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4bb97c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ece9d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f0318f862dd in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f0318f862dd in operator RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:942
    #4 0x7f0318f862dd in Then<RefPtr<mozilla::TaskQueue> &, char const (&)[9], (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:394:12), (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:395:12)> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:954
    #5 0x7f0318f862dd in MozPromise_HeterogeneousChaining_Test::TestBody() /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:392
    #6 0x7f031894f51c in HandleExceptionsInMethodIfSupported<testing::Test, void> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
    #7 0x7f031894f51c in testing::Test::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2474
    #8 0x7f0318951a44 in testing::TestInfo::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2656:11
    #9 0x7f03189525a4 in testing::TestCase::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2774:28
    #10 0x7f0318967b29 in testing::internal::UnitTestImpl::RunAllTests() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4649:43
    #11 0x7f03189670bf in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
    #12 0x7f03189670bf in testing::UnitTest::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4257
    #13 0x7f031898ab67 in RUN_ALL_TESTS /home/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
    #14 0x7f031898ab67 in mozilla::RunGTestFunc(int*, char**) /home/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
    #15 0x7f03179f9286 in XREMain::XRE_mainStartup(bool*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3817:16
    #16 0x7f0317a06d58 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4734:12
    #17 0x7f0317a081d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4844:21
    #18 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:22
    #19 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:310
    #20 0x7f032b8cb82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:867:5 in mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenInternal(mozilla::AbstractThread*, already_AddRefed<mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenValueBase>, char const*)
Shadow bytes around the buggy address:
  0x0c1a80035cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80035d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80035d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80035d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80035d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1a80035d40: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c1a80035d50: fd fd fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1a80035d60: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c1a80035d70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80035d80: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c1a80035d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1006==ABORTING
ERROR - gtest TEST-UNEXPECTED-FAIL | gtest | test failed with return code 1
Comment 1 • 7 years ago
It looks like this test was added recently in bug 1367679.
Blocks: 1367679
status-firefox55:
--- → affected
Flags: needinfo?(jwwang)
Keywords: csectype-uaf, regression
Comment 2 • 7 years ago (Assignee)
Checking.
Assignee: nobody → jwwang
Flags: needinfo?(jwwang)
Priority: -- → P1
Comment 3 • 7 years ago (Assignee)
http://searchfox.org/mozilla-central/rev/61054508641ee76f9c49bcf7303ef3cfb6b410d2/xpcom/threads/MozPromise.h#941-947

The ref-count of the temp object (RefPtr<PromiseType>) returned by the conversion operator might drop to 0 when exiting the scope. It is not safe for ThenCommand::mReceiver to hold a raw pointer since it outlives the temp RefPtr<PromiseType>.
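The lifetime problem described in comment 3, as an added illustration that is not Mozilla's code: a cut-down model of the ThenCommand/RefPtr interplay. Promise, RefPtr, ThenCommand, RunChain and the gLivePromises set are this example's own stand-ins (the real classes live in MozPromise.h and RefPtr.h); the live-object set emulates what ASan reports in the log above, and the example makes the timing-dependent race deterministic by giving the completion promise no owner other than the temporary RefPtr. The same ThenCommand is instantiated twice, once with a raw `Promise*` receiver (the pre-fix layout) and once with a `RefPtr<Promise>` receiver (the one-line fix the patch describes).

```cpp
// Added example, not Mozilla code. Models the MozPromise ThenCommand
// use-after-free: a command object holds a raw pointer to a promise that
// only a temporary RefPtr kept alive, then uses it in its destructor.
#include <cstdio>
#include <set>
#include <utility>

// Constructed stand-in for AddressSanitizer's freed-region tracking: the
// set of Promise objects that are currently alive.
static std::set<const void*> gLivePromises;
// How many ThenCommand destructors found their receiver already freed.
static int gCallsOnFreedReceiver = 0;

// Intrusively ref-counted object playing the role of mozilla::MozPromise.
struct Promise {
  int mRefCnt = 0;
  int mThenCalls = 0;
  Promise() { gLivePromises.insert(this); }
  ~Promise() { gLivePromises.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  void ThenInternal() { ++mThenCalls; }  // MozPromise.h:867 in the report
};

// Minimal intrusive smart pointer standing in for mozilla::RefPtr.
template <typename T>
class RefPtr {
 public:
  RefPtr() : mPtr(nullptr) {}
  RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& aOther) : RefPtr(aOther.mPtr) {}
  RefPtr(RefPtr&& aOther) noexcept : mPtr(aOther.mPtr) { aOther.mPtr = nullptr; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(RefPtr aOther) { std::swap(mPtr, aOther.mPtr); return *this; }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr;
};

// ReceiverHolder is Promise* for the pre-fix layout (raw mReceiver) and
// RefPtr<Promise> for the fix, which keeps the receiver alive.
template <typename ReceiverHolder>
class ThenCommand {
 public:
  explicit ThenCommand(Promise* aReceiver) : mPending(true), mReceiver(aReceiver) {}
  ThenCommand(ThenCommand&& aOther) noexcept
    : mPending(aOther.mPending), mReceiver(std::move(aOther.mReceiver)) {
    aOther.mPending = false;
  }

  // Mirrors `operator RefPtr<PromiseType>()`: hands the pending Then to the
  // receiver and returns a brand-new completion promise that nobody else owns.
  operator RefPtr<Promise>() {
    mPending = false;
    Receiver()->ThenInternal();
    return RefPtr<Promise>(new Promise());
  }

  // Mirrors `ThenCommand::Then(...)`: converts *this to a temporary
  // RefPtr<Promise> and chains a new command onto it. The temporary is
  // released before the caller ever sees the returned command.
  ThenCommand Then() {
    RefPtr<Promise> completion = *this;
    return ThenCommand(completion.get());
  }

  // Mirrors `~ThenCommand` (MozPromise.h:925): an unconsumed command issues
  // ThenInternal() on its receiver. With a raw mReceiver that pointer may
  // already dangle; the live-set check stands in for ASan's report.
  ~ThenCommand() {
    if (!mPending) return;
    if (gLivePromises.count(Receiver()) == 0) {
      ++gCallsOnFreedReceiver;  // ASan: heap-use-after-free in ThenInternal
      return;
    }
    Receiver()->ThenInternal();
  }

 private:
  static Promise* PtrOf(Promise* aRaw) { return aRaw; }
  static Promise* PtrOf(const RefPtr<Promise>& aRef) { return aRef.get(); }
  Promise* Receiver() const { return PtrOf(mReceiver); }

  bool mPending;
  ReceiverHolder mReceiver;
};

// Runs the `promise->Then(...)->Then(...)` shape from the failing test once
// and returns how many destructors hit a freed receiver (0 is correct).
template <typename ReceiverHolder>
int RunChain() {
  gCallsOnFreedReceiver = 0;
  {
    RefPtr<Promise> root(new Promise());
    ThenCommand<ReceiverHolder> first(root.get());
    ThenCommand<ReceiverHolder> second = first.Then();
    // `second` dies here; its destructor talks to the completion promise.
  }
  return gCallsOnFreedReceiver;
}

int main() {
  std::printf("raw Promise* receiver:    %d use(s) of a freed receiver\n", RunChain<Promise*>());
  std::printf("RefPtr<Promise> receiver: %d use(s) of a freed receiver\n", RunChain<RefPtr<Promise>>());
  return 0;
}
```

With the raw receiver, the completion promise's only reference is the `completion` temporary inside `Then()`, so it is freed before `second` is even constructed in the caller and the destructor's `ThenInternal()` lands on freed memory, which is exactly the freed-by/allocated-by pairing in the ASan trace (freed in `~RefPtr` inside `Then<...>`, used from `~ThenCommand`). Making the member a `RefPtr` adds the one extra reference that covers the command's lifetime; in the real code the completion promise also has a second owner that may be dropped on another thread, which is why the bug is intermittent rather than deterministic.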
Comment 4 • 7 years ago (Assignee)
This bug is regressed by bug 1321744 which introduced ThenCommand.
Comment 5 • 7 years ago (Assignee)
Attachment #8876953 - Flags: review?(gsquelart)
Updated • 7 years ago
status-firefox54:
--- → affected
status-firefox56:
--- → affected
status-firefox-esr52:
--- → unaffected
Attachment #8876953 - Flags: review?(gsquelart) → review+
Comment 6 • 7 years ago (Assignee)
Thanks! Hope this will fix most memory corruption bugs in MozPromise.
Updated • 7 years ago (Assignee)
Keywords: checkin-needed
Comment 7 • 7 years ago
(In reply to JW Wang [:jwwang] [:jw_wang] from comment #6)
> Thanks! Hope this will fix most memory corruption bugs in MozPromise.

This needs sec-approval. The bug sounds bad so I have marked it sec-critical.
Flags: needinfo?(jwwang)
Keywords: checkin-needed → sec-critical
Comment 8 • 7 years ago (Assignee)
Comment on attachment 8876953 [details] [diff] [review]
1371982_fix.patch

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
Very unlikely. It depends on the specific context switch timing.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.

Which older supported branches are affected by this flaw?
53 and later.

If not all supported branches, which bug introduced the flaw?
1321744.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Yes.

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely. It is as simple as a one-line change. It is very hard to construct a test to repro this issue. So Try is sufficient to ensure no obvious regressions from this fix.
Flags: needinfo?(jwwang)
Attachment #8876953 - Flags: sec-approval?
Updated • 7 years ago
Comment 10 • 7 years ago
sec-approval+ for checkin on trunk on June 26. We'll want a Beta patch made and nominated to go in after it lands on trunk as well.
Whiteboard: [checkin on 6/26]
Updated • 7 years ago
Attachment #8876953 - Flags: sec-approval? → sec-approval+
Updated • 7 years ago
Group: core-security → dom-core-security
Comment 11 • 7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/fdbaaf9168ee5e8c447966ef352a013524b084e9

I've confirmed that this grafts cleanly to Beta, so please nominate it for approval when you get a chance.
Flags: needinfo?(jwwang)
Whiteboard: [checkin on 6/26]
Comment 13 • 7 years ago
JW, I need an approval request, not a rebased patch :)
Flags: needinfo?(jwwang)
Comment 14 • 7 years ago (Assignee)
Yeah, I am waiting for Try to ensure the patch is good.
Comment 15 • 7 years ago (Assignee)
Comment on attachment 8881326 [details] [diff] [review]
1371982_fix_beta_55.patch

Approval Request Comment
[Feature/Bug causing the regression]: 1321744
[User impact if declined]: memory corruption crash.
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: a simple one-line change.
[String changes made/needed]: none
Flags: needinfo?(jwwang)
Attachment #8881326 - Flags: approval-mozilla-beta?
Comment 16 • 7 years ago
https://hg.mozilla.org/mozilla-central/rev/fdbaaf9168ee
Target Milestone: --- → mozilla56
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment 17 • 7 years ago
Comment on attachment 8881326 [details] [diff] [review]
1371982_fix_beta_55.patch

sec-crit fix for 55.0b6
Attachment #8881326 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 18 • 7 years ago
uplift: https://hg.mozilla.org/releases/mozilla-beta/rev/79a937693943
Updated • 7 years ago
Group: dom-core-security → core-security-release
Updated • 7 years ago
Whiteboard: [adv-main55+]
Updated • 7 years ago
Flags: qe-verify-
Whiteboard: [adv-main55+] → [adv-main55+][post-critsmash-triage]
Updated • 6 years ago
Group: core-security-release
Updated • 4 years ago
Blocks: asan-maintenance