Closed
Bug 1406730
Opened 7 years ago
Closed 6 years ago
Crash in WinSqmSetIfMaxDWORD NOT called from sowakeup
Categories
(Core :: Networking, defect, P2)
Tracking
RESOLVED
DUPLICATE
of bug 1400563
Version | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox56 | --- | wontfix
firefox57 | --- | wontfix
firefox58 | --- | wontfix
firefox59 | --- | wontfix
firefox60 | --- | wontfix
firefox61 | --- | wontfix
firefox62 | --- | fix-optional
firefox63 | --- | fix-optional
People
(Reporter: philipp, Assigned: jesup)
Details
(4 keywords, Whiteboard: [necko-triaged])
Crash Data
This bug was filed from the Socorro interface and is report bp-0ab18326-da6d-4b97-90c1-559df0171008.
=============================================================
Crashing Thread (31)

Frame | Module | Signature | Source
---|---|---|---
0 | ntdll.dll | WinSqmSetIfMaxDWORD |
1 | xul.dll | sowakeup | netwerk/sctp/src/user_socket.c:1479
2 | xul.dll | socantrcvmore_locked | netwerk/sctp/src/user_socket.c:99
3 | xul.dll | sctp_notify_assoc_change | netwerk/sctp/src/netinet/sctputil.c:2853
4 | xul.dll | sctp_ulp_notify | netwerk/sctp/src/netinet/sctputil.c:3809
5 | xul.dll | sctp_abort_notification | netwerk/sctp/src/netinet/sctputil.c:4046
6 | xul.dll | sctp_abort_an_association | netwerk/sctp/src/netinet/sctputil.c:4215
7 | xul.dll | sctp_threshold_management | netwerk/sctp/src/netinet/sctp_timer.c:167
8 | xul.dll | sctp_heartbeat_timer | netwerk/sctp/src/netinet/sctp_timer.c:1405
9 | xul.dll | sctp_timeout_handler | netwerk/sctp/src/netinet/sctputil.c:1777
10 | xul.dll | sctp_handle_tick | netwerk/sctp/src/netinet/sctp_callout.c:155
11 | xul.dll | user_sctp_timer_iterate | netwerk/sctp/src/netinet/sctp_callout.c:194
12 | kernel32.dll | BaseThreadInitThunk |
13 | mozglue.dll | patched_BaseThreadInitThunk | mozglue/build/WindowsDllBlocklist.cpp:824
14 | ntdll.dll | __RtlUserThreadStart |
15 | ntdll.dll | _RtlUserThreadStart |

This crash signature is on the rise since Firefox 54 on 32-bit browser versions on Win7. The crash address indicates a UAF situation.
Updated•7 years ago (Reporter)
Crash Signature: [@ WinSqmSetIfMaxDWORD] → [@ WinSqmSetIfMaxDWORD]
[@ RtlpResetDriveEnvironment | sowakeup ]
Comment 1•7 years ago
98% of crashes are on UAF-poisoned addresses.
Keywords: csectype-uaf, sec-high
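The stack in the description runs from the SCTP heartbeat timer thread (sctp_heartbeat_timer → sctp_abort_an_association → sowakeup) into a fault, and comment 1 notes that the crash addresses are UAF-poisoned. The following is an added illustration, not code from Firefox or usrsctp and not the fix applied in bug 1400563: a constructed timer/socket model with mozjemalloc-style 0xe5 poison-on-free, showing why a socket freed while its timer is still pending turns into a crash on an all-0xe5 address, how a triager recognises such an address, and a detach-before-free teardown as the generic check that keeps a late timer from following the dangling pointer. All struct and function names (sim_socket, sim_assoc, sim_heartbeat_timer, teardown_*) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* mozjemalloc fills freed allocations with this byte. */
#define POISON_BYTE 0xe5u

/* Hypothetical stand-ins for the usrsctp socket and association. */
struct sim_socket {
    uintptr_t wakeup_target;  /* a pointer the wakeup path reads and uses */
};

struct sim_assoc {
    struct sim_socket *so;    /* back-pointer the timer thread follows */
    int heartbeat_failures;
};

/* One-slot "heap": the slot stays mapped after free so the demo can read the
   poison without undefined behaviour, like a still-mapped freed chunk would. */
static struct sim_socket g_slot;

static struct sim_socket *sim_alloc_socket(void) {
    memset(&g_slot, 0, sizeof g_slot);
    return &g_slot;
}

/* Poison-on-free: every byte of the object becomes 0xe5. */
static void sim_free_socket(struct sim_socket *so) {
    memset(so, POISON_BYTE, sizeof *so);
}

/* The value a poisoned pointer field reads back as, for this pointer width
   (0xe5e5e5e5 on 32-bit builds such as the Win7 reports in this bug). */
uintptr_t poison_pointer(void) {
    uintptr_t v = 0;
    for (size_t i = 0; i < sizeof v; i++)
        v = (v << 8) | POISON_BYTE;
    return v;
}

/* Triage check: a crash address made entirely of 0xe5 bytes means the faulting
   code loaded a pointer out of memory that had already been freed. */
bool is_poisoned_address(uintptr_t addr) {
    return addr == poison_pointer();
}

/* Heartbeat timer: after repeated failures the association is aborted and the
   socket woken. Returns the address the wakeup path would use (the crash
   address if the socket is already gone), or 0 if nothing was done. */
static uintptr_t sim_heartbeat_timer(struct sim_assoc *asoc) {
    if (++asoc->heartbeat_failures < 3)
        return 0;
    if (asoc->so == NULL)            /* detached socket: nothing to wake */
        return 0;
    return asoc->so->wakeup_target;  /* UAF if the socket was freed but not detached */
}

/* Buggy teardown: frees the socket, leaves the timer's back-pointer dangling. */
static void teardown_dangling(struct sim_assoc *asoc) {
    sim_free_socket(asoc->so);
}

/* Hardened teardown: detach before free so a late timer sees NULL, not junk. */
static void teardown_detached(struct sim_assoc *asoc) {
    struct sim_socket *so = asoc->so;
    asoc->so = NULL;
    sim_free_socket(so);
}

static uintptr_t run_scenario(void (*teardown)(struct sim_assoc *)) {
    struct sim_assoc asoc = { sim_alloc_socket(), 0 };
    asoc.so->wakeup_target = 0x1000;  /* constructed "live" target */
    teardown(&asoc);                  /* socket goes away while the timer is still pending */
    uintptr_t addr = 0;
    for (int i = 0; i < 3; i++)       /* three missed heartbeats trigger the abort */
        addr = sim_heartbeat_timer(&asoc);
    return addr;
}

uintptr_t scenario_timer_after_free(void) { return run_scenario(teardown_dangling); }
uintptr_t scenario_timer_detached(void)   { return run_scenario(teardown_detached); }

int main(void) {
    uintptr_t a = scenario_timer_after_free();
    printf("dangling: crash address 0x%llx, poisoned=%d\n",
           (unsigned long long)a, is_poisoned_address(a));
    printf("detached: address 0x%llx (no wakeup attempted)\n",
           (unsigned long long)scenario_timer_detached());
    return 0;
}
```

The poisoned value is what makes these reports attributable: an address of 0xe5e5e5e5 in a 32-bit report cannot be a legitimate pointer, so a crash there is read as a use-after-free even when the symbol on the top frame (here WinSqmSetIfMaxDWORD in ntdll) is a misattribution.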
Updated•7 years ago
Group: core-security → network-core-security
Comment 2•7 years ago
Is this different from bug 1400563?
Comment 3•7 years ago
(In reply to Julien Cristau [:jcristau] from comment #2)
> Is this different from bug 1400563?
Flags: needinfo?(rjesup)
Comment 4•7 years ago (Assignee)
Yes - that's just the sowakeup calls leading to this signature. this is everything else: https://crash-stats.mozilla.com/signature/?proto_signature=%21~sowakeup&signature=WinSqmSetIfMaxDWORD&date=%3E%3D2017-07-11T16%3A38%3A12.000Z&date=%3C2017-10-11T16%3A38%3A12.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports
Flags: needinfo?(rjesup)
Summary: Crash in WinSqmSetIfMaxDWORD → Crash in WinSqmSetIfMaxDWORD NOT called from sowakeup
Updated•7 years ago (Assignee)
Crash Signature: [@ WinSqmSetIfMaxDWORD]
[@ RtlpResetDriveEnvironment | sowakeup ] → [@ WinSqmSetIfMaxDWORD]
Updated•7 years ago
Comment 5•7 years ago (Assignee)
Rethinking this: the volume on beta is low to begin with, and non-existent in Nightly, so waiting on nightly info won't be helpful. Given we aren't seeing any new crashes in Nightly, I think we should consider uplifting to beta. I'll make the decision in the next day or two.
Comment 6•7 years ago
Assigning to Randell since he seems to be on the hook for the next step. (trying to eliminate unowned high/crit security bugs)
Assignee: nobody → rjesup
Updated•7 years ago
Comment 7•7 years ago
Assigned, but no activity. Randell, are you working on this?
Flags: needinfo?(rjesup)
Priority: -- → P2
Whiteboard: [necko-triaged]
Comment 8•7 years ago (Assignee)
I am, but am looking for new ideas to attack it. Also I badly want to import the latest SCTP upstream library if/when it's in a state to be imported (was blocked on that).
Flags: needinfo?(rjesup)
Comment 9•6 years ago
(In reply to Randell Jesup [:jesup] from comment #8)
> I am, but am looking for new ideas to attack it. Also I badly want to
> import the latest SCTP upstream library if/when it's in a state to be
> imported (was blocked on that).

When _is it_ in a state to be imported? Is there a bug?
Flags: needinfo?(rjesup)
Comment 10•6 years ago (Assignee)
It has been imported. This really is a dup
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(rjesup)
Resolution: --- → DUPLICATE
Updated•6 years ago
status-firefox59: --- → affected
status-firefox60: --- → affected
Comment 11•6 years ago
Setting the flags to match bug 1400563.
Updated•6 years ago
status-firefox62: --- → fix-optional
status-firefox63: --- → fix-optional
Updated•3 years ago
Group: network-core-security