Closed Bug 1406730 Opened 7 years ago Closed 7 years ago

Crash in WinSqmSetIfMaxDWORD NOT called from sowakeup

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Version:
54 Branch
Platform:
x86
Windows 7
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1400563
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- fix-optional
firefox63 --- fix-optional

People

(Reporter: philipp, Assigned: jesup)

Details

(4 keywords, Whiteboard: [necko-triaged])

Crash Data

This bug was filed from the Socorro interface and is report bp-0ab18326-da6d-4b97-90c1-559df0171008. ============================================================= Crashing Thread (31) Frame Module Signature Source 0 ntdll.dll WinSqmSetIfMaxDWORD 1 xul.dll sowakeup netwerk/sctp/src/user_socket.c:1479 2 xul.dll socantrcvmore_locked netwerk/sctp/src/user_socket.c:99 3 xul.dll sctp_notify_assoc_change netwerk/sctp/src/netinet/sctputil.c:2853 4 xul.dll sctp_ulp_notify netwerk/sctp/src/netinet/sctputil.c:3809 5 xul.dll sctp_abort_notification netwerk/sctp/src/netinet/sctputil.c:4046 6 xul.dll sctp_abort_an_association netwerk/sctp/src/netinet/sctputil.c:4215 7 xul.dll sctp_threshold_management netwerk/sctp/src/netinet/sctp_timer.c:167 8 xul.dll sctp_heartbeat_timer netwerk/sctp/src/netinet/sctp_timer.c:1405 9 xul.dll sctp_timeout_handler netwerk/sctp/src/netinet/sctputil.c:1777 10 xul.dll sctp_handle_tick netwerk/sctp/src/netinet/sctp_callout.c:155 11 xul.dll user_sctp_timer_iterate netwerk/sctp/src/netinet/sctp_callout.c:194 12 kernel32.dll BaseThreadInitThunk 13 mozglue.dll patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:824 14 ntdll.dll __RtlUserThreadStart 15 ntdll.dll _RtlUserThreadStart this crash signature is on the rise since firefox 54 on 32bit browser versions on win7. the crash address indicates a UAF situation.
Crash Signature: [@ WinSqmSetIfMaxDWORD] → [@ WinSqmSetIfMaxDWORD] [@ RtlpResetDriveEnvironment | sowakeup ]
98% of crashes are on UAF-poisoned addresses.
Keywords: csectype-uaf, sec-high
Group: core-security → network-core-security
Is this different from bug 1400563?
(In reply to Julien Cristau [:jcristau] from comment #2) > Is this different from bug 1400563?
Flags: needinfo?(rjesup)
Crash Signature: [@ WinSqmSetIfMaxDWORD] [@ RtlpResetDriveEnvironment | sowakeup ] → [@ WinSqmSetIfMaxDWORD]
Rethinking this: the volume on beta is low to begin with, and non-existent in Nightly, so waiting on nightly info won't be helpful. Given we aren't seeing any new crashes in Nightly, I think we should consider uplifting to beta. I'll make the decision in the next day or two.
Assigning to Randell since he seems to be on the hook for the next step. (trying to eliminate unowned high/crit security bugs)
Assignee: nobody → rjesup
Assigned, but no activity. Randell, are you working on this?
Flags: needinfo?(rjesup)
Priority: -- → P2
Whiteboard: [necko-triaged]
I am, but am looking for new ideas to attack it. Also I badly want to import the latest SCTP upstream library if/when it's in a state to be imported (was blocked on that).
Flags: needinfo?(rjesup)
(In reply to Randell Jesup [:jesup] from comment #8) > I am, but am looking for new ideas to attack it. Also I badly want to > import the latest SCTP upstream library if/when it's in a state to be > imported (was blocked on that). When _is it_ in a state to be imported? Is there a bug?
Flags: needinfo?(rjesup)
It has been imported. This really is a dup
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(rjesup)
Resolution: --- → DUPLICATE
Group: network-core-security
You need to log in before you can comment on or make changes to this bug.