Closed
Bug 1408485
Opened 7 years ago
Closed 5 years ago
Crash in m_free | m_freem | sctp_release_pr_sctp_chunk
Categories
(Core :: WebRTC: Networking, defect, P1)
Tracking
()
People
(Reporter: jesup, Assigned: ng)
References
Details
(4 keywords)
Crash Data
User Story
Waiting to see if updating libsctp in bug 1297418 will fix this problem.
This bug was filed from the Socorro interface and is
report bp-f86d2cfe-bf49-404e-94b8-839520171004.
=============================================================
UAF freeing buffers on a timeout -- may be the same as bug 1400563, or may be an independent bug. It appears an e5e5 ptr was passed to m_free -- possible locking issue (or lack of locking)?
2 crashes in 57beta in the last month; 28 across all versions in the last week.
First crash may be in 44 (or earlier).
|
Reporter | |
Comment 1•7 years ago
|
||
Michael - this is slightly different - same as the other bug, or a different cause?
Flags: needinfo?(tuexen)
|
|
Reporter | |
Updated•7 years ago
|
status-firefox56:
--- → wontfix
status-firefox57:
--- → affected
status-firefox58:
--- → affected
status-firefox-esr52:
--- → affected
|
|
Reporter | |
Comment 2•7 years ago
|
||
Adding another signature that seems related - michael, please look at that signature too
Crash Signature: [@ m_free | m_freem | sctp_release_pr_sctp_chunk] → [@ m_free | m_freem | sctp_release_pr_sctp_chunk]
[@ mb_free_ext | m_free | m_freem | sctp_service_reassembly ]
|
|
Reporter | |
Comment 3•7 years ago
|
||
The service_reassembly crash goes back to at least 43.0.1, may be older
|
||
Comment 4•7 years ago
|
||
Not sure what happens. Possibly a double free? If I remember correctly, I fixed such bugs a while ago. Without being able to reproduce it, it is hard to say... The reassembly part has been substantially improved to support I-DATA using the same code path also for DATA chunks.
Flags: needinfo?(tuexen)
|
||
Comment 6•7 years ago
|
||
Nils: please find an assignee for P1 bugs (or assign to a manager to do so. Picked you because you're "triage owner" for this component)
Assignee: nobody → drno
Flags: needinfo?(drno)
|
||
Comment 7•7 years ago
|
||
Lennart I believe you started already to take a look at this. Can I assign this to you?
Let me know if I should find someone else.
Assignee: drno → lennart.grahl
Flags: needinfo?(drno) → needinfo?(lennart.grahl)
|
||
Comment 8•7 years ago
|
||
Sorry, not really, this sounds like usrsctp internals and I wouldn't know where to look to be honest. But with Michael's comment I think it's reasonable to update the usrsctp code first and then see if it still happens.
Flags: needinfo?(lennart.grahl)
|
|
||
Updated•7 years ago
|
Assignee: lennart.grahl → drno
|
|
||
Comment 9•7 years ago
|
||
As this is pretty hard to figure, but is pretty low frequency lets wait if the workaround landed in bug 1400563 changes anything for this bug.
|
|
||
Updated•7 years ago
|
User Story: (updated)
|
|
||
Updated•7 years ago
|
|
|
||
Updated•7 years ago
|
User Story: (updated)
|
|
||
Comment 11•7 years ago
|
||
> Waiting to see if updating libsctp in bug 1297418 will fix this problem.
That landed in 59.
(In reply to Randell Jesup [:jesup] from comment #10)
> Bug 1421963 may solve this
Also landed in 59.
I'm not seeing crashes with this signature in 59 so I guess this is fixed?
Still lots of UAF crashes on ESR-52. Are either of those suitable for a back-port?
Flags: needinfo?(rjesup)
Flags: needinfo?(drno)
|
|
Reporter | |
Comment 12•7 years ago
|
||
I think the sctp_service_reassembly crashes are fixed by bug 1421963.
The sctp_release_pr_sctp_chunk crashes appear to be the same issue as bug 1400563; with sctp timer firings triggering processing
Uplifting bug 1421963 may make a small help with ESR52, though note we also updated the entire library; it's always possible that eSR52 might react poorly (deadlocks) -- likely not, but it's not impossible.
Flags: needinfo?(rjesup)
|
|
||
Comment 13•7 years ago
|
||
I still see these two:
https://crash-stats.mozilla.com/report/index/b582d576-90f8-43b3-889e-2cb760180212
https://crash-stats.mozilla.com/report/index/f58ab31a-423c-4c8f-8692-184d30180208
in 59.0b6 and 59.0b7. Not sure what to make of them.
Flags: needinfo?(drno)
|
|
Reporter | |
Comment 14•7 years ago
|
||
> I still see these two:
> in 59.0b6 and 59.0b7. Not sure what to make of them.
That's what I said in comment 12 - those appear to be a different symptom of the bug that causes bug 1400563 (probably a missing lock on timer_iterate's processing)
Uplifting the other patch to 52esr may fix the sctp_service_reassembly crashes
|
|
||
Comment 15•6 years ago
|
||
Interesting that there are so far no crash reports for 61 desktop at all.
Dan can I ask you to become the owner since I don't have cycles available.
Assignee: drno → dminor
|
||
Comment 16•6 years ago
|
||
Transferring to Nico as it sounds like is taking over data channel work.
Assignee: dminor → na-g
|
|
||
Comment 17•6 years ago
|
||
This might be fixed through bug 1521304, at least it appears to be related.
|
||
Comment 18•5 years ago
|
||
60.9.0esr still has some reports with this signature, so maybe not fixed by bug 1521304. On the other hand, there are no reports from anything newer than that, so I don't think we need to leave this bug open anymore with ESR60 being EOL.
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE
|
||
Comment 19•5 years ago
|
||
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•