Closed Bug 1421529 Opened 7 years ago Closed 7 years ago

Crash in PLDHashTable::Search | nsTHashtable<T>::Contains | mozilla::dom::ContentParent::EnsurePermissionsByKey

Categories

(Core :: IPC, defect)

55 Branch
x86
Windows 10
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1415158
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- affected

People

(Reporter: jesup, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

This bug was filed from the Socorro interface and is
report bp-e2c26d6f-d6fa-4281-88d1-8e88f0171128.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll PLDHashTable::Search xpcom/ds/PLDHashTable.cpp:531
1 xul.dll nsTHashtable<nsCStringHashKey>::Contains xpcom/ds/nsTHashtable.h:144
2 xul.dll mozilla::dom::ContentParent::EnsurePermissionsByKey dom/ipc/ContentParent.cpp:5173
3 xul.dll mozilla::dom::ContentParent::TransmitPermissionsForPrincipal dom/ipc/ContentParent.cpp:5154
4 xul.dll mozilla::dom::ContentParent::AboutToLoadHttpFtpWyciwygDocumentForChild dom/ipc/ContentParent.cpp:5133
5 xul.dll mozilla::net::WyciwygChannelParent::OnStartRequest netwerk/protocol/wyciwyg/WyciwygChannelParent.cpp:329
6 xul.dll nsWyciwygChannel::NotifyListener netwerk/protocol/wyciwyg/nsWyciwygChannel.cpp:807
7 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::net::CacheFileIOManager*, nsresult  xpcom/threads/nsThreadUtils.h:1192
8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1039
9 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:97

=============================================================

First report in last 3 months was in 57.0b3

Does not appear to be the same as bug 1349634
Crashes are all UAFs or nullptr+offset.  There are 3 or 4 different offsets though; I wonder if something is sometimes freeing this item on another thread while the code is looking at it from MainThread.  Probably not the cause, though.
Group: core-security
Group: core-security → dom-core-security
I looked at the proto signatures for these crashes, and they are all along the lines of the stack in comment 0, with Wyciwyg stuff. Nika, any ideas? It looks like you wrote this code. Thanks.
Flags: needinfo?(nika)
Pretty sure this is the same as bug 1415158
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nika)
Resolution: --- → DUPLICATE
Group: dom-core-security