Closed
Bug 1452763
Opened 7 years ago
Closed 3 years ago
UAF Crash in libobjc.A.dylib@0x9174
Categories
(Core :: Widget: Cocoa, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox61 | --- | affected |
People
(Reporter: marcia, Unassigned)
References
Details
(Keywords: crash, csectype-uaf, sec-moderate)
Crash Data
This bug was filed from the Socorro interface and is
report bp-a0a4a64f-63d1-4185-92fa-7b6a40180408.
=============================================================
Seen while looking at nightly crash stats - only one crash but it appears to be potentially exploitable. Not sure whether this component is correct or not.
Top 10 frames of crashing thread:
0 libobjc.A.dylib libobjc.A.dylib@0x9174
1 SkyLight CGSWindowInvalidateCache
2 SkyLight CGSWindowGetShapeBounds
3 SkyLight CGSWindowGetSize
4 SkyLight SLSGetWindowSize
5 AppKit -[_NSCGSWindow size]
6 AppKit -[_NSCGSWindow setDragShape:]
7 AppKit _NSClearDragRectsInWindow
8 AppKit -[NSNextStepFrame _resetDragMargins]
9 AppKit -[NSNextStepFrame setFrameSize:]
=============================================================
Comment 1•7 years ago
This is some kind of OSX widget crash. Bug 1447056 changed this recently and it involves resizing, as does the widget code in the stack, so maybe they are related?
Component: WebRTC → Widget
Flags: needinfo?(xidorn+moz)
Comment 2•7 years ago
That change invokes resize from SetSizeConstraints, which isn't in the stack here, so it doesn't seem related to the code changed in bug 1447056.
Flags: needinfo?(xidorn+moz)
Comment 3•7 years ago
If you look at a longer time horizon, UAF crashes go back to at least 57, and the ESR-52 branch if you include Thunderbird crashes. (There are also non-UAF Firefox ESR-52 crashes.)
spohl: any ideas on whether this is something we could figure out and fix?
Flags: needinfo?(spohl.mozilla.bugs)
Keywords: csectype-uaf
Summary: Crash in libobjc.A.dylib@0x9174 → UAF Crash in libobjc.A.dylib@0x9174
Comment 4•7 years ago
There is nothing that jumps out at me based on the crash reports, but I will keep this bug in mind while working on related bugs.
Component: Widget → Widget: Cocoa
Flags: needinfo?(spohl.mozilla.bugs)
Priority: -- → P3
Updated•7 years ago
Group: core-security → layout-core-security
Updated•7 years ago
Keywords: sec-moderate
Comment 5•7 years ago
This stack looks very much like the one in bug 1467568, so I strongly suspect they are the same underlying problem. The crash reports in this bug are from platform versions:
10.13.3 17D47
10.13.3 17D102
10.13.1 17B1003
10.13.2 17C88
10.13.3 17D47
10.13.1 17B1003
10.13.2 17C88
10.13.1 17B1003
10.13.3 17D47
10.13.2 17C88
10.13.2 17C88
10.13.3 17D47
10.13.3 17D47
10.13.2 17C205
10.13.1 17B1003
10.13.3 17D102
10.13.3 17D47
10.13.3 17D47
10.13.0 17A365
10.13.3 17D47
10.13.3 17D102
10.13.3 17D102
10.13.3 17D102
10.13.3 17D102
10.13.1 17B1003
10.13.1 17B1003
whereas the signature in bug 1467568 started with 10.13.4.
Comment 7•7 years ago
The deallocation (objc_release) here seems to be for some internal object in some CGS related cache. This looks like an OSX bug to me. We should report it to Apple.
Crash Signature: [@ libobjc.A.dylib@0x9174] → [@ libobjc.A.dylib@0x9174] [@ objc_release | CGSWindowInvalidateCache]
Flags: needinfo?(mstange)
Updated•6 years ago
Group: layout-core-security → core-security-release
Updated•3 years ago
Severity: critical → S2
Comment 8•3 years ago
This seems very rare / fixed now.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(mstange.moz)
Resolution: --- → WORKSFORME
Updated•2 years ago
Group: core-security-release