Closed Bug 1458270 Opened 2 years ago Closed 2 years ago

ASan use-after-free in GfxInfo::GetFeatureStatus

Categories

(Core :: Graphics, defect, P3)

defect

Tracking

RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 61+ fixed
firefox-esr60 61+ fixed
firefox60 --- wontfix
firefox61 + fixed
firefox62 + fixed

People

(Reporter: dmajor, Assigned: dmajor)

Details

(Keywords: csectype-uaf, sec-moderate, Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

This is likely a recent regression as I ran a Windows ASan try build a couple weeks ago where this did not come up.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=afb4b7b94bac96f8fab102f6f25dd54cfa5aa46e&filter-tier=1&filter-tier=2&filter-tier=3&selectedJob=176333621


20:36:16     INFO -  GECKO(6128) | =================================================================
20:36:16    ERROR -  GECKO(6128) | ==5392==ERROR: AddressSanitizer: heap-use-after-free on address 0x1232fcb496d8 at pc 0x7ff9b0a92c3e bp 0x0066403f2c00 sp 0x0066403f2c48
20:36:16     INFO -  GECKO(6128) | READ of size 4 at 0x1232fcb496d8 thread T0
20:36:17     INFO -  GECKO(6128) |     #0 0x7ff9b0a92c3d in mozilla::detail::nsTStringRepr<char>::Equals(class mozilla::detail::nsTStringRepr<char> const &,class nsTStringComparator<char> const &)const  z:\build\build\src\xpcom\string\nsTSubstring.cpp:874
20:36:17     INFO -  GECKO(6128) |     #1 0x7ff9b9a36216 in mozilla::widget::GfxInfo::GetFeatureStatusImpl(int,int *,class nsTSubstring<UNKNOWN> &,class nsTArray<struct mozilla::widget::GfxDriverInfo> const &,class nsTSubstring<char> &,enum mozilla::widget::OperatingSystem *) z:\build\build\src\widget\windows\GfxInfo.cpp:1440
20:36:17     INFO -  GECKO(6128) |     #2 0x7ff9b98f343a in mozilla::widget::GfxInfoBase::GetFeatureStatus(int,class nsTSubstring<char> &,int *) z:\build\build\src\widget\GfxInfoBase.cpp:643
20:36:17     INFO -  GECKO(6128) |     #3 0x7ff9b98fc67e in mozilla::widget::GfxInfoBase::InitFeatureObject(struct JSContext *,class JS::Handle<class JSObject *>,char const *,int,class mozilla::Maybe<enum mozilla::gfx::FeatureStatus> const &,class JS::MutableHandle<class JSObject *>) z:\build\build\src\widget\GfxInfoBase.cpp:1417
20:36:17     INFO -  GECKO(6128) |     #4 0x7ff9b98fbe9d in mozilla::widget::GfxInfoBase::DescribeFeatures(struct JSContext *,class JS::Handle<class JSObject *>) z:\build\build\src\widget\GfxInfoBase.cpp:1387
20:36:17     INFO -  GECKO(6128) |     #5 0x7ff9b9a37d45 in mozilla::widget::GfxInfo::DescribeFeatures(struct JSContext *,class JS::Handle<class JSObject *>) z:\build\build\src\widget\windows\GfxInfo.cpp:1523
20:36:17     INFO -  GECKO(6128) |     #6 0x7ff9b98fac63 in mozilla::widget::GfxInfoBase::GetFeatures(struct JSContext *,class JS::MutableHandle<union JS::Value>) z:\build\build\src\widget\GfxInfoBase.cpp:1269
20:36:17     INFO -  GECKO(6128) |     #7 0x7ff9c0619d61 in XPTC__InvokebyIndex (Z:\task_1525119914\build\application\firefox\xul.dll+0x18fc09d61)
20:36:17     INFO -  GECKO(6128) |     #8 0x7ff9b283baf4 in XPCWrappedNative::CallMethod(class XPCCallContext &,enum XPCWrappedNative::CallMode) z:\build\build\src\js\xpconnect\src\XPCWrappedNative.cpp:1235
20:36:17     INFO -  GECKO(6128) |     #9 0x7ff9b2844818 in XPC_WN_CallMethod(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\js\xpconnect\src\XPCWrappedNativeJSOps.cpp:911
20:36:17     INFO -  GECKO(6128) |     #10 0x7ff9bf132b18 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:467
20:36:17     INFO -  GECKO(6128) |     #11 0x7ff9bf134565 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:516
20:36:17     INFO -  GECKO(6128) |     #12 0x7ff9bf1179ef in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3086
20:36:17     INFO -  GECKO(6128) |     #13 0x7ff9bf0fb7d4 in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:417
20:36:17     INFO -  GECKO(6128) |     #14 0x7ff9bf13329e in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:489
20:36:17     INFO -  GECKO(6128) |     #15 0x7ff9bf134565 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:516
20:36:17     INFO -  GECKO(6128) |     #16 0x7ff9bf134796 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:535
20:36:17     INFO -  GECKO(6128) |     #17 0x7ff9bea71ac2 in PromiseReactionJob z:\build\build\src\js\src\builtin\Promise.cpp:1237
20:36:17     INFO -  GECKO(6128) |     #18 0x7ff9bf132b18 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:467
20:36:17     INFO -  GECKO(6128) |     #19 0x7ff9bf134565 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:516
20:36:17     INFO -  GECKO(6128) |     #20 0x7ff9bf134796 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:535
20:36:17     INFO -  GECKO(6128) |     #21 0x7ff9be0a925a in JS::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::HandleValueArray const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\jsapi.cpp:2989
20:36:17     INFO -  GECKO(6128) |     #22 0x7ff9b52a33e7 in mozilla::dom::PromiseJobCallback::Call(struct JSContext *,class JS::Handle<union JS::Value>,class mozilla::ErrorResult &) z:\build\build\src\obj-firefox\dom\bindings\PromiseBinding.cpp:25
20:36:17     INFO -  GECKO(6128) |     #23 0x7ff9b0ae33c3 in mozilla::PromiseJobRunnable::Run(class mozilla::AutoSlowOperation &) z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:205
20:36:17     INFO -  GECKO(6128) |     #24 0x7ff9b0ac3232 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(void) z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:543
20:36:17     INFO -  GECKO(6128) |     #25 0x7ff9b791ac4a in mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *,class mozilla::dom::Event *,class mozilla::dom::EventTarget *) z:\build\build\src\dom\events\EventListenerManager.cpp:1123
20:36:17     INFO -  GECKO(6128) |     #26 0x7ff9b791c835 in mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event * *,class mozilla::dom::EventTarget *,enum nsEventStatus *) z:\build\build\src\dom\events\EventListenerManager.cpp:1288
20:36:17     INFO -  GECKO(6128) |     #27 0x7ff9b7903460 in mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor &,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:348
20:36:17     INFO -  GECKO(6128) |     #28 0x7ff9b79024a0 in mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<class mozilla::EventTargetChainItem> &,class mozilla::EventChainPostVisitor &,class mozilla::EventDispatchingCallback *,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:528
20:36:17     INFO -  GECKO(6128) |     #29 0x7ff9b79064fa in mozilla::EventDispatcher::Dispatch(class nsISupports *,class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,enum nsEventStatus *,class mozilla::EventDispatchingCallback *,class nsTArray<class mozilla::dom::EventTarget *> *) z:\build\build\src\dom\events\EventDispatcher.cpp:934
20:36:17     INFO -  GECKO(6128) |     #30 0x7ff9b79093e3 in mozilla::EventDispatcher::DispatchDOMEvent(class nsISupports *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,class nsPresContext *,enum nsEventStatus *) z:\build\build\src\dom\events\EventDispatcher.cpp:1013
20:36:17     INFO -  GECKO(6128) |     #31 0x7ff9b78c8395 in mozilla::DOMEventTargetHelper::DispatchEvent(class mozilla::dom::Event &,enum mozilla::dom::CallerType,class mozilla::ErrorResult &) z:\build\build\src\dom\events\DOMEventTargetHelper.cpp:184
20:36:17     INFO -  GECKO(6128) |     #32 0x7ff9b792cd50 in mozilla::dom::EventTarget::DispatchEvent(class mozilla::dom::Event &) z:\build\build\src\dom\events\EventTarget.cpp:204
20:36:17     INFO -  GECKO(6128) |     #33 0x7ff9b9149bd9 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(struct JSContext *,class mozilla::dom::WorkerPrivate *,class mozilla::DOMEventTargetHelper *,bool) z:\build\build\src\dom\workers\MessageEventRunnable.cpp:102
20:36:17     INFO -  GECKO(6128) |     #34 0x7ff9b914aede in mozilla::dom::MessageEventRunnable::WorkerRun(struct JSContext *,class mozilla::dom::WorkerPrivate *) z:\build\build\src\dom\workers\MessageEventRunnable.cpp:133
20:36:17     INFO -  GECKO(6128) |     #35 0x7ff9b91df78b in mozilla::dom::WorkerRunnable::Run(void) z:\build\build\src\dom\workers\WorkerRunnable.cpp:380
20:36:17     INFO -  GECKO(6128) |     #36 0x7ff9b0cafa3c in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable(void) z:\build\build\src\xpcom\threads\ThrottledEventQueue.cpp:188
20:36:17     INFO -  GECKO(6128) |     #37 0x7ff9b0caf643 in mozilla::ThrottledEventQueue::Inner::Executor::Run(void) z:\build\build\src\xpcom\threads\ThrottledEventQueue.cpp:72
20:36:17     INFO -  GECKO(6128) |     #38 0x7ff9b0c9bd6c in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1090
20:36:17     INFO -  GECKO(6128) |     #39 0x7ff9c0619d61 in XPTC__InvokebyIndex (Z:\task_1525119914\build\application\firefox\xul.dll+0x18fc09d61)
20:36:17     INFO -  GECKO(6128) |     #40 0x7ff9b283baf4 in XPCWrappedNative::CallMethod(class XPCCallContext &,enum XPCWrappedNative::CallMode) z:\build\build\src\js\xpconnect\src\XPCWrappedNative.cpp:1235
20:36:17     INFO -  GECKO(6128) |     #41 0x7ff9b2844818 in XPC_WN_CallMethod(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\js\xpconnect\src\XPCWrappedNativeJSOps.cpp:911
20:36:17     INFO -  GECKO(6128) |     #42 0x189f2ef8bcc  (<unknown module>)
20:36:17     INFO -  GECKO(6128) | 0x1232fcb496d8 is located 8 bytes inside of 16-byte region [0x1232fcb496d0,0x1232fcb496e0)
20:36:17     INFO -  GECKO(6128) | freed by thread T0 here:
20:36:17     INFO -  GECKO(6128) |     #0 0x7ff9b00b1cf0  (Z:\task_1525119914\build\application\firefox\clang_rt.asan_dynamic-x86_64.dll+0x180031cf0)
20:36:17     INFO -  GECKO(6128) |     #1 0x7ff9b9951368 in ShutdownObserver::Observe(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\widget\GfxInfoBase.cpp:72
20:36:17     INFO -  GECKO(6128) |     #2 0x7ff9b0b73372 in nsObserverList::NotifyObservers(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\xpcom\ds\nsObserverList.cpp:112
20:36:17     INFO -  GECKO(6128) |     #3 0x7ff9b0b77673 in nsObserverService::NotifyObservers(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\xpcom\ds\nsObserverService.cpp:297
20:36:17     INFO -  GECKO(6128) |     #4 0x7ff9b0d1f70e in mozilla::ShutdownXPCOM(class nsIServiceManager *) z:\build\build\src\xpcom\build\XPCOMInit.cpp:837
20:36:17     INFO -  GECKO(6128) | previously allocated by thread T0 here:
20:36:17     INFO -  GECKO(6128) |     #0 0x7ff9b00b1de0  (Z:\task_1525119914\build\application\firefox\clang_rt.asan_dynamic-x86_64.dll+0x180031de0)
20:36:17     INFO -  GECKO(6128) |     #1 0x7ff9cfe9e54d in moz_xmalloc z:\build\build\src\memory\mozalloc\mozalloc.cpp:70
20:36:17     INFO -  GECKO(6128) |     #2 0x7ff9b98c387a in mozilla::widget::GfxDriverInfo::GetDeviceVendor(enum mozilla::widget::DeviceVendor) z:\build\build\src\widget\GfxDriverInfo.cpp:345
20:36:17     INFO -  GECKO(6128) |     #3 0x7ff9b9a231ac in mozilla::widget::GfxInfo::Init(void) z:\build\build\src\widget\windows\GfxInfo.cpp:626
20:36:17     INFO -  GECKO(6128) |     #4 0x7ff9b9a1848e in mozilla::widget::GfxInfoConstructor z:\build\build\src\widget\windows\nsWidgetFactory.cpp:152
20:36:17     INFO -  GECKO(6128) | SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\xpcom\string\nsTSubstring.cpp:874 in mozilla::detail::nsTStringRepr<char>::Equals(class mozilla::detail::nsTStringRepr<char> const &,class nsTStringComparator<char> const &)const
20:36:17     INFO -  GECKO(6128) | ==5392==ABORTING
Bas, could you please take a look?
Flags: needinfo?(bas)
Milan, this appears to be us attempting to access driver info during shutdown after we've already shut down the GfxInfo object itself. This is almost certainly not caused by the addition of new blacklisting entries itself. Do you have any idea what might have caused this? It appears to be JS code, but I've never seen any JS code that accesses our blacklists; having said that, I haven't been involved much in the blacklisting code.
Flags: needinfo?(bas) → needinfo?(milan)
about:support will indirectly access the blocklists because it's trying to find out what features we have.  That could be it.  Ryan, any chance your recent changes for OMTP triggered this?
I'll look a bit more.
Flags: needinfo?(milaninbugzilla) → needinfo?(rhunt)
My changes to about:support can't have affected this as they're not in that push or even central yet.

As for other OMTP changes, I don't think so. None of them changed any calls to gfxInfo. There were some changes to how we compute the feature status for OMTP, but nothing that I think could manifest itself this way.
Flags: needinfo?(rhunt)
I have no idea if this is 'the' correct fix, but it fixes the ASan complaint, matches the delete code a few lines higher, and seems to be generally good code hygiene anyway.
Attachment #8972701 - Flags: review?(milaninbugzilla)
Comment on attachment 8972701 [details] [diff] [review]
null out the strings after deleting

Review of attachment 8972701 [details] [diff] [review]:
-----------------------------------------------------------------

I like this change, because it certainly saves us from UAF.  I think it will probably trigger a memory leak on that static array, and looking at it more, probably what we want to do is add this:
  if (mShutdownOccurred) {
    return NS_OK;
  }
to all :GetFeatureStatusImpl functions at the top, instead of just the base class.  And definitely keep the nulling out of the deleted pointers.
Attachment #8972701 - Flags: review?(milaninbugzilla) → review+
Group: core-security → gfx-core-security
Resetting review since the X11 file was nontrivial -- I moved `GetData` down so that we still fill in *aOS if we return early.
Assignee: nobody → dmajor
Attachment #8972701 - Attachment is obsolete: true
Attachment #8973049 - Flags: review?(milaninbugzilla)
Comment on attachment 8973049 [details] [diff] [review]
null out the strings and return if mShutdownOccurred

Review of attachment 8973049 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8973049 - Flags: review?(milaninbugzilla) → review+
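As an added illustration of the two parts of the fix discussed in the review comments above (this is a hypothetical miniature written for this page, not Mozilla's code): the shutdown observer nulls out the static vendor strings after deleting them, and each platform's GetFeatureStatusImpl returns early once shutdown has occurred, but only after filling in *aOS so callers still get it. All names, status values and vendor ids below are constructed stand-ins.

```cpp
#include <cstdint>
#include <string>

// Constructed stand-ins for the real nsresult / feature-status / OS enums.
typedef uint32_t nsresult;
const nsresult NS_OK = 0;
const int32_t FEATURE_STATUS_UNKNOWN = 0;
const int32_t FEATURE_STATUS_OK = 1;
const int32_t FEATURE_BLOCKED_DEVICE = 2;
enum OperatingSystem { OS_UNKNOWN = 0, OS_WINDOWS_10 = 1 };
enum DeviceVendor { VENDOR_INTEL = 0, VENDOR_NVIDIA = 1, VENDOR_COUNT = 2 };

// Heap strings allocated lazily and freed by the shutdown observer, mirroring
// the "previously allocated" and "freed by" sites in the ASan report.
static std::string* sVendorNames[VENDOR_COUNT] = { nullptr, nullptr };
static bool sShutdownOccurred = false;   // plays the role of mShutdownOccurred

static const std::string& GetDeviceVendor(DeviceVendor aVendor) {
  static const char* const kNames[VENDOR_COUNT] = { "0x8086", "0x10de" };  // sample ids
  if (!sVendorNames[aVendor]) {
    sVendorNames[aVendor] = new std::string(kNames[aVendor]);
  }
  return *sVendorNames[aVendor];
}

// Shutdown observer. Deleting alone leaves dangling pointers (the UAF); nulling
// them out turns any later misuse into a null dereference instead of a read of
// freed memory, and makes a repeated Shutdown a harmless no-op.
static void ShutdownObserver_Observe() {
  for (auto& p : sVendorNames) {
    delete p;
    p = nullptr;
  }
  sShutdownOccurred = true;
}

// Platform GetFeatureStatusImpl. *aOS is filled in before the early return, as
// in the second patch, so the shutdown path never leaves it uninitialized.
static nsresult GetFeatureStatusImpl(const std::string& aAdapterVendorId,
                                     int32_t* aStatus, OperatingSystem* aOS) {
  *aOS = OS_WINDOWS_10;               // constructed value standing in for GetData()
  *aStatus = FEATURE_STATUS_UNKNOWN;
  if (sShutdownOccurred) {
    return NS_OK;                     // never touch the freed (now null) strings
  }
  // Blocklist lookup: compare the adapter against the vendor strings.
  if (aAdapterVendorId == GetDeviceVendor(VENDOR_INTEL)) {
    *aStatus = FEATURE_BLOCKED_DEVICE;  // constructed blocklist entry
  } else {
    *aStatus = FEATURE_STATUS_OK;
  }
  return NS_OK;
}

// Check helper: true once every vendor string pointer has been nulled.
static bool VendorStringsAreNull() {
  for (auto* p : sVendorNames) {
    if (p) return false;
  }
  return true;
}
```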
To my knowledge nobody has been able to point to a recent change and say "this is where the bug was introduced." I'm concerned that the underlying issue may have been present for a long time and was just unmasked recently. What's our policy for landing these types of sec bugs? Do I need to wait for approval before landing on trunk? Should I request uplift?
Flags: needinfo?(dveditz)
You don't technically need sec-approval for a sec-moderate, but this could be a borderline sec-high so we will want to request uplift. I've added branch tracking flags for that.
https://hg.mozilla.org/mozilla-central/rev/74cb61ae46ee
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment on attachment 8973049 [details] [diff] [review]
null out the strings and return if mShutdownOccurred

Approval Request Comment
[Feature/Bug causing the regression]: Uncertain. It's possible that this issue has been present (masked) for a long time. This uplift is a precaution.
[User impact if declined]: unsafe memory access
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: Because our test coverage only hits this on ASan builds, it's not possible to test on a proper Nightly. But I have tested it on ASan builds of m-c.
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: common code idiom of nulling out a pointer after deleting.
[String changes made/needed]: no
Attachment #8973049 - Flags: approval-mozilla-beta?
Comment on attachment 8973049 [details] [diff] [review]
null out the strings and return if mShutdownOccurred

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: borderline sec-high per comment 10
User impact if declined: unsafe memory access
Fix Landed on Version: 62
Risk to taking this patch (and alternatives if risky): low risk
String or UUID changes made by this patch: no

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8973049 - Flags: approval-mozilla-esr60?
Attachment #8973049 - Flags: approval-mozilla-esr52?
Comment on attachment 8973049 [details] [diff] [review]
null out the strings and return if mShutdownOccurred

This needs a rebased patch for ESR52. Please attach the patch and re-request approval then.
Flags: needinfo?(dmajor)
Attachment #8973049 - Flags: approval-mozilla-esr52?
Comment on attachment 8973049 [details] [diff] [review]
null out the strings and return if mShutdownOccurred

Approved for 61.0b4. We'll look at the ESR60 nomination later in the cycle.
Attachment #8973049 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
`mShutdownOccurred` was introduced in Firefox 53 in https://hg.mozilla.org/mozilla-central/rev/b5e0bcbb12dd, which will have to be partially backported in the esr52 patch. (I'll take only the hunks referencing mShutdownOccurred)
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: borderline sec-high per comment 10
User impact if declined: unsafe memory access
Fix Landed on Version: 62
Risk to taking this patch (and alternatives if risky): low risk
String or UUID changes made by this patch: no

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Flags: needinfo?(dmajor)
Attachment #8974797 - Flags: approval-mozilla-esr52?
Comment on attachment 8974797 [details] [diff] [review]
rebased for esr52

sec fix for 52.9esr
Attachment #8974797 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Comment on attachment 8973049 [details] [diff] [review]
null out the strings and return if mShutdownOccurred

sec fix for 60.1esr
Attachment #8973049 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+]
Flags: qe-verify-
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+] → [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage]
Group: core-security-release