Closed Bug 1467574 Opened 8 years ago Closed 5 years ago

[10.13.4+] Crash in objc_release | __CFBundleCopyDescription

Categories

(Core :: Widget: Cocoa, defect)

Unspecified
macOS
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix

People

(Reporter: philipp, Unassigned)

Details


Crash Data

This bug was filed from the Socorro interface and is report bp-82efcdda-1443-4381-8b38-1b0490180607.
=============================================================
Top 10 frames of crashing thread:
0 libobjc.A.dylib objc_release
1 CoreFoundation __CFBundleCopyDescription
2 CoreFoundation _CFBundleGrokFileType
3 CoreFoundation _CFURLCreateFromPropertyListRepresentation
4 CoreFoundation -[_CFXNotificationRegistrar match:object:observer:enumerator:]
5 CoreFoundation -[NSTaggedPointerString uppercaseStringWithLocale:]
6 HIToolbox RunCurrentEventLoopInMode
7 HIToolbox ReceiveNextEventCommon
8 HIToolbox _BlockUntilNextEventMatchingListInModeWithFilter
9 AppKit _DPSNextEvent
=============================================================
The macOS signature [@ objc_release] covers multiple different issues. I'm filing this report for crashes similar to the stack above; this crash-stats query should cover them:
https://crash-stats.mozilla.com/search/?signature=%3Dobjc_release&proto_signature=~objc_release%20%7C%20__CFBundleCopyDescription&date=%3E%3D2018-01-01&_facets=signature&_facets=version&_facets=user_comments&_facets=uptime&_facets=adapter_vendor_id&_facets=build_id&_facets=platform_pretty_version&_facets=useragent_locale&_facets=release_channel&_facets=moz_crash_reason&_facets=address&_facets=proto_signature&_facets=platform_version#facet-proto_signature
These browser crash reports started appearing after macOS 10.13.4, and most reports have a crashing address indicating a UAF. Many of the comments state that the crash happened while they were trying to print a page.
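The report above makes two triage moves that are easy to automate: it reads the top frames of the crashing thread into a "proto signature" (`objc_release | __CFBundleCopyDescription`) so that one generic signature can be split into separate issues, and it treats the fault address as evidence of a use-after-free. The script below is an added example, not code from the bug or from Mozilla's tooling. It parses Socorro-style frame lines (sample constructed here in the same layout as the report), builds the two-frame proto signature, and classifies the fault address. The classification rests on one assumption stated in the code: freed heap memory is filled with the byte 0xE5, so a 32-bit value made of 0xE5 bytes that has been sign-extended to 64 bits (like 0xffffffffe5e5e600 quoted in the report) is read as a dangling-pointer dereference.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the frame list from the report, one frame per line
# in Socorro's "Top N frames of crashing thread" layout (index, module,
# symbol), plus the crash address quoted in the bug.
SAMPLE_FRAMES = """\
0 libobjc.A.dylib objc_release
1 CoreFoundation __CFBundleCopyDescription
2 CoreFoundation _CFBundleGrokFileType
3 CoreFoundation _CFURLCreateFromPropertyListRepresentation
4 CoreFoundation -[_CFXNotificationRegistrar match:object:observer:enumerator:]
5 CoreFoundation -[NSTaggedPointerString uppercaseStringWithLocale:]
6 HIToolbox RunCurrentEventLoopInMode
7 HIToolbox ReceiveNextEventCommon
8 HIToolbox _BlockUntilNextEventMatchingListInModeWithFilter
9 AppKit _DPSNextEvent
"""
SAMPLE_CRASH_ADDRESS = 0xFFFFFFFFE5E5E600

# Assumption: the allocator fills freed memory with 0xE5, so a fault
# address built from 0xE5 bytes points at a dangling-pointer read.
POISON_BYTE = 0xE5

# index, module (no spaces), symbol (may contain spaces, e.g. ObjC selectors)
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Frame:
    index: int
    module: str
    symbol: str


def parse_frames(text: str) -> List[Frame]:
    """Turn Socorro-style frame lines into Frame records; other lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return frames


def proto_signature(frames: List[Frame], depth: int = 2) -> str:
    """Join the top `depth` symbols with ' | ', the way crash-stats builds proto signatures."""
    return " | ".join(f.symbol for f in frames[:depth])


def classify_address(addr: int) -> str:
    """Coarse triage of a 64-bit fault address: null page, poison pattern, or unknown."""
    if addr < 0x1000:
        return "null-deref"
    high, low = addr >> 32, addr & 0xFFFFFFFF
    # A poisoned 32-bit value widened to 64 bits has its upper half all
    # zero (zero-extension) or all ones (sign-extension, as in the report).
    if high in (0x0, 0xFFFFFFFF):
        low_bytes = low.to_bytes(4, "big")
        if low_bytes.count(POISON_BYTE) >= 2:
            return "poison-uaf"
    return "unknown"


def triage(frame_text: str, addr: int) -> dict:
    """Summarise one report: proto signature, address class, and the faulting module."""
    frames = parse_frames(frame_text)
    return {
        "signature": proto_signature(frames),
        "address": classify_address(addr),
        "top_module": frames[0].module if frames else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FRAMES, SAMPLE_CRASH_ADDRESS))
```

Running it on the constructed sample yields the signature the bug was later re-filed under and flags the address as a poison pattern; addresses in the ordinary user-space range fall through to `unknown`, which keeps the heuristic from over-claiming on crashes that merely share the `objc_release` top frame.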
The predominant address here (0xffffffffe5e5e600 -- 80% of the above query) is the only address for crashes in bug 1467568. Same underlying cause?
Group: core-security → layout-core-security
Summary: Crash in objc_release | __CFBundleCopyDescription → [10.13.4+] Crash in objc_release | __CFBundleCopyDescription
I only looked at a random sample here, but they were all doing printing up in our code.
Bug 1469056 improved the crash signature for this case.
Crash Signature: [@ objc_release] → [@ objc_release | __CFBundleCopyDescription]
Group: layout-core-security → core-security-release

I can't seem to be able to pull up any reports for any recent buildids for Firefox. I'm going to close as such, but please reopen if I missed something.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
Group: core-security-release