Closed Bug 1480226 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free [@ nsVariant] with READ of size 8 through [@ nsNSSDialogs::ChooseCertificate]

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1480517
Tracking Flags:
Tracking Status
firefox62 --- fixed
firefox63 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, csectype-uaf, regression)

Attachments

(1 file)

Detailed Crash Information
14.01 KB, text/plain
Details 
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 63.0a1-20180731105217-https://hg.mozilla.org/mozilla-central/rev/0d72c7996d60a7c07e35c5f90d78b02a47d17460.

For detailed crash information, see attachment.
This stack doesn't look right -- doing things inside AnnotateMozCrashReason ?  nsNSSDialogs::ChooseCertificate inside a destructor (many frames higher)?

To the extent a lot of dialog code is involved these things would only come up through user interaction so I would guess a sec-moderate perhaps?

Keeler: does any of this make sense to you?

decoder: Not sure why this is marked as a "regression". We have no idea if this is new or old. Especially if cert dialogs are involved that's not used too much and wouldn't be hit by our non-interactive fuzzers.
Flags: needinfo?(dkeeler)
Flags: needinfo?(choller)
Keywords: csectype-uaf
Those stacks look trashed. e.g.:

0x6040002778b0 is located 32 bytes inside of 48-byte region [0x604000277890,0x6040002778c0)
freed by thread T0 here:
    #0 0x4c1ac2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fe18c256805 in nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor*, nsIX509Cert*, unsigned int*, bool*) /builds/worker/workspace/build/src/security/manager/pki/nsNSSDialogs.cpp:129:47
    #2 0x7fe18c259d6c in nsNSSDialogs::DisplayProtectedAuth(nsIInterfaceRequestor*, nsIProtectedAuthThread*) /builds/worker/workspace/build/src/security/manager/pki/nsNSSDialogs.cpp:425

DisplayProtectedAuth never calls ConfirmDownloadCACert.
Flags: needinfo?(dkeeler)
The same person also sent a second report that I filed as bug 1480517.

Both have in common that dbus is on the stack. Maybe dbus is trashing something?
Flags: needinfo?(choller)
See Also: → 1480517
Fedora 28, GNOME 3.28.2, dbus-1.12.8-1.fc28.src.rpm

If you need any other information, feel free to ask. I just don't know what could have caused it this Wednesday(?) (I guess reports are opened automatically?) or why Firefox crashed. Sorry, can't remember for three days ago…
Maybe also just my whole system froze, although I guess that in such a case Firefox cannot create a crash report…
Thanks for providing the info and no worries :) I assume this is the same bug as bug 1480517 because dbus is on both stacks and it is plausible that one of the stacks got trashed by this.

Marking as a duplicate for now.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: