AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:316:32 in isSome

RESOLVED FIXED in Firefox -esr60

Status


defect
P1
critical
RESOLVED FIXED

People

(Reporter: jkratzer, Assigned: keeler)

Tracking

(Blocks 1 bug, 4 keywords)

63 Branch
mozilla64
Bug Flags:
in-testsuite +
qe-verify -

Firefox Tracking Flags

(firefox-esr6063+ fixed, firefox62 wontfix, firefox63+ fixed, firefox64+ fixed)

Details

(Whiteboard: [webauthn][adv-main63+][adv-esr60.3+])

Attachments

(2 attachments)

Posted file trigger.html
==25581==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000cdd78 at pc 0x7f7284dde639 bp 0x7ffddd9174c0 sp 0x7ffddd9174b8
READ of size 1 at 0x6070000cdd78 thread T0 (file:// Content)
    #0 0x7f7284dde638 in isSome /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:316:32
    #1 0x7f7284dde638 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:497
    #2 0x7f7284dde638 in mozilla::dom::WebAuthnManager::ClearTransaction() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:163
    #3 0x7f7284ddec4d in mozilla::dom::WebAuthnManager::RejectTransaction(nsresult const&) /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:174:3
    #4 0x7f7284df3779 in mozilla::dom::WebAuthnTransactionChild::RecvAbort(unsigned long const&, nsresult const&) /builds/worker/workspace/build/src/dom/webauthn/WebAuthnTransactionChild.cpp:55:13
    #5 0x7f727d4e0e7c in mozilla::dom::PWebAuthnTransactionChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PWebAuthnTransactionChild.cpp:315:20
    #6 0x7f727d289c80 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2214:28
    #7 0x7f727cad0a0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2239:25
    #8 0x7f727cacc33e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2166:17
    #9 0x7f727cace79d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #10 0x7f727cacf4f7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #11 0x7f727b8f6c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1235:14
    #12 0x7f727b8ff9c5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #13 0x7f727cadaade in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #14 0x7f727c9dcbfc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #15 0x7f727c9dcbfc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #16 0x7f727c9dcbfc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #17 0x7f72854f03f6 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #18 0x7f728986575e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:937:22
    #19 0x7f727c9dcbfc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #20 0x7f727c9dcbfc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #21 0x7f727c9dcbfc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #22 0x7f7289864812 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:763:34
    #23 0x4f5b11 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #24 0x4f5b11 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #25 0x7f72a0d8cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #26 0x424ee8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x424ee8)

0x6070000cdd78 is located 72 bytes inside of 80-byte region [0x6070000cdd30,0x6070000cdd80)
freed by thread T0 (file:// Content) here:
    #0 0x4c52f2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f7284ddc79c in mozilla::dom::WebAuthnManager::Release() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:34:1
    #2 0x7f728314759a in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CallbackObject.h:584:5
    #3 0x7f7283161877 in RemoveEventListener /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1476:3
    #4 0x7f7283161877 in RemoveEventListener /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:291
    #5 0x7f7283161877 in mozilla::dom::EventTarget::RemoveEventListener(nsTSubstring<char16_t> const&, nsIDOMEventListener*, bool) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:112
    #6 0x7f7284dde44c in StopListeningForVisibilityEvents /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManagerBase.cpp:117:15
    #7 0x7f7284dde44c in mozilla::dom::WebAuthnManager::ClearTransaction() /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:160
    #8 0x7f7284ddec4d in mozilla::dom::WebAuthnManager::RejectTransaction(nsresult const&) /builds/worker/workspace/build/src/dom/webauthn/WebAuthnManager.cpp:174:3
    #9 0x7f7284df3779 in mozilla::dom::WebAuthnTransactionChild::RecvAbort(unsigned long const&, nsresult const&) /builds/worker/workspace/build/src/dom/webauthn/WebAuthnTransactionChild.cpp:55:13
    #10 0x7f727d4e0e7c in mozilla::dom::PWebAuthnTransactionChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PWebAuthnTransactionChild.cpp:315:20
    #11 0x7f727d289c80 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2214:28
    #12 0x7f727cad0a0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2239:25
    #13 0x7f727cacc33e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2166:17
    #14 0x7f727cace79d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #15 0x7f727cacf4f7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #16 0x7f727b8f6c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1235:14
    #17 0x7f727b8ff9c5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #18 0x7f727cadaade in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #19 0x7f727c9dcbfc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #20 0x7f727c9dcbfc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #21 0x7f727c9dcbfc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #22 0x7f72854f03f6 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #23 0x7f728986575e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:937:22
    #24 0x7f727c9dcbfc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #25 0x7f727c9dcbfc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #26 0x7f727c9dcbfc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c5633 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x51a34d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f7282ffaff9 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:136:12
    #3 0x7f7282ffaff9 in EnsureWebAuthnManager /builds/worker/workspace/build/src/dom/credentialmanagement/CredentialsContainer.cpp:140
    #4 0x7f7282ffaff9 in mozilla::dom::CredentialsContainer::Get(mozilla::dom::CredentialRequestOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/credentialmanagement/CredentialsContainer.cpp:158
    #5 0x7f7281dd0e45 in get /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CredentialManagementBinding.cpp:710:45
    #6 0x7f7281dd0e45 in mozilla::dom::CredentialsContainer_Binding::get_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CredentialsContainer*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CredentialManagementBinding.cpp:724
    #7 0x7f72828da5ca in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3311:13
    #8 0x7f7289b8ec62 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:445:15
    #9 0x7f7289b8ec62 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:533
    #10 0x7f7289b78500 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:12
    #11 0x7f7289b78500 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3239
    #12 0x7f7289b5eaee in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:12
    #13 0x7f7289b8f73a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:557:15
    #14 0x7f7289b914c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:10
    #15 0x7f728a62304a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2915:12
    #16 0x7f7281ee0b5e in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #17 0x7f728314da3e in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #18 0x7f728314da3e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1108
    #19 0x7f728314fb97 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
    #20 0x7f72831337c9 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #21 0x7f72831337c9 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:418
    #22 0x7f7283131a83 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:635:16
    #23 0x7f72831382de in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1110:9
    #24 0x7f7285d5dd4f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1169:7
    #25 0x7f7288ad258c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7054:21
    #26 0x7f7288acd16a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6847:7

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:316:32 in isSome
==25581==ABORTING
Flags: in-testsuite?
Testcase found while fuzzing mozilla-central rev 161817e6d127.
Version: 59 Branch → 63 Branch
Group: core-security → dom-core-security
Flags: needinfo?(continuation)
Maybe JC can take a look here due to it being related to WebAuthn.
Flags: needinfo?(jjones)
This looks like a lifetime issue with WebAuthnManager, its mTransaction, and unlinking upon an event (almost certainly an AbortSignal).

The WebAuthn code here has been in place since Firefox 60. That said, I think Smaug was saying the other day that unlinking AbortFollowers is relatively new, so this might be only in 63. We'd have to test the testcase on earlier fuzzing-asan builds to be sure.

I'm going to assign this to myself for the moment, but I'm not sure if it'll be me that solves it.
Assignee: nobody → jjones
Status: NEW → ASSIGNED
Flags: needinfo?(jjones)
Priority: -- → P1
Whiteboard: [webauthn]
Traversing/Unlinking mFollowingSignal needs to be done explicitly by subclasses. That part is new.
WebAuthnManager isn't cycle collectable, so it doesn't do that.

But there were some other changes in bug 1478101. I don't know if those could have affected this.
I think not.

WebAuthnManager::ClearTransaction() ends up removing event listeners, where 'this' is the listener. And those listeners are the last references to keep 'this' alive.
Then ClearTransaction() continues execution, although 'this' has already been deleted.
Flags: needinfo?(continuation)
J.C. asked me to work on this.
Assignee: jjones → dkeeler
WebAuthnTransactionChild doesn't own the reference to its WebAuthnManager.
WebAuthnManager::ClearTransaction calls StopListeningForVisibilityEvents, which
can decrease the refcount on the WebAuthnManager. Thus WebAuthnTransactionChild
must hold a reference to keep the manager alive while using it.
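The two analyses above (ClearTransaction removing the listeners that hold the last reference to 'this', and WebAuthnTransactionChild owning no reference of its own) modelled in a few dozen lines, as an added example that is not Mozilla's code: RefPtr, Manager, ListenerManager and TransactionChild are stand-ins for mozilla::RefPtr, WebAuthnManager, EventListenerManager and WebAuthnTransactionChild, and the `*gone` check stands in for the read of freed memory that ASan reported, so the buggy path can be observed without undefined behaviour.

```cpp
// Added example, not Gecko code: a minimal model of the lifetime bug above and
// of the stack-RefPtr ("kungFuDeathGrip") fix; every class name is a stand-in.
#include <algorithm>
#include <vector>

template <class T> struct RefPtr {            // stand-in for mozilla::RefPtr
  T* p;
  explicit RefPtr(T* t) : p(t) { p->AddRef(); }
  ~RefPtr() { p->Release(); }
  RefPtr(const RefPtr&) = delete;
  T* operator->() const { return p; }
};

struct Manager;
struct ListenerManager {                      // each entry owns one strong ref
  std::vector<Manager*> listeners;
  void Add(Manager* m);
  void Remove(Manager* m);
};

struct Manager {                              // refcounted, like WebAuthnManager
  int refcnt = 0;
  bool* destroyed;                            // external flag: readable after delete
  ListenerManager* lm;
  bool transactionActive = true;              // stand-in for Maybe<Transaction>
  Manager(bool* d, ListenerManager* l) : destroyed(d), lm(l) {}
  ~Manager() { *destroyed = true; }
  void AddRef() { ++refcnt; }
  void Release() { if (--refcnt == 0) delete this; }
  // Returns false if `this` was freed while this method was still running.
  bool ClearTransaction() {
    bool* gone = destroyed;                   // copied to a local before the call
    lm->Remove(this);                         // may Release() the last reference
    if (*gone) return false;                  // real code has no check: it would now touch freed memory
    transactionActive = false;                // the mTransaction.reset() step
    return true;
  }
};

void ListenerManager::Add(Manager* m) { m->AddRef(); listeners.push_back(m); }
void ListenerManager::Remove(Manager* m) {
  auto it = std::find(listeners.begin(), listeners.end(), m);
  if (it == listeners.end()) return;
  listeners.erase(it);
  m->Release();                               // may delete m
}

struct TransactionChild {                     // does NOT own its manager
  Manager* mManager;
  bool RecvAbortBuggy() { return mManager->ClearTransaction(); }
  bool RecvAbortFixed() {
    RefPtr<Manager> kungFuDeathGrip(mManager); // extra ref lives until we return
    return kungFuDeathGrip->ClearTransaction();
  }
};

// One scenario: the listener list holds the only reference to the manager.
bool RunAbort(bool fixed) {
  bool destroyed = false;
  ListenerManager lm;
  Manager* m = new Manager(&destroyed, &lm);
  lm.Add(m);                                  // refcnt == 1, owned by the listener
  TransactionChild child{m};
  return fixed ? child.RecvAbortFixed() : child.RecvAbortBuggy();
}
```

With the extra stack reference, Remove() drops the count to one instead of zero and the manager outlives ClearTransaction(); it is freed only when kungFuDeathGrip goes out of scope, which is exactly the ordering the landed patch enforces.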
Comment on attachment 9007339 [details]
bug 1483905 - ensure the WebAuthnManager stays alive while WebAuthnTransactionChild is using it r?qdot

Kyle Machulis [:qdot] [:kmachulis] (if a patch has no decent commit message, automatic r-) has approved the revision.
Attachment #9007339 - Flags: review+
The testcase reproduces on esr60 and release (62).
Comment on attachment 9007339 [details]
bug 1483905 - ensure the WebAuthnManager stays alive while WebAuthnTransactionChild is using it r?qdot

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Probably relatively easily (it's pretty clear it's a use-after-free, and the rest is just details).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes. We could potentially prepare a patch that includes only the fix(es), but it's still pretty clear what's going on.

Which older supported branches are affected by this flaw?

all

If not all supported branches, which bug introduced the flaw?

n/a

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This patch applies cleanly to all affected branches.

How likely is this patch to cause regressions; how much testing does it need?

Not very likely - the fix is small, localized, and unlikely to introduce other problems. It also includes an automated test.
Attachment #9007339 - Flags: sec-approval?
I really don't want to check this in before October 1, to avoid exposure. At that point, we'd want Beta and ESR60 patches made and nominated as well.

So sec-approval+ for checkin but not until October 1.
Whiteboard: [webauthn] → [webauthn][checkin on 10/1]
Attachment #9007339 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a653a439a39b5513169c2bf31353c49b57922a81
Flags: in-testsuite? → in-testsuite+
Whiteboard: [webauthn][checkin on 10/1] → [webauthn]
This was backed out for build bustage.
https://hg.mozilla.org/integration/mozilla-inbound/rev/e6bcb33bea54

https://treeherder.mozilla.org/logviewer.html#?job_id=202575555&repo=mozilla-inbound

dom/webauthn/WebAuthnTransactionChild.cpp:35:3: error: Unused "kungFuDeathGrip" 'RefPtr<mozilla::dom::WebAuthnManagerBase>' objects constructed from members are prohibited
Flags: needinfo?(dkeeler)
I updated the patch to "use" the kfdg.
Flags: needinfo?(dkeeler)
https://hg.mozilla.org/mozilla-central/rev/88ebd0e4c45e

Please request Beta and ESR60 approval on this when you get a chance. It grafts cleanly as-landed.
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Flags: needinfo?(dkeeler)
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment on attachment 9007339 [details]
bug 1483905 - ensure the WebAuthnManager stays alive while WebAuthnTransactionChild is using it r?qdot

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
User impact if declined: potential exploits via uaf
Fix Landed on Version: 64
Risk to taking this patch (and alternatives if risky): taking this patch is almost certainly not worse than not taking it
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Approval Request Comment
[Feature/Bug causing the regression]: maybe bug 1478101?
[User impact if declined]: potential exploits via uaf
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: we're adding a reference-counting pointer onto the stack - it practically can't go wrong
[String changes made/needed]: none
Flags: needinfo?(dkeeler)
Attachment #9007339 - Flags: approval-mozilla-esr60?
Attachment #9007339 - Flags: approval-mozilla-beta?
Comment on attachment 9007339 [details]
bug 1483905 - ensure the WebAuthnManager stays alive while WebAuthnTransactionChild is using it r?qdot

Uplift approved for 63 beta 12, thanks.
Attachment #9007339 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 9007339 [details]
bug 1483905 - ensure the WebAuthnManager stays alive while WebAuthnTransactionChild is using it r?qdot

Fixes a sec-high, approved for ESR 60.3.
Attachment #9007339 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Whiteboard: [webauthn] → [webauthn][adv-main63=
Whiteboard: [webauthn][adv-main63= → [webauthn][adv-main63+
Whiteboard: [webauthn][adv-main63+ → [webauthn][adv-main63+][adv-esr60.3+]
Group: core-security-release