Use-After-Free Crash in MergeState::UpdateContainerASR
Categories
(Core :: Web Painting, defect, P3)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox63 | --- | wontfix
firefox64 | --- | wontfix
firefox65 | --- | fix-optional
firefox66 | --- | fix-optional
firefox67 | --- | fix-optional
People
(Reporter: philipp, Unassigned)
References
(Blocks 1 open bug)
This bug was filed from the Socorro interface and is report bp-0d0d51e1-ab73-440a-bc57-b4fb70181123.

=============================================================
Top 10 frames of crashing thread:

0 xul.dll void MergeState::UpdateContainerASR layout/painting/RetainedDisplayListBuilder.cpp:483
1 xul.dll void MergeState::ProcessOldNode layout/painting/RetainedDisplayListBuilder.cpp:539
2 xul.dll class RetainedDisplayList MergeState::Finalize layout/painting/RetainedDisplayListBuilder.cpp:437
3 xul.dll bool RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:663
4 xul.dll void MergeState::ProcessOldNode layout/painting/RetainedDisplayListBuilder.cpp:524
5 xul.dll class RetainedDisplayList MergeState::Finalize layout/painting/RetainedDisplayListBuilder.cpp:437
6 xul.dll bool RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:663
7 xul.dll struct Index<MergedListUnits> MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:335
8 xul.dll bool RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:659
9 xul.dll RetainedDisplayListBuilder::AttemptPartialUpdate layout/painting/RetainedDisplayListBuilder.cpp:1419
=============================================================

This content crash signature is newly showing up since Firefox 61, presumably due to bug 1443027. Most reports appear to be security sensitive.
Comment 1•6 years ago
wontfix for 63 as we have no plan for another dot release before 64 ships in 2 weeks from now.
Comment 2•6 years ago
Miko, can you please take a look at the crash stacks to see if anything stands out?
Comment 3•5 years ago
This looks a bit similar to other crashes we have, where DisplayItemClipChain of a display item is corrupted.
Comment 4•5 years ago
There could be multiple causes here, but the use-after-free crashes are sec-high
Comment 7•5 years ago
(In reply to Jessie [:jbonisteel] plz needinfo from comment #6)
> Miko, does this bug look actionable?

Sadly, no. This looks like it belongs to a class of stalled bugs where display item/display item clip chain arena gets bogus/corrupted entries. The only lead we have here, is that it seems to happen more often with Windows 7.
Comment 8•4 years ago
Removing employee no longer with company from CC list of private bugs.
Comment 10•2 years ago
The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:tnikkel, could you consider increasing the severity of this security bug?
For more information, please visit auto_nag documentation.
Comment 11•10 months ago
There are only two crashes with this signature in the last 6 months. One in Fenix 86 that's crashing on the UAF poison value (consistent with the original report), and one in ESR 102.8 on Linux that looks like a bit-flip.
bp-1bbee9b8-8a67-4422-a29d-e335e0230302 crashes on an access of 0x08007f645a8f05e0 (rax + 0x20). Several other registers have values like 0x00007f645-------, reasonably close to the crashing address if you ignore that one highish bit. Given we have a significant number of ESR 102 users and the former UAF crashes were not rare we can safely assume this got fixed in another bug along the way.
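The distinction comment 11 draws, a fault on the freed-memory poison value versus a single flipped high bit in an otherwise plausible pointer, can be scripted as a triage check over a register dump. The following is an added example written for this page, not Mozilla or Socorro code. It assumes the 0xe5 fill byte mozjemalloc uses for freed allocations (not stated on this page), a 1 MiB "nearby" threshold that is an arbitrary choice, and a constructed register set: the fault address and `rax` follow the values quoted above (`rax + 0x20` faults at 0x08007f645a8f05e0), while `rbx`, `rcx` and `rsp` are made up to match the 0x00007f645... shape the comment describes.

```python
"""Crash-address triage: jemalloc poison pointer vs. single-bit flip.

Added example for this bug page, not Firefox code.  Constants and the
sample register dump are assumptions or constructed values, as commented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# mozjemalloc fills freed allocations with repeated 0xe5 bytes, so a read
# through a dangling pointer faults at 0xe5e5...e5 plus the field offset.
POISON_BYTE = 0xE5
# x86-64 user-space pointers are canonical: bits 47..63 are all zero.
CANONICAL_BITS = 47
# Assumption: a repaired address within 1 MiB of a live register value is
# "in the same region" for the purposes of the bit-flip heuristic.
NEAR = 0x100000


@dataclass
class Verdict:
    kind: str    # "poison", "bit-flip" or "unknown"
    detail: str


def poison_pattern(width: int) -> int:
    """The poison value as a pointer of `width` bytes (8 on 64-bit)."""
    return int.from_bytes(bytes([POISON_BYTE]) * width, "little")


def poison_offset(addr: int, width: int = 8, max_off: int = 0x1000) -> Optional[int]:
    """Return the field offset if addr == poison + small offset, else None."""
    base = poison_pattern(width)
    if base <= addr < base + max_off:
        return addr - base
    return None


def noncanonical_bits(addr: int) -> List[int]:
    """Indices of set bits above the canonical user-space range."""
    return [b for b in range(CANONICAL_BITS, 64) if (addr >> b) & 1]


def bit_flip_repair(addr: int, regs: Dict[str, int]) -> Optional[Tuple[int, int, str]]:
    """If exactly one non-canonical bit is set and clearing it lands next to
    a clean register value, return (bit, repaired_addr, register_name)."""
    bits = noncanonical_bits(addr)
    if len(bits) != 1:
        return None
    repaired = addr & ~(1 << bits[0])
    for name, value in regs.items():
        # Compare only against registers that are themselves canonical, so
        # the register holding the corrupted pointer does not vouch for it.
        if not noncanonical_bits(value) and abs(value - repaired) < NEAR:
            return bits[0], repaired, name
    return None


def triage(crash_addr: int, regs: Dict[str, int], width: int = 8) -> Verdict:
    """Classify a faulting address using the two heuristics above."""
    off = poison_offset(crash_addr, width)
    if off is not None:
        return Verdict("poison", f"freed-memory poison + 0x{off:x}: use-after-free")
    hit = bit_flip_repair(crash_addr, regs)
    if hit is not None:
        bit, repaired, name = hit
        return Verdict("bit-flip", f"clearing bit {bit} gives 0x{repaired:016x}, near {name}")
    return Verdict("unknown", "neither poison nor a single-bit explanation")


# Constructed register dump modelled on the ESR 102.8 report: the fault
# address and rax are as quoted in the comment, the rest are invented.
ESR_CRASH = 0x08007F645A8F05E0
ESR_REGS = {
    "rax": ESR_CRASH - 0x20,          # the access was rax + 0x20
    "rbx": 0x00007F645A8F0100,        # constructed
    "rcx": 0x00007F645B200000,        # constructed
    "rsp": 0x00007FFD1C3E6A40,        # constructed
}
# Constructed 64-bit fault through a freed object's field at offset 0x20.
POISON_CRASH = poison_pattern(8) + 0x20


if __name__ == "__main__":
    for label, addr in (("ESR 102.8", ESR_CRASH), ("poison", POISON_CRASH)):
        v = triage(addr, ESR_REGS)
        print(f"{label}: 0x{addr:016x} -> {v.kind}: {v.detail}")
```

Running it reports the ESR address as a bit-flip (bit 59 cleared yields 0x00007f645a8f05e0, next to `rbx`) and the poison address as a use-after-free at offset 0x20. The poison check runs first because a poison pointer is also non-canonical, and the heuristic is only as good as the register dump: with no clean register nearby the script answers "unknown" rather than guessing.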
Comment 12•10 months ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.