Crash in nsHostResolver::ResolveHost
Categories
(Core :: Networking: DNS, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | wontfix |
| firefox-esr68 | - | wontfix |
| firefox-esr78 | 87+ | fixed |
| firefox64 | --- | wontfix |
| firefox65 | --- | wontfix |
| firefox66 | + | wontfix |
| firefox67 | --- | wontfix |
| firefox68 | --- | wontfix |
| firefox69 | --- | wontfix |
| firefox70 | --- | wontfix |
| firefox71 | --- | wontfix |
| firefox86 | --- | wontfix |
| firefox87 | + | fixed |
| firefox88 | + | fixed |
People
(Reporter: julienw, Assigned: valentin)
References
Details
(4 keywords, Whiteboard: [necko-triaged][post-critsmash-triage][sec-survey][adv-main87+r][adv-esr78.9+r])
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr78+
dveditz
:
sec-approval+
|
Details | Review |
|
Reporter | |
Updated•7 years ago
|
|
||
Updated•7 years ago
|
|
||
Updated•7 years ago
|
|
||
Comment 1•7 years ago
|
||
|
||
Comment 2•7 years ago
|
||
Dragana, do you think you'll have cycles to look at this during this cycle still?
|
|
||
Comment 3•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
Dragana, do you think you'll have cycles to look at this during this cycle still?
I was on PTO and back today.
I looked into this today a bit and I will continue looking... I may have a theory why this is happening.
|
|
||
Updated•7 years ago
|
|
||
Comment 5•7 years ago
•
|
||
I don't see anything interesting in the reports that have logs on Android. The stack is kinda weird, though.
According to the reports, the crash is occuring in RefPtr::AddRef(), so we are likely creating a RefPtr with a garbage referent, but frame 1 points to the line[0] where nsDNSService::AsyncResolveInternal calls nsHostResolver::ResolveHost. We aren't creating a RefPtr here, but we would've for the new nsDNSAsyncRequest(...) just above for the mResolver member. Optimization side effect? Busted stack trace? Also, we're passing the value for mResolver from an existing RefPtr, so it doesn't make sense that it could suddenly become garbage.
Is this still a P1 for this release cycle?
|
|
||
Comment 7•7 years ago
|
||
(In reply to Emma Humphries, Bugmaster ☕️🎸🧞♀️✨ (she/her) [:emceeaich] (UTC-8) needinfo? me from comment #6)
Is this still a P1 for this release cycle?
I would like to fix it but currently I do not know what the next step should be.
I will keep it P1.
|
||
Updated•7 years ago
|
|
||
Comment 8•7 years ago
|
||
Dragana, are you able to take another look? The crash volume went up quite a lot on 66.0.2 for Fennec.
Petru, cc-ing you into the bug in case you may be able to investigate.
|
||
Comment 9•7 years ago
|
||
Sorry but all this seems native code for which I don't anything to contribute atm.
Feel free to ping me if there's anything to be done in the Android app.
|
|
||
Comment 10•7 years ago
|
||
Actually - at this point, this isn't likely to be fixed for 66. But we could still take a patch for 68 or potentially, 67.
|
|
||
Comment 11•7 years ago
|
||
The volume of crashes on 67 beta is low and we don't currently have a patch in review orwhile we are one week away from RC week. Marking as fix-optional at this point for 67.
|
||
Comment 12•6 years ago
|
||
The cause seems to be the same as in bug 1549398. Looks like nsDNSService::mResolver is invalid, but I have no idea why...
|
|
||
Comment 13•6 years ago
|
||
Too late for a fix in 68 as we are a week away from release.
|
|
||
Updated•6 years ago
|
|
|
||
Comment 14•6 years ago
|
||
We do not know how to fix this at the moment.
|
|
||
Comment 15•6 years ago
|
||
OK. I'll mark this stalled for now. Dan just double checking that's ok with you.
|
||
Comment 16•6 years ago
|
||
Christian, making you aware. This is likely a race in our DNS code we can't figure out.
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 17•6 years ago
|
||
setting status for esr68 since these are mostly fennec crashes.
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
||
Comment 18•5 years ago
|
||
Removing employee no longer with company from CC list of private bugs.
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
Assignee | |
Comment 19•5 years ago
|
||
|
|
Assignee | |
Comment 20•5 years ago
|
||
Comment on attachment 9206332 [details]
Bug 1513519 - Always hold lock when accessing mResolver r=#necko
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Racy code is rather obvious. Unclear how easy this would be to exploit.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Easy to backport.
- How likely is this patch to cause regressions; how much testing does it need?: Low risk of regressions - only locks mutex for sensitive operations
|
|
||
Updated•5 years ago
|
|
|
||
Comment 21•5 years ago
|
||
Comment on attachment 9206332 [details]
Bug 1513519 - Always hold lock when accessing mResolver r=#necko
sec-approval=dveditz
|
|
||
Updated•5 years ago
|
|
|
||
Comment 22•5 years ago
|
||
Always hold lock when accessing mResolver r=necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/a9c0999063b5358a196fa958563a9c43b3ebf6eb
https://hg.mozilla.org/mozilla-central/rev/a9c0999063b5
|
|
||
Comment 23•5 years ago
|
||
Please request beta/esr uplift when you get a chance.
|
|
Assignee | |
Comment 24•5 years ago
|
||
Comment on attachment 9206332 [details]
Bug 1513519 - Always hold lock when accessing mResolver r=#necko
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Sec-high
- User impact if declined: nsDNSService::mResolver may be accessed from multiple threads without holding a lock leading to a use after free.
- Fix Landed on Version: 88
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch makes no big logic changes. We just hold the lock when accessing the RefPtr in a few extra places in the code.
- String or UUID changes made by this patch:
Beta/Release Uplift Approval Request
- User impact if declined: nsDNSService::mResolver may be accessed from multiple threads without holding a lock leading to a use after free.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch makes no big logic changes. We just hold the lock when accessing the RefPtr in a few extra places in the code.
- String changes made/needed:
|
||
Updated•5 years ago
|
|
|
||
Comment 25•5 years ago
|
||
Comment on attachment 9206332 [details]
Bug 1513519 - Always hold lock when accessing mResolver r=#necko
approved for 87.0b8
|
|
||
Comment 26•5 years ago
|
||
| uplift | ||
|
|
||
Comment 27•5 years ago
|
||
Comment on attachment 9206332 [details]
Bug 1513519 - Always hold lock when accessing mResolver r=#necko
Approved for 78.9esr.
|
|
||
Comment 28•5 years ago
|
||
| uplift | ||
|
||
Comment 29•5 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
Description
•