Closed Bug 1521639 Opened 11 months ago Closed 10 months ago

AddressSanitizer: heap-use-after-free [@ operator] with READ of size 8 involving mozilla::net::TRRService

Categories

(Core :: Networking: DNS, defect, critical)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- disabled
firefox64 --- disabled
firefox65 --- disabled
firefox66 + fixed
firefox67 + fixed

People

(Reporter: decoder, Assigned: dragana)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 66.0a1-20190120094340-https://hg.mozilla.org/mozilla-central/rev/219bc50b5cd5ac8b374cac6531ece44dddf4bfff.

For detailed crash information, see attachment.

Flags: sec-bounty?

$ Downloads/firefox/firefox
*** You are running in chaos test mode. See ChaosMode.h. ***
IPDL protocol Error: Received an invalid file descriptor
IPDL protocol Error: Received an invalid file descriptor
IPDL protocol Error: Received an invalid file descriptor
IPDL protocol Error: Received an invalid file descriptor
IPDL protocol Error: Received an invalid file descriptor
QInotifyFileSystemWatcherEngine::addPaths: inotify_add_watch failed: No space left on device
[warn] Unable to parse nameserver address fe80::52ff:20ff:fe04:c8da%enp4s0
Attempting load of libEGL.so
[Child 6066, MediaPlayback #49] WARNING: Decoder=615000e22a00 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #57] WARNING: Decoder=615002819080 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #58] WARNING: Decoder=615002819080 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #78] WARNING: Decoder=6150006a5e80 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #80] WARNING: Decoder=615003037500 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #82] WARNING: Decoder=615003037500 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #82] WARNING: Decoder=615003037500 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #80] WARNING: Decoder=615003037500 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #83] WARNING: Decoder=615003037500 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
[Child 6066, MediaPlayback #91] WARNING: Decoder=615002ebab00 Decode error: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005) - RefPtr<MediaSourceTrackDemuxer::SamplesPromise> mozilla::MediaSourceTrackDemuxer::DoGetSamples(int32_t): manager is detached.: file /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp, line 3325
AddressSanitizer:DEADLYSIGNAL

Group: core-security
Group: network-core-security
Assignee: nobody → dd.mozilla
Status: NEW → ASSIGNED
Blocks: DoH

Comment on attachment 9039527 [details]
Bug 1521639 - Fix locking in TRRService. r=valentin

Security Approval Request

How easily could an exploit be constructed based on the patch?

The patch shows exactly what the problem is, but it needs special timing of operations to trigger the bug.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes

Which older supported branches are affected by this flaw?

60

If not all supported branches, which bug introduced the flaw?

Bug 1441391

Do you have backports for the affected branches?

No

If not, how different, hard to create, and risky will they be?

It is easy to create one and it is a low-risk change.

How likely is this patch to cause regressions; how much testing does it need?

It is unlikely.

Attachment #9039527 - Flags: sec-approval?

I'm giving sec-approval+ for checkin on February 12 since the patch is pretty obvious. At that point, we'll also want patches made and nominated for Beta and ESR60.

Whiteboard: [checkin on 2/12]
Attachment #9039527 - Flags: sec-approval? → sec-approval+

Comment on attachment 9039527 [details]
Bug 1521639 - Fix locking in TRRService. r=valentin

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

Bug 1441391

User impact if declined

It can cause a crash and a UAF.

Is this code covered by automated tests?

No

Has the fix been verified in Nightly?

No

Needs manual test from QE?

No

If yes, steps to reproduce

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

The patch only adds locking.

String changes made/needed

Attachment #9039527 - Flags: approval-mozilla-beta?

(In reply to Al Billings [:abillings] from comment #6)

I'm giving sec-approval+ for checkin on February 12 since the patch is pretty obvious. At that point, we'll also want patches made and nominated for Beta and ESR60.

The TRR feature is disabled on ESR60 (it is also disabled by default on the current release). ESR60 also misses some other fixes for TRR (e.g. the fix for the crash in bug 1441131). Do we need to uplift this to ESR60?

Flags: needinfo?(abillings)

(In reply to Dragana Damjanovic [:dragana] from comment #8)

(In reply to Al Billings [:abillings] from comment #6)

I'm giving sec-approval+ for checkin on February 12 since the patch is pretty obvious. At that point, we'll also want patches made and nominated for Beta and ESR60.

The TRR feature is disabled on ESR60 (it is also disabled by default on the current release). ESR60 also misses some other fixes for TRR (e.g. the fix for the crash in bug 1441131). Do we need to uplift this to ESR60?

I think we could get away without it then.

If this is disabled by default on current release, you can check in now and ask for uplift for a beta patch as well.

Flags: needinfo?(abillings) → needinfo?(dd.mozilla)
Flags: needinfo?(dd.mozilla)
Keywords: checkin-needed

Don't worry, I've got queries for timed landings :).

Keywords: checkin-needed
Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Comment on attachment 9039527 [details]
Bug 1521639 - Fix locking in TRRService. r=valentin

Avoid a crash + UAF, landed ok on nightly.
OK for uplift for beta 8.

Attachment #9039527 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Blocks: 1441391
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release