Closed Bug 1523185 Opened 7 years ago Closed 7 years ago

Crash in SnowWhiteKiller::Visit due to UAF

Categories

(Core :: XPCOM, defect)

Unspecified
Android
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1540166
Tracking Status
firefox-esr60 --- fixed
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: gsvelto, Unassigned)

References

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

This bug is for crash report bp-0c5ef992-61bc-42b3-bf92-07b9a0190127.

Top 10 frames of crashing thread:

0 libxul.so SnowWhiteKiller::Visit xpcom/base/nsISupportsImpl.h:262
1 libxul.so void nsPurpleBuffer::VisitEntries<SnowWhiteKiller> xpcom/base/nsCycleCollector.cpp:956
2 libxul.so nsCycleCollector::FreeSnowWhiteWithBudget xpcom/base/nsCycleCollector.cpp:2622
3 libxul.so AsyncFreeSnowWhite::Run js/xpconnect/src/XPCJSRuntime.cpp:142
4 libxul.so IdleRunnableWrapper::Run xpcom/threads/nsThreadUtils.cpp:317
5 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1160
6 libxul.so NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:468
7 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:88
8 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:315
9 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137

There are two crash stacks here. One is for older stable releases and I don't think it's relevant; the most recent one, which applies to nightly, has crash addresses that look like a UAF.

Component: JavaScript: GC → XPCOM

It looks like the purple buffer is pointing to a dead object. Unfortunately there's no information about what the class of the object is.

Updating 68 to affected. This crash is visible in both Firefox beta and nightly and affects desktop as well as mobile.

Marking as sec sensitive since I see a number of Fennec reports with possible UAF addresses.

Group: core-security

This could be the same thing as bug 1540166. We should see if this is improved once that lands on beta.

Depends on: 1540166

The highest buildID I see for a crash with a UAF address is 20190330093331.

(In reply to Daniel Veditz [:dveditz] from comment #5)

> The highest buildID I see for a crash with a UAF address is 20190330093331.

Andrew, should we go ahead and close this?

Flags: needinfo?(continuation)
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(continuation)
Resolution: --- → DUPLICATE
Group: core-security
Summary: Crash in SnowWhiteKiller::Visit → Crash in SnowWhiteKiller::Visit due to UAF