Don't run forgetSkippable during SnowWhiteFreeing
Categories
(Core :: XPCOM, defect)
Tracking
()
People
(Reporter: smaug, Assigned: smaug)
References
(Blocks 1 open bug)
Details
(Keywords: sec-high, Whiteboard: [adv-main67+][adv-esr60.7+])
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
lizzard
:
approval-mozilla-esr60+
abillings
:
sec-approval+
|
Details | Review |
This is related to bug https://bugzilla.mozilla.org/show_bug.cgi?id=1318810
The theory is that event loop spins in some destructor. That isn't too good practice, but also we shouldn't try to run forgetSkippable.
When manually forcing forgetSkippable to happen during snowwhitefreeing, we're crashing at the same place as in https://bugzilla.mozilla.org/show_bug.cgi?id=1318810 on android.
|
Assignee | |
Updated•7 years ago
|
|
|
Assignee | |
Comment 1•7 years ago
|
||
|
||
Comment 2•7 years ago
|
||
Thanks for looking at this. I looked over the other places where we use the purple buffer, and the rest are either guarded like this, are deep inside the CC, or are inside Suspect methods, which I think the code intends to handle.
|
|
Assignee | |
Comment 3•7 years ago
|
||
Comment on attachment 9054508 [details]
Bug 1540166, avoid some useless ForgetSkippable handling while we're already dealing with snow-white objects, r=mccr8
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I don't know how to trigger the crash (expect manually injecting forgetSkippable calls). But the theory is that event loop spins at unexpected time.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All, assuming the event loop spinning happens on all the branches
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: The same patch seem to applies at least to esr60.
- How likely is this patch to cause regressions; how much testing does it need?: Should be safe, since we just don't run CC optimization phase if event loop spins at odd time.
|
||
Comment 4•7 years ago
|
||
this is to fix (some of?) the crashes in bug 1318810, and in those signatures I see a bunch of EXCEPTION_ACCESS_VIOLATION_EXEC crashes at exploitable-looking addresses like bp-31fce5d1-4f6c-41f6-8c27-856f60190329
We probably should be making 1318810 a security bug, but in the meantime calling this sec-high because at least these seem to be in the sandboxed content process.
|
||
Comment 5•7 years ago
•
|
||
Comment on attachment 9054508 [details]
Bug 1540166, avoid some useless ForgetSkippable handling while we're already dealing with snow-white objects, r=mccr8
sec-approval+ for trunk. Let's get a beta patch and ESR60 one nominated as well.
|
|
||
Updated•7 years ago
|
|
|
Assignee | |
Updated•7 years ago
|
|
|
Assignee | |
Comment 6•7 years ago
|
||
|
|
Assignee | |
Comment 7•7 years ago
|
||
Comment on attachment 9054508 [details]
Bug 1540166, avoid some useless ForgetSkippable handling while we're already dealing with snow-white objects, r=mccr8
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: NA
- User impact if declined: See comment 3
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String changes made/needed: NA
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String or UUID changes made by this patch:
|
|
Assignee | |
Comment 8•7 years ago
|
||
Ah, no, this doesn't need QE.
|
||
Comment 9•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/73ebc8384c0f3790b23bad2a133ba4338a7a8816
https://hg.mozilla.org/mozilla-central/rev/73ebc8384c0f
|
|
||
Comment 10•7 years ago
|
||
It is probably still too early to tell, but there have been no nsPurpleBufferEntry::Swap crashes since this landed in the Android Nightly. (20190330093331 is the last Android Nightly without this patch.)
|
||
Updated•7 years ago
|
|
|
Assignee | |
Comment 11•7 years ago
|
||
Still looking good.
|
|
Assignee | |
Comment 12•7 years ago
|
||
... 20190330093331 is the last build with crashes.
|
||
Comment 13•7 years ago
|
||
Comment on attachment 9054508 [details]
Bug 1540166, avoid some useless ForgetSkippable handling while we're already dealing with snow-white objects, r=mccr8
Crashes stopped over the last week after landing on mozilla-central on the depending bugs, approved for 67 beta, thanks.
|
|
||
Comment 14•7 years ago
|
||
| uplift | ||
|
||
Updated•7 years ago
|
|
||
Comment 15•7 years ago
|
||
Comment on attachment 9054508 [details]
Bug 1540166, avoid some useless ForgetSkippable handling while we're already dealing with snow-white objects, r=mccr8
Fix for sec-high crash, let's take it for 60.7 esr.
|
|
||
Comment 16•7 years ago
|
||
| uplift | ||
|
|
||
Updated•7 years ago
|
|
|
||
Updated•5 years ago
|
Description
•