Bug 1548822 (Closed): opened 5 years ago, closed 5 years ago
AddressSanitizer: heap-use-after-free [@ HashStringKnownLength<const unsigned char *>] with READ of size 1
Categories: Core :: Networking: HTTP, defect, P1
Status: RESOLVED FIXED (target milestone mozilla68)
People: Reporter: decoder, Assigned: mayhemer
References: Blocks 2 open bugs, Regression
Details: 4 keywords, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+]
Attachments (3 files, 1 obsolete file):
- 20.91 KB, text/plain
- 47 bytes, text/x-phabricator-request; abillings: sec-approval+
- 1.33 KB, patch; RyanVM: approval-mozilla-esr60+
The attached use-after-free keeps getting triggered by libFuzzer on mozilla-central revision 4bc31addf415+ (with the not yet landed HTTP target).
So far I have not been able to reproduce any of these crashes (probably because they depend on one of the prior tests in the target). However, since the crash is a use-after-free with a full ASan trace, I guess we should be able to figure out what is going on even without steps to reproduce.
Comment 1 (Reporter, 5 years ago)
Updated 5 years ago: Group: core-security → network-core-security
Updated 5 years ago: Keywords: csectype-uaf, sec-high
Comment 2 (Assignee, 5 years ago)
We must clone the ci at [1].
Updated 5 years ago (Assignee): Priority: -- → P1; Whiteboard: [necko-triaged]
Updated 5 years ago (Assignee): Assignee: nobody → honzab.moz; Status: NEW → ASSIGNED
Comment 3 (Assignee, 5 years ago)
Comment 6 (Assignee, 5 years ago)
Comment on attachment 9063495 [details]: Bug 1548822, r=kershaw
Security Approval Request
- How easily could an exploit be constructed based on the patch?: there is a long path of indirection to actually find the crash we deal with from the code change, so, really not easily
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: I think all
- If not all supported branches, which bug introduced the flaw?: Bug 855185
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: this is very simple to backport, probably will apply cleanly to this very old code
- How likely is this patch to cause regressions; how much testing does it need?: zero and automated testing will cover this well.
Attachment #9063495 - Flags: sec-approval?
Updated 5 years ago: Keywords: regression; Regressed by: 855185
Comment 7 (5 years ago)
Comment on attachment 9063495 [details]: Bug 1548822, r=kershaw
sec-approval+ for trunk.
Attachment #9063495 - Flags: sec-approval? → sec-approval+
Updated 5 years ago (Assignee): Keywords: checkin-needed
Comment 8 (5 years ago)
Keywords: checkin-needed
Comment 9 (5 years ago)
Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Comment 10 (5 years ago)
Please rebase this for ESR60 and nominate it for approval when you get a chance.
status-firefox67: --- → wontfix
status-firefox-esr60: --- → affected
tracking-firefox68: --- → +
tracking-firefox-esr60: --- → 68+
Flags: needinfo?(honzab.moz)
Updated 5 years ago: Flags: qe-verify-; Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]
Comment 12 (5 years ago)
Please rebase and nominate this for ESR60 soon :)
Flags: needinfo?(honzab.moz)
Comment 13 (Assignee, 5 years ago)
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: UAF
- Fix Landed on Version: 68
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): trivial patch
- String or UUID changes made by this patch:
Flags: needinfo?(honzab.moz)
Attachment #9075166 - Flags: approval-mozilla-esr60?
Comment 14 (Assignee, 5 years ago)
Beta/Release Uplift Approval Request
- User impact if declined: comment 13
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String changes made/needed:
Attachment #9075166 - Attachment is obsolete: true
Attachment #9075166 - Flags: approval-mozilla-esr60?
Attachment #9075216 - Flags: approval-mozilla-beta?
Comment 15 (5 years ago)
Comment on attachment 9075216 [details] [diff] [review] esr60
Fixes a Necko sec bug. Approved for 60.8esr.
Attachment #9075216 - Flags: approval-mozilla-beta? → approval-mozilla-esr60+
Comment 16 (5 years ago)
Updated 5 years ago: Whiteboard: [necko-triaged][post-critsmash-triage] → [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+]
Updated 4 years ago: Blocks: asan-maintenance
Updated 4 years ago: Group: core-security-release
Updated 2 years ago: Has Regression Range: --- → yes