Closed Bug 1600351 Opened 5 years ago Closed 5 years ago

Crash in [@ objc_release | nsOSHelperAppService::IsCurrentAppOSDefaultForProtocol]

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Version:
72 Branch
Platform:
Unspecified
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 72
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- unaffected
firefox72 + fixed

People

(Reporter: philipp, Assigned: Gijs)

References

(Regression)

Details

(Keywords: crash, csectype-uaf, regression)

Crash Data

Attachments

(1 file)

Bug 1600351 - don't release things we don't own, r?barret
47 bytes, text/x-phabricator-request
Details | Review

[Tracking Requested - why for this release]:

This bug is for crash report bp-2a75ae0d-f247-4cfe-a80e-13de80191129.

Top 10 frames of crashing thread:

0 libobjc.A.dylib objc_release 
1 XUL nsOSHelperAppService::IsCurrentAppOSDefaultForProtocol uriloader/exthandler/mac/nsOSHelperAppService.mm:184
2 XUL nsMIMEInfoBase::LaunchWithURI uriloader/exthandler/nsMIMEInfoImpl.cpp:337
3 XUL nsExternalHelperAppService::LoadURI uriloader/exthandler/nsExternalHelperAppService.cpp:994
4 XUL mozilla::dom::ContentParent::RecvLoadURIExternal dom/ipc/ContentParent.cpp:3905
5 XUL mozilla::dom::PContentParent::OnMessageReceived ipc/ipdl/PContentParent.cpp:7714
6 XUL mozilla::ipc::MessageChannel::DispatchMessage ipc/glue/MessageChannel.cpp:2208
7 XUL mozilla::ipc::MessageChannel::MessageTask::Run ipc/glue/MessageChannel.cpp:2003
8 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1250
9 XUL NS_ProcessPendingEvents xpcom/threads/nsThreadUtils.cpp:434

this macos crash signature is starting to show up on nightly after the patch for bug 1496380 landed. the crashing address of most reports indicates that this is a security sensitive issue (UAF).

Crash Signature: [@ objc_release | nsOSHelperAppService::IsCurrentAppOSDefaultForProtocol] [@ objc_msgSend | CFBundleCreate ] → [@ objc_release | nsOSHelperAppService::IsCurrentAppOSDefaultForProtocol] [@ objc_release | CopyApplicationArray] [@ objc_msgSend | CFBundleCreate ]

Sometimes I figure, some day this codebase is gonna run out of ways of showing I'm an idiot, but clearly today is not that day. One lives in hope.

Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED

(I'm landing this because it's nightly only so I don't need sec-approval.)

https://hg.mozilla.org/mozilla-central/rev/d841771bed63

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox72: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 72

Thanks for the super quick fix!

tracking-firefox72: ?+
Group: core-security-release
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: