Closed Bug 1604847 Opened 4 years ago Closed 4 years ago

AddressSanitizer: heap-use-after-free /src/obj-firefox/dist/include/mozilla/RefPtr.h:303:36 in operator!

Categories

(Core :: DOM: Service Workers, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 74+ fixed
firefox73 --- wontfix
firefox74 + fixed
firefox75 + fixed

People

(Reporter: jkratzer, Assigned: perry)

References

(Blocks 3 open bugs)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main74+r][adv-esr68.6+r])

Attachments

(2 files)

Found while fuzzing mozilla-central rev e928d6001344. I'm currently attempting to reduce the testcase and will update once complete.

=================================================================
==4346==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002b51d0 at pc 0x7f03fc8c9520 bp 0x7ffc143c0a50 sp 0x7ffc143c0a48
READ of size 8 at 0x6060002b51d0 thread T0 (file:// Content)
    #0 0x7f03fc8c951f in operator! /src/obj-firefox/dist/include/mozilla/RefPtr.h:303:36
    #1 0x7f03fc8c951f in Exists /src/obj-firefox/dist/include/mozilla/MozPromise.h:1284:33
    #2 0x7f03fc8c951f in mozilla::MozPromiseRequestHolder<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> >::Track(already_AddRefed<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false>::Request>) /src/obj-firefox/dist/include/mozilla/MozPromise.h:1261:5
    #3 0x7f03fc929034 in mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false>::ThenCommand<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false>::ThenValue<void mozilla::dom::ClientSourceOpChild::DoSourceOp<RefPtr<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> > (mozilla::dom::ClientSource::*)(mozilla::dom::ClientControlledArgs const&), mozilla::dom::ClientControlledArgs>(RefPtr<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> > (mozilla::dom::ClientSource::*)(mozilla::dom::ClientControlledArgs const&), mozilla::dom::ClientControlledArgs const&)::'lambda'(mozilla::dom::ClientOpResult const&), void mozilla::dom::ClientSourceOpChild::DoSourceOp<RefPtr<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> > (mozilla::dom::ClientSource::*)(mozilla::dom::ClientControlledArgs const&), mozilla::dom::ClientControlledArgs>(RefPtr<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> > (mozilla::dom::ClientSource::*)(mozilla::dom::ClientControlledArgs const&), mozilla::dom::ClientControlledArgs const&)::'lambda'(nsresult)> >::Track(mozilla::MozPromiseRequestHolder<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> >&) /src/obj-firefox/dist/include/mozilla/MozPromise.h:893:22
    #4 0x7f03fc91ca05 in void mozilla::dom::ClientSourceOpChild::DoSourceOp<RefPtr<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> > (mozilla::dom::ClientSource::*)(mozilla::dom::ClientControlledArgs const&), mozilla::dom::ClientControlledArgs>(RefPtr<mozilla::MozPromise<mozilla::dom::ClientOpResult, nsresult, false> > (mozilla::dom::ClientSource::*)(mozilla::dom::ClientControlledArgs const&), mozilla::dom::ClientControlledArgs const&) /src/dom/clients/manager/ClientSourceOpChild.cpp:69:9
    #5 0x7f03fc91be31 in mozilla::dom::ClientSourceChild::RecvPClientSourceOpConstructor(mozilla::dom::PClientSourceOpChild*, mozilla::dom::ClientOpConstructorArgs const&) /src/dom/clients/manager/ClientSourceChild.cpp:43:10
    #6 0x7f03f7f7edbf in mozilla::dom::PClientSourceChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PClientSourceChild.cpp:365:28
    #7 0x7f03f83fffff in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #8 0x7f03f7c8f212 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2209:25
    #9 0x7f03f7c89ea4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2131:9
    #10 0x7f03f7c8c16f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1973:3
    #11 0x7f03f7c8d070 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:2004:13
    #12 0x7f03f6a81328 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1256:14
    #13 0x7f03f6a89dac in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #14 0x7f03fe646cbe in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2954:31)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #15 0x7f03fe646cbe in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2954:12
    #16 0x7f03fe644fbb in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2728:11
    #17 0x7f03fbd4d58a in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1284:24
    #18 0x7f03fc4002f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3151:13
    #19 0x7f0402776b6a in CallJSNative /src/js/src/vm/Interpreter.cpp:457:13
    #20 0x7f0402776b6a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:549:12
    #21 0x7f040277895f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:618:10
    #22 0x7f0403666363 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:2941:10
    #23 0x7f036db07f57  (<unknown module>)

0x6060002b51d0 is located 48 bytes inside of 56-byte region [0x6060002b51a0,0x6060002b51d8)
freed by thread T0 (file:// Content) here:
    #0 0x555a9598a82d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7f03fc91be04 in mozilla::dom::ClientSourceChild::DeallocPClientSourceOpChild(mozilla::dom::PClientSourceOpChild*) /src/dom/clients/manager/ClientSourceChild.cpp:36:3
    #2 0x7f03f7ca1bf5 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /src/ipc/glue/ProtocolUtils.cpp:253:11
    #3 0x7f03f7f672d5 in Release /src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:913:3
    #4 0x7f03f7f672d5 in mozilla::dom::PClientSourceChild::ClearSubtree() /src/obj-firefox/ipc/ipdl/PClientSourceChild.cpp:444:9
    #5 0x7f03f7f7ee6c in mozilla::dom::PClientSourceChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PClientSourceChild.cpp:411:20
    #6 0x7f03f83fffff in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #7 0x7f03f7c8f212 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2209:25
    #8 0x7f03f7c89ea4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2131:9
    #9 0x7f03f7c8c16f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1973:3
    #10 0x7f03f7c8d070 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:2004:13
    #11 0x7f03f6a81328 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1256:14
    #12 0x7f03f6a89dac in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #13 0x7f03fe0e0176 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1249:24)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #14 0x7f03fe0e0176 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /src/dom/ipc/ContentChild.cpp:1249:5
    #15 0x7f03fe153dfc in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /src/dom/ipc/BrowserChild.cpp:936:14
    #16 0x7f0402478551 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:804:24
    #17 0x7f040247b432 in nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:375:10
    #18 0x7f03fa6d61cb in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, mozilla::dom::BrowsingContext**) /src/dom/base/nsGlobalWindowOuter.cpp:7201:21
    #19 0x7f03fa6d5157 in nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) /src/dom/base/nsGlobalWindowOuter.cpp:5741:10
    #20 0x7f03fa6d4ea2 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/nsGlobalWindowOuter.cpp:5714:12
    #21 0x7f03fa6785d8 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/nsGlobalWindowInner.cpp:3717:3

previously allocated by thread T0 (file:// Content) here:
    #0 0x555a9598aaad in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x555a959c028d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f03fc91bd60 in operator new /src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f03fc91bd60 in mozilla::dom::ClientSourceChild::AllocPClientSourceOpChild(mozilla::dom::ClientOpConstructorArgs const&) /src/dom/clients/manager/ClientSourceChild.cpp:31:10
    #4 0x7f03f7f7ebcd in mozilla::dom::PClientSourceChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PClientSourceChild.cpp:356:51
    #5 0x7f03f83fffff in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #6 0x7f03f7c8f212 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2209:25
    #7 0x7f03f7c89ea4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2131:9
    #8 0x7f03f7c8c16f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1973:3
    #9 0x7f03f7c8d070 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:2004:13
    #10 0x7f03f6a81328 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1256:14
    #11 0x7f03f6a89dac in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #12 0x7f03fe646cbe in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2954:31)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #13 0x7f03fe646cbe in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2954:12
    #14 0x7f03fe644fbb in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2728:11
    #15 0x7f03fbd4d58a in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1284:24
    #16 0x7f03fc4002f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3151:13
    #17 0x7f0402776b6a in CallJSNative /src/js/src/vm/Interpreter.cpp:457:13
    #18 0x7f0402776b6a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:549:12
    #19 0x7f040277895f in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:618:10
    #20 0x7f0403666363 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:2941:10
    #21 0x7f036db07f57  (<unknown module>)
    #22 0x7f03507f2517  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /src/obj-firefox/dist/include/mozilla/RefPtr.h:303:36 in operator!
Shadow bytes around the buggy address:
  0x0c0c8004e9e0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c8004e9f0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c8004ea00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c8004ea10: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0c8004ea20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0c8004ea30: fa fa fa fa fd fd fd fd fd fd[fd]fa fa fa fa fa
  0x0c0c8004ea40: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c8004ea50: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c8004ea60: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c8004ea70: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c8004ea80: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4346==ABORTING
Group: core-security → dom-core-security
Priority: -- → P2

We you ever able to reduce this testcase (or maybe get it in a Pernosco session)?

Flags: needinfo?(jkratzer)
Flags: needinfo?(jkratzer)
Flags: needinfo?(jkratzer)

Just noting down my understanding so far:

ClientSourceOpChild contains a MozPromiseRequestHolder<ClientOpPromise> mPromiseRequestHolder; and the UAF occurs in the Exists() function accessing the RefPtr<typename PromiseType::Request> mRequest; variable of the mPromiseRequestHolder (which is part of the memory of the ClientSourceOpChild itself).

This happens on an instance that has been allocated and freed within a previous event cycle (probably the same?). The de-allocation of ClientSourceOpChildren seems not to be governed by refcounting. I see no (obvious) way how a pointer to this instance can survive the actor lifecycle between events.

Assignee: nobody → perry

If ClientSourceOpChild::DoSourceOp is actually called with ClientFocusArgs and not ClientControlledArgs (as the crashing stack says), it's possible that

  1. The ClientSourceOpChild is created and does a ClientSource::Focus (ClientSourceOpChild::DoSourceOp is still on the stack)
  2. ClientSource::Focus does many things, in particular sending a "focus" event: https://searchfox.org/mozilla-central/rev/174f1195ec740e8f17223b48018f7e14e6d4e40e/dom/base/nsFocusManager.cpp#1939
  3. An event handler for the focus event possibly calls window.open, which explains the nsGlobalWindowInner::Open stuff on the stack which deallocates the initial ClientSourceOpChild. ClientSourceOpChild::DoSourceOp is still on the stack at this point. An IPC message is received to deallocate that ClientSourceOpChild.
  4. The stack unwinds back to ClientSourceOpChild::DoSourceOp, where the this object was deleted in 3), and then at the end of DoSourceOp, the attempt to access its mPromiseRequestHolder results in a UAF

A Pernosco session is available here: https://pernos.co/debug/4JtOQW23NixnOHaCoDuAMw/index.html

This was a very stubborn bug to reproduce. The test case that was used is not fully reduced and there are multiple (3x) instances of it open at once.

Flags: needinfo?(jkratzer)

AFAIU the pernosco session confirms Perry's analysis, well done! As the ClientSourceOpChild class seems not to support refcounting, we cannot just ensure its survival by a local reference in the surrounding scope. Is there a different (preferred) way to ensure this or should we just add refcounting here?

Flags: needinfo?(perry)

This could be a dupe of bug 1616079.

Comment on attachment 9127367 [details]
Bug 1604847 - let ClientSourceOpChild finish initialization r?#dom-workers-and-storage

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It is pretty obvious from the patch what the exploit might be. The patch clearly shows a delete call being deferred until later to avoid a UAF. Comments in the patch/commit message do not indicate what exactly may cause the UAF though, but there's a pretty limited set of options.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: current beta, release, esr
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes: https://phabricator.services.mozilla.com/D63277 for ESR
  • If not, how different, hard to create, and risky will they be?: N/A
  • How likely is this patch to cause regressions; how much testing does it need?: Highly unlikely. Testing will be done by fuzzing.
Flags: needinfo?(perry)
Attachment #9127367 - Flags: sec-approval?
Attachment #9127367 - Flags: sec-approval?
Attachment #9127367 - Flags: sec-approval+
Attachment #9127367 - Flags: approval-mozilla-beta+
Attachment #9127430 - Flags: approval-mozilla-esr68+
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main74+r][adv-esr68.6+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: