Closed Bug 1618349 Opened 6 years ago Closed 6 years ago

Crash when confirming FilePrompt triggered by extension page

Categories

(GeckoView :: Extensions, defect, P1)

Product:
GeckoView
Component:
Extensions
Platform:
Unspecified
All
Type:
defect

Tracking

(firefox-esr68 wontfix, firefox73 wontfix, firefox74 wontfix, firefox75 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: csadilek, Assigned: agi)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [geckoview:m75])

Attachments

(2 files)

stacktrace.txt
6.19 KB, text/plain
Details
Bug 1618349 - Resolve domFile async before returning the file picker callback.
47 bytes, text/x-phabricator-request
Details | Review

This is reproducible in GeckoView example by opening uBlock's settings page, clicking "back-up to file" and then "restore from file".

Bug in Fenix: https://github.com/mozilla-mobile/fenix/issues/8155

Logs:

2020-02-26 15:36:53.574 18378-18378/org.mozilla.geckoview_example E/GeckoSession: Only file URIs are supported: content://com.android.providers.downloads.documents/document/msf%3A3228
2020-02-26 15:36:53.575 18378-18378/org.mozilla.geckoview_example D/GeckoRuntime: Lifecycle: onResume
2020-02-26 15:36:53.575 18378-18378/org.mozilla.geckoview_example D/GeckoNetworkManager: Incoming event start for state OffWithListeners -> OnWithListeners
2020-02-26 15:36:53.584 18378-18422/org.mozilla.geckoview_example W/GeckoEventDispatcher: No listener for GeckoView:BrowserAction:Update
2020-02-26 15:36:53.585 18378-18422/org.mozilla.geckoview_example I/chatty: uid=10351(org.mozilla.geckoview_example) Gecko identical 1 line
2020-02-26 15:36:53.587 18378-18422/org.mozilla.geckoview_example W/GeckoEventDispatcher: No listener for GeckoView:BrowserAction:Update
2020-02-26 15:36:53.589 18378-18422/org.mozilla.geckoview_example E/GeckoConsole: [JavaScript Error: "uncaught exception: No listener for GeckoView:BrowserAction:Update"]
2020-02-26 15:36:53.589 18378-18422/org.mozilla.geckoview_example I/chatty: uid=10351(org.mozilla.geckoview_example) Gecko identical 1 line
2020-02-26 15:36:53.589 18378-18422/org.mozilla.geckoview_example E/GeckoConsole: [JavaScript Error: "uncaught exception: No listener for GeckoView:BrowserAction:Update"]
2020-02-26 15:36:53.589 18378-18378/org.mozilla.geckoview_example D/GeckoNetworkManager: Incoming event receivedUpdate for state OnWithListeners -> OnWithListeners
2020-02-26 15:36:53.593 18378-18378/org.mozilla.geckoview_example D/GeckoNetworkManager: New network state: UP, WIFI, WIFI
2020-02-26 15:36:53.609 18378-18422/org.mozilla.geckoview_example W/google-breakpad: ExceptionHandler::GenerateDump cloned child 
2020-02-26 15:36:53.610 18378-18422/org.mozilla.geckoview_example W/google-breakpad: 18974
2020-02-26 15:36:53.610 18378-18422/org.mozilla.geckoview_example W/google-breakpad: ExceptionHandler::SendContinueSignalToChild sent continue signal to child
2020-02-26 15:36:54.144 18378-18378/org.mozilla.geckoview_example I/Choreographer: Skipped 31 frames!  The application may be doing too much work on its main thread.

Note that Only file URIs are supported:.... isn't the cause here. In Fenix (A-C), we convert content:// urls to file:// urls before confirming the file prompt. The crash happens in either case.

Whiteboard: [geckoview:m75]
Assignee: nobody → agi
Attached file stacktrace.txt

This might be a potential use-after-free so I'm restricting this bug.

Group: mobile-core-security

The GH issue describes how to trigger this so I don't know what a security bug gets us here?

Looks like the problem here is that we're trying to cast a Promise object to a Directory and we crash.

(In reply to Kevin Brosnan [:kbrosnan] from comment #3)

The GH issue describes how to trigger this so I don't know what a security bug gets us here?

yeah not sure, maybe we can open it then.

|get domFileOrDirectory| is sync so we cannot return a promise from there. We
instead resolve the DOMFile before returning from the file picker callback
which is async already.

https://hg.mozilla.org/integration/autoland/rev/cc6de55956ee7dbc2f9f930b46f9dd324b8d51e1
https://hg.mozilla.org/mozilla-central/rev/cc6de55956ee

Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Has Regression Range: --- → yes
Keywords: regression
Group: core-security-release

Moving some extension bugs to the GeckoView::Extensions component.

Component: General → Extensions
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: