Crash in [@ mozilla::psm::TransportSecurityInfo::Write]
Categories (Core :: Security: PSM, defect, P1)
People (Reporter: jesup, Assigned: keeler)
References (Regression)
Details (4 keywords, Whiteboard: [psm-assigned][post-critsmash-triage][adv-main77+r])
Attachments (1 file): 47 bytes, text/x-phabricator-request | dveditz: sec-approval+
UAF; looks like this signature started again in 71, but frequency has gone way up in 74beta and 74 rc1/2.
This bug is for crash report bp-d07d976a-f35e-44a6-9e6d-9e6b20200306.
Top 10 frames of crashing thread:
0 xul.dll mozilla::psm::TransportSecurityInfo::Write security/manager/ssl/TransportSecurityInfo.cpp:239
1 xul.dll nsBinaryOutputStream::WriteCompoundObject xpcom/io/nsBinaryStream.cpp:328
2 xul.dll NS_SerializeToString netwerk/base/nsSerializationHelper.cpp:24
3 xul.dll mozilla::net::HttpChannelParent::UpdateAndSerializeSecurityInfo netwerk/protocol/http/HttpChannelParent.cpp:2444
4 xul.dll mozilla::net::HttpChannelParent::OnStartRequest netwerk/protocol/http/HttpChannelParent.cpp:1472
5 xul.dll mozilla::net::ParentChannelListener::OnStartRequest netwerk/protocol/http/ParentChannelListener.cpp:88
6 xul.dll mozilla::net::SubstitutingJARURI::GetSpec netwerk/protocol/res/SubstitutingJARURI.h:65
7 xul.dll mozilla::extensions::ChannelWrapper::RequestListener::OnStartRequest toolkit/components/extensions/webrequest/ChannelWrapper.cpp:1049
8 xul.dll mozilla::net::nsHttpChannel::CallOnStartRequest netwerk/protocol/http/nsHttpChannel.cpp:1984
9 xul.dll mozilla::net::nsHttpChannel::ContinueOnStartRequest4 netwerk/protocol/http/nsHttpChannel.cpp:8004
Comment 1 (Reporter) • 4 years ago
This signature did show up in FF 5N versions but appears to be gone until 71, so counting this as a regression.
Comment 2•4 years ago
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 3 (Assignee) • 4 years ago
Comment 4 (Assignee) • 4 years ago
Comment on attachment 9142597 [details]
Bug 1620972 - avoid unnecessary do_QueryInterface calls in TransportSecurityInfo r?kjacobs
Security Approval Request
- How easily could an exploit be constructed based on the patch?: unclear - unfortunately I'm not even sure if this solves the problem (this is a speculative fix)
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: release, beta
- If not all supported branches, which bug introduced the flaw?: Bug 1580315
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: unlikely to cause regressions (automated tests should be sufficient)
Comment 5•4 years ago
Comment on attachment 9142597 [details]
Bug 1620972 - avoid unnecessary do_QueryInterface calls in TransportSecurityInfo r?kjacobs
Sec-approval for nightly (77), but you don't sound sure enough it fixes the problem to try to ram it into 76 RC.
Comment 6•4 years ago
https://hg.mozilla.org/integration/autoland/rev/e5332d369097293752c3e730201ea42903b47dc2
https://hg.mozilla.org/mozilla-central/rev/e5332d369097