Closed
Bug 1620972
Opened 4 years ago
Closed 4 years ago
Crash in [@ mozilla::psm::TransportSecurityInfo::Write]
Categories
(Core :: Security: PSM, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla77
People
(Reporter: jesup, Assigned: keeler)
References
(Regression)
Details
(4 keywords, Whiteboard: [psm-assigned][post-critsmash-triage][adv-main77+r])
Crash Data
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
dveditz
:
sec-approval+
|
Details | Review |
UAF; looks like this signature started again in 71, but frequency has gone way up in 74beta and 74 rc1/2.
This bug is for crash report bp-d07d976a-f35e-44a6-9e6d-9e6b20200306.
Top 10 frames of crashing thread:
0 xul.dll mozilla::psm::TransportSecurityInfo::Write security/manager/ssl/TransportSecurityInfo.cpp:239
1 xul.dll nsBinaryOutputStream::WriteCompoundObject xpcom/io/nsBinaryStream.cpp:328
2 xul.dll NS_SerializeToString netwerk/base/nsSerializationHelper.cpp:24
3 xul.dll mozilla::net::HttpChannelParent::UpdateAndSerializeSecurityInfo netwerk/protocol/http/HttpChannelParent.cpp:2444
4 xul.dll mozilla::net::HttpChannelParent::OnStartRequest netwerk/protocol/http/HttpChannelParent.cpp:1472
5 xul.dll mozilla::net::ParentChannelListener::OnStartRequest netwerk/protocol/http/ParentChannelListener.cpp:88
6 xul.dll mozilla::net::SubstitutingJARURI::GetSpec netwerk/protocol/res/SubstitutingJARURI.h:65
7 xul.dll mozilla::extensions::ChannelWrapper::RequestListener::OnStartRequest toolkit/components/extensions/webrequest/ChannelWrapper.cpp:1049
8 xul.dll mozilla::net::nsHttpChannel::CallOnStartRequest netwerk/protocol/http/nsHttpChannel.cpp:1984
9 xul.dll mozilla::net::nsHttpChannel::ContinueOnStartRequest4 netwerk/protocol/http/nsHttpChannel.cpp:8004
|
Reporter | |
Comment 1•4 years ago
|
||
This signature did show up in FF 5N versions but appears to be gone until 71, so counting this as a regression
status-firefox73:
--- → affected
status-firefox74:
--- → affected
status-firefox75:
--- → ?
status-firefox76:
--- → ?
status-firefox-esr68:
--- → unaffected
Keywords: regression
|
||
Updated•4 years ago
|
Component: Networking → Security: PSM
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Group: core-security → crypto-core-security
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Comment 2•4 years ago
|
||
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dkeeler)
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(dkeeler)
Priority: -- → P2
Whiteboard: [psm-backlog]
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 3•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•4 years ago
|
Priority: P2 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
|
|
Assignee | |
Comment 4•4 years ago
|
||
Comment on attachment 9142597 [details]
Bug 1620972 - avoid unnecessary do_QueryInterface calls in TransportSecurityInfo r?kjacobs
Security Approval Request
- How easily could an exploit be constructed based on the patch?: unclear - unfortunately I'm not even sure if this solves the problem (this is a speculative fix)
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: release, beta
- If not all supported branches, which bug introduced the flaw?: Bug 1580315
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: unlikely to cause regressions (automated tests should be sufficient)
Attachment #9142597 -
Flags: sec-approval?
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
|
||
Comment 5•4 years ago
|
||
Comment on attachment 9142597 [details]
Bug 1620972 - avoid unnecessary do_QueryInterface calls in TransportSecurityInfo r?kjacobs
Sec-approval for nightly (77), but you don't sound sure enough it fixes the problem to try to ram it into 76 RC.
Attachment #9142597 -
Flags: sec-approval? → sec-approval+
|
|
||
Comment 6•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/e5332d369097293752c3e730201ea42903b47dc2
https://hg.mozilla.org/mozilla-central/rev/e5332d369097
Group: crypto-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
|
||
Updated•4 years ago
|
Flags: qe-verify-
Whiteboard: [psm-assigned] → [psm-assigned][post-critsmash-triage]
|
||
Updated•4 years ago
|
Whiteboard: [psm-assigned][post-critsmash-triage] → [psm-assigned][post-critsmash-triage][adv-main77+r]
|
|
||
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•