Crash in mozilla::dom::ContentChild::RecvNotifyAlertsObserver caused by bug 1642991
Categories: Core :: XPCOM, defect
Tracking
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | unaffected |
| firefox79 | + | verified |
| firefox80 | + | verified |
People: Reporter: emilio, Assigned: emilio
References: Regression
Details: Keywords: csectype-uaf, regression, sec-high; Whiteboard: [sec-survey][post-critsmash-triage]
Attachments (3 files)
| Size | Type | Flags |
|---|---|---|
| 290 bytes | text/html | |
| 27.30 KB | text/plain | |
| 47 bytes | text/x-phabricator-request | tjr: approval-mozilla-beta+, tjr: sec-approval+ |
Sebastian Simon helpfully came up with the STR for a crash in bug 1427459, which is a recent regression introduced in bug 1642991.
It is a pre-existing bug in RemoveElementsBy.
Comment 1 (Assignee) • 5 years ago
Hmm, maybe my diagnostic is wrong, let me build without optimizations to double-check me.
Comment 2 (Assignee) • 5 years ago
Comment 6 (Assignee) • 5 years ago
This probably had logic issues before bug 1642991, but not security
issues (at worst, an array out of bounds which is a release assertion
that would crash the process in a safe way).
Comment 7 (Assignee) • 5 years ago
Comment on attachment 9160187 [details]
Bug 1649228 - Fix ContentChild::RecvNotifyAlertsObserver to notify after, not while, removing observers from the vector. r=froydnj,smaug
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Relatively easy, the patch is very obvious.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
- Which older supported branches are affected by this flaw?: beta
- If not all supported branches, which bug introduced the flaw?: Bug 1642991
- Do you have backports for the affected branches?: Yes, applies cleanly on beta
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Not likely at all. It's more correct than the code that used to be before bug 1642991.
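The pattern behind the fix named in the attachment above (notify after removing, not while), shown as an added example that is not Firefox's code: a RemoveElementsBy-style compaction whose predicate notifies observers mid-iteration, beside the fixed shape that collects the removed entries and notifies them afterwards. AlertObserver, ObserverList, the gRemoving re-entrancy guard and the topic strings are assumptions for illustration.

```cpp
#include <functional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>
// Hypothetical stand-ins for the observer entry and list (not Firefox's types).
struct AlertObserver { std::string topic; std::function<void()> observe; };
using ObserverList = std::vector<AlertObserver>;
static bool gRemoving = false;  // true while a list is being compacted
struct ScopedFlag { bool& f; explicit ScopedFlag(bool& b) : f(b) { f = true; } ~ScopedFlag() { f = false; } };
// RemoveElementsBy-style compaction: entries move while the predicate runs, so a
// re-entrant mutation would touch dead slots; the flag turns that into a loud failure.
template <typename Pred> void RemoveElementsBy(ObserverList& list, Pred pred) {
    if (gRemoving) throw std::logic_error("RemoveElementsBy re-entered");
    ScopedFlag guard(gRemoving);
    size_t w = 0;
    for (size_t r = 0; r < list.size(); ++r) {
        if (pred(list[r])) continue;               // drop this entry
        if (w != r) list[w] = std::move(list[r]);  // otherwise shift it down
        ++w;
    }
    list.resize(w);
}
// Pre-fix shape: observe() is invoked from inside the removal predicate.
void NotifyWhileRemoving(ObserverList& list, const std::string& topic) {
    RemoveElementsBy(list, [&](const AlertObserver& o) {
        if (o.topic == topic) o.observe();  // runs mid-compaction; re-entry is unsafe here
        return o.topic == topic;
    });
}
// Fixed shape: remove first, keep removed entries in a local list, notify afterwards.
void NotifyAfterRemoving(ObserverList& list, const std::string& topic) {
    ObserverList toNotify;
    RemoveElementsBy(list, [&](const AlertObserver& o) {
        if (o.topic == topic) toNotify.push_back(o);
        return o.topic == topic;
    });
    for (auto& o : toNotify) o.observe();  // the shared list is no longer being iterated
}
// Constructed scenario: the notified observer re-enters and removes another entry.
struct Outcome { bool threw; size_t count; int notified; };  // {threw, entries left, notified}
Outcome Run(bool useFix) {
    ObserverList list; int notified = 0;
    list.push_back({"example-alert", [&] {  // re-enters the list from inside observe()
        ++notified; RemoveElementsBy(list, [](const AlertObserver& o) { return o.topic == "other-alert"; }); }});
    list.push_back({"other-alert", [&] { ++notified; }});
    try { if (useFix) NotifyAfterRemoving(list, "example-alert"); else NotifyWhileRemoving(list, "example-alert"); }
    catch (const std::logic_error&) { return {true, list.size(), notified}; }
    return {false, list.size(), notified};
}
```

Without the guard, the pre-fix path would compact the vector underneath the outer loop instead of throwing, which is the memory-safety hazard this bug describes.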
Comment 9 • 5 years ago
(In reply to Emilio Cobos Álvarez (:emilio) from comment #7)
- Which older supported branches are affected by this flaw?: none, nightly-only
- If not all supported branches, which bug introduced the flaw?: Bug 1642991
I think the merge already happened. The bug is effectively on Beta now and we'll need to uplift the patch.
Comment 10 (Assignee) • 5 years ago
Ah, true... I edited the form.
Comment 11 • 5 years ago
The assertion suggested to be added in Bug 1649770 would probably have caught this earlier on.
Comment 12 • 5 years ago
Comment on attachment 9160187 [details]
Bug 1649228 - Fix ContentChild::RecvNotifyAlertsObserver to notify after, not while, removing observers from the vector. r=froydnj,smaug
Approved to land and uplift
Comment 16 • 5 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 18 • 5 years ago
I've reproduced this crash using an affected Nightly asan build from 2020-07-02, and by loading into the browser the test case from comment 2.
The crash is verified as fixed on the latest asan builds, Nightly 80.0a1 and Beta 79.0b9, running Ubuntu 18.04 x64.