Closed Bug 1675540 Opened 5 years ago Closed 5 years ago

Crash in [@ mozilla::net::nsStandardURL::Release]

Categories

(Core :: Networking: HTTP, defect, P1)

defect

Tracking

()

RESOLVED FIXED
87 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox86 --- wontfix
firefox87 --- fixed

People

(Reporter: RyanVM, Assigned: valentin)

References

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [necko-triaged][sec-survey][adv-main87-])

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/afc51442-e422-4d43-bf7a-a65890201105

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(aSeg.mLen < 0 || (aSeg.mPos + aSeg.mLen <= aSpec.Length() && aSeg.mPos + aSeg.mLen >= aSeg.mPos))

Top 10 frames of crashing thread:

0 xul.dll mozilla::net::nsStandardURL::Release netwerk/base/nsStandardURL.cpp:1261
1 xul.dll mozilla::net::NullHttpChannel::Release netwerk/protocol/http/NullHttpChannel.cpp:14
2 xul.dll static mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize dom/bindings/BindingUtils.h:2727
3 xul.dll mozilla::IncrementalFinalizeRunnable::ReleaseNow xpcom/base/CycleCollectedJSRuntime.cpp:1546
4 xul.dll mozilla::IncrementalFinalizeRunnable::Run xpcom/base/CycleCollectedJSRuntime.cpp:1582
5 xul.dll IdleRunnableWrapper::Run xpcom/threads/nsThreadUtils.cpp:348
6 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:514
7 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
8 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
9 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
Group: network-core-security

Combination of weird pointer crashes and SanityCheck() failures; this points at some sort of UAF.

Assignee: nobody → valentin.gosu
Severity: -- → S3
Priority: -- → P1
Whiteboard: [necko-triaged]

(In reply to Randell Jesup [:jesup] (needinfo me) from comment #1)

Combination of weird pointer crashes and SanityCheck() failures; this points at some sort of UAF.

Not sure what is meant here with "weird pointer crashes". I see for example here a simple deallocation of nsStandardURL on the stack which triggers these sanity checks which cause one of these two MOZ_RELEASE_ASSERTs.

Valentin, are we sure those sanity checks are causing more good than harm? If we think they are really needed: Are we sure they are in the right place here in the deconstructor?

Flags: needinfo?(valentin.gosu)

(In reply to Jens Stutte [:jstutte] from comment #2)

Agreed, it's just the sanity check failing.

Valentin, are we sure those sanity checks are causing more good than harm? If we think they are really needed: Are we sure they are in the right place here in the deconstructor?

We have another check here but that can't catch every way the indexes can go wrong.
Ideally we would put a sanity check after every change, but that may needlessly impact performance.

Flags: needinfo?(valentin.gosu)

(In reply to Valentin Gosu [:valentin] (he/him) from comment #3)

Ideally we would put a sanity check after every change, but that may needlessly impact performance.

I fear that is the only way if you want to make them work. We might want to put them behind the nightly and early beta flag?

About half of the reports I've looked at also have LoadInfo::Release() on the stack, so I suspect there's a correlation with bug 1544127.
As Jens noticed with bug 1544127 comment 51, most of the crashes here also seem to be related with CycleCollection.
I wasn't able to find any better reasons. It could be that this is a UAF, and we assert because that memory has been overridden with bytes that trigger the assertion, or could point to an actual bug - it's difficult to say. I'm currently looking at the code for some other leads.

See Also: → 1544127
Flags: needinfo?(sgiesecke)

Comment on attachment 9202059 [details]
Bug 1675540 - Perform URL sanity checks when changing it r=#necko

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: This is only a diagnostic patch. Bug isn't immediately evident from the code, but it does indicate we believe to be a bug somewhere.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Easy to uplift.
  • How likely is this patch to cause regressions; how much testing does it need?: Low chance for regressions.
Attachment #9202059 - Flags: sec-approval?

Comment on attachment 9202059 [details]
Bug 1675540 - Perform URL sanity checks when changing it r=#necko

Approved to land. I do not think we want to uplift this, I think we should land it in Nightly and if needed, let it ride into Beta.

Attachment #9202059 - Flags: sec-approval? → sec-approval+
Attachment #9202059 - Attachment description: Bug 1675540 - Perform URL sanity checks after changes occur r=#necko → Bug 1675540 - Perform URL sanity checks when changing it r=#necko
Group: network-core-security → core-security
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

I assume, being just a diagnostic patch means we should leave this open for now?

Flags: needinfo?(valentin.gosu)

The new crash reports will likely have a different signature, so it's probably OK to close this.

Flags: needinfo?(valentin.gosu)

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(valentin.gosu)
Whiteboard: [necko-triaged] → [necko-triaged][sec-survey]
Whiteboard: [necko-triaged][sec-survey] → [necko-triaged][sec-survey][adv-main87-]

Do we need a new bug for the remaining SanityCheck failures on 87+? E.g. bp-d8ec6330-74b5-4680-8cb7-7ebd80210325.

Group: core-security → core-security-release
Flags: needinfo?(valentin.gosu)

The remaining crashes are tracked in 1700895.

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: