Closed Bug 1688592 Opened 3 years ago Closed 1 year ago

Crash in [@ g_type_check_instance]

Categories

(Core :: Widget: Gtk, defect)

Unspecified
Linux
defect

Tracking


RESOLVED WORKSFORME
110 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- wontfix
firefox109 --- wontfix
firefox110 --- fixed

People

(Reporter: gsvelto, Unassigned)

References

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [adv-main110+r] maybe fixed by 1802977)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/5920e127-f2c9-4520-b050-694ef0210124

Reason: SIGSEGV /0x00000080

Top 10 frames of crashing thread:

0 libgobject-2.0.so.0 g_type_check_instance gobject/gtype.c:4134
1 libgobject-2.0.so.0 g_signal_emit_valist gobject/gsignal.c:3277
2 libgobject-2.0.so.0 g_signal_emit gobject/gsignal.c:3554
3 libgobject-2.0.so.0 g_closure_invoke gobject/gclosure.c:810
4 libgobject-2.0.so.0 signal_emit_unlocked_R gobject/gsignal.c:3742
5 libgobject-2.0.so.0 g_signal_emit_valist gobject/gsignal.c:3498
6 libgobject-2.0.so.0 g_signal_emit gobject/gsignal.c:3554
7 libibus-1.0.so.5 ibus_proxy_dispose src/src/ibusproxy.c:102
8 libgobject-2.0.so.0 g_object_run_dispose gobject/gobject.c:1226
9 libgobject-2.0.so.0 g_closure_invoke gobject/gclosure.c:810

Low volume; given the stack and comments, this seems to happen when we lose a connection to dbus.

I'm getting repeatedly hit by this, representative report: https://crash-stats.mozilla.org/report/index/448c5685-fb43-4112-80d9-0f4b00220114

I get a slightly different reason SIGSEGV / SI_KERNEL and a different stack trace.

The crash occurs whenever I attempt to leave a Google Meet call or close the tab containing it.

Thanks for your comment and for the STR, that's precious information to figure this bug out. I'm making the bug private because I double-checked the crashes and these are use-after-frees, so potentially security sensitive. Martin, can you please have a look? This seems to be only happening on versions >= 95.

Group: core-security
Flags: needinfo?(stransky)
Keywords: csectype-uaf

You're very welcome! What is an STR?

"Steps to reproduce"

I wonder if we call gtk_widget_disconnect_frame_clock() twice, so the second call is made on an already freed instance.

As a first step we should put MOZ_DIAGNOSTIC_ASSERT(IsMainThread()) into nsWindow::Destroy().
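The two checks proposed in this comment, as an added example written for this page and not code from Firefox, GTK or GLib: a constructed C model in which a "frame clock" instance keeps a class pointer the way a GTypeInstance does, a check modelled on g_type_check_instance() (the frame at the top of the crash stack) fails once that pointer is cleared, a non-idempotent disconnect hits the released instance on the second call while an idempotent one that forgets the clock does not, and a stand-in for nsWindow::Destroy() refuses to run off the recorded main thread. All names (Instance, Widget, window_destroy, run_double_destroy) are invented for the example, the double-disconnect sequence is only the hypothesis from this comment, and the model returns false where a real MOZ_DIAGNOSTIC_ASSERT would abort so the outcome can be observed.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a GTypeInstance. As in GLib, a live instance has a
 * non-NULL class pointer; release_instance() clears it but keeps the memory so
 * the stale access can be observed without real undefined behaviour. */
typedef struct {
    const char *g_class;   /* NULL once released */
    int handlers;          /* connected signal handlers */
} Instance;

static Instance *new_instance(void) {
    Instance *i = calloc(1, sizeof *i);
    if (i == NULL) abort();
    i->g_class = "GdkFrameClock";   /* constructed type name */
    i->handlers = 1;
    return i;
}

/* Modelled on g_type_check_instance(): the check at the top of the crash stack
 * fails when the class pointer is gone. Returning false is the best case; with
 * genuinely freed memory the check may fault instead, as in the reports. */
static bool type_check_instance(const Instance *i) {
    return i != NULL && i->g_class != NULL;
}

static void release_instance(Instance *i) { i->g_class = NULL; }

typedef struct {
    Instance *frame_clock;  /* borrowed pointer to the toplevel's clock */
    int stale_uses;         /* signal emissions attempted on a dead instance */
} Widget;

/* Suspected pattern from the comment above: disconnect acts on whatever pointer
 * is still stored, so a second call after the clock was released touches it. */
static void disconnect_frame_clock_unsafe(Widget *w) {
    if (!type_check_instance(w->frame_clock)) {
        w->stale_uses++;
        return;
    }
    w->frame_clock->handlers = 0;   /* "g_signal_handlers_disconnect" */
}

/* Hardened variant: idempotent, and forgets the clock once disconnected. */
static void disconnect_frame_clock_safe(Widget *w) {
    if (w->frame_clock == NULL) return;
    if (type_check_instance(w->frame_clock)) w->frame_clock->handlers = 0;
    w->frame_clock = NULL;
}

/* Stand-in for NS_IsMainThread(): the thread that calls init is "main". */
static pthread_t g_main_thread;
static bool g_main_thread_set;

static void init_main_thread(void) {
    g_main_thread = pthread_self();
    g_main_thread_set = true;
}

static bool is_main_thread(void) {
    return g_main_thread_set && pthread_equal(pthread_self(), g_main_thread) != 0;
}

/* Stand-in for nsWindow::Destroy() with the proposed diagnostic assert; returns
 * false where MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread()) would abort. */
static bool window_destroy(Widget *w, bool hardened) {
    if (!is_main_thread()) return false;
    if (hardened) disconnect_frame_clock_safe(w);
    else disconnect_frame_clock_unsafe(w);
    return true;
}

/* Drives the suspected sequence (destroy, clock released with the toplevel,
 * destroy again) and returns how many times a dead instance was touched. */
static int run_double_destroy(bool hardened) {
    Instance *clock = new_instance();
    Widget w = { clock, 0 };
    window_destroy(&w, hardened);
    release_instance(clock);
    window_destroy(&w, hardened);
    free(clock);
    return w.stale_uses;
}

int main(void) {
    init_main_thread();
    printf("unsafe disconnect: %d stale use(s)\n", run_double_destroy(false));
    printf("safe disconnect:   %d stale use(s)\n", run_double_destroy(true));
    return 0;
}
```

The model deliberately separates the two failure modes the thread discusses: the stale-use counter shows what an idempotent disconnect buys on the main thread, and window_destroy() shows where a main-thread diagnostic would turn the off-thread release (the cause later suspected for the original reports) into a clean, non-exploitable abort instead of a use-after-free.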

(In reply to Martin Stránský [:stransky] (ni? me) from comment #6)

As a first step we should put MOZ_DIAGNOSTIC_ASSERT(IsMainThread()) into nsWindow::Destroy().

Bug 1750513.

See Also: → 1750513

Let's see if we see any assertions from nsWindow::Destroy() when Bug 1750513 lands.

Flags: needinfo?(stransky)
Group: core-security → dom-core-security
Keywords: sec-high

Hello Martin, do you see any improvements after bug 1750513 landed?
thanks

Flags: needinfo?(stransky)

I haven't seen any related crashes recently, so I think it's fixed.
Also there's a check that we release it on the correct thread (MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread())), so it will clearly crash in the worst case.
I'd say it's not a security issue any more.

Flags: needinfo?(stransky)

There don't seem to be any crashes in 110, nor could I find crashes hitting the new assert, so I'd say we can flag this fixed for 110.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Did something specifically land in 110 to address this? Do we need to do something for ESR still?

Group: dom-core-security → core-security-release
Flags: needinfo?(stransky)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)

Did something specifically land in 110 to address this? Do we need to do something for ESR still?

Possible crash was fixed by Bug 1802977 in 109.

Flags: needinfo?(stransky)

This one is promising:

https://crash-stats.mozilla.org/report/index/5e8e40c4-d588-4aef-bbc9-0ab370230129

But these reports are a completely different bug; the original one was about a wrong release from a different thread AFAIK.

(In reply to Martin Stránský [:stransky] (ni? me) from comment #15)

This one is promising:

https://crash-stats.mozilla.org/report/index/5e8e40c4-d588-4aef-bbc9-0ab370230129

Hm, that's actually 102 ESR, which looks like the original one.

Do we need another bug then? The crashes from 109 still look like UAFs to me.

Flags: needinfo?(stransky)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #17)

Do we need another bug then? The crashes from 109 still look like UAFs to me.

Yes please.

Flags: needinfo?(stransky)
Whiteboard: [adv-main110+r]
See Also: → 1824634

(In reply to Martin Stránský [:stransky] (ni? me) from comment #18)

Yes please.

Filed bug 1824634.

Target Milestone: --- → 110 Branch
Resolution: FIXED → WORKSFORME
Whiteboard: [adv-main110+r] → [adv-main110+r] maybe fixed by 1802977
Group: core-security-release