Crash in [@ objc_msgSend | AppKit@0x424da2] - Implement accessibilityFrame
Categories
(Core :: Widget: Cocoa, defect, P2)
Tracking
()
People
(Reporter: emilghitta, Assigned: eeejay)
References
(Regression)
Details
(4 keywords, Whiteboard: [sec-survey][adv-main90+r][adv-esr78.12+r])
Crash Data
Attachments
(1 file, 3 obsolete files)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr78+
tjr
:
sec-approval+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/89be788d-bdab-497d-976e-d96d70210422
Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Top 10 frames of crashing thread:
0 libobjc.A.dylib objc_msgSend
1 AppKit AppKit@0x424da2
2 HIServices HIServices@0x25a78
3 HIServices HIServices@0x2f344
4 HIServices HIServices@0x66ec
5 CoreFoundation CoreFoundation@0x8e3f8
6 CoreFoundation CoreFoundation@0x8e344
7 CoreFoundation CoreFoundation@0x85eff
8 CoreFoundation CoreFoundation@0x85152
9 HIToolbox HIToolbox@0x2fd95
Just encountered this crash while using macOS 10.13.6 with VoiceOver enabled (As a note: I have the "Synchronize keyboard focus and VoiceOver cursor enabed" and the mouse pointer is set to follow the VoiceOver cursor).
Affected platforms
- macOS 10.13.6
Unaffected platforms
- macOS 10.14
- macOS 10.15
- macOS 11.3
Steps to reproduce
- Launch Firefox.
- Access a random page.
- Open the browser console.
- Interact with the browser console by:
4.1 Clicking the "Clear the Web Console output".
4.2 Closing the browser console.
4.3 Restart the browser via the browser console.
Please note that you may have to repeat step 4 (and it's sub steps) in order to reproduce this issue. It seems that the crash only occurs when the browser console is closed while VO has focus inside it.
Actual Result
- Firefox crashes
Expected Result
- Firefox doesn't crash :)
Regression Range
- I'll search for a regression asap.
Additional Notes
- For further information regarding this issue, access this link for screencast (Mozilla account needed).
- This is reproducible on non native context menus as well.
- Please feel free to change the component if necessary.
|
Reporter | |
Comment 1•4 years ago
|
||
Hi Morgan!
I can reproduce this crash on macOS 10.12 as well. The crash occurs with different crash signatures for the same steps mentioned in comment 0.
I couldn't trigger the following signatures on macOS 10.13 (seems to be 10.12 specific):
[@ objc_msgSend | RemoveObserver ] :
bp-b82e5228-86ec-414c-8528-2c1bd0210422
[@ objc_msgSend | CopyAttributeValue ]
bp-ab17cf65-bae3-4f80-b9a9-e21720210422
[@ lookUpImpOrForward ]
bp-6895abb9-a855-4e31-bdf3-c4b950210422
How should I proceed? Should I file different bug reports for each different crash signature even if the same reproducible steps are involved?
|
||
Comment 2•4 years ago
•
|
||
The most helpful crash dump might be https://crash-stats.mozilla.org/report/index/6895abb9-a855-4e31-bdf3-c4b950210422 here. The app notes seem to show that we're missing an implementation for accessibilityFrame.
|
||
Comment 3•4 years ago
|
||
(In reply to Stephen A Pohl [:spohl] from comment #2)
The most helpful crash dump might be https://crash-stats.mozilla.org/report/index/6895abb9-a855-4e31-bdf3-c4b950210422 here. The app notes seem to show that we're missing an implementation for
accessibilityFrame.
Yep, this is the issue -- I'll update this bug and self-assign :)
Thanks for the tag Emil!
|
|
||
Updated•4 years ago
|
|
|
||
Comment 4•4 years ago
|
||
|
||
Updated•4 years ago
|
|
||
Comment 5•4 years ago
•
|
||
Some of these crashes with this signature look like use-after-frees:
bp-fa140464-a1d8-4de6-84be-f7af80210422
bp-e64f93bf-e45c-46e4-88ab-093f60210422
I don't know if these are the same issue, but they also have Accessibility enabled.
|
|
||
Updated•4 years ago
|
|
|
||
Comment 6•4 years ago
|
||
Also with this signature: bp-14056105-3e5b-4f0b-8653-866750210422
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 7•4 years ago
|
||
Mozregression pointed out Bug 1641002 for causing this regression.
|
|
Reporter | |
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Comment 8•4 years ago
|
||
|
|
||
Updated•4 years ago
|
|
|
||
Comment 9•4 years ago
|
||
Comment on attachment 9218789 [details]
Bug 1706910: Implement AXFrame, accessibilityFrame for VoiceOver r?eeejay
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not very easily -- this patch implements a feature we didn't have before, but does not expose how the absence of that feature was previously problematic (since the crash was initiated by interaction through a third-party AT).
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all, I think
- If not all supported branches, which bug introduced the flaw?: Bug 1641002
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: This patch can be applied directly -- we shouldn't need to modify it to backport it.
- How likely is this patch to cause regressions; how much testing does it need?: This patch likely won't cause regressions because we're supporting something that didn't exist before. That said, it probably needs some manual testing because its a speculative fix -- I don't have a 10.12 or 10.13 machine on which to try to reproduce this crash :(
|
|
||
Updated•4 years ago
|
|
||
Comment 10•4 years ago
|
||
Comment on attachment 9217895 [details]
Bug 1706910: Introduce testing for AXFrame, accessibilityFrame r?eeejay
In this instance I think it is okay to land the test with the patch given the need for an unusual OS setting to be involved.
|
|
||
Updated•4 years ago
|
|
|
||
Comment 11•4 years ago
|
||
(In reply to Tom Ritter [:tjr] (ni? for response to sec-[advisories/bounties/ratings/cves]) from comment #10)
Comment on attachment 9217895 [details]
Bug 1706910: Introduce testing for AXFrame, accessibilityFrame r?eeejayIn this instance I think it is okay to land the test with the patch given the need for an unusual OS setting to be involved.
Do I land these patches through lando now, or is there a special way I should submit them?
|
|
||
Comment 12•4 years ago
|
||
(In reply to Morgan Reschenberg [:morgan] from comment #11)
Do I land these patches through lando now, or is there a special way I should submit them?
You have sec-approval+, so you can just land them the usual way via Lando.
|
||
Comment 13•4 years ago
|
||
Implement AXFrame, accessibilityFrame for VoiceOver r=eeejay
https://hg.mozilla.org/integration/autoland/rev/67c05979577ea97a10a79f70ccadc039fcc55e4f
Introduce testing for AXFrame, accessibilityFrame r=eeejay
https://hg.mozilla.org/integration/autoland/rev/e0769fe4d6fdb51f604c6dc8d0f9336c9473db43
https://hg.mozilla.org/mozilla-central/rev/67c05979577e
https://hg.mozilla.org/mozilla-central/rev/e0769fe4d6fd
|
|
||
Comment 14•4 years ago
|
||
Please request uplift when you get a chance.
|
|
||
Comment 15•4 years ago
|
||
We're still seeing similar crashes today -- see bug 1709390
I'd like to hold off on uplift until we can verify the fix
|
|
Reporter | |
Comment 16•4 years ago
|
||
Unfortunately I can't verify this fix until Bug 1709390 is fixed. Firefox crashes instantly when I turn VoiceOver on and move the focus over the Firefox window.
|
|
||
Comment 17•4 years ago
|
||
Yeah I’m gonna request a back out for this and reinvestigate, given the new (worse) crashes. Something about this patch exacerbates UAF’s 🤔 which is odd.
|
|
||
Comment 18•4 years ago
|
||
Backed out on request from Morgan for the crashes in bug 1709390.
https://hg.mozilla.org/integration/autoland/rev/104f996f1a1f6f83564f5678add948a5bcd8bbb1
|
|
||
Updated•4 years ago
|
|
|
||
Comment 19•4 years ago
|
||
|
|
||
Comment 20•4 years ago
|
||
Backout merged: https://hg.mozilla.org/mozilla-central/rev/104f996f1a1f
|
|
||
Comment 21•4 years ago
|
||
Reassigning to eitan since he has a broader fix to apply here :)
|
|
||
Comment 22•4 years ago
|
||
Comment on attachment 9218789 [details]
Bug 1706910: Implement AXFrame, accessibilityFrame for VoiceOver r?eeejay
Revision D113585 was moved to bug 1710493. Setting attachment 9218789 [details] to obsolete.
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 23•4 years ago
|
||
This crash seems to be a retain/release imbalance that probably has to
do with the inconsistency of what object is returned for the root
accessible.
I was able to reproduce the crash on a 10.12 VM, and this patch seemed
to fix it.
|
|
Assignee | |
Comment 24•4 years ago
|
||
I realize "seemed to fix it" doesn't communicate real confidence. I'm pretty sure this fixes it.
|
|
Assignee | |
Comment 25•4 years ago
|
||
Comment on attachment 9221230 [details]
Bug 1706910 - Don't expose MOXAccessible with represented view to AppKit. r?morgan
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I think it would be very hard.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: 86
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: They will be easy to create. The infrequency of this crash makes me question if it should be back ported at all.
- How likely is this patch to cause regressions; how much testing does it need?:
|
|
||
Comment 26•4 years ago
|
||
Comment on attachment 9221230 [details]
Bug 1706910 - Don't expose MOXAccessible with represented view to AppKit. r?morgan
Approved to land. I'll let Relman decide about uplift.
|
|
||
Comment 27•4 years ago
|
||
Don't expose MOXAccessible with represented view to AppKit. r=morgan
https://hg.mozilla.org/integration/autoland/rev/59039e0d5a3d00c14922d774f56d3215a3d41772
https://hg.mozilla.org/mozilla-central/rev/59039e0d5a3d
|
||
Comment 28•4 years ago
|
||
The patch landed in nightly and beta is affected.
:eeejay, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
If yes, don't forget to request an uplift for the patches in the regression caused by this fix.
For more information, please visit auto_nag documentation.
|
|
Reporter | |
Comment 29•4 years ago
|
||
This issue is verified fixed using Firefox 90.0a1 (BuildId:20210518094531) on macOS 10.13 & macOS 10.12 the crash no longer occurs.
|
||
Comment 30•4 years ago
•
|
||
Given that it would be very hard to exploit and that it is a rare crash, I think we can let it ride the 90 train.
|
|
||
Comment 31•4 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
||
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 32•4 years ago
|
||
Comment on attachment 9221230 [details]
Bug 1706910 - Don't expose MOXAccessible with represented view to AppKit. r?morgan
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Occasional crash
- Fix Landed on Version: 90
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): These are a few simple one line corrections.
- String or UUID changes made by this patch:
|
|
||
Comment 33•4 years ago
|
||
Comment on attachment 9221230 [details]
Bug 1706910 - Don't expose MOXAccessible with represented view to AppKit. r?morgan
Approved for 78.12esr.
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Comment 34•4 years ago
|
||
| uplift | ||
|
||
Updated•4 years ago
|
Description
•