Closed Bug 1718911 Opened 4 years ago Closed 4 years ago

Crash in [@ objc_msgSend | CA::Layer::begin_change]

Categories

(Thunderbird :: General, defect)

Product:
Thunderbird
Component:
General
Platform:
Unspecified
macOS
Type:
defect

Tracking

(thunderbird_esr78 wontfix, thunderbird_esr91 affected)

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
thunderbird_esr78 --- wontfix
thunderbird_esr91 --- affected

People

(Reporter: wsmwk, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

#7 crash for Mac, Thunderbird 78.11.0

Crash report: https://crash-stats.mozilla.org/report/index/833693a8-43fa-48f4-934f-8db840210701

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 libobjc.A.dylib objc_msgSend 
1 QuartzCore CA::Layer::begin_change 
2 QuartzCore CA::Layer::remove_sublayer 
3 QuartzCore CA::Layer::remove_from_superlayer 
4 AppKit -[NSView _removeLayerFromSuperlayer] 
5 AppKit -[NSView _setSuperview:] 
6 AppKit -[NSView removeFromSuperview] 
7 AppKit -[NSView removeFromSuperviewWithoutNeedingDisplay] 
8 AppKit -[NSView _finalize] 
9 AppKit -[NSView dealloc]
Severity: -- → S2
Depends on: 1719219
Keywords: csectype-uaf, sec-high
See Also: 1719219

crash signature does not exist for Thunderbird 91.
And I'm not finding a version 91 crash that has CA::Layer::begin_change in the stack.

status-thunderbird_esr78: --- → wontfix
status-thunderbird_esr91: --- → unaffected
Flags: needinfo?(mkmelin+mozilla)

Good if it's gone. I have no input.

Flags: needinfo?(mkmelin+mozilla)
See Also: → 1658432

Also both Japanese locale. All OS X 10.15. Actually not gone in version 91. But very rare:
bp-012b1865-778a-43ea-91f4-1e3ef0211109 Crash Address 0x000065e5e5e5e5f8
bp-6856bbb7-61a3-43f4-a8ba-2345e0211102 same address

Another signature, also ja-JP-macos bp-c261790a-f1b9-4907-9473-980420211108 objc_msgSend | CA::Layer::begin_change

Severity: S2 → S3
status-thunderbird_esr91: unaffectedaffected

Other version 91 signatures from https://crash-stats.mozilla.org/search/?address=0x000065e5e5e5e5f8&product=Thunderbird&version=91.2.1&version=91.3.0&platform=Mac%20OS%20X&date=%3E%3D2021-10-30T23%3A28%3A00.000Z&date=%3C2021-11-13T23%3A28%3A00.000Z&_facets=signature&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

objc_msgSend | -[NSManagedObjectContext _retainedObjectsFromRemovedStore:]
objc_msgSend | CA::Layer::begin_change (previously mentioned)
objc_msgSend | +[__NSSetI __new::::]
objc_msgSend | CA::Layer::remove_sublayer
objc_msgSend | __21+[__NSSetI __new::::]_block_invoke

See Also: → 1735508
See Also: → 1718912

(In reply to Magnus Melin [:mkmelin] from comment #2)

Good if it's gone. I have no input.

I just closed bug 1718912. But still open is core Bug 1719219 - UAF [@ objc_msgSend | CA::Layer::begin_change ], after closing window, mostly on Japanese locale

So I think we can close this and let bug 1719219 cover the issue.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Group: mail-core-security
You need to log in before you can comment on or make changes to this bug.