Closed Bug 1736230 Opened 3 years ago Closed 9 months ago

UAF Crash in [@ RtlDeleteCriticalSection | sofree | mozilla::DataChannelConnection::DestroyOnSTS]

Categories

(Core :: WebRTC, defect)

x86
All
defect

Tracking

RESOLVED INCOMPLETE

People

(Reporter: jesup, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

UAF when trying to free an sctp connection socket; crashes trying to release a critical section.

Crash report: https://crash-stats.mozilla.org/report/index/3f1723b7-0215-41c3-84eb-0cad30211011

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 ntdll.dll RtlDeleteCriticalSection
1 xul.dll sofree netwerk/sctp/src/user_socket.c:287
2 xul.dll mozilla::DataChannelConnection::DestroyOnSTS netwerk/sctp/datachannel/DataChannel.cpp:410
3 xul.dll mozilla::runnable_args_memfn<RefPtr<mozilla::DataChannelConnection>, void  dom/media/webrtc/transport/runnable_utils.h:121
4 xul.dll mozilla::detail::runnable_args_base<mozilla::detail::NoResult>::Run dom/media/webrtc/transport/runnable_utils.h:41
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1142
6 xul.dll mozilla::net::nsSocketTransportService::Run netwerk/base/nsSocketTransportService2.cpp:1190
7 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1142
8 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:300
9 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:324

I think I have a reproducer for this issue. Need to find time to fix the issue...

Hey Michael, please let us know when you have a fix. Thanks!

Flags: needinfo?(tuexen)
Keywords: stalled

Will do.

Flags: needinfo?(tuexen)
Assignee: nobody → jmathies
No longer blocks: webrtc-triage
Assignee: jmathies → nobody
Severity: S2 → S3

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:mjf, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mfroman)

This bug is already marked stalled, and recently moved from s2 to s3. There is no real action to take here.

Flags: needinfo?(mfroman)

Extremely low crash rate, and hopefully fixed since the two crashes present are on 99 and 102.15 ESR.

Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Group: media-core-security