Closed Bug 1740274 Opened 3 years ago Closed 2 years ago

Crash in [@ mozilla::net::Http2Stream::TransmitFrame]

Categories

(Core :: Networking: HTTP, defect, P1)

Desktop
Windows
defect

Tracking


RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 96+ fixed
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 + fixed
firefox97 + fixed

People

(Reporter: kershaw, Assigned: kershaw)

References

Details

(4 keywords, Whiteboard: [necko-triaged][sec-survey][adv-main96+r][adv-ESR91.5+r])

Crash Data

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #1667102 +++

Crash report: https://crash-stats.mozilla.org/report/index/c27d1c1c-2530-4f43-9ce4-c4d000200924

Top 10 frames of crashing thread:

0  @0x858481e6 
1  @0xebeacfc6 
2 xul.dll mozilla::net::Http2Stream::TransmitFrame netwerk/protocol/http/Http2Stream.cpp:971
3 xul.dll mozilla::net::Http2Stream::OnReadSegment netwerk/protocol/http/Http2Stream.cpp:1516
4 xul.dll static mozilla::net::nsHttpTransaction::ReadRequestSegment netwerk/protocol/http/nsHttpTransaction.cpp:725
5 xul.dll nsBufferedInputStream::ReadSegments netwerk/base/nsBufferedStreams.cpp:446
6 xul.dll mozilla::net::nsHttpTransaction::ReadSegments netwerk/protocol/http/nsHttpTransaction.cpp:752
7 xul.dll mozilla::net::Http2Stream::ReadSegments netwerk/protocol/http/Http2Stream.cpp:164
8 xul.dll mozilla::net::Http2Session::ReadSegmentsAgain netwerk/protocol/http/Http2Session.cpp:2815
9 xul.dll mozilla::net::nsHttpConnection::OnSocketWritable netwerk/protocol/http/nsHttpConnection.cpp:1993

Most of these crashes seem to be EXCEPTION_ACCESS_VIOLATION_EXEC which might be scary?

Group: core-security-release
Whiteboard: [necko-triaged][sec-survey][adv-main93+][adv-esr91.3+] → [necko-triaged]

This is a tricky one -- the remaining crashes are very low volume, and because of that a single installation crashing 3-5 times really distorts the picture of what's going on. Bug 1667102 definitely helped: have only seen a single beta crash since that was uplifted. The release crash rate quieted down considerably as can be clearly seen in the crash chart, but that happened slightly earlier (something else fixed part of this in 92?).

Keywords: csectype-uaf

Preserving the crash frequency chart because the visible improvement will scroll off in a couple of months.

Comment on attachment 9253410 [details]
Bug 1740274 - Avoid accessing Http2Session through raw pointer, r=#necko

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unknown. We assume the problem is a UAF of Http2Session, so this patch only avoids accessing it through a raw pointer.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: This should be able to be applied to older branches cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: Low. This patch doesn't change any behavior.
Attachment #9253410 - Flags: sec-approval?
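As an added illustration of the bug class the request above describes (this is not the Firefox code and not the patch itself): a hypothetical stream that reaches its session through a raw pointer it does not own, beside the same stream holding a weak reference that is promoted to a strong one for the duration of TransmitFrame. Mozilla's own smart pointers are stood in for by std::shared_ptr/std::weak_ptr; the Session type, the stream classes and the frame-header helper are assumptions made for this example. The raw-pointer variant is only exercised while its session is alive, since calling it after the session is freed is undefined behaviour rather than a demonstrable result.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical stand-in for the session object that owns the connection's output queue.
struct Session {
    std::vector<uint8_t> out;   // bytes queued for the socket
    bool closed = false;
};

// RFC 7540 section 4.1 frame header: 24-bit length, 8-bit type, 8-bit flags,
// reserved bit plus 31-bit stream identifier. Kept as a helper so the queued
// bytes can be inspected by the caller.
std::vector<uint8_t> FrameHeader(uint32_t length, uint8_t type, uint8_t flags, uint32_t streamId) {
    std::vector<uint8_t> h(9);
    h[0] = static_cast<uint8_t>((length >> 16) & 0xff);
    h[1] = static_cast<uint8_t>((length >> 8) & 0xff);
    h[2] = static_cast<uint8_t>(length & 0xff);
    h[3] = type;
    h[4] = flags;
    streamId &= 0x7fffffffu;    // reserved bit is always 0 on the wire
    h[5] = static_cast<uint8_t>((streamId >> 24) & 0xff);
    h[6] = static_cast<uint8_t>((streamId >> 16) & 0xff);
    h[7] = static_cast<uint8_t>((streamId >> 8) & 0xff);
    h[8] = static_cast<uint8_t>(streamId & 0xff);
    return h;
}

// The pattern behind the bug: the stream keeps a raw, non-owning pointer to its
// session. Nothing here can tell whether the pointee is still alive, so a
// TransmitFrame that runs after the session was destroyed touches freed memory.
class RawPointerStream {
public:
    RawPointerStream(Session* session, uint32_t id) : mSession(session), mId(id) {}
    int TransmitFrame(uint8_t type, uint8_t flags, const std::vector<uint8_t>& payload) {
        std::vector<uint8_t> h = FrameHeader(static_cast<uint32_t>(payload.size()), type, flags, mId);
        mSession->out.insert(mSession->out.end(), h.begin(), h.end());   // UAF if mSession dangles
        mSession->out.insert(mSession->out.end(), payload.begin(), payload.end());
        return static_cast<int>(h.size() + payload.size());
    }
private:
    Session* mSession;   // no ownership, no liveness information
    uint32_t mId;
};

// Hardened form: the stream holds a weak reference and promotes it to a strong
// one for the duration of the call, so a torn-down session is detected and
// reported instead of dereferenced.
class WeakRefStream {
public:
    WeakRefStream(const std::shared_ptr<Session>& session, uint32_t id) : mSession(session), mId(id) {}
    // Returns the number of bytes queued, or -1 if the session is gone or closed.
    int TransmitFrame(uint8_t type, uint8_t flags, const std::vector<uint8_t>& payload) {
        std::shared_ptr<Session> session = mSession.lock();   // null once the last owner released it
        if (!session || session->closed) return -1;
        std::vector<uint8_t> h = FrameHeader(static_cast<uint32_t>(payload.size()), type, flags, mId);
        session->out.insert(session->out.end(), h.begin(), h.end());
        session->out.insert(session->out.end(), payload.begin(), payload.end());
        return static_cast<int>(h.size() + payload.size());   // session kept alive until here
    }
private:
    std::weak_ptr<Session> mSession;
    uint32_t mId;
};

// Both variants behave identically while the session is alive: a 9-byte DATA
// header (length 2, flags END_STREAM, stream 3) followed by the constructed payload.
std::vector<uint8_t> RawQueuedWhileAlive() {
    Session session;
    RawPointerStream stream(&session, 3);
    stream.TransmitFrame(0x0 /*DATA*/, 0x1 /*END_STREAM*/, {0x68, 0x69});
    return session.out;
}

std::vector<uint8_t> WeakQueuedWhileAlive() {
    auto session = std::make_shared<Session>();
    WeakRefStream stream(session, 3);
    stream.TransmitFrame(0x0 /*DATA*/, 0x1 /*END_STREAM*/, {0x68, 0x69});
    return session->out;
}

// The ordering the crash stack implies: the session's last owner releases it
// while a stream still exists and later transmits. With the raw pointer this is
// the use-after-free; with the weak reference it is an ordinary error return.
int WeakTransmitAfterSessionGone() {
    auto session = std::make_shared<Session>();
    WeakRefStream stream(session, 3);
    session.reset();   // Session destroyed here; the stream only holds a weak ref
    return stream.TransmitFrame(0x0, 0x1, {0x68, 0x69});
}

int main() {
    bool ok = RawQueuedWhileAlive() == WeakQueuedWhileAlive()
           && WeakQueuedWhileAlive().size() == 11
           && WeakTransmitAfterSessionGone() == -1;
    return ok ? 0 : 1;
}
```

The weak reference does not by itself fix an ownership bug elsewhere in the object graph; what it buys is that a stream outliving its session fails closed at the one call site that reaches the session, which is the same narrowing of the blast radius the patch description above asks for.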

Comment on attachment 9253410 [details]
Bug 1740274 - Avoid accessing Http2Session through raw pointer, r=#necko

Approved to land and uplift

Attachment #9253410 - Flags: sec-approval?
Attachment #9253410 - Flags: sec-approval+
Attachment #9253410 - Flags: approval-mozilla-esr91+
Attachment #9253410 - Flags: approval-mozilla-beta+
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(kershaw)
Whiteboard: [necko-triaged] → [necko-triaged][sec-survey]

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #7)

> As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
>
> Please visit this google form to reply.

Done.

Flags: needinfo?(kershaw)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [necko-triaged][sec-survey] → [necko-triaged][sec-survey][adv-main96+r][adv-ESR91.5+r]
Group: core-security-release