Crash in [@ mozilla::net::Http2Stream::TransmitFrame]
Categories: (Core :: Networking: HTTP, defect, P1)
People: (Reporter: kershaw, Assigned: kershaw)
Details: (4 keywords, Whiteboard: [necko-triaged][sec-survey][adv-main96+r][adv-ESR91.5+r])
Attachments: (2 files)
62.11 KB, image/png
48 bytes, text/x-phabricator-request (tjr: approval-mozilla-beta+, tjr: approval-mozilla-esr91+, tjr: sec-approval+)
+++ This bug was initially created as a clone of Bug #1667102 +++
Crash report: https://crash-stats.mozilla.org/report/index/c27d1c1c-2530-4f43-9ce4-c4d000200924
Top 10 frames of crashing thread:
0 @0x858481e6
1 @0xebeacfc6
2 xul.dll mozilla::net::Http2Stream::TransmitFrame netwerk/protocol/http/Http2Stream.cpp:971
3 xul.dll mozilla::net::Http2Stream::OnReadSegment netwerk/protocol/http/Http2Stream.cpp:1516
4 xul.dll static mozilla::net::nsHttpTransaction::ReadRequestSegment netwerk/protocol/http/nsHttpTransaction.cpp:725
5 xul.dll nsBufferedInputStream::ReadSegments netwerk/base/nsBufferedStreams.cpp:446
6 xul.dll mozilla::net::nsHttpTransaction::ReadSegments netwerk/protocol/http/nsHttpTransaction.cpp:752
7 xul.dll mozilla::net::Http2Stream::ReadSegments netwerk/protocol/http/Http2Stream.cpp:164
8 xul.dll mozilla::net::Http2Session::ReadSegmentsAgain netwerk/protocol/http/Http2Session.cpp:2815
9 xul.dll mozilla::net::nsHttpConnection::OnSocketWritable netwerk/protocol/http/nsHttpConnection.cpp:1993
Most of these crashes seem to be EXCEPTION_ACCESS_VIOLATION_EXEC
which might be scary?
Comment 1•2 years ago
This is a tricky one -- the remaining crashes are very low volume, and because of that a single installation crashing 3-5 times really distorts the picture of what's going on. Bug 1667102 definitely helped: have only seen a single beta crash since that was uplifted. The release crash rate quieted down considerably as can be clearly seen in the crash chart, but that happened slightly earlier (something else fixed part of this in 92?).
Comment 2•2 years ago
Preserving the crash frequency chart because the visible improvement will scroll off in a couple of months.
Comment 3•2 years ago (Assignee)
Comment 4•2 years ago (Assignee)
Comment on attachment 9253410 [details]
Bug 1740274 - Avoid accessing Http2Session through raw pointer, r=#necko
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Unknown. We assume the problem is a UAF of Http2Session, so this patch only avoids accessing it through a raw pointer.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: This should be able to be applied on older branches cleanly.
- How likely is this patch to cause regressions; how much testing does it need?: Low. This patch doesn't change any behavior.
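The pattern comment 4 describes, as an added C++ sketch that is not the Firefox patch or code from this bug: `Session`, `RawStream` and `CheckedStream` are hypothetical stand-ins, and `std::weak_ptr` is an assumed substitute for whatever reference type the actual patch uses.

```cpp
// Added illustration; Session/RawStream/CheckedStream are hypothetical
// stand-ins, not Firefox's Http2Session/Http2Stream.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Owner of the connection's output queue (stand-in for an HTTP/2 session).
class Session {
 public:
  void QueueFrame(const std::string& frame) { mQueued.push_back(frame); }
  std::size_t QueuedFrames() const { return mQueued.size(); }
 private:
  std::vector<std::string> mQueued;
};

// Risky shape: a non-owning back-pointer. If the session is destroyed while
// the stream is still reachable, TransmitFrame dereferences freed memory.
struct RawStream {
  Session* mSession;  // nothing keeps *mSession alive
  void TransmitFrame(const std::string& f) { mSession->QueueFrame(f); }
};

// Safer shape: a weak reference promoted to a strong one for the duration
// of the call, so a dead session becomes a handled error.
class CheckedStream {
 public:
  explicit CheckedStream(const std::shared_ptr<Session>& s) : mSession(s) {}
  bool TransmitFrame(const std::string& frame) {
    std::shared_ptr<Session> session = mSession.lock();
    if (!session) return false;  // session gone: refuse, no dereference
    session->QueueFrame(frame);
    return true;
  }
 private:
  std::weak_ptr<Session> mSession;
};

// Constructed scenario: the session is torn down between two writes.
// Returns true when the first write succeeds and the second is refused.
bool SecondWriteRefusedAfterTeardown() {
  auto session = std::make_shared<Session>();
  CheckedStream stream(session);
  bool first = stream.TransmitFrame("HEADERS") && session->QueuedFrames() == 1;
  session.reset();  // last strong reference dropped; Session is destroyed
  return first && !stream.TransmitFrame("DATA");
}
int main() { return SecondWriteRefusedAfterTeardown() ? 0 : 1; }
```

Built with AddressSanitizer, the same teardown sequence run against `RawStream` is reported as a heap-use-after-free, which is the bug class the comment assumes.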
Comment 5•2 years ago
Comment on attachment 9253410 [details]
Bug 1740274 - Avoid accessing Http2Session through raw pointer, r=#necko
Approved to land and uplift
Comment 6•2 years ago
Avoid accessing Http2Session through raw pointer, r=necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/8ceb33ff6deb54274128e26fb82a67de9e3be74b
https://hg.mozilla.org/mozilla-central/rev/8ceb33ff6deb
Comment 7•2 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 8•2 years ago (Assignee)
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #7)
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Done.
Comment 9•2 years ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/fa6a4611f89d
Approved for 96.0b4
Comment 10•2 years ago
uplift