Closed Bug 1746537 Opened 3 years ago Closed 3 years ago

Use-after-free crash in [@ mozilla::net::ProxyAutoConfig::MyIPAddressTryHost]

Categories

(Core :: Networking: HTTP, defect, P1)

Unspecified
Windows 10
defect

Tracking

RESOLVED DUPLICATE of bug 1746543
Tracking Status
firefox-esr91 --- unaffected
firefox95 --- unaffected
firefox96 --- unaffected
firefox97 --- fixed

People

(Reporter: mccr8, Assigned: kershaw)

References

(Regression)

Details

(4 keywords, Whiteboard: [necko-triaged])

Attachments

(1 obsolete file)

Crash report: https://crash-stats.mozilla.org/report/index/015a2800-7f3a-4174-860a-356dc0211216

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 4 frames of crashing thread:

0 xul.dll mozilla::net::ProxyAutoConfig::MyIPAddressTryHost netwerk/base/ProxyAutoConfig.cpp:995
1 xul.dll mozilla::net::ProxyAutoConfig::MyIPAddress netwerk/base/ProxyAutoConfig.cpp:1071
2 xul.dll mozilla::net::PACMyIpAddress netwerk/base/ProxyAutoConfig.cpp:587
3 None @0x0000030cb889a0e9 

There are a couple of crashes with this signature. The rax register contains a jemalloc poison value.

It looks like this feature is Nightly-only for now.

See Also: → 1746543

Maybe [@ mozilla::net::ProxyAutoConfig::MyIPAddress ] is the same crash on Windows? Not a lot of these, but they also have a poison value in rax.

Crash Signature: [@ mozilla::net::ProxyAutoConfig::MyIPAddressTryHost] → [@ mozilla::net::ProxyAutoConfig::MyIPAddressTryHost] [@ mozilla::net::ProxyAutoConfig::MyIPAddress ]

I think the problem is that ProxyAutoConfig is released too early here. In ProxyAutoConfig, we spin the event loop while waiting for the DNS result. At this point, if ProxyAutoConfigChild::ActorDestroy is called, we get this crash.

Assignee: nobody → kershaw
Status: NEW → RESOLVED
Closed: 3 years ago
Priority: -- → P1
Resolution: --- → FIXED
Whiteboard: [necko-triaged]
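
Added illustration, not code from Firefox and not the patch from bug 1746543: a minimal C++ model of the lifetime problem described in the analysis comment above, where an object spins the event loop and its owner drops the last reference during the spin. `EventLoop`, `Resolver`, `Run` and `holdSelfRef` are hypothetical names, and holding a self-reference across the spin is one common mitigation, assumed here for the example.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <utility>

// Single-threaded task queue standing in for the real event loop.
struct EventLoop {
  std::deque<std::function<void()>> tasks;
  void SpinUntil(const bool& done) {
    while (!done && !tasks.empty()) {
      auto task = std::move(tasks.front());
      tasks.pop_front();
      task();  // may run teardown code that releases the caller's object
    }
  }
};
enum class Outcome { Ok, WouldUseAfterFree };

// Hypothetical object that blocks on a DNS answer by spinning the loop.
struct Resolver : std::enable_shared_from_this<Resolver> {
  EventLoop& loop;
  std::shared_ptr<bool> alive;  // constructed liveness flag, outlives *this
  int result = 0;
  Resolver(EventLoop& l, std::shared_ptr<bool> a) : loop(l), alive(std::move(a)) { *alive = true; }
  ~Resolver() { *alive = false; }
  Outcome Resolve(bool holdSelfRef) {
    std::shared_ptr<bool> stillAlive = alive;  // local copy, valid even if *this dies
    std::shared_ptr<Resolver> grip;
    if (holdSelfRef) grip = shared_from_this();  // keeps *this alive across the spin
    bool dnsDone = false;
    loop.tasks.push_back([&dnsDone] { dnsDone = true; });  // models the DNS callback
    loop.SpinUntil(dnsDone);
    // Unguarded code would touch members here; the model reports instead.
    if (!*stillAlive) return Outcome::WouldUseAfterFree;
    result = 1;
    return Outcome::Ok;
  }
};

// The owner queues its teardown (the ActorDestroy role) before the spin starts.
Outcome Run(bool holdSelfRef) {
  EventLoop loop;
  auto alive = std::make_shared<bool>(false);
  auto owner = std::make_shared<Resolver>(loop, alive);
  loop.tasks.push_back([&owner] { owner.reset(); });
  return owner->Resolve(holdSelfRef);
}

int main() { return Run(true) == Outcome::Ok && Run(false) == Outcome::WouldUseAfterFree ? 0 : 1; }
```

The model never dereferences the destroyed object: the unguarded path only reads the external flag, which is where real code would read freed (poisoned) memory.
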
Attached file Bug 1746537, r=#necko (obsolete)

Sorry, this bug was closed by mistake.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment on attachment 9255892 [details]
Bug 1746537, r=#necko

Revision D134137 was moved to bug 1746543. Setting attachment 9255892 [details] to obsolete.

Attachment #9255892 - Attachment is obsolete: true

Set release status flags based on info from the regressing bug 1745385

No recent crashes it would appear. Did bug 1746543 fix this crash too?

Flags: needinfo?(kershaw)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

> No recent crashes it would appear. Did bug 1746543 fix this crash too?

Yes, I think so. We can close this one.

Status: REOPENED → RESOLVED
Closed: 3 years ago → 3 years ago
Flags: needinfo?(kershaw)
Resolution: --- → DUPLICATE
Group: network-core-security → core-security-release
Has Regression Range: --- → yes
Group: core-security-release