Hit MOZ_CRASH(nsSupportsPRUint32 not thread-safe) at xpcom/base/nsISupportsImpl.cpp:43
Categories
(Core :: Networking: HTTP, defect, P2)
Tracking
()
People
(Reporter: decoder, Assigned: kershaw)
References
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main97+r][sec-survey][adv-esr91.6+r])
Attachments
(3 files)
|
9.51 KB,
text/plain
|
Details | |
|
2.03 KB,
application/octet-stream
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr91+
tjr
:
sec-approval+
|
Details | Review |
The attached testcase crashes on mozilla-central revision 20211231-d0a94b1f309b (fuzzing build required).
For detailed crash information, see attachment.
I was not able to reproduce this issue so far, but it reproduces fairly often in our fuzzing infra. I guess this is a data race of some sort, but I also tried a TSan build with no luck. Maybe the stack is enough to figure out what is going on.
Normally, the issue would be reproducible with the following steps:
- Download the attached testcase, save as "test.bin".
2a. Build with--enable-fuzzing(requires Clang and ASan, also build gtests using./mach gtest dontruntests).
2b. Alternatively you can download builds from TC usingpython -mfuzzfetch -a --fuzzing --gtest(see https://github.com/MozillaSecurity/fuzzfetch). - Run
FUZZER=NetworkHttpProxyPlain objdir/dist/bin/firefox test.bin
Marking s-s until investigated.
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 3•3 years ago
|
||
|
Assignee | |
Comment 4•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 5•3 years ago
|
||
Doing refcounting on the wrong thread for a non-threadsafe object can cause a UAF from a race. This is probably difficult to actually exploit, but I'll conservatively mark it sec-high.
|
|
Assignee | |
Comment 6•3 years ago
|
||
Comment on attachment 9257321 [details]
Bug 1748210 - Always release GetNextTokenCompleteEvent on main thread, r=#necko
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Probably not easy, since an exploit can be only constructed by race.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: n/a
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely. Forcing
GetNextTokenCompleteEventto be released on the right thread should not cause any problem.
|
||
Updated•3 years ago
|
|
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9257321 [details]
Bug 1748210 - Always release GetNextTokenCompleteEvent on main thread, r=#necko
Approved to land and uplift
|
||
Comment 8•3 years ago
|
||
Always release GetNextTokenCompleteEvent on main thread, r=necko-reviewers,valentin
https://hg.mozilla.org/integration/autoland/rev/d0dc81c342c08e99cfd73b61d13138cc2ecec010
https://hg.mozilla.org/mozilla-central/rev/d0dc81c342c0
|
||
Comment 9•3 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
||
Comment 10•3 years ago
|
||
Please nominate this for Beta & ESR91 approval when you get a chance.
|
|
Assignee | |
Comment 11•3 years ago
|
||
Comment on attachment 9257321 [details]
Bug 1748210 - Always release GetNextTokenCompleteEvent on main thread, r=#necko
Beta/Release Uplift Approval Request
- User impact if declined: Possible UAF
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: N/A
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward.
- String changes made/needed: N/A
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Possible UAF
- Fix Landed on Version: 98
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward.
|
|
||
Comment 12•3 years ago
|
||
Comment on attachment 9257321 [details]
Bug 1748210 - Always release GetNextTokenCompleteEvent on main thread, r=#necko
Approved for 97.0b3 and 91.6esr.
|
|
||
Comment 13•3 years ago
|
||
| uplift | ||
|
|
||
Comment 14•3 years ago
|
||
| uplift | ||
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Comment 15•3 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
|
Assignee | |
Comment 16•3 years ago
|
||
(In reply to Release mgmt bot [:marco/ :calixte] from comment #15)
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Done.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Description
•