Closed Bug 1756639 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::dom::MessageChannel::~MessageChannel]

Categories

(Core :: DOM: postMessage, defect)

x86
Windows 7

RESOLVED INCOMPLETE

People

(Reporter: jesup, Assigned: jstutte)

Details

(Keywords: crash, csectype-uaf, sec-high)

UAFs with e5e5 addresses in ~MessageChannel, called from CC

Group: core-security → dom-core-security

This is actually about the DOM API MessageChannel, not the IPC MessageChannel. The cycle collector appears in the stack just because it always does when we delete cycle collected objects.

Component: IPC → DOM: Networking
Component: DOM: Networking → DOM: Core & HTML

There are 3 reports in the last 6 months, all from the same install time. The URL of the crash is WhatsApp.

Component: DOM: Core & HTML → DOM: postMessage

I always see only those 3 crashes from the same install and same beta version on Windows 7. Randell, is this really worth a sec-high rating?

Flags: needinfo?(rjesup)
Assignee: nobody → jstutte

We do not have any actionable information but want to monitor this for a while before marking it stalled.

Given that this only happened once as far as we can see, I'd just mark it incomplete if it doesn't come up again.

(In reply to Andrew McCreight [:mccr8] from comment #5)

> Given that this only happened once as far as we can see, I'd just mark it incomplete if it doesn't come up again.

Yes, no more reports, and those that occurred were all from the same beta install on the same day, so not even from a shipped release.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Group: dom-core-security