Closed Bug 1761667 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::detail::MutexImpl::lock | nsZipArchive::GetItem]

Categories

(Core :: Networking: JAR, defect)

Firefox 100
defect

Tracking

RESOLVED FIXED
100 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox98 --- unaffected
firefox99 --- unaffected
firefox100 --- fixed

People

(Reporter: calixte, Assigned: jesup)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, csectype-nullptr, sec-other, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/9a0842e6-4bc1-4d46-acd5-2ee5a0220326

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 libsystem_pthread.dylib pthread_mutex_lock 
1 libmozglue.dylib mozilla::detail::MutexImpl::lock mozglue/misc/Mutex_posix.cpp:118
2 XUL nsZipArchive::GetItem modules/libjar/nsZipArchive.cpp:413
3 XUL mozilla::FileLocation::GetData xpcom/build/FileLocation.cpp:156
4 XUL mozilla::URLPreloader::URLEntry::ReadLocation js/xpconnect/loader/URLPreloader.cpp:632
5 XUL mozilla::URLPreloader::Read js/xpconnect/loader/URLPreloader.cpp:523
6 XUL nsComponentManagerImpl::RegisterManifest xpcom/components/nsComponentManager.cpp:703
7 XUL nsComponentManagerImpl::AddBootstrappedManifestLocation xpcom/components/nsComponentManager.cpp:1845
8 XUL NS_InvokeByIndex 
9 XUL XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:1130

There are 4 crashes (from 1 installation) in nightly 100 with buildid 20220325214737. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1744043.

[1] https://hg.mozilla.org/mozilla-central/rev?node=17a501a19918

Flags: needinfo?
Flags: needinfo?(rjesup)
Group: core-security
Flags: needinfo?
Group: partner-confidential
Group: core-security → network-core-security

This is a null deref, so I'll mark it sec-other. It probably doesn't really need to be hidden.

The URL preloader is in the stack, so maybe this is related to bug 1724336.

Keywords: sec-other
See Also: → 1724336

So, really one crash -- appears to be a single installation, just multiple reports. Also a startup crash. Very likely the file was not accessible, and so OpenArchive returned null (which causes the crash). The old code set mZip to an empty nsZipArchive, then called OpenArchive on that -- and ignored the result. GetItem would simply fail in that case, and we'd return NS_ERROR_FILE_UNRECOGNIZED_PATH.

Flags: needinfo?(rjesup)
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Regressed by: 1744043
Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch
Has Regression Range: --- → yes
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
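
The failure mode described in the comment above (an archive factory that returns null when the file is not accessible, followed by a `GetItem` call that takes a mutex) can be modelled as below. This is an added example, not Mozilla's code and not the patch that fixed this bug; `Archive`, `ReadEntry`, `Status` and the `kDisk` contents are hypothetical names and constructed data.

```cpp
#include <map>
#include <memory>
#include <mutex>
#include <string>

enum class Status { Ok, UnrecognizedPath };

// Constructed stand-in for the files an archive could be opened from.
static const std::map<std::string, std::map<std::string, std::string>> kDisk = {
    {"/app/omni.ja", {{"chrome.manifest", "content x y"}}}};

class Archive {
 public:
  // Factory pattern: returns nullptr when the file cannot be opened.
  static std::unique_ptr<Archive> Open(const std::string& path) {
    auto it = kDisk.find(path);
    if (it == kDisk.end()) return nullptr;
    auto archive = std::make_unique<Archive>();
    archive->items_ = it->second;
    return archive;
  }

  // Takes the lock before looking anything up, so calling this through a
  // null pointer faults inside the mutex, as in the stack in the report.
  const std::string* GetItem(const std::string& name) {
    std::lock_guard<std::mutex> guard(lock_);
    auto it = items_.find(name);
    return it == items_.end() ? nullptr : &it->second;
  }

 private:
  std::mutex lock_;
  std::map<std::string, std::string> items_;
};

// Caller: a failed open is reported as an error code instead of being
// dereferenced. A missing entry in a valid archive gets the same code.
Status ReadEntry(const std::string& path, const std::string& name,
                 std::string& out) {
  std::unique_ptr<Archive> zip = Archive::Open(path);
  if (!zip) return Status::UnrecognizedPath;  // file missing or unreadable
  const std::string* item = zip->GetItem(name);
  if (!item) return Status::UnrecognizedPath;
  out = *item;
  return Status::Ok;
}
```
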