Closed Bug 1801628 Opened 2 years ago Closed 2 years ago

Fenix 106.1.0 Crash Report [@ @0xe5e5e5e5e5e5e5e5 ]

Categories

(Core :: JavaScript Engine, defect)

RESOLVED INCOMPLETE

People

(Reporter: geeknik, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Crash Data

After reading an update to crash statistics, I went searching for the UAF signature and found https://crash-stats.mozilla.org/report/index/8db26d80-9ac0-4685-af87-872440221031, dated 31 October 2022. This seems like one of those bugs that needs some attention as it appears to have affected Fenix for some time.

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix

These crashes don't look very actionable. Maybe gsvelto has some ideas.

Flags: needinfo?(gsvelto)

The first Mozilla controlled code in this crash is in JS.

Group: mobile-core-security → core-security
Crash Signature: [@ @0xe5e5e5e5e5e5e5e5 ]
Component: Security: Android → JavaScript Engine
Product: Fenix → Core
Group: core-security → javascript-core-security

We are jumping into a UAF pointer which is indeed unfortunate... but the stacks in the few crashes here are different and often completely jumbled up. They don't look to be coming from a single issue and some might be caused by bad hardware. I don't think this is actionable. Also generally speaking you won't see the poison pattern in the crash signature - this one in particular was already visible before we fixed bug 1493342 - but in the crash address.

Flags: needinfo?(gsvelto)
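Why the poison pattern shows up in the crash address rather than the signature, as an added illustration that is not Firefox's or jemalloc's own code: a constructed toy arena whose free path junk-fills the block with 0xe5 (modelled on the junk-on-free behaviour described above), an object holding a function pointer read through a dangling reference, and a triage helper that checks whether a crash address is made entirely of the poison byte.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed example: a minimal bump arena whose free() fills the block
 * with the 0xe5 junk byte, in the spirit of junk-on-free poisoning. */
#define POISON_BYTE 0xe5
#define ARENA_SIZE 4096

static unsigned char arena[ARENA_SIZE];
static size_t arena_used = 0;

void *arena_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;            /* keep 16-byte alignment */
    if (arena_used + n > ARENA_SIZE) return NULL;
    void *p = &arena[arena_used];
    arena_used += n;
    return p;
}

/* Poison on free: the block stays mapped, so a later use of a dangling
 * pointer reads 0xe5 bytes instead of stale but plausible data. */
void arena_free(void *p, size_t n) {
    memset(p, POISON_BYTE, n);
}

/* An object holding a function pointer, the kind a UAF jumps through. */
typedef void (*callback_t)(void);
struct handler { callback_t cb; int id; };

static void real_cb(void) {}

/* Returns the function-pointer bits a dangling reference would jump to;
 * the memory is our own static array, so the read is well defined here. */
uintptr_t dangling_target(void) {
    struct handler *h = arena_alloc(sizeof *h);
    h->cb = real_cb;
    h->id = 1;
    struct handler *dangling = h;          /* copy kept after the free */
    arena_free(h, sizeof *h);
    uintptr_t target;
    memcpy(&target, &dangling->cb, sizeof target);  /* read through dangling ref */
    return target;                         /* 0xe5e5e5e5e5e5e5e5 on 64-bit */
}

/* Triage check: does a crash address consist entirely of the poison byte?
 * A jump to such an address points at freed, junk-filled memory. */
bool is_poison_address(uintptr_t addr) {
    for (size_t i = 0; i < sizeof addr; i++)
        if (((addr >> (8 * i)) & 0xff) != POISON_BYTE) return false;
    return true;
}
```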

There's no real information to go on here, so I'm going to unhide this.

Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
Flags: sec-bounty? → sec-bounty-