Closed Bug 1802044 Opened 2 years ago Closed 2 years ago

Crash in [@ RefPtr<T>::get | RefPtr<T>::operator mozilla::dom::CanonicalBrowsingContext* const | mozilla::a11y::DocAccessibleParent::GetBrowsingContext]

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Android
defect

Tracking


RESOLVED DUPLICATE of bug 1802040
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- unaffected
firefox108 --- unaffected
firefox109 --- affected

People

(Reporter: cpeterson, Unassigned)

Details

(Keywords: crash, regression)

These crashes look like a possible UAF because all the crashing addresses have e5s like 0x00e5e5e5e5e5e6d5.

We have 12 crashes from 9 Fenix Nightly users so far. The earliest crash report is from build ID 20221119085828. Here is the pushlog for that build ID:

https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3b5a8f67189bd6549f0da19ea5da4a53f7e5c79a&tochange=f7eac47f5daa86a7f28257322b36cf85ae49c7f6

Crash report: https://crash-stats.mozilla.org/report/index/2608abfe-1562-4d98-bb63-a7a6c0221122

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  RefPtr<mozilla::dom::CanonicalBrowsingContext>::get const  mfbt/RefPtr.h:286
0  libxul.so  RefPtr<mozilla::dom::CanonicalBrowsingContext>::operator mozilla::dom::CanonicalBrowsingContext* const&  mfbt/RefPtr.h:299
0  libxul.so  mozilla::a11y::DocAccessibleParent::GetBrowsingContext const  accessible/ipc/DocAccessibleParent.h:95
0  libxul.so  mozilla::a11y::DocAccessibleParent::GetFrom  accessible/ipc/DocAccessibleParent.cpp:1381
1  libxul.so  mozilla::a11y::FocusManager::FocusedAccessible const  accessible/base/FocusManager.cpp:97
2  libxul.so  mozilla::a11y::FocusManager::IsFocused const  accessible/base/FocusManager.h:47
2  libxul.so  mozilla::a11y::Accessible::ApplyImplicitState const  accessible/basetypes/Accessible.cpp:498
3  libxul.so  mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::State  accessible/ipc/RemoteAccessibleBase.cpp:1104
4  libxul.so  mozilla::a11y::RemoteAccessible::State  accessible/ipc/other/RemoteAccessible.cpp:26
5  libxul.so  mozilla::a11y::SessionAccessibility::PopulateNodeInfo  accessible/android/SessionAccessibility.cpp:874

@ Jamie: could this DocAccessibleParent crash be a regression from your fixes for shadow root bug 1800731, IsAbbreviation bug 1800780, or font family bug 1800181? Your fixes all landed in the pushlog for the first crashing build.
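
A triage helper, added here as an example and not taken from the bug report or the Firefox code base: it checks whether a faulting address such as 0x00e5e5e5e5e5e6d5 matches the 0xe5 fill that mozjemalloc writes into freed memory plus a small member offset, which is the reasoning behind the UAF suspicion above. The 56-bit comparison width and the 0x1000 offset bound are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* mozjemalloc overwrites freed allocations with 0xe5 bytes. A pointer member
 * loaded from such an object is therefore 0xe5e5e5e5e5e5e5e5, and reading a
 * field through it faults at poison + field offset (0x...e5e5e6d5 = poison + 0xf0). */
#define POISON_BYTE 0xe5u
#define MAX_MEMBER_OFFSET 0x1000u /* assumed bound on a plausible field offset */

/* 64-bit word with 0xe5 in every byte. */
static uint64_t poison_word(void) {
    uint64_t w = 0;
    for (int i = 0; i < 8; i++) {
        w = (w << 8) | POISON_BYTE;
    }
    return w;
}

/* Returns the member offset if fault_addr looks like a dereference of a
 * poisoned pointer, or -1 otherwise. width_bits is how many low address bits
 * the kernel reports in si_addr; the report above shows the top byte cleared,
 * so 56 bits is assumed for the arm64 case. */
int64_t poisoned_deref_offset(uint64_t fault_addr, unsigned width_bits) {
    uint64_t mask = width_bits >= 64 ? ~0ull : ((1ull << width_bits) - 1);
    uint64_t base = poison_word() & mask;
    uint64_t addr = fault_addr & mask;
    if (addr < base) {
        return -1;
    }
    uint64_t off = addr - base;
    if (off > MAX_MEMBER_OFFSET) {
        return -1; /* too far from the poison value to be a field access */
    }
    return (int64_t)off;
}

int main(void) {
    /* Constructed inputs: the address from this report and an ordinary heap pointer. */
    uint64_t samples[] = { 0x00e5e5e5e5e5e6d5ull, 0x00007f3a12345678ull };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int64_t off = poisoned_deref_offset(samples[i], 56);
        if (off >= 0) {
            printf("0x%016llx: poisoned pointer + 0x%llx (likely UAF)\n",
                   (unsigned long long)samples[i], (unsigned long long)off);
        } else {
            printf("0x%016llx: not a poison pattern\n", (unsigned long long)samples[i]);
        }
    }
    return 0;
}
```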

Group: core-security → dom-core-security
Group: dom-core-security → layout-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1802040
Resolution: --- → DUPLICATE
Crash Signature: [@ RefPtr<T>::get | RefPtr<T>::operator mozilla::dom::CanonicalBrowsingContext* const | mozilla::a11y::DocAccessibleParent::GetBrowsingContext]
Group: layout-core-security