Closed Bug 1818762 Opened 2 years ago Closed 2 years ago

Intermittent [windows 11] SUMMARY: AddressSanitizer: use-after-poison /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:461 in __asan_wrap_strlen

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Unspecified
Windows
defect

Tracking

RESOLVED FIXED
113 Branch
Tracking Status
firefox-esr102 112+ fixed
firefox111 --- wontfix
firefox112 + fixed
firefox113 + fixed

People

(Reporter: intermittent-bug-filer, Assigned: gstoll)

Details

(Keywords: csectype-uaf, intermittent-failure, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main112+r][adv-esr102.10+r] )

Attachments

(3 files, 1 obsolete file)

Filed by: nfay [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=406824575&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/FoQZvluPTNmfBLYiOt9OkA/runs/0/artifacts/public/logs/live_backing.log
Reftest URL: https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/FoQZvluPTNmfBLYiOt9OkA/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1

[task 2023-02-24T13:48:27.524Z] 13:48:27     INFO - REFTEST TEST-START | image/test/reftest/generic/moz-icon-blank-1-almostref.html == image/test/reftest/generic/moz-icon-blank-1-ref.html
[task 2023-02-24T13:48:27.524Z] 13:48:27     INFO - REFTEST TEST-LOAD | file:///Z:/task_167724049679678/build/tests/reftest/tests/image/test/reftest/generic/moz-icon-blank-1-almostref.html | 5 / 6 (83%)
[task 2023-02-24T13:48:27.675Z] 13:48:27     INFO - console.error: (new Error("Unexpected content-type \"text/plain;charset=US-ASCII\"", "resource://services-settings/Utils.jsm", 407))
[task 2023-02-24T13:48:27.849Z] 13:48:27     INFO - REFTEST INFO | REFTEST fuzzy test (64, 45) <= (139, 189) <= (140, 189)
[task 2023-02-24T13:48:27.850Z] 13:48:27     INFO - REFTEST TEST-PASS | image/test/reftest/generic/moz-icon-blank-1-almostref.html == image/test/reftest/generic/moz-icon-blank-1-ref.html | image comparison, max difference: 139, number of differing pixels: 189
[task 2023-02-24T13:48:27.851Z] 13:48:27     INFO - REFTEST TEST-END | image/test/reftest/generic/moz-icon-blank-1-almostref.html == image/test/reftest/generic/moz-icon-blank-1-ref.html
[task 2023-02-24T13:48:27.894Z] 13:48:27     INFO - REFTEST INFO | Slowest test took 379ms (http://localhost:60026/1677246504866/1/accept-image-catchall.html)
[task 2023-02-24T13:48:27.894Z] 13:48:27     INFO - REFTEST INFO | Total canvas count = 2
[task 2023-02-24T13:48:28.145Z] 13:48:28     INFO - 1677246508145	Marionette	TRACE	Received observer notification quit-application
[task 2023-02-24T13:48:28.146Z] 13:48:28     INFO - 1677246508145	Marionette	INFO	Stopped listening on port 2828
[task 2023-02-24T13:48:28.147Z] 13:48:28     INFO - 1677246508145	Marionette	DEBUG	Marionette stopped listening
[task 2023-02-24T13:48:28.766Z] 13:48:28     INFO - WARNING: A blocker encountered an error while we were waiting.
[task 2023-02-24T13:48:28.767Z] 13:48:28     INFO -           Blocker:  Waiting for ping task
[task 2023-02-24T13:48:28.767Z] 13:48:28     INFO -           Phase: TelemetryController: Waiting for pending ping activity
[task 2023-02-24T13:48:28.768Z] 13:48:28     INFO -           State: (none)
[task 2023-02-24T13:48:28.768Z] 13:48:28     INFO - WARNING: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.770Z] 13:48:28     INFO - WARNING: addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:727:15
[task 2023-02-24T13:48:28.770Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:523:26
[task 2023-02-24T13:48:28.770Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:458:15
[task 2023-02-24T13:48:28.771Z] 13:48:28     INFO - setupShutdown@resource://gre/modules/osfile/osfile_async_front.jsm:1548:28
[task 2023-02-24T13:48:28.772Z] 13:48:28     INFO - @resource://gre/modules/osfile/osfile_async_front.jsm:1568:16
[task 2023-02-24T13:48:28.773Z] 13:48:28     INFO - @resource://gre/modules/osfile.jsm:12:30
[task 2023-02-24T13:48:28.774Z] 13:48:28     INFO - @resource://gre/modules/TelemetryStorage.sys.mjs:10:28
[task 2023-02-24T13:48:28.775Z] 13:48:28     INFO - _checkPendingPings@resource://gre/modules/TelemetrySend.sys.mjs:863:17
[task 2023-02-24T13:48:28.775Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:803:18
[task 2023-02-24T13:48:28.776Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:241:30
[task 2023-02-24T13:48:28.776Z] 13:48:28     INFO - setupTelemetry/this._delayedInitTask<@resource://gre/modules/TelemetryControllerParent.sys.mjs:828:36
[task 2023-02-24T13:48:28.777Z] 13:48:28     INFO - observe@resource://gre/modules/AsyncShutdown.sys.mjs:576:16
[task 2023-02-24T13:48:28.790Z] 13:48:28     INFO - console.error: "TelemetryScheduler.shutdown - Already shut down"
[task 2023-02-24T13:48:28.879Z] 13:48:28     INFO - WARNING: A blocker encountered an error while we were waiting.
[task 2023-02-24T13:48:28.880Z] 13:48:28     INFO -           Blocker:  Waiting for ping task
[task 2023-02-24T13:48:28.881Z] 13:48:28     INFO -           Phase: TelemetryController: Waiting for pending ping activity
[task 2023-02-24T13:48:28.881Z] 13:48:28     INFO -           State: (none)
[task 2023-02-24T13:48:28.882Z] 13:48:28     INFO - WARNING: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.883Z] 13:48:28     INFO - WARNING: addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:727:15
[task 2023-02-24T13:48:28.883Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:523:26
[task 2023-02-24T13:48:28.884Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:458:15
[task 2023-02-24T13:48:28.884Z] 13:48:28     INFO - setupShutdown@resource://gre/modules/osfile/osfile_async_front.jsm:1548:28
[task 2023-02-24T13:48:28.885Z] 13:48:28     INFO - @resource://gre/modules/osfile/osfile_async_front.jsm:1568:16
[task 2023-02-24T13:48:28.885Z] 13:48:28     INFO - @resource://gre/modules/osfile.jsm:12:30
[task 2023-02-24T13:48:28.886Z] 13:48:28     INFO - @resource://gre/modules/TelemetryStorage.sys.mjs:10:28
[task 2023-02-24T13:48:28.886Z] 13:48:28     INFO - _checkPendingPings@resource://gre/modules/TelemetrySend.sys.mjs:863:17
[task 2023-02-24T13:48:28.886Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:803:18
[task 2023-02-24T13:48:28.887Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:241:30
[task 2023-02-24T13:48:28.887Z] 13:48:28     INFO - setupTelemetry/this._delayedInitTask<@resource://gre/modules/TelemetryControllerParent.sys.mjs:828:36
[task 2023-02-24T13:48:28.888Z] 13:48:28     INFO - observe@resource://gre/modules/AsyncShutdown.sys.mjs:576:16
[task 2023-02-24T13:48:28.888Z] 13:48:28     INFO - WARNING: A blocker encountered an error while we were waiting.
[task 2023-02-24T13:48:28.889Z] 13:48:28     INFO -           Blocker:  Waiting for ping task
[task 2023-02-24T13:48:28.890Z] 13:48:28     INFO -           Phase: TelemetryController: Waiting for pending ping activity
[task 2023-02-24T13:48:28.890Z] 13:48:28     INFO -           State: (none)
[task 2023-02-24T13:48:28.891Z] 13:48:28     INFO - WARNING: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.892Z] 13:48:28     INFO - WARNING: addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:727:15
[task 2023-02-24T13:48:28.892Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:523:26
[task 2023-02-24T13:48:28.893Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:458:15
[task 2023-02-24T13:48:28.893Z] 13:48:28     INFO - setupShutdown@resource://gre/modules/osfile/osfile_async_front.jsm:1548:28
[task 2023-02-24T13:48:28.893Z] 13:48:28     INFO - @resource://gre/modules/osfile/osfile_async_front.jsm:1568:16
[task 2023-02-24T13:48:28.894Z] 13:48:28     INFO - @resource://gre/modules/osfile.jsm:12:30
[task 2023-02-24T13:48:28.895Z] 13:48:28     INFO - @resource://gre/modules/TelemetryStorage.sys.mjs:10:28
[task 2023-02-24T13:48:28.895Z] 13:48:28     INFO - _checkPendingPings@resource://gre/modules/TelemetrySend.sys.mjs:863:17
[task 2023-02-24T13:48:28.896Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:803:18
[task 2023-02-24T13:48:28.896Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:241:30
[task 2023-02-24T13:48:28.897Z] 13:48:28     INFO - setupTelemetry/this._delayedInitTask<@resource://gre/modules/TelemetryControllerParent.sys.mjs:828:36
[task 2023-02-24T13:48:28.898Z] 13:48:28     INFO - observe@resource://gre/modules/AsyncShutdown.sys.mjs:576:16
[task 2023-02-24T13:48:28.898Z] 13:48:28     INFO - WARNING: A blocker encountered an error while we were waiting.
[task 2023-02-24T13:48:28.899Z] 13:48:28     INFO -           Blocker:  TelemetryController: shutting down
[task 2023-02-24T13:48:28.899Z] 13:48:28     INFO -           Phase: profile-before-change-telemetry
[task 2023-02-24T13:48:28.900Z] 13:48:28     INFO -           State: Error getting state: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange" at addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:727:15
[task 2023-02-24T13:48:28.900Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:523:26
[task 2023-02-24T13:48:28.901Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:458:15
[task 2023-02-24T13:48:28.902Z] 13:48:28     INFO - setupShutdown@resource://gre/modules/osfile/osfile_async_front.jsm:1548:28
[task 2023-02-24T13:48:28.902Z] 13:48:28     INFO - @resource://gre/modules/osfile/osfile_async_front.jsm:1568:16
[task 2023-02-24T13:48:28.903Z] 13:48:28     INFO - @resource://gre/modules/osfile.jsm:12:30
[task 2023-02-24T13:48:28.903Z] 13:48:28     INFO - @resource://gre/modules/TelemetryStorage.sys.mjs:10:28
[task 2023-02-24T13:48:28.904Z] 13:48:28     INFO - _checkPendingPings@resource://gre/modules/TelemetrySend.sys.mjs:863:17
[task 2023-02-24T13:48:28.904Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:803:18
[task 2023-02-24T13:48:28.905Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:241:30
[task 2023-02-24T13:48:28.905Z] 13:48:28     INFO - setupTelemetry/this._delayedInitTask<@resource://gre/modules/TelemetryControllerParent.sys.mjs:828:36
[task 2023-02-24T13:48:28.906Z] 13:48:28     INFO - observe@resource://gre/modules/AsyncShutdown.sys.mjs:576:16
[task 2023-02-24T13:48:28.906Z] 13:48:28     INFO - WARNING: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.907Z] 13:48:28     INFO - WARNING: addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:727:15
[task 2023-02-24T13:48:28.908Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:523:26
[task 2023-02-24T13:48:28.908Z] 13:48:28     INFO - addBlocker@resource://gre/modules/AsyncShutdown.sys.mjs:458:15
[task 2023-02-24T13:48:28.909Z] 13:48:28     INFO - setupShutdown@resource://gre/modules/osfile/osfile_async_front.jsm:1548:28
[task 2023-02-24T13:48:28.909Z] 13:48:28     INFO - @resource://gre/modules/osfile/osfile_async_front.jsm:1568:16
[task 2023-02-24T13:48:28.910Z] 13:48:28     INFO - @resource://gre/modules/osfile.jsm:12:30
[task 2023-02-24T13:48:28.910Z] 13:48:28     INFO - @resource://gre/modules/TelemetryStorage.sys.mjs:10:28
[task 2023-02-24T13:48:28.911Z] 13:48:28     INFO - _checkPendingPings@resource://gre/modules/TelemetrySend.sys.mjs:863:17
[task 2023-02-24T13:48:28.911Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:803:18
[task 2023-02-24T13:48:28.911Z] 13:48:28     INFO - setup@resource://gre/modules/TelemetrySend.sys.mjs:241:30
[task 2023-02-24T13:48:28.911Z] 13:48:28     INFO - setupTelemetry/this._delayedInitTask<@resource://gre/modules/TelemetryControllerParent.sys.mjs:828:36
[task 2023-02-24T13:48:28.912Z] 13:48:28     INFO - observe@resource://gre/modules/AsyncShutdown.sys.mjs:576:16
[task 2023-02-24T13:48:28.913Z] 13:48:28     INFO - JavaScript error: resource://gre/modules/AsyncShutdown.sys.mjs, line 727: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.913Z] 13:48:28     INFO - JavaScript error: resource://gre/modules/AsyncShutdown.sys.mjs, line 727: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.914Z] 13:48:28     INFO - JavaScript error: resource://gre/modules/AsyncShutdown.sys.mjs, line 727: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.915Z] 13:48:28     INFO - JavaScript error: resource://gre/modules/AsyncShutdown.sys.mjs, line 727: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.915Z] 13:48:28     INFO - JavaScript error: resource://gre/modules/AsyncShutdown.sys.mjs, line 727: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:28.916Z] 13:48:28     INFO - JavaScript error: resource://gre/modules/AsyncShutdown.sys.mjs, line 727: Error: Phase "profile-before-change" is finished, it is too late to register completion condition "OS.File: flush I/O queued before profileBeforeChange"
[task 2023-02-24T13:48:30.624Z] 13:48:30     INFO - REFTEST INFO | Process mode: e10s
[task 2023-02-24T13:48:30.625Z] 13:48:30  WARNING - leakcheck | refcount logging is off, so leaks can't be detected!
[task 2023-02-24T13:48:30.626Z] 13:48:30     INFO - REFTEST INFO | Running tests in file:///Z:/task_167724049679678/build/tests/reftest/tests/layout/reftests/css-invalid/default-style/reftest.list
[task 2023-02-24T13:48:30.655Z] 13:48:30     INFO - REFTEST INFO | Running with e10s: True
[task 2023-02-24T13:48:30.656Z] 13:48:30     INFO - REFTEST INFO | Running with fission: True
[task 2023-02-24T13:48:30.656Z] 13:48:30     INFO - REFTEST INFO | INFO | runtests.py | ASan using symbolizer at Z:\task_167724049679678\build\application\firefox\llvm-symbolizer.exe
[task 2023-02-24T13:48:30.772Z] 13:48:30     INFO - REFTEST INFO | Failed determine available memory, disabling ASan low-memory configuration
[task 2023-02-24T13:48:30.773Z] 13:48:30     INFO - REFTEST INFO | Application command: Z:\task_167724049679678\build\application\firefox\firefox.exe -marionette --wait-for-browser -profile C:\Users\task_167724049679678\AppData\Local\Temp\tmpl0h3xnby.mozrunner
[task 2023-02-24T13:48:32.729Z] 13:48:32     INFO - 1677246512728	Marionette	INFO	Marionette enabled
[task 2023-02-24T13:48:32.739Z] 13:48:32     INFO - 1677246512738	Marionette	TRACE	Received observer notification final-ui-startup
[task 2023-02-24T13:48:32.747Z] 13:48:32     INFO - 1677246512746	Marionette	INFO	Listening on port 2828
[task 2023-02-24T13:48:32.748Z] 13:48:32     INFO - 1677246512747	Marionette	DEBUG	Marionette is listening
[task 2023-02-24T13:48:33.310Z] 13:48:33     INFO - 1677246513308	Marionette	DEBUG	Accepted connection 0 from 127.0.0.1:60041
[task 2023-02-24T13:48:33.476Z] 13:48:33     INFO - 1677246513475	Marionette	DEBUG	Closed connection 0
[task 2023-02-24T13:48:33.477Z] 13:48:33     INFO - 1677246513476	Marionette	DEBUG	Accepted connection 1 from 127.0.0.1:60042
[task 2023-02-24T13:48:34.676Z] 13:48:34     INFO - 1677246514675	Marionette	DEBUG	1 -> [0,1,"WebDriver:NewSession",{"strictFileInteractability":true}]
[task 2023-02-24T13:48:34.705Z] 13:48:34     INFO - 1677246514704	Marionette	DEBUG	Waiting for initial application window
[task 2023-02-24T13:48:35.310Z] 13:48:35     INFO - JavaScript error: resource://gre/modules/XULStore.jsm, line 58: Error: Can't find profile directory.
[task 2023-02-24T13:48:36.251Z] 13:48:36     INFO - console.error: (new Error("Unexpected content-type \"text/plain;charset=US-ASCII\"", "resource://services-settings/Utils.jsm", 407))
[task 2023-02-24T13:48:38.289Z] 13:48:38     INFO - console.warn: SearchSettings: "get: No settings file exists, new profile?" (new NotFoundError("Could not open the file at C:\\Users\\task_167724049679678\\AppData\\Local\\Temp\\tmpl0h3xnby.mozrunner\\search.json.mozlz4", (void 0)))
[task 2023-02-24T13:48:38.607Z] 13:48:38     INFO - =================================================================
[task 2023-02-24T13:48:38.609Z] 13:48:38    ERROR - ==7704==ERROR: AddressSanitizer: use-after-poison on address 0x11d309b55c76 at pc 0x7ff904048438 bp 0x002ba83fbe50 sp 0x002ba83fbe90
[task 2023-02-24T13:48:38.610Z] 13:48:38     INFO - READ of size 31 at 0x11d309b55c76 thread T0
[task 2023-02-24T13:48:38.727Z] 13:48:38     INFO - ==7704==WARNING: Failed to use and restart external symbolizer!
[task 2023-02-24T13:48:40.158Z] 13:48:40     INFO -     #0 0x7ff904048437 in __asan_wrap_strlen /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:461
[task 2023-02-24T13:48:40.159Z] 13:48:40     INFO -     #1 0x7ff6ca3002c4 in sandbox::AnsiToUnicode /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc:412
[task 2023-02-24T13:48:40.160Z] 13:48:40     INFO -     #2 0x7ff6ca3004fa in sandbox::GetImageInfoFromModule /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc:459
[task 2023-02-24T13:48:40.160Z] 13:48:40     INFO -     #3 0x7ff6ca3104c0 in TargetNtMapViewOfSection /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/target_interceptions.cc:84
[task 2023-02-24T13:48:40.161Z] 13:48:40     INFO -     #4 0x7ff6ca2cf27f in TargetNtMapViewOfSection64 /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/interceptors_64.cc:39
[task 2023-02-24T13:48:40.162Z] 13:48:40     INFO -     #5 0x7ff93e96d572 in RtlLengthRequiredSid+0x112 (C:\Windows\SYSTEM32\ntdll.dll+0x18007d572)
[task 2023-02-24T13:48:40.163Z] 13:48:40     INFO -     #6 0x7ff93e91b1f0 in RtlDeriveCapabilitySidsFromName+0x340 (C:\Windows\SYSTEM32\ntdll.dll+0x18002b1f0)
[task 2023-02-24T13:48:40.163Z] 13:48:40     INFO -     #7 0x7ff93e9063f2 in RtlInitUTF8String+0x192 (C:\Windows\SYSTEM32\ntdll.dll+0x1800163f2)
[task 2023-02-24T13:48:40.164Z] 13:48:40     INFO -     #8 0x7ff93e91a49d in LdrGetDllHandleEx+0xad (C:\Windows\SYSTEM32\ntdll.dll+0x18002a49d)
[task 2023-02-24T13:48:40.164Z] 13:48:40     INFO -     #9 0x7ff93e91b2ab in LdrGetDllHandle+0x1b (C:\Windows\SYSTEM32\ntdll.dll+0x18002b2ab)
[task 2023-02-24T13:48:40.165Z] 13:48:40     INFO -     #10 0x7ff93c396da5 in GetModuleHandleW+0x35 (C:\Windows\System32\KERNELBASE.dll+0x180056da5)
[task 2023-02-24T13:48:40.165Z] 13:48:40     INFO -     #11 0x7ff916e5606a in mozilla::glue::ModuleLoadFrame::ModuleLoadFrame /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/ModuleLoadFrame.cpp:86
[task 2023-02-24T13:48:40.166Z] 13:48:40     INFO -     #12 0x7ff916e4acf6 in patched_LdrLoadDll /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:533
[task 2023-02-24T13:48:40.167Z] 13:48:40     INFO -     #13 0x7ff93c36bbb1 in LoadLibraryExW+0x171 (C:\Windows\System32\KERNELBASE.dll+0x18002bbb1)
[task 2023-02-24T13:48:40.168Z] 13:48:40     INFO -     #14 0x7ff93e0f56e8 in CoGetProcessIdentifier+0x3348 (C:\Windows\System32\combase.dll+0x1800456e8)
[task 2023-02-24T13:48:40.168Z] 13:48:40     INFO -     #15 0x7ff93e0f55f7 in CoGetProcessIdentifier+0x3257 (C:\Windows\System32\combase.dll+0x1800455f7)
[task 2023-02-24T13:48:40.169Z] 13:48:40     INFO -     #16 0x7ff93e0f53c8 in CoGetProcessIdentifier+0x3028 (C:\Windows\System32\combase.dll+0x1800453c8)
[task 2023-02-24T13:48:40.169Z] 13:48:40     INFO -     #17 0x7ff93e108f6a in RoGetActivationFactory+0x1e2a (C:\Windows\System32\combase.dll+0x180058f6a)
[task 2023-02-24T13:48:40.170Z] 13:48:40     INFO -     #18 0x7ff93e1075ef in RoGetActivationFactory+0x4af (C:\Windows\System32\combase.dll+0x1800575ef)
[task 2023-02-24T13:48:40.170Z] 13:48:40     INFO -     #19 0x7ff8ebb5b603 in CollectProcessInfo /builds/worker/checkouts/gecko/xpcom/base/nsSystemInfo.cpp:652
[task 2023-02-24T13:48:40.171Z] 13:48:40     INFO -     #20 0x7ff8f9c5b209 in PreRecordMetaInformation /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:2793
[task 2023-02-24T13:48:40.172Z] 13:48:40     INFO -     #21 0x7ff8f9c84e60 in profiler_shutdown /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:5317
[task 2023-02-24T13:48:40.172Z] 13:48:40     INFO -     #22 0x7ff8fa771eda in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:689
[task 2023-02-24T13:48:40.173Z] 13:48:40     INFO -     #23 0x7ff6ca242c9e in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
[task 2023-02-24T13:48:40.173Z] 13:48:40     INFO -     #24 0x7ff6ca24166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
[task 2023-02-24T13:48:40.174Z] 13:48:40     INFO -     #25 0x7ff6ca335637 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
[task 2023-02-24T13:48:40.175Z] 13:48:40     INFO -     #26 0x7ff93cb526bc in BaseThreadInitThunk+0x1c (C:\Windows\System32\KERNEL32.DLL+0x1800126bc)
[task 2023-02-24T13:48:40.175Z] 13:48:40     INFO -     #27 0x7ff93e94dfb7 in RtlUserThreadStart+0x27 (C:\Windows\SYSTEM32\ntdll.dll+0x18005dfb7)
[task 2023-02-24T13:48:40.176Z] 13:48:40     INFO - Address 0x11d309b55c76 is a wild pointer inside of access range of size 0x00000000001f.
[task 2023-02-24T13:48:40.176Z] 13:48:40     INFO - SUMMARY: AddressSanitizer: use-after-poison /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:461 in __asan_wrap_strlen
[task 2023-02-24T13:48:40.177Z] 13:48:40     INFO - Shadow bytes around the buggy address:
[task 2023-02-24T13:48:40.178Z] 13:48:40     INFO -   0x038d6ae6ab30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.178Z] 13:48:40     INFO -   0x038d6ae6ab40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.178Z] 13:48:40     INFO -   0x038d6ae6ab50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.178Z] 13:48:40     INFO -   0x038d6ae6ab60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.179Z] 13:48:40     INFO -   0x038d6ae6ab70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.180Z] 13:48:40     INFO - =>0x038d6ae6ab80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
[task 2023-02-24T13:48:40.181Z] 13:48:40     INFO -   0x038d6ae6ab90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.181Z] 13:48:40     INFO -   0x038d6ae6aba0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.181Z] 13:48:40     INFO -   0x038d6ae6abb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.182Z] 13:48:40     INFO -   0x038d6ae6abc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.182Z] 13:48:40     INFO -   0x038d6ae6abd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2023-02-24T13:48:40.183Z] 13:48:40     INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2023-02-24T13:48:40.183Z] 13:48:40     INFO -   Addressable:           00
[task 2023-02-24T13:48:40.183Z] 13:48:40     INFO -   Partially addressable: 01 02 03 04 05 06 07
[task 2023-02-24T13:48:40.184Z] 13:48:40     INFO -   Heap left redzone:       fa
[task 2023-02-24T13:48:40.184Z] 13:48:40     INFO -   Freed heap region:       fd
[task 2023-02-24T13:48:40.185Z] 13:48:40     INFO -   Stack left redzone:      f1
[task 2023-02-24T13:48:40.185Z] 13:48:40     INFO -   Stack mid redzone:       f2
[task 2023-02-24T13:48:40.186Z] 13:48:40     INFO -   Stack right redzone:     f3
[task 2023-02-24T13:48:40.186Z] 13:48:40     INFO -   Stack after return:      f5
[task 2023-02-24T13:48:40.187Z] 13:48:40     INFO -   Stack use after scope:   f8
[task 2023-02-24T13:48:40.187Z] 13:48:40     INFO -   Global redzone:          f9
[task 2023-02-24T13:48:40.187Z] 13:48:40     INFO -   Global init order:       f6
[task 2023-02-24T13:48:40.188Z] 13:48:40     INFO -   Poisoned by user:        f7
[task 2023-02-24T13:48:40.188Z] 13:48:40     INFO -   Container overflow:      fc
[task 2023-02-24T13:48:40.189Z] 13:48:40     INFO -   Array cookie:            ac
[task 2023-02-24T13:48:40.189Z] 13:48:40     INFO -   Intra object redzone:    bb
[task 2023-02-24T13:48:40.190Z] 13:48:40     INFO -   ASan internal:           fe
[task 2023-02-24T13:48:40.190Z] 13:48:40     INFO -   Left alloca redzone:     ca
[task 2023-02-24T13:48:40.190Z] 13:48:40     INFO -   Right alloca redzone:    cb
[task 2023-02-24T13:48:40.191Z] 13:48:40     INFO - ==7704==ABORTING
[task 2023-02-24T13:48:41.729Z] 13:48:41     INFO - console.error: (new Error("Unexpected content-type \"text/plain;charset=US-ASCII\"", "resource://services-settings/Utils.jsm", 407))
[task 2023-02-24T13:48:41.730Z] 13:48:41     INFO - console.error: (new Error("Unexpected content-type \"text/plain;charset=US-ASCII\"", "resource://services-settings/Utils.jsm", 407))
[task 2023-02-24T13:48:41.731Z] 13:48:41     INFO - console.error: (new Error("Unexpected content-type \"text/plain;charset=US-ASCII\"", "resource://services-settings/Utils.jsm", 407))
[task 2023-02-24T13:48:41.970Z] 13:48:41     INFO - 1677246521969	Marionette	TRACE	Received observer notification browser-idle-startup-tasks-finished
[task 2023-02-24T13:48:42.007Z] 13:48:42     INFO - 1677246522006	RemoteAgent	TRACE	[11] ProgressListener Start: expectNavigation=false resolveWhenStarted=false unloadTimeout=1600 waitForExplicitStart=false
[task 2023-02-24T13:48:42.008Z] 13:48:42     INFO - 1677246522007	RemoteAgent	TRACE	[11] ProgressListener Setting unload timer (1600ms)
[task 2023-02-24T13:48:42.009Z] 13:48:42     INFO - 1677246522008	RemoteAgent	TRACE	[11] Document already finished loading: about:blank
[task 2023-02-24T13:48:42.009Z] 13:48:42     INFO - 1677246522008	RemoteAgent	TRACE	[11] ProgressListener Stop: has error=false
[task 2023-02-24T13:48:42.070Z] 13:48:42     INFO - 1677246522067	Marionette	DEBUG	1 <- [1,1,null,{"sessionId":"a46b374c-f3fb-4200-847c-e6b8a1f09a76","capabilities":{"browserName":"firefox","browserVersion":"112.0a1","platformName":"windows","acceptInsecureCerts":false,"pageLoadStrategy":"normal","setWindowRect":true,"timeouts":{"implicit":0,"pageLoad":300000,"script":30000},"strictFileInteractability":true,"unhandledPromptBehavior":"dismiss and notify","moz:accessibilityChecks":false,"moz:buildID":"20230224121425","moz:headless":false,"moz:platformVersion":"10.0","moz:processID":9284,"moz:profile":"C:\\Users\\task_167724049679678\\AppData\\Local\\Temp\\tmpl0h3xnby.mozrunner","moz:shutdownTimeout":300000,"moz:useNonSpecCompliantPointerOrigin":false,"moz:webdriverClick":true,"moz:windowless":false,"proxy":{}}}]
[task 2023-02-24T13:48:42.100Z] 13:48:42     INFO - 1677246522099	Marionette	DEBUG	1 -> [0,2,"Addon:Install",{"path":"Z:\\task_167724049679678\\build\\tests\\reftest\\specialpowers","temporary":true}]
[task 2023-02-24T13:48:42.160Z] 13:48:42     INFO - 1677246522160	Marionette	DEBUG	1 <- [1,2,null,{"value":"special-powers@mozilla.org"}]
[task 2023-02-24T13:48:42.183Z] 13:48:42     INFO - 1677246522182	Marionette	DEBUG	1 -> [0,3,"Addon:Install",{"path":"Z:\\task_167724049679678\\build\\tests\\reftest\\reftest","temporary":true}]
[task 2023-02-24T13:48:42.288Z] 13:48:42     INFO - 1677246522287	Marionette	TRACE	Received observer notification domwindowopened
[task 2023-02-24T13:48:42.300Z] 13:48:42     INFO - 1677246522299	Marionette	DEBUG	1 <- [1,3,null,{"value":"reftest@mozilla.org"}]
[task 2023-02-24T13:48:42.333Z] 13:48:42     INFO - 1677246522331	Marionette	DEBUG	1 -> [0,4,"WebDriver:DeleteSession",{}]
[task 2023-02-24T13:48:42.344Z] 13:48:42     INFO - 1677246522343	Marionette	DEBUG	1 <- [1,4,null,{"value":null}]
[task 2023-02-24T13:48:42.351Z] 13:48:42     INFO - 1677246522350	Marionette	DEBUG	Closed connection 1
[task 2023-02-24T13:48:43.004Z] 13:48:43     INFO - REFTEST TEST-START | layout/reftests/css-invalid/default-style/input.html == layout/reftests/css-invalid/default-style/input-ref.html

Use-after-poison in sandbox::AnsiToUnicode.

Group: core-security → dom-core-security
Component: Graphics: ImageLib → Security: Process Sandboxing

Kind of a weird stack. It looks like we're shutting down a child process, which in turn is shutting down the profiler, and then we're bouncing through the DLL blocklist code and somehow hitting a string that has been poisoned?

6 failures since Friday on the new Windows 11 platform.

Summary: Intermittent [tier 2] SUMMARY: AddressSanitizer: use-after-poison /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:461 in __asan_wrap_strlen → Intermittent [windows 11] SUMMARY: AddressSanitizer: use-after-poison /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:461 in __asan_wrap_strlen
Assignee: nobody → bobowencode

we're bouncing through the DLL blocklist code

That's because CoGetProcessIdentifier loads a DLL, and we patch the DLL loader.

Severity: -- → S2
Priority: -- → P1
OS: Unspecified → Windows

I wondered if this was a garbled stack, but it looks like the ntdll.dll offsets are correct; it just has the wrong functions:

#0 0x7ff904048437 in __asan_wrap_strlen /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:461
#1 0x7ff6ca3002c4 in sandbox::AnsiToUnicode /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc:412
#2 0x7ff6ca3004fa in sandbox::GetImageInfoFromModule /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc:459
#3 0x7ff6ca3104c0 in TargetNtMapViewOfSection /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/target_interceptions.cc:84
#4 0x7ff6ca2cf27f in TargetNtMapViewOfSection64 /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/win/src/interceptors_64.cc:39
#5 0x7ff93e96d572 in LdrpFindLoadedDllByMappingFile+0xf6 (C:\Windows\SYSTEM32\ntdll.dll+0x18007d572)
#6 0x7ff93e91b1f0 in LdrpFindLoadedDllInternal+0x154 (C:\Windows\SYSTEM32\ntdll.dll+0x18002b1f0)
#7 0x7ff93e9063f2 in LdrpFindLoadedDll+0x7e (C:\Windows\SYSTEM32\ntdll.dll+0x1800163f2)
#8 0x7ff93e91a49d in LdrGetDllHandleEx+0xad (C:\Windows\SYSTEM32\ntdll.dll+0x18002a49d)
#9 0x7ff93e91b2ab in LdrGetDllHandle+0x1b (C:\Windows\SYSTEM32\ntdll.dll+0x18002b2ab)
#10 0x7ff93c396da5 in GetModuleHandleW+0x35 (C:\Windows\System32\KERNELBASE.dll+0x180056da5)
#11 0x7ff916e5606a in mozilla::glue::ModuleLoadFrame::ModuleLoadFrame /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/ModuleLoadFrame.cpp:86

The only thing I can think is happening here is somehow the file that is being mapped is being unloaded from underneath this thread.
mccr8 - what is doing the poisoning here?
There are checks on the data in GetImageInfoFromModule before this (VerifyMagic) and getting the exports must have worked.

The pointer for the name ending in 5c76 points to this being for the Windows.Security.Integrity.dll.
Which makes sense because this load is triggered by this call to GetActivationFactory.

Given where this is crashing I don't think it would happen in opt/shippable builds.
It crashes when profiler_shutdown is triggered by the function teardown at the end of XRE_InitChildProcess.
Normally I think we exit early in ContentChild::ActorDestroy, which is before we leave uiMessageLoop.MessageLoop::Run in XRE_InitChildProcess.

Not really sure what we can do about this.

Flags: needinfo?(continuation)

(In reply to Bob Owen (:bobowen) from comment #5)

The only thing I can think is happening here is somehow the file that is being mapped is being unloaded from underneath this thread.
mccr8 - what is doing the poisoning here?

I think this ASan use-after-poison indicator means that somebody called __asan_poison_memory_region on the region of memory. For instance, if you had a vector data structure and shrunk it down, but didn't return the memory, then you could call __asan_poison_memory_region on the tail part of it that you are no longer using. It looks like we call into this function via MOZ_MAKE_MEM_NOACCESS.

I have no idea why ASan doesn't store the stack of the call doing the poisoning, so it is hard to figure out what might be going on.

Flags: needinfo?(continuation)

(In reply to Andrew McCreight [:mccr8] from comment #6)

(In reply to Bob Owen (:bobowen) from comment #5)

The only thing I can think is happening here is somehow the file that is being mapped is being unloaded from underneath this thread.
mccr8 - what is doing the poisoning here?

I think this ASan use-after-poison indicator means that somebody called __asan_poison_memory_region on the region of memory. For instance, if you had a vector data structure and shrunk it down, but didn't return the memory, then you could call __asan_poison_memory_region on the tail part of it that you are no longer using. It looks like we call into this function via MOZ_MAKE_MEM_NOACCESS.

I have no idea why ASan doesn't store the stack of the call doing the poisoning, so it is hard to figure out what might be going on.

Most of the uses of MOZ_MAKE_MEM_NOACCESS seem to be JS based, so I don't think it can be via that.
Serge - any ideas as to whether we can find out where this poisoning is happening? Like we do with UAFs for example.

Flags: needinfo?(sguelton)

Even though this particular trigger should not be able to happen in release builds because of QuickExit, it is possible that a similar scenario could happen.
GetModuleHandleW is only used in the older fallback DLL blocklist.
It is used to determine if the DLL is already loaded; we don't need this for the new blocklist because we also hook NtMapViewOfSection, so we can determine this during the load.
I don't know if we have any metrics on the usage of the new and old blocklists.

As far as I can tell, the already loaded flag is only used for knowing if we have already logged details about the module, so we might be able to use another mechanism for this. A map tracking loaded modules maybe.

I don't have metrics specifically on the percentage of users who have the launcher process turned on vs. off, but we do get a significant number of launcher process failures, which will cause the launcher process to get turned off. So I think we do have to handle this case for the old blocklist.

I think a map tracking loaded modules is a good option to work around this.

Assignee: bobowencode → gstoll
Status: NEW → ASSIGNED

Most of the uses of MOZ_MAKE_MEM_NOACCESS seem to be JS based, so I don't think it can be via that.
Serge - any ideas as to whether we can find out where this poisoning is happening? Like we do with UAFs for example.

I have no clue, but I can dig into this if needs be - I don't have a windows machine at hand, but I can try to come up with a theoretical explanation at least :-)

Flags: needinfo?(sguelton)

Hello,

Sorry I am a bit late to the party. Following the proper stack shared in comment 5, I have looked at the conditions under which LdrpFindLoadedDllByMappingFile gets called, and I do not think this is a race condition. I think the problem is as follows:

  • LdrpFindLoadedDllByMappingFile seems to be called when we do not manage to find a module just based on the DLL name directly, but the path we use in GetModuleHandle can be resolved to a file on disk;
  • in that case, LdrpFindLoadedDllByMappingFile will call NtMapViewOfSection to map the DLL file and somehow try to find the module based on that;
  • however the file is mapped as raw bytes, resulting in a different memory layout from the one we would have if we were truly loading the library;
  • but our (outdated) chromium sandbox code identifies this call to NtMapViewOfSection as if we were loading a library;
  • it will resolve the DLL name found in the export directory as an RVA, but this is wrong since the file is mapped as raw bytes, so the string will point to a wrong location;
  • somehow sometimes ASAN realizes that the string points to a wrong location.

I believe the proper fix is to update our implementation for IsValidImageSection based on the changes that chromium people have integrated themselves. We currently have diverged:

https://searchfox.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc#379-408
https://source.chromium.org/chromium/chromium/src/+/main:sandbox/win/src/sandbox_nt_util.cc;l=377

In particular, there is a comment that states:

  // Windows 10 2009+ may open PEs as SEC_IMAGE_NO_EXECUTE in non-dll-loading
  // paths which looks identical to dll-loading unless we check if the section
  // handle has execute rights.

Oh, this makes a lot of sense. Thanks - I'll abandon the current review and get going on a new one.

Attachment #9323996 - Attachment is obsolete: true

Bob, comment 12 seems to indicate it may be time to consider updating our sandboxing code anyway.

Flags: needinfo?(bobowencode)

Yeah, my "fix" is going to be to just apply a patch manually. I assume it makes more sense to do that for now until we decide to update our sandboxing code since I presume that's a more involved process :-)

Comment on attachment 9324509 [details]
Bug 1818762 - update our implementation of IsValidImageSection r=yjuglaret!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I don't think it would be very easy. This function is only used one place, so people could get the idea that we are not rejecting some kinds of DLL images that we should be, but there's not much of a hint after that.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all of them
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: They would be pretty easy and not risky to make. I haven't done so because we're not even sure this is actually exploitable.
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely to cause regressions. We're getting intermittent failures about this so hopefully those will go away and we will know that the patch worked.
  • Is Android affected?: No
Attachment #9324509 - Flags: sec-approval?

Comment on attachment 9324509 [details]
Bug 1818762 - update our implementation of IsValidImageSection r=yjuglaret!

Approved to land and request uplift

Attachment #9324509 - Flags: sec-approval? → sec-approval+
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
Group: dom-core-security → core-security-release

Please nominate this for Beta and ESR102 approval when you get a chance. Also, do we need to get a bug on file for updating our sandbox code in general?

Uplift Approval Request

  • Needs manual QE test: no
  • User impact if declined: more exposure to a possible security bug
  • Fix verified in Nightly: yes
  • Steps to reproduce for manual QE testing: n/a
  • Is Android affected?: no
  • String changes made/needed: none
  • Code covered by automated testing: yes
  • Explanation of risk level: It's just a better check for when we should ignore DLL loads
  • Risk associated with taking this patch: very low

Uplift Approval Request

  • Risk associated with taking this patch: very low
  • Explanation of risk level: It's just a better check for when we should ignore DLL loads
  • Code covered by automated testing: yes
  • Is Android affected?: no
  • String changes made/needed: none
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Fix verified in Nightly: yes
  • User impact if declined: more exposure to a possible security bug

Thanks, I've requested uplift for both of those.

Yes, we should probably look into updating the sandbox code, looks like the last time we did this was in 2020. :bobowen has done this in the past so I'll NI him here (he's on PTO right now)

Flags: needinfo?(gstoll)

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)

Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main112+r]
Whiteboard: [post-critsmash-triage][adv-main112+r] → [post-critsmash-triage][adv-main112+r][adv-esr102.10+r]
Flags: needinfo?(bobowencode)
Group: core-security-release