Closed Bug 1821448 Opened 2 years ago Closed 2 years ago

Crash in [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess<T> ]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows 11
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox-esr102 112+ fixed
firefox111 --- wontfix
firefox112 + fixed
firefox113 + fixed

People

(Reporter: mccr8, Assigned: Jamie)

References

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main112+r][adv-esr102.10+r])

Crash Data

Attachments

(1 file)

Bug 1821448: Improve handling of reentry in MsaaAccessible::VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess.
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr102+
tjr
: sec-approval+
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/f98b8116-94a4-4e2c-8fe7-065180230308

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::Length const  xpcom/ds/nsTArray.h:410
0  xul.dll  nsTArray_Impl<mozilla::dom::PBrowserBridgeParent*, nsTArrayInfallibleAllocator>::ElementAt const  xpcom/ds/nsTArray.h:1204
0  xul.dll  mozilla::ArrayIterator<mozilla::dom::PBrowserBridgeParent*const&, nsTArray_Impl<mozilla::dom::PBrowserBridgeParent*, nsTArrayInfallibleAllocator> >::operator* const  xpcom/ds/ArrayIterator.h:107
0  xul.dll  std::all_of  /builds/worker/fetches/vs/VC/Tools/MSVC/14.16.27023/include/algorithm:500
0  xul.dll  VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess<`lambda at /builds/worker/checkouts/gecko/accessible/windows/msaa/MsaaAccessible.cpp:725:21'>  accessible/windows/msaa/MsaaAccessible.cpp:678
1  xul.dll  mozilla::a11y::MsaaAccessible::GetRemoteIAccessibleFor  accessible/windows/msaa/MsaaAccessible.cpp:743
2  xul.dll  mozilla::a11y::MsaaAccessible::GetIAccessibleFor  accessible/windows/msaa/MsaaAccessible.cpp:550
3  xul.dll  mozilla::a11y::MsaaAccessible::get_accChild  accessible/windows/msaa/MsaaAccessible.cpp:970
4  xul.dll  mozilla::a11y::LazyInstantiator::get_accChild  accessible/windows/msaa/LazyInstantiator.cpp:563
5  rpcrt4.dll  Invoke

There are a few crashes that look like this, on jemalloc poison values, indicating a use after free. I don't know if it is a duplicate of an existing issue. My guess is that this is caused by ManagedPBrowserBridgeParent() being modified during the iteration.

Bug 1739372 is a prior issue with a UAF involving VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess, so maybe this is similar.

Here are a few more crashes like this:
bp-a70187ed-9884-4f5c-aa13-4a80d0230308
bp-d62e5269-cf74-4f06-a03e-98c9a0230306

This looks similar, except we're hitting a release assert for some reason: bp-b14a57ea-5cc6-40ef-bb4a-035d50230307

I'll file a bug about adding ArrayIterator to the prefix list so these signatures are less generic.

Depends on: 1737193
Severity: -- → S3

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:Jamie, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)

My bad, I missed the fact that this was a sec-high.

Severity: S3 → S2
Flags: needinfo?(jteh)
Assignee: nobody → jteh
Status: NEW → ASSIGNED

This signature looks similar, and there are also UAFs under it.

Crash Signature: [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | mozilla::ArrayIterator<T>::operator*] → [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | mozilla::ArrayIterator<T>::operator*] [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::end | mozilla::ManagedContainer<T>::end ]

Updating with a new signature after bug 1821453.

Crash Signature: [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | mozilla::ArrayIterator<T>::operator*] [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::end | mozilla::ManagedContainer<T>::end ] → [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | mozilla::ArrayIterator<T>::operator*] [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::end | mozilla::ManagedContainer<T>::end ] [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | VisitD…

I'll make that the signature in the summary because it is more useful.

Summary: Crash in [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | mozilla::ArrayIterator<T>::operator*] → Crash in [@ nsTArray_base<T>::Length | nsTArray_Impl<T>::ElementAt | VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess<T> ]

Comment on attachment 9325096 [details]
Bug 1821448: Improve handling of reentry in MsaaAccessible::VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unfortunately, the addition of RefPtr in a few places strongly hints at us fixing a UAF. That said, this is likely difficult to exploit due to its rarity and coordinating a race between two or three processes.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: ESR 102, beta
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should apply cleanly or be very easy to create.
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely to cause regressions; just an array copy and holding temporary references.
  • Is Android affected?: No
Attachment #9325096 - Flags: sec-approval?

Comment on attachment 9325096 [details]
Bug 1821448: Improve handling of reentry in MsaaAccessible::VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess.

Approved to request uplift and land

Attachment #9325096 - Flags: sec-approval? → sec-approval+

https://hg.mozilla.org/mozilla-central/rev/f9785025e232

Go ahead and request Beta & ESR approval on this whenever you're comfortable doing so.

Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox113: affectedfixed
Flags: needinfo?(jteh)
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

Comment on attachment 9325096 [details]
Bug 1821448: Improve handling of reentry in MsaaAccessible::VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess.

Beta/Release Uplift Approval Request

  • User impact if declined: Crash, UAF.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just an array copy and holding temporary references.
  • String changes made/needed:
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Crash, UAF.
  • Fix Landed on Version: 113
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just an array copy and holding temporary references.
Flags: needinfo?(jteh)
Attachment #9325096 - Flags: approval-mozilla-esr102?
Attachment #9325096 - Flags: approval-mozilla-beta?

Comment on attachment 9325096 [details]
Bug 1821448: Improve handling of reentry in MsaaAccessible::VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess.

Approved for 112.0b9

Attachment #9325096 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9325096 [details]
Bug 1821448: Improve handling of reentry in MsaaAccessible::VisitDocAccessibleParentDescendantsAtTopLevelInContentProcess.

Approved for 102.10esr.

Attachment #9325096 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main112+r]
Whiteboard: [post-critsmash-triage][adv-main112+r] → [post-critsmash-triage][adv-main112+r][adv-esr102.10+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: