Closed Bug 1841123 Opened 1 year ago Closed 1 year ago

Crash in [@ mozilla::ipc::DataPipeReceiver::AsyncWait::<T>::operator()]

Categories

(Core :: Networking, defect)

Unspecified
All
defect

RESOLVED DUPLICATE of bug 1839703

People

(Reporter: gsvelto, Unassigned)

Details

(Keywords: crash, csectype-uaf)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/75a706bc-80ea-4de3-bcb4-881980230629

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  mozilla::ipc::DataPipeReceiver::AsyncWait::<lambda_8>::operator const  ipc/glue/DataPipe.cpp:660
0  xul.dll  NS_NewCancelableRunnableFunction<`lambda at /builds/worker/checkouts/gecko/ipc/glue/DataPipe.cpp:656:23'>::FuncCancelableRunnable::Run  xpcom/threads/nsThreadUtils.h:667
1  xul.dll  mozilla::dom::  dom/workers/WorkerPrivate.cpp:202
2  xul.dll  mozilla::dom::WorkerRunnable::Run  dom/workers/WorkerRunnable.cpp:377
3  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1234
3  xul.dll  NS_ProcessNextEvent  xpcom/threads/nsThreadUtils.cpp:479
4  xul.dll  mozilla::dom::WorkerPrivate::DoRunLoop  dom/workers/WorkerPrivate.cpp:3287
5  xul.dll  mozilla::dom::workerinternals::  dom/workers/RuntimeService.cpp:2149
6  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1234
6  xul.dll  NS_ProcessNextEvent  xpcom/threads/nsThreadUtils.cpp:479

This appears to be a use-after-free crash. I'm not sufficiently familiar with the code to be able to tell what's going on but we're clearly accessing a dead object.

Seems to be the same as bug 1839703?

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2023-3600
Resolution: --- → DUPLICATE
Group: network-core-security