Closed
Bug 1846526
Opened 1 year ago
Closed 1 year ago
AddressSanitizer: heap-use-after-free [@ operator!] with READ of size 4
Categories
(Core :: DOM: Service Workers, defect)
People
(Reporter: jkratzer, Assigned: jesup)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf, sec-high, testcase-wanted, Whiteboard: [bugmon:confirm] [adv-main117+r] [adv-esr115.2+r] [adv-esr102.15+r])
Attachments
(2 files)
Attachment 1: 18.18 KB, text/plain
Attachment 2: 48 bytes, text/x-phabricator-request
  dveditz: approval-mozilla-beta+
  RyanVM: approval-mozilla-esr102+
  RyanVM: approval-mozilla-esr115+
  dveditz: sec-approval+
Found while fuzzing mozilla-central rev ce5b2b0d4bc0 (built with: --enable-address-sanitizer --enable-fuzzing).
I don't currently have a working testcase for this issue.
AddressSanitizer: heap-use-after-free [@ operator!] with READ of size 4
=================================================================
==121183==ERROR: AddressSanitizer: heap-use-after-free on address 0x63b90f20 at pc 0xe08b0db0 bp 0xff86c998 sp 0xff86c990
READ of size 4 at 0x63b90f20 thread T0
#0 0xe08b0daf in operator! /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:350:36
#1 0xe08b0daf in Ensure /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1362:9
#2 0xe08b0daf in mozilla::dom::FetchEventOpChild::SendFetchEvent(mozilla::dom::PRemoteWorkerControllerChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>, RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>, RefPtr<mozilla::dom::FetchServicePromises>&&, RefPtr<mozilla::dom::KeepAliveToken>&&) /gecko/dom/serviceworkers/FetchEventOpChild.cpp:202:32
#3 0xe09ae249 in mozilla::dom::ServiceWorkerPrivate::SendFetchEventInternal(RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>&&, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>&&, RefPtr<mozilla::dom::FetchServicePromises>&&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:986:3
#4 0xe09bab03 in mozilla::dom::ServiceWorkerPrivate::SendFetchEvent(nsCOMPtr<nsIInterceptedChannel>, nsILoadGroup*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:958:10
#5 0xe0a0dbea in mozilla::dom::(anonymous namespace)::ContinueDispatchFetchEventRunnable::Run() /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2048:33
#6 0xd48aaf41 in mozilla::PermissionManager::WhenPermissionsAvailable(nsIPrincipal*, nsIRunnable*) /gecko/extensions/permissions/PermissionManager.cpp:3500:16
#7 0xe0954ac9 in mozilla::dom::ServiceWorkerManager::DispatchFetchEvent(nsIInterceptedChannel*, mozilla::ErrorResult&) /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2235:14
#8 0xe0953d4e in mozilla::dom::ServiceWorkerInterceptController::ChannelIntercepted(nsIInterceptedChannel*) /gecko/dom/serviceworkers/ServiceWorkerInterceptController.cpp:165:8
#9 0xd350c2a7 in ChannelIntercepted /gecko/netwerk/protocol/http/ParentChannelListener.cpp:218:34
#10 0xd350c2a7 in non-virtual thunk to mozilla::net::ParentChannelListener::ChannelIntercepted(nsIInterceptedChannel*) /gecko/netwerk/protocol/http/ParentChannelListener.cpp
#11 0xd34471e5 in mozilla::net::InterceptedHttpChannel::AsyncOpenInternal() /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:189:20
#12 0xd344f870 in mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:617:3
#13 0xd344fb47 in non-virtual thunk to mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp
#14 0xd360c61a in mozilla::net::nsHttpChannel::OpenRedirectChannel(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2986:26
#15 0xd3608547 in mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2954:10
#16 0xd3672164 in mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:8684:14
#17 0xd3672a3a in non-virtual thunk to mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp
#18 0xd23449b8 in mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run() /gecko/netwerk/base/nsAsyncRedirectVerifyHelper.cpp:41:22
#19 0xd1e35694 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:559:16
#20 0xd1e173f7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:886:26
#21 0xd1e12bde in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:709:15
#22 0xd1e13861 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:495:36
#23 0xd1e3fae0 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
#24 0xd1e3fae0 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
#25 0xd1e79569 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
#26 0xd1e8caca in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#27 0xd41a7aed in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#28 0xd3f44b4c in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
#29 0xd3f44b4c in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
#30 0xd3f44b4c in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
#31 0xe0ebf3bf in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
#32 0xe7e5b669 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#33 0xe825488a in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5672:22
#34 0xe82578e1 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5873:8
#35 0xe82596a2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5929:21
#36 0xe8287641 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/Bootstrap.cpp:45:12
#37 0x567b91ea in do_main /gecko/browser/app/nsBrowserApp.cpp:227:22
#38 0x567b91ea in main /gecko/browser/app/nsBrowserApp.cpp:445:16
#39 0xf7915518 (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
#40 0xf79155f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
#41 0x566d0ce0 in _start (/home/worker/builds/linux32-m-c-20230730210800-fuzzing-asan-opt/firefox-bin+0xe7ce0) (BuildId: 1892929de9b1fbcf552cf2884abc0b34ac0b9fa6)
0x63b90f20 is located 928 bytes inside of 952-byte region [0x63b90b80,0x63b90f38)
freed by thread T0 here:
#0 0x56775f66 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0xe08b1846 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
#2 0xe08b1846 in mozilla::dom::FetchEventOpChild::~FetchEventOpChild() /gecko/dom/serviceworkers/FetchEventOpChild.cpp:205:41
#3 0xdfefcbb9 in DeallocPFetchEventOpChild /gecko/dom/workers/remoteworkers/RemoteWorkerControllerChild.cpp:45:3
#4 0xdfefcbb9 in mozilla::dom::PRemoteWorkerControllerChild::DeallocManagee(int, mozilla::ipc::IProtocol*) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteWorkerControllerChild.cpp:312:58
#5 0xd233e683 in mozilla::ipc::IProtocol::ActorDealloc() /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:318:18
#6 0xd41cc1fc in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /gecko/ipc/glue/ProtocolUtils.cpp:261:11
#7 0xdfefca37 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:643:3
#8 0xdfefca37 in mozilla::dom::PRemoteWorkerControllerChild::RemoveManagee(int, mozilla::ipc::IProtocol*) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteWorkerControllerChild.cpp:299:13
#9 0xdfef9849 in mozilla::dom::PRemoteWorkerControllerChild::SendPFetchEventOpConstructor(mozilla::dom::PFetchEventOpChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteWorkerControllerChild.cpp:164:14
#10 0xe08b0c3c in mozilla::dom::FetchEventOpChild::SendFetchEvent(mozilla::dom::PRemoteWorkerControllerChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>, RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>, RefPtr<mozilla::dom::FetchServicePromises>&&, RefPtr<mozilla::dom::KeepAliveToken>&&) /gecko/dom/serviceworkers/FetchEventOpChild.cpp:200:23
#11 0xe09ae249 in mozilla::dom::ServiceWorkerPrivate::SendFetchEventInternal(RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>&&, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>&&, RefPtr<mozilla::dom::FetchServicePromises>&&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:986:3
#12 0xe09bab03 in mozilla::dom::ServiceWorkerPrivate::SendFetchEvent(nsCOMPtr<nsIInterceptedChannel>, nsILoadGroup*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:958:10
#13 0xe0a0dbea in mozilla::dom::(anonymous namespace)::ContinueDispatchFetchEventRunnable::Run() /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2048:33
#14 0xd48aaf41 in mozilla::PermissionManager::WhenPermissionsAvailable(nsIPrincipal*, nsIRunnable*) /gecko/extensions/permissions/PermissionManager.cpp:3500:16
#15 0xe0954ac9 in mozilla::dom::ServiceWorkerManager::DispatchFetchEvent(nsIInterceptedChannel*, mozilla::ErrorResult&) /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2235:14
#16 0xe0953d4e in mozilla::dom::ServiceWorkerInterceptController::ChannelIntercepted(nsIInterceptedChannel*) /gecko/dom/serviceworkers/ServiceWorkerInterceptController.cpp:165:8
#17 0xd350c2a7 in ChannelIntercepted /gecko/netwerk/protocol/http/ParentChannelListener.cpp:218:34
#18 0xd350c2a7 in non-virtual thunk to mozilla::net::ParentChannelListener::ChannelIntercepted(nsIInterceptedChannel*) /gecko/netwerk/protocol/http/ParentChannelListener.cpp
#19 0xd34471e5 in mozilla::net::InterceptedHttpChannel::AsyncOpenInternal() /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:189:20
#20 0xd344f870 in mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:617:3
#21 0xd344fb47 in non-virtual thunk to mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp
#22 0xd360c61a in mozilla::net::nsHttpChannel::OpenRedirectChannel(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2986:26
#23 0xd3608547 in mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2954:10
#24 0xd3672164 in mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:8684:14
#25 0xd3672a3a in non-virtual thunk to mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp
#26 0xd23449b8 in mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run() /gecko/netwerk/base/nsAsyncRedirectVerifyHelper.cpp:41:22
#27 0xd1e35694 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:559:16
#28 0xd1e173f7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:886:26
#29 0xd1e12bde in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:709:15
#30 0xd1e13861 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:495:36
#31 0xd1e3fae0 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
#32 0xd1e3fae0 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
#33 0xd1e79569 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
#34 0xd1e8caca in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
previously allocated by thread T0 here:
#0 0x567761b0 in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x567c00e6 in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
#2 0xe08b0bdb in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
#3 0xe08b0bdb in mozilla::dom::FetchEventOpChild::SendFetchEvent(mozilla::dom::PRemoteWorkerControllerChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>, RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>, RefPtr<mozilla::dom::FetchServicePromises>&&, RefPtr<mozilla::dom::KeepAliveToken>&&) /gecko/dom/serviceworkers/FetchEventOpChild.cpp:194:30
#4 0xe09ae249 in mozilla::dom::ServiceWorkerPrivate::SendFetchEventInternal(RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>&&, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>&&, RefPtr<mozilla::dom::FetchServicePromises>&&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:986:3
#5 0xe09bab03 in mozilla::dom::ServiceWorkerPrivate::SendFetchEvent(nsCOMPtr<nsIInterceptedChannel>, nsILoadGroup*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:958:10
#6 0xe0a0dbea in mozilla::dom::(anonymous namespace)::ContinueDispatchFetchEventRunnable::Run() /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2048:33
#7 0xd48aaf41 in mozilla::PermissionManager::WhenPermissionsAvailable(nsIPrincipal*, nsIRunnable*) /gecko/extensions/permissions/PermissionManager.cpp:3500:16
#8 0xe0954ac9 in mozilla::dom::ServiceWorkerManager::DispatchFetchEvent(nsIInterceptedChannel*, mozilla::ErrorResult&) /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2235:14
#9 0xe0953d4e in mozilla::dom::ServiceWorkerInterceptController::ChannelIntercepted(nsIInterceptedChannel*) /gecko/dom/serviceworkers/ServiceWorkerInterceptController.cpp:165:8
#10 0xd350c2a7 in ChannelIntercepted /gecko/netwerk/protocol/http/ParentChannelListener.cpp:218:34
#11 0xd350c2a7 in non-virtual thunk to mozilla::net::ParentChannelListener::ChannelIntercepted(nsIInterceptedChannel*) /gecko/netwerk/protocol/http/ParentChannelListener.cpp
#12 0xd34471e5 in mozilla::net::InterceptedHttpChannel::AsyncOpenInternal() /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:189:20
#13 0xd344f870 in mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:617:3
#14 0xd344fb47 in non-virtual thunk to mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp
#15 0xd360c61a in mozilla::net::nsHttpChannel::OpenRedirectChannel(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2986:26
#16 0xd3608547 in mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2954:10
#17 0xd3672164 in mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:8684:14
#18 0xd3672a3a in non-virtual thunk to mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp
#19 0xd23449b8 in mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run() /gecko/netwerk/base/nsAsyncRedirectVerifyHelper.cpp:41:22
#20 0xd1e35694 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:559:16
#21 0xd1e173f7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:886:26
#22 0xd1e12bde in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:709:15
#23 0xd1e13861 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:495:36
#24 0xd1e3fae0 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
#25 0xd1e3fae0 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
#26 0xd1e79569 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
#27 0xd1e8caca in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#28 0xd41a7aed in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#29 0xd3f44b4c in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
#30 0xd3f44b4c in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
#31 0xd3f44b4c in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
#32 0xe0ebf3bf in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
#33 0xe7e5b669 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#34 0xe825488a in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5672:22
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:350:36 in operator!
Shadow bytes around the buggy address:
0x63b90c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x63b90d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x63b90d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x63b90e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x63b90e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x63b90f00: fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa fa
0x63b90f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x63b91000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x63b91080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x63b91100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x63b91180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==121183==ABORTING
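The trace above pins the free inside SendPFetchEventOpConstructor (called from FetchEventOpChild.cpp:200) and the bad read two lines later at FetchEventOpChild.cpp:202, reached through MozPromise Ensure and RefPtr's operator!: the failed constructor send removed the managee, which ran ~FetchEventOpChild while SendFetchEvent was still executing, and the function then read a member of the just-created, already destroyed object. The following C++ is an added illustration of that lifetime hazard and of the defensive shape; it is not Gecko code and not the patch that landed. Actor, Manager, sendConstructor, unsafeSendWouldUseAfterFree and safeSend are hypothetical stand-ins, and the IPC failure is simulated by a closed-channel flag.

```cpp
// Added illustration, not Firefox/Gecko code. "Actor" and "Manager" are
// hypothetical stand-ins for an IPC-managed actor and its manager. They model
// only the rule visible in the ASan trace: a failed constructor send removes
// (and thereby destroys) the managee synchronously, before the caller returns.
#include <algorithm>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Actor {
    std::string name;
    bool promiseResolved = false;  // stands in for the member read after the send
    explicit Actor(std::string n) : name(std::move(n)) {}
};

struct Manager {
    bool channelOpen;                               // false simulates the IPC error
    std::vector<std::shared_ptr<Actor>> managees;   // the manager owns its managees

    explicit Manager(bool open) : channelOpen(open) {}

    std::shared_ptr<Actor> addManagee(const std::string& name) {
        auto actor = std::make_shared<Actor>(name);
        managees.push_back(actor);
        return actor;
    }

    // Models the constructor send: returns false on an IPC error and, in that
    // case, drops the manager's reference immediately. If nobody else holds
    // the actor, it is destroyed right here, inside the call.
    bool sendConstructor(Actor* actor) {
        if (channelOpen) {
            return true;
        }
        managees.erase(
            std::remove_if(managees.begin(), managees.end(),
                           [actor](const std::shared_ptr<Actor>& p) { return p.get() == actor; }),
            managees.end());
        return false;
    }
};

// The buggy shape: the caller keeps only a raw pointer, ignores the send's
// result, and touches a member afterwards. Instead of dereferencing a possibly
// dangling pointer (undefined behaviour), the example watches the object
// through a weak_ptr and reports whether that access would have been a
// use-after-free.
bool unsafeSendWouldUseAfterFree(bool channelOpen) {
    Manager manager(channelOpen);
    std::weak_ptr<Actor> watch;
    Actor* raw = nullptr;
    {
        std::shared_ptr<Actor> created = manager.addManagee("fetch-op");
        watch = created;
        raw = created.get();
    }  // only the manager owns the actor from here on

    manager.sendConstructor(raw);  // error result ignored: this is the bug

    if (watch.expired()) {
        return true;  // the next line would read freed memory, as in the trace
    }
    raw->promiseResolved = true;
    return false;
}

// The hardened shape: hold a strong reference across the send so the object
// cannot vanish mid-call, and handle the IPC error before touching any member.
// Returns true only when the send succeeded and the member was updated.
bool safeSend(bool channelOpen) {
    Manager manager(channelOpen);
    std::shared_ptr<Actor> keepAlive = manager.addManagee("fetch-op");

    if (!manager.sendConstructor(keepAlive.get())) {
        // The manager has already dropped its reference; we still own one, so
        // the object is alive, but its lifecycle is over: bail out without
        // touching it further.
        return false;
    }
    keepAlive->promiseResolved = true;
    return true;
}
```

Both halves of the fix matter independently: the strong reference makes any read after the send defined, and the early return makes sure no work is done on an actor whose constructor never reached the other side. Under ASan, the unsafe shape with a real dereference is exactly the "freed by thread T0 here" / "READ of size 4" pair shown in the report.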
Comment 1•1 year ago (Reporter)
Updated•1 year ago (Reporter)
Group: core-security, dom-core-security
Updated•1 year ago (Reporter)
Group: dom-core-security
Comment 2•1 year ago (Assignee)
Updated•1 year ago
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Updated•1 year ago
Group: core-security → dom-core-security
Keywords: csectype-uaf, sec-high
Comment 3•1 year ago (Assignee)
Comment on attachment 9346938 [details]
Bug 1846526: Handle IPC error condition r=nika
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Hard. A comment mentions that it may have been destroyed, but it'd be quite hard to go from there to an exploit.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: trivial
- How likely is this patch to cause regressions; how much testing does it need?: very unlikely to cause regressions
- Is Android affected?: Yes
Attachment #9346938 - Flags: sec-approval?
Updated•1 year ago
status-firefox116: --- → wontfix
status-firefox117: --- → affected
status-firefox118: --- → affected
status-firefox-esr102: --- → affected
status-firefox-esr115: --- → affected
Updated•1 year ago
Comment 4•1 year ago
Comment on attachment 9346938 [details]
Bug 1846526: Handle IPC error condition r=nika
sec-approval+ = dveditz
a=dveditz for beta 117 uplift so we can get max real-world feedback
Attachment #9346938 - Flags: sec-approval?
Attachment #9346938 - Flags: sec-approval+
Attachment #9346938 - Flags: approval-mozilla-beta+
Pushed by rjesup@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6d48f2fd0bf9 Handle IPC error condition r=nika
Comment 6•1 year ago
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
Comment 8•1 year ago
^ Landed for 117.0b7.
Updated•1 year ago
QA Whiteboard: [post-critsmash-triage] [qa-triaged]
Comment 9•1 year ago
Comment on attachment 9346938 [details]
Bug 1846526: Handle IPC error condition r=nika
Approved for 115.2esr and 102.15esr.
Attachment #9346938 - Flags: approval-mozilla-esr115+
Attachment #9346938 - Flags: approval-mozilla-esr102+
Comment 10•1 year ago
uplift: https://hg.mozilla.org/releases/mozilla-esr115/rev/24fcf3c75dec
Updated•1 year ago
Comment 11•1 year ago
uplift: https://hg.mozilla.org/releases/mozilla-esr102/rev/72845771a432
Updated•1 year ago
Updated•1 year ago
Whiteboard: [bugmon:confirm] → [bugmon:confirm] [adv-main117+r] [adv-esr115.2+r] [adv-esr102.15+r]
Updated•9 months ago
Group: core-security-release