Closed Bug 1854911 Opened 8 months ago Closed 6 months ago

Crash in [@ g_dbus_connection_call_sync_internal]

Categories

(Core :: Widget: Gtk, defect)

Tracking

RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox118 --- wontfix
firefox119 --- wontfix
firefox120 --- fixed
firefox121 --- fixed

People

(Reporter: gsvelto, Assigned: stransky)

Details

(4 keywords, Whiteboard: [adv-main120+r])

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/c0750a24-5fe0-48a4-84ba-ab5990230924

Reason: SIGSEGV / SI_KERNEL

Top 10 frames of crashing thread:

0  libgio-2.0.so.0  g_dbus_connection_call_sync_internal  /usr/src/debug/glib2/glib/gio/gdbusconnection.c:6067
1  libgio-2.0.so.0  g_dbus_proxy_call_sync_internal  /usr/src/debug/glib2/glib/gio/gdbusproxy.c:2848
2  libgio-2.0.so.0  g_dbus_proxy_call_sync  /usr/src/debug/glib2/glib/gio/gdbusproxy.c:3040
3  libxul.so  UserIdleServiceMutter::PollIdleTime  widget/gtk/nsUserIdleServiceGTK.cpp:160
4  libxul.so  nsUserIdleService::GetIdleTime  widget/nsUserIdleService.cpp:632
5  libxul.so  nsUserIdleService::IdleTimerCallback  widget/nsUserIdleService.cpp:694
5  libxul.so  nsUserIdleService::StaticIdleTimerCallback  widget/nsUserIdleService.cpp:681
6  libxul.so  nsTimerImpl::Fire const  xpcom/threads/nsTimerImpl.cpp:680
6  libxul.so  mozilla::detail::VariantImplementation<unsigned char,   mfbt/Variant.h:309
6  libxul.so  mozilla::detail::VariantImplementation<unsigned char,   mfbt/Variant.h:318

Pretty clear-cut use-after-free crash. It's affecting several distros and mostly happening on nightly/beta. I'm unsure if it's our fault or maybe something changed in the system libraries and led to this.

Flags: needinfo?(stransky)

There's a range of OS vendors and versions involved here. All involve libgio-2.0.so.0 but I don't know if that name hides different minor versions. The hashes are different, but that doesn't mean anything if they were compiled by different versions of the compiler on the different versions of the OS.

There are crashes on ESR 115.2.1 which corresponds to the earliest affected Release version 117.0.1 -- could it be a regression from the chemspill? That stack has nothing to do with the webp changes, but I know a lot more went into 117.0.1. I don't know if there were fixes already planned for a 115.2.1 before the webp chemspill hijacked the release. The earliest crashes were in a beta build 20230910175934 and several the next day which would have been before we started working on the webp bug.

Group: core-security → dom-core-security

org.gnome.Mutter.IdleMonitor was implemented by Bug 1847699 (118.0)
UAF regression was fixed for 118.0b9 (Bug 1850968) but that was a start up crash.

Flags: needinfo?(stransky)
Keywords: sec-high

Emilio, this is a sec-high. Can you take a look and see if there's anything obviously wrong?

Flags: needinfo?(emilio)

Martin has recently reworked this to not be sync anymore in bug 1861615, so should've fixed this effectively.

Depends on: 1861615
Flags: needinfo?(emilio)

Yeah, dupe of Bug 1861615.

I don't see any crashes in nightly since 20231103093836 (when bug 1861615 landed in central 121)
nor in beta since 120.0b7 (when bug 1861615 was uplifted to beta 120).

Closing this as fixed in 120/121.
Pls re-open if there is further work to be done here

Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED

What should we do about ESR115?

Assignee: nobody → stransky
Group: dom-core-security → core-security-release
Flags: needinfo?(stransky)
Target Milestone: --- → 121 Branch

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

> What should we do about ESR115?

UserIdleServiceMutter::PollIdleTime() was implemented by Bug 1847699 in 118.0. ESR is not affected by this one. If you see a DBus related crash there, it's from a different bug, or the idle patches were backported downstream.

Flags: needinfo?(stransky)

For instance, this crash https://crash-stats.mozilla.org/report/index/2352299e-6a24-4bd9-b7dd-a83620231103 (gio/dbus) comes from an external library and not from Firefox itself, so it's not directly related to Firefox.

QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main120+r][adv-esr115.5+r]
Whiteboard: [adv-main120+r][adv-esr115.5+r] → [adv-main120+r]

Looks like a bug in an external library (DBus). The same error is triggered from various Firefox components and various external libraries which use DBus: libnotify, the gio vfs interface.

See Also: → 1834219

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release