Poison crash in [@ mozilla::a11y::Accessible::AsRemote] with FSDomNodeFirefoxMP.DLL
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
People
(Reporter: mccr8, Assigned: Jamie)
References
Details
(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [adv-main121+r][adv-esr115.6+r])
Crash Data
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
tjr
:
sec-approval+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr115+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/ff2449f5-9543-4abe-9bc2-302360231104
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll mozilla::a11y::Accessible::AsRemote accessible/ipc/RemoteAccessible.h:505
0 xul.dll mozilla::a11y::MsaaAccessible::GetFrom accessible/windows/msaa/MsaaAccessible.cpp:479
0 xul.dll mozilla::a11y::MsaaAccessible::NativeAccessible accessible/windows/msaa/MsaaAccessible.cpp:452
1 xul.dll mozilla::a11y::ia2AccessibleRelation::ia2AccessibleRelation accessible/windows/ia2/ia2AccessibleRelation.cpp:21
2 xul.dll mozilla::a11y::ia2Accessible::get_relations accessible/windows/ia2/ia2Accessible.cpp:140
3 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x25da3
4 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x25dfc
5 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x21bdb
6 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x21b97
7 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x1ab96
This signature is a bit generic, but the crashes I looked at mostly had FSDomNodeFirefoxMP.DLL in the stack. Maybe there's some kind of callback involving a stale pointer?
I noticed a lot of DropBox URLs with these crashes, if that means anything.
|
||
Comment 1•2 years ago
|
||
Jamie, Frank - For some reason none of us had permission to view this bug when it was reported. I just got access, so I'm adding you both.
|
Assignee | |
Comment 2•2 years ago
|
||
Thanks Maire. Weird that we didn't have access. The triage owner on our team now gets rotated weekly, so that might explain why I didn't have access, but it doesn't explain why you or Frank didn't.
Investigation note: I'm suspicious of AccGroupInfo::ConceptualParent. That gets invalidated by reorder events; i.e. when any siblings change. However, I'm wondering whether a client call could be received between the IPDL call where the conceptual parent (really a sibling) is removed and the IPDL call where the group info is invalidated. In that case, we'd be holding onto a dead RemoteAccessible.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
||
Updated•2 years ago
|
|
Reporter | |
Comment 4•2 years ago
|
||
Sorry, I thought a11y was under the DOM security group, but looking now it is actually layout. I'll try to remember that.
|
|
Reporter | |
Comment 5•2 years ago
|
||
I did a search just now and it looks like all security bugs in Disability Access APIs are now either release-track or in layout-core-security.
|
|
Assignee | |
Comment 6•2 years ago
|
||
Comment on attachment 9364879 [details]
Bug 1864015: Correctly handle removal of the conceptual parent.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The patch switches from a raw pointer to an id, which could hint at a possible UAF. However, i think it would be difficult to get the impacted memory address from within the content process.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: This patch should apply cleanly or with minimal modification on all supported older branches.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely. The underlying functionality is covered by automated tests.
- Is Android affected?: No
|
||
Comment 7•2 years ago
|
||
Comment on attachment 9364879 [details]
Bug 1864015: Correctly handle removal of the conceptual parent.
Approved to land and uplift
|
||
Updated•2 years ago
|
|
||
Comment 9•2 years ago
|
||
|
||
Comment 10•2 years ago
|
||
The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox121towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 11•2 years ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D194322
|
|
||
Updated•2 years ago
|
|
|
||
Comment 12•2 years ago
|
||
Uplift Approval Request
- User impact if declined: Crash. UAF.
- Steps to reproduce for manual QE testing: NA
- Needs manual QE test: no
- Explanation of risk level: Isolated to accessibility group position calculations. Just changes a pointer to use an existing id. Underlying code covered by automated tests.
- Is Android affected?: no
- Code covered by automated testing: yes
- String changes made/needed: none
- Fix verified in Nightly: no
- Risk associated with taking this patch: low
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Comment 13•2 years ago
|
||
Comment on attachment 9366762 [details]
Bug 1864015: Correctly handle removal of the conceptual parent.
Approved for 121.0b8 and 115.6esr.
|
||
Updated•2 years ago
|
|
||
Comment 14•2 years ago
|
||
| uplift | ||
|
|
||
Comment 15•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 17•1 year ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Description
•