Closed Bug 1867983 Opened 6 months ago Closed 6 months ago

Crash in [@ libgdk-3.so.0@0x55ade] called from ~NativeLayerRootWayland()

Categories

(Core :: Widget: Gtk, defect)

Other
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1868038
Tracking Status
firefox122 --- fixed

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main122-])

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/5405cf22-747c-4c93-8937-1e9910231202

Reason: SIGSEGV / SI_KERNEL

Top 10 frames of crashing thread:

0  libgdk-3.so.0  libgdk-3.so.0@0x55ade  
1  libxul.so  mozilla::layers::NativeLayerRootWayland::~NativeLayerRootWayland  gfx/layers/NativeLayerWayland.cpp:79
2  libxul.so  mozilla::layers::NativeLayerRoot::Release  gfx/layers/NativeLayer.h:47
2  libxul.so  mozilla::RefPtrTraits<mozilla::layers::NativeLayerRootWayland>::Release  mfbt/RefPtr.h:54
2  libxul.so  RefPtr<mozilla::layers::NativeLayerRootWayland>::ConstRemovingRefPtrTraits<mozilla::layers::NativeLayerRootWayland>::Release  mfbt/RefPtr.h:420
2  libxul.so  RefPtr<mozilla::layers::NativeLayerRootWayland>::~RefPtr  mfbt/RefPtr.h:85
2  libxul.so  mozilla::widget::GtkCompositorWidget::~GtkCompositorWidget  widget/gtk/GtkCompositorWidget.cpp:64
3  libxul.so  mozilla::widget::InProcessGtkCompositorWidget::~InProcessGtkCompositorWidget  widget/gtk/InProcessGtkCompositorWidget.h:16
4  libxul.so  mozilla::widget::CompositorWidget::Release  widget/CompositorWidget.h:90
4  libxul.so  mozilla::RefPtrTraits<mozilla::widget::CompositorWidget>::Release  mfbt/RefPtr.h:54

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-11-28
  • Process type: Parent
  • Is startup crash: No
  • Has user comments: Yes
  • Is null crash: No
  • Is use after free crash: Yes - all crashes happened on or near an allocator poison value
Group: core-security → dom-core-security
Component: General → Widget: Gtk
Group: dom-core-security → layout-core-security

UAF crash in the parent, first seen in the 20231127092818 build. Did we change something in our Wayland-related code just before then? Very low volume, and not seen after Nov 29 builds, so maybe it got fixed.

Summary: Crash in [@ libgdk-3.so.0@0x55ade] → Crash in [@ libgdk-3.so.0@0x55ade] called from ~NativeLayerRootWayland()
Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1868038
Resolution: --- → DUPLICATE
Group: layout-core-security
Whiteboard: [adv-main122-]