Crash in [@ mozilla::net::WebSocketChannel::DoStopSession] getting ObliviousHttpService in nsDNSService::Init()
Categories
(Core :: Networking: DNS, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | 121+ | fixed |
| firefox120 | --- | unaffected |
| firefox121 | --- | unaffected |
| firefox122 | --- | unaffected |
People
(Reporter: jesup, Assigned: jesup)
Details
(Keywords: crash, csectype-uaf, sec-moderate, Whiteboard: [necko-triaged][necko-priority-queue][adv-esr115.6+r])
Crash Data
Attachments
(3 files)
Note: these incorrectly show up under WebSockets.
This applies to the crashes (16 in the last 6 months) with nsDNSService::Init on the stack. about 1/4 of these are e5e5 crashes.
NOTE: all appear to be in 115ESR, and all are Win7, and all are startup crashes (which I suppose isn't surprising nsDNSService::Init). It's possible this is fixed in later versions, or it may be specific to Win7.
Crash report: https://crash-stats.mozilla.org/report/index/dde35565-4c20-48e8-b5fa-592fe0230927
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll mozilla::net::WebSocketChannel::DoStopSession netwerk/protocol/websocket/WebSocketChannel.cpp:2382
1 ? @0x0000000002b4ac7f
2 xul.dll _tailMerge_hid.dll
3 xul.dll nsCOMPtr<nsIObliviousHttpService>::assign_from_gs_contractid xpcom/base/nsCOMPtr.h:867
3 xul.dll nsCOMPtr<nsIObliviousHttpService>::nsCOMPtr xpcom/base/nsCOMPtr.h:509
3 xul.dll nsDNSService::Init netwerk/dns/nsDNSService2.cpp:879
4 xul.dll nsDNSService::GetSingleton netwerk/dns/nsDNSService2.cpp:747
5 xul.dll nsDNSService::GetXPCOMSingleton::<lambda_0>::operator const netwerk/dns/nsDNSService2.cpp:717
6 xul.dll nsDNSService::GetXPCOMSingleton netwerk/dns/nsDNSService2.cpp:732
7 xul.dll mozilla::xpcom::CreateInstanceImpl xpcom/components/StaticComponents.cpp:11388
|
||
Comment 1•10 months ago
|
||
Interesting find.
I'm not sure why assigning the OHTTP service would fail, or how the websocket fits into this (I suspect 0x0000000002a4a7cf simply points to that instruction?). The fact that it's only win7 makes this a bit less severe IMO.
In any case, I think there's nothing using the OHTTP service on ESR, so we can simply remove the line doing the initialization (only for ESR)
Bumping this directly into the necko-priority-queue.
|
Assignee | |
Comment 2•10 months ago
|
||
|
||
Updated•10 months ago
|
|
||
Updated•10 months ago
|
|
|
Assignee | |
Comment 3•10 months ago
|
||
Comment on attachment 9366959 [details]
Bug 1868042: Remove unused OHTTP initialization r=valentin!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Sec moderate UAF that affects 115esr only
- User impact if declined: Rare startup crashes
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Removes unused initialization of OHTTP
|
||
Comment 4•10 months ago
|
||
Comment on attachment 9366959 [details]
Bug 1868042: Remove unused OHTTP initialization r=valentin!
This issue only impacts ESR115 and the patch isn't suitable for landing on other branches. Approved for 115.6esr.
|
|
||
Updated•10 months ago
|
|
|
Assignee | |
Comment 6•10 months ago
|
||
|
||
Updated•10 months ago
|
|
|
||
Comment 8•10 months ago
|
||
|
|
||
Updated•12 days ago
|
Description
•