Closed Bug 1899180 Opened 1 year ago Closed 1 year ago

Assertion failure: NS_UsePrivateBrowsing(newChannel) == mRespectPrivacy, at /builds/worker/checkouts/gecko/image/imgLoader.cpp:2460

Categories

(Core :: Graphics: ImageLib, defect)

defect

Tracking


RESOLVED FIXED
129 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox127 --- wontfix
firefox128 --- wontfix
firefox129 + fixed

People

(Reporter: tsmith, Assigned: tnikkel)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, pernosco, sec-other, Whiteboard: [adv-main129-])

Attachments

(1 file)

Found with m-c 20240512-45d7400ced7e (--enable-debug --enable-fuzzing)

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting http://hoegl.ru/.

Marking as s-s. Similar issues could allow a page to escape out of private browsing mode.

Assertion failure: NS_UsePrivateBrowsing(newChannel) == mRespectPrivacy, at /builds/worker/checkouts/gecko/image/imgLoader.cpp:2460

0|0|xul.dll|imgLoader::LoadImage(nsIURI*, nsIURI*, nsIReferrerInfo*, nsIPrincipal*, unsigned long long, nsILoadGroup*, imgINotificationObserver*, nsINode*, mozilla::dom::Document*, unsigned int, nsISupports*, nsIContentPolicy::nsContentPolicyType, nsTSubstring<char16_t> const&, bool, bool, unsigned long long, mozilla::dom::FetchPriority, imgRequestProxy**)|hg:hg.mozilla.org/mozilla-central:image/imgLoader.cpp:222d646f13198a4c9e283516fbd040d65406bc01|2460|0x1cc2
0|1|xul.dll|nsContentUtils::LoadImage(nsIURI*, nsINode*, mozilla::dom::Document*, nsIPrincipal*, unsigned long long, nsIReferrerInfo*, imgINotificationObserver*, int, nsTSubstring<char16_t> const&, imgRequestProxy**, nsIContentPolicy::nsContentPolicyType, bool, bool, unsigned long long, mozilla::dom::FetchPriority)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:222d646f13198a4c9e283516fbd040d65406bc01|4092|0x278
0|2|xul.dll|nsImageLoadingContent::LoadImage(nsIURI*, bool, bool, nsImageLoadingContent::ImageLoadType, unsigned int, mozilla::dom::Document*, nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsImageLoadingContent.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1144|0x5eb
0|3|xul.dll|nsImageLoadingContent::LoadImage(nsTSubstring<char16_t> const&, bool, bool, nsImageLoadingContent::ImageLoadType, nsIPrincipal*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsImageLoadingContent.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1028|0x13e
0|4|xul.dll|mozilla::dom::SVGImageElement::LoadSVGImage(bool, bool)|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGImageElement.cpp:222d646f13198a4c9e283516fbd040d65406bc01|146|0x174
0|5|xul.dll|mozilla::dom::SVGImageElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool)|hg:hg.mozilla.org/mozilla-central:dom/svg/SVGImageElement.cpp:222d646f13198a4c9e283516fbd040d65406bc01|215|0x7a
0|6|xul.dll|mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:222d646f13198a4c9e283516fbd040d65406bc01|2732|0x5cf
0|7|xul.dll|mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:222d646f13198a4c9e283516fbd040d65406bc01|2588|0x304
0|8|xul.dll|nsXMLContentSink::AddAttributes(char16_t const**, mozilla::dom::Element*)|hg:hg.mozilla.org/mozilla-central:dom/xml/nsXMLContentSink.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1409|0x95
0|9|xul.dll|nsXMLContentSink::HandleStartElement(char16_t const*, char16_t const**, unsigned int, unsigned int, unsigned int, bool)|hg:hg.mozilla.org/mozilla-central:dom/xml/nsXMLContentSink.cpp:222d646f13198a4c9e283516fbd040d65406bc01|992|0x2e5
0|10|xul.dll|nsXMLContentSink::HandleStartElement(char16_t const*, char16_t const**, unsigned int, unsigned int, unsigned int)|hg:hg.mozilla.org/mozilla-central:dom/xml/nsXMLContentSink.cpp:222d646f13198a4c9e283516fbd040d65406bc01|938|0x26
0|11|xul.dll|nsExpatDriver::HandleStartElement(rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>&, rlbox::tainted<void *,rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted<const char16_t *,rlbox::rlbox_wasm2c_sandbox>, rlbox::tainted<const char16_t **,rlbox::rlbox_wasm2c_sandbox>)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsExpatDriver.cpp:222d646f13198a4c9e283516fbd040d65406bc01|477|0x34f
0|12|xul.dll|w2c_rlbox_doContent(w2c_rlbox*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int)|s3:gecko-generated-sources:35b2c4dca8523dcd573954471cc044dca5ac3b4ad6f8662ba3bbbb14e92bf3d8847a770748758ef4107e5a150081204a1c6bcd80e5b76bce78eace1ad80053de/security/rlbox/rlbox.wasm.c:|56458|0x5ec
0|13|xul.dll|w2c_rlbox_doProlog(w2c_rlbox*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int)|s3:gecko-generated-sources:35b2c4dca8523dcd573954471cc044dca5ac3b4ad6f8662ba3bbbb14e92bf3d8847a770748758ef4107e5a150081204a1c6bcd80e5b76bce78eace1ad80053de/security/rlbox/rlbox.wasm.c:|52618|0x3d19
0|14|xul.dll|w2c_rlbox_prologProcessor(w2c_rlbox*, unsigned int, unsigned int, unsigned int, unsigned int)|s3:gecko-generated-sources:35b2c4dca8523dcd573954471cc044dca5ac3b4ad6f8662ba3bbbb14e92bf3d8847a770748758ef4107e5a150081204a1c6bcd80e5b76bce78eace1ad80053de/security/rlbox/rlbox.wasm.c:|51806|0x129
0|15|xul.dll|w2c_rlbox_MOZ_XML_Parse(w2c_rlbox*, unsigned int, unsigned int, unsigned int, unsigned int)|s3:gecko-generated-sources:35b2c4dca8523dcd573954471cc044dca5ac3b4ad6f8662ba3bbbb14e92bf3d8847a770748758ef4107e5a150081204a1c6bcd80e5b76bce78eace1ad80053de/security/rlbox/rlbox.wasm.c:|13506|0x357
0|16|xul.dll|nsExpatDriver::ParseChunk(char16_t const*, unsigned int, nsExpatDriver::ChunkOrBufferIsFinal, unsigned int*, unsigned long*)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsExpatDriver.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1248|0x347
0|17|xul.dll|nsExpatDriver::ResumeParse(nsScanner&, bool)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsExpatDriver.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1352|0x42a
0|18|xul.dll|nsParser::ResumeParse(bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:222d646f13198a4c9e283516fbd040d65406bc01|715|0x159
0|19|xul.dll|nsParser::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long long, unsigned int)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1027|0x227
0|20|xul.dll|imgRequest::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long long, unsigned int)|hg:hg.mozilla.org/mozilla-central:image/imgRequest.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1068|0x9df
0|21|xul.dll|nsBaseChannel::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long long, unsigned int)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsBaseChannel.cpp:222d646f13198a4c9e283516fbd040d65406bc01|846|0x9f
0|22|xul.dll|nsInputStreamPump::OnStateTransfer()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:222d646f13198a4c9e283516fbd040d65406bc01|585|0x37c
0|23|xul.dll|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:222d646f13198a4c9e283516fbd040d65406bc01|412|0x187
0|24|xul.dll|mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>)|hg:hg.mozilla.org/mozilla-central:xpcom/io/NonBlockingAsyncInputStream.cpp:222d646f13198a4c9e283516fbd040d65406bc01|385|0xe3
0|25|xul.dll|mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/NonBlockingAsyncInputStream.cpp:222d646f13198a4c9e283516fbd040d65406bc01|33|0x51
0|26|xul.dll|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:222d646f13198a4c9e283516fbd040d65406bc01|580|0x1d
0|27|xul.dll|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex &> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:222d646f13198a4c9e283516fbd040d65406bc01|907|0x960
0|28|xul.dll|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex &> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:222d646f13198a4c9e283516fbd040d65406bc01|730|0x57
0|29|xul.dll|mozilla::TaskController::ProcessPendingMTTask(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:222d646f13198a4c9e283516fbd040d65406bc01|516|0x69
0|30|xul.dll|mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:7'>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:222d646f13198a4c9e283516fbd040d65406bc01|548|0x16
0|31|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:222d646f13198a4c9e283516fbd040d65406bc01|1199|0x892
0|32|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:222d646f13198a4c9e283516fbd040d65406bc01|480|0x6c
0|33|xul.dll|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:222d646f13198a4c9e283516fbd040d65406bc01|85|0xc9
0|34|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:222d646f13198a4c9e283516fbd040d65406bc01|363|0x4c
0|35|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:222d646f13198a4c9e283516fbd040d65406bc01|345|0x6e
0|36|xul.dll|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:222d646f13198a4c9e283516fbd040d65406bc01|148|0x27
0|37|xul.dll|nsAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/windows/nsAppShell.cpp:222d646f13198a4c9e283516fbd040d65406bc01|822|0x189
0|38|xul.dll|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:222d646f13198a4c9e283516fbd040d65406bc01|712|0x78
0|39|xul.dll|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:222d646f13198a4c9e283516fbd040d65406bc01|235|0x39
0|40|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:222d646f13198a4c9e283516fbd040d65406bc01|363|0x4c
0|41|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:222d646f13198a4c9e283516fbd040d65406bc01|345|0x6e
0|42|xul.dll|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:222d646f13198a4c9e283516fbd040d65406bc01|647|0x8a9
0|43|firefox.exe|NS_internal_main(int, char**, char**)|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:222d646f13198a4c9e283516fbd040d65406bc01|378|0x2c8
0|44|firefox.exe|wmain(int, wchar_t**)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsWindowsWMain.cpp:222d646f13198a4c9e283516fbd040d65406bc01|151|0x216
0|45|firefox.exe|__scrt_common_main_seh()|/builds/worker/workspace/obj-build/browser/app/D:/a/_work/1/s/src/vctools/crt/vcstartup/src/startup/exe_common.inl|288|0x10b
0|46|kernel32.dll||||
0|47|ntdll.dll||||
0|48|KERNELBASE.dll||||

A Pernosco session is available here: https://pernos.co/debug/c-MxXXamXZE5dAkPU6Wc_Q/index.html

Keywords: pernosco
See Also: → 1869938

If the channel is not a nsIPrivateBrowsingChannel, and it also has no load context (e.g. inside SVG images), then we will overwrite a non-zero mPrivateBrowsingId on the OriginAttributes of the channel with 0, making NS_UsePrivateBrowsing return false for the channel.

Assignee: nobody → tnikkel
Status: NEW → ASSIGNED
See Also: → 1899684

I also looked at all the places we call NS_QueryNotificationCallbacks to see if any other places had a similar bug; everything seemed fine, but I did find bug 1899684.

Severity: -- → S3

Since this is rated sec-other, assuming this is an S3.

Adding a friendly needinfo if you want to do anything with these potential followups mentioned in the review. (I tried adding the asserts, they trivially fire so I'm not moving forward on them)

"Should we assert that these flags don't disagree?

Side note, I wonder if it's time to get rid of nsIPrivateBrowsingChannel and loadContext::UsePrivateBrowsing since the same information should be available on the loadInfo's originAttributes which all channels have now."

Flags: needinfo?(valentin.gosu)

I think we can do this in a follow-up. I filed bug 1899968 for that.
It does seem like we have more gaps to close, as indicated by the assertions. I think using the origin attributes as the source of truth is the best option.

Blocks: 1899968
Flags: needinfo?(valentin.gosu)
Pushed by tnikkel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0449f21df281 If a channel is not nsIPrivateBrowsingChannel and has no load context, use the private browsing field from its origin attributes. r=necko-reviewers,anti-tracking-reviewers,valentin
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
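A minimal model of the lookup order described in comment 1 and of the fallback added by the push above, written as an added example for this thread. It is not Gecko code and not the landed patch: the struct names, the field names (mPrivateBrowsingOverride, mLoadInfoAttrs) and the helper functions are hypothetical stand-ins chosen to show why a channel with no nsIPrivateBrowsingChannel override and no load context must still honour the privateBrowsingId on its origin attributes, and what the imgLoader consistency check at imgLoader.cpp:2460 is guarding.

```cpp
// Added example (not Gecko code): models the three sources a channel's
// private-browsing state can come from, the pre-fix lookup that collapses
// to "not private" when the first two are absent, and the post-fix lookup
// that falls through to the origin attributes instead.
#include <cassert>
#include <cstdint>
#include <optional>

// Stand-in for the privateBrowsingId field of OriginAttributes.
struct OriginAttributes {
    uint32_t mPrivateBrowsingId = 0;   // non-zero means a private-browsing context
};

// Stand-in for a docshell-level load context. Loads with no docshell,
// such as images inside an SVG image document, have none.
struct LoadContext {
    bool mUsePrivateBrowsing = false;
};

// Stand-in for a channel (hypothetical field names): it may implement the
// nsIPrivateBrowsingChannel override, may have a load context, and always
// carries OriginAttributes on its loadInfo.
struct Channel {
    std::optional<bool> mPrivateBrowsingOverride;  // nsIPrivateBrowsingChannel, if implemented
    std::optional<LoadContext> mLoadContext;       // result of a notification-callbacks query
    OriginAttributes mLoadInfoAttrs;               // always present
};

// Pre-fix behaviour as described in the bug: override wins, then load
// context, and with neither present the origin attributes are ignored and
// the answer is "not private".
bool UsePrivateBrowsingBuggy(const Channel& aChannel) {
    if (aChannel.mPrivateBrowsingOverride) return *aChannel.mPrivateBrowsingOverride;
    if (aChannel.mLoadContext) return aChannel.mLoadContext->mUsePrivateBrowsing;
    return false;  // the bug: a non-zero mPrivateBrowsingId is lost here
}

// Post-fix behaviour: same precedence, but with no override and no load
// context the privateBrowsingId on the origin attributes is consulted.
bool UsePrivateBrowsingFixed(const Channel& aChannel) {
    if (aChannel.mPrivateBrowsingOverride) return *aChannel.mPrivateBrowsingOverride;
    if (aChannel.mLoadContext) return aChannel.mLoadContext->mUsePrivateBrowsing;
    return aChannel.mLoadInfoAttrs.mPrivateBrowsingId != 0;
}

// The invariant the imgLoader assertion expresses: the privacy state derived
// for the new channel must equal the privacy state the loader was created
// for (mRespectPrivacy). A mismatch means the load would be handled under
// the wrong privacy regime.
bool LoaderPrivacyConsistent(bool aRespectPrivacy, bool aChannelIsPrivate) {
    return aRespectPrivacy == aChannelIsPrivate;
}

// Constructed scenario from the report: a sub-image of an SVG image document
// loaded in a private window. No override, no load context, but the origin
// attributes carry privateBrowsingId = 1.
Channel MakeSvgSubImageChannelInPrivateWindow() {
    Channel c;
    c.mLoadInfoAttrs.mPrivateBrowsingId = 1;
    return c;
}

// Constructed channel that does have a load context, to show that the fix
// does not change precedence: the load context still wins over the
// origin attributes when both are present.
Channel MakeChannelWithLoadContext(bool aContextIsPrivate, uint32_t aPrivateBrowsingId) {
    Channel c;
    c.mLoadContext = LoadContext{aContextIsPrivate};
    c.mLoadInfoAttrs.mPrivateBrowsingId = aPrivateBrowsingId;
    return c;
}

int main() {
    Channel svg = MakeSvgSubImageChannelInPrivateWindow();
    const bool loaderIsPrivate = true;  // the imgLoader instance serving private windows
    // Pre-fix: the check that fires as the assertion in this bug.
    assert(!LoaderPrivacyConsistent(loaderIsPrivate, UsePrivateBrowsingBuggy(svg)));
    // Post-fix: the origin attributes keep the load in the private regime.
    assert(LoaderPrivacyConsistent(loaderIsPrivate, UsePrivateBrowsingFixed(svg)));
    return 0;
}
```

The model keeps the load-context branch ahead of the origin-attributes branch on purpose: the follow-up filed as bug 1899968 is about whether those two sources can disagree, and the assertion that valentin's review note proposed would be the check that they do not.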

The patch landed in nightly and beta is affected.
:tnikkel, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox128 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(tnikkel)
Flags: needinfo?(tnikkel)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main129-]
See Also: → 1944247
Group: core-security-release