Closed Bug 1935713 Opened 2 months ago Closed 2 months ago

Crash in [@ mozilla::dom::WebAuthnSignResult::WebAuthnSignResult]

Categories

(Core :: DOM: Web Authentication, defect, P1)

Unspecified
Windows
defect

Tracking

RESOLVED FIXED
135 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox133 --- unaffected
firefox134 --- unaffected
firefox135 + fixed

People

(Reporter: RyanVM, Assigned: jschanck)

References

(Regression)

Details

(Keywords: crash, csectype-bounds, regression)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/9b056c5e-ad18-4bdf-a303-51eb80241206

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  mozilla::dom::WebAuthnSignResult::WebAuthnSignResult(nsTString<char>&, _WEBAU...  dom/webauthn/WebAuthnResult.h:222
1  xul.dll  mozilla::dom::WinWebAuthnService::DoGetAssertion::<lambda_18>::operator()()  dom/webauthn/WinWebAuthnService.cpp:917
1  xul.dll  mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/d...  xpcom/threads/nsThreadUtils.h:548
2  xul.dll  nsThreadPool::Run()  xpcom/threads/nsThreadPool.cpp:456
3  xul.dll  nsThread::ProcessNextEvent(bool, bool*)  xpcom/threads/nsThread.cpp:1153
3  xul.dll  NS_ProcessNextEvent(nsIThread*, bool)  xpcom/threads/nsThreadUtils.cpp:480
4  xul.dll  mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)  ipc/glue/MessagePump.cpp:299
5  xul.dll  MessageLoop::RunInternal()  ipc/chromium/src/base/message_loop.cc:369
5  xul.dll  MessageLoop::RunHandler()  ipc/chromium/src/base/message_loop.cc:362
6  xul.dll  MessageLoop::Run()  ipc/chromium/src/base/message_loop.cc:344

Looks like an out of bounds read due to a missing struct version check. It affects systems with versions 1 and 2 of webauthn.dll. Version 3 was released in 2021.

Assignee: nobody → jschanck
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P1

Set release status flags based on info from the regressing bug 1935278

> Version 3 was released in 2021.

4 of the 5 crashes (2 installations) were in Windows 10.0.19045, which should mean Windows 10 22H2 (~November 2022) -- the "final" Windows 10 release supposedly. The other crash was in 10.0.19044, the 21H2 (Nov 2021) release. I don't know the relative proportions of Firefox users on Win 10 vs 11, but it looks like all Win 10 users would be affected.

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/618505b0336f
check webauthn.dll version before accessing WebAuthn PRF assertion values. r=dveditz
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
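
The struct version check this bug turned on, as an added example that is not Mozilla's patch and does not use the Windows header: a simplified C model in which the PRF fields are read only after the version field shows that the library allocated them. The names `Assertion`, `PRF_MIN_VERSION`, `get_prf` and `prf_len_for_version` are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model with hypothetical names, not the Windows or Gecko types:
 * a result struct that gains fields in later library versions. */
typedef struct {
    uint32_t version;     /* written by the library that allocated the struct */
    uint32_t sig_len;
    const uint8_t *sig;
    /* Present only when version >= PRF_MIN_VERSION. */
    uint32_t prf_len;
    const uint8_t *prf;
} Assertion;

enum { PRF_MIN_VERSION = 3 };

/* Returns the PRF length and sets *out, or 0 and NULL when the struct predates
 * the PRF fields. Dropping the version test makes a->prf read past the end of
 * a version 1 or 2 allocation. */
static uint32_t get_prf(const Assertion *a, const uint8_t **out) {
    *out = NULL;
    if (a == NULL || a->version < PRF_MIN_VERSION || a->prf == NULL)
        return 0;
    *out = a->prf;
    return a->prf_len;
}

/* Constructed sample: allocate as a library of `version` would, then query. */
static uint32_t prf_len_for_version(uint32_t version) {
    static const uint8_t secret[4] = {1, 2, 3, 4};
    const uint8_t *out;
    /* Old libraries allocate only the fields that precede prf_len. */
    size_t size = version >= PRF_MIN_VERSION ? sizeof(Assertion)
                                             : offsetof(Assertion, prf_len);
    Assertion *a = calloc(1, size);
    if (a == NULL) return UINT32_MAX;
    a->version = version;
    if (version >= PRF_MIN_VERSION) { a->prf = secret; a->prf_len = (uint32_t)sizeof secret; }
    uint32_t n = get_prf(a, &out);
    free(a);
    return n;
}

int main(void) {
    for (uint32_t v = 1; v <= 3; v++)
        printf("version %u: prf_len=%u\n", (unsigned)v, (unsigned)prf_len_for_version(v));
    return 0;
}
```

Building with AddressSanitizer and removing the version test from `get_prf` makes the version 1 and 2 cases report a heap out-of-bounds read, which is the class of fault in the crash report above.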