Closed
Bug 1935713
Opened 2 months ago
Closed 2 months ago
Crash in [@ mozilla::dom::WebAuthnSignResult::WebAuthnSignResult]
Categories
(Core :: DOM: Web Authentication, defect, P1)
RESOLVED
FIXED
135 Branch
Release | Tracking | Status
---|---|---
firefox-esr128 | --- | unaffected |
firefox133 | --- | unaffected |
firefox134 | --- | unaffected |
firefox135 | + | fixed |
People
(Reporter: RyanVM, Assigned: jschanck)
References
(Regression)
Details
(Keywords: crash, csectype-bounds, regression)
Crash Data
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/9b056c5e-ad18-4bdf-a303-51eb80241206
Reason:
EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames:
0 xul.dll mozilla::dom::WebAuthnSignResult::WebAuthnSignResult(nsTString<char>&, _WEBAU... dom/webauthn/WebAuthnResult.h:222
1 xul.dll mozilla::dom::WinWebAuthnService::DoGetAssertion::<lambda_18>::operator()() dom/webauthn/WinWebAuthnService.cpp:917
1 xul.dll mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/d... xpcom/threads/nsThreadUtils.h:548
2 xul.dll nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:456
3 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1153
3 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:480
4 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:299
5 xul.dll MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:369
5 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:362
6 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:344
Assignee | ||
Comment 1•2 months ago
Looks like an out of bounds read due to a missing struct version check. It affects systems with versions 1 and 2 of webauthn.dll. Version 3 was released in 2021.
Assignee: nobody → jschanck
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P1
Comment 2•2 months ago
Set release status flags based on info from the regressing bug 1935278
status-firefox133: --- → unaffected
status-firefox134: --- → unaffected
status-firefox135: --- → affected
status-firefox-esr128: --- → unaffected
Assignee | ||
Comment 3•2 months ago
Comment 4•2 months ago
> Version 3 was released in 2021.
4 of the 5 crashes (2 installations) were in Windows 10.0.19045, which should mean Windows 10 22H2 (~November 2022) -- the "final" Windows 10 release supposedly. The other crash was in 10.0.19044, the 21H2 (Nov 2021) release. I don't know the relative proportions of Firefox users on Win 10 vs 11, but it looks like all Win 10 users would be affected.
Updated•2 months ago
tracking-firefox135: --- → +
Keywords: csectype-bounds
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/618505b0336f
check webauthn.dll version before accessing WebAuthn PRF assertion values. r=dveditz
Comment 6•2 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
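The missing check described in comment 1 and named in the pushed fix, as an added example that is not Mozilla's patch or code from this bug. It is a constructed C model of an append-only versioned struct: `assertion_t`, `blob_t`, their fields and both functions are hypothetical and do not reproduce the real webauthn.h layout. The producer allocates only the fields its version defines, so the consumer has to test the version before touching the PRF field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an append-only, versioned result struct (hypothetical names). */
typedef struct { uint32_t len; const uint8_t *data; } blob_t;
typedef struct {
    uint32_t      version;    /* filled in by the producer */
    blob_t        signature;  /* since version 1 */
    blob_t        large_blob; /* since version 2 */
    const blob_t *prf;        /* since version 3 */
} assertion_t;

static const uint8_t kSig[] = {0x30, 0x45};             /* constructed sample bytes */
static const uint8_t kPrf[] = {0xde, 0xad, 0xbe, 0xef}; /* constructed sample bytes */
static const blob_t  kPrfBlob = {sizeof kPrf, kPrf};

/* Producer: allocates only the bytes its own version defines, as an older library would. */
assertion_t *make_assertion(uint32_t version) {
    size_t size = version >= 3 ? sizeof(assertion_t)
                : version == 2 ? offsetof(assertion_t, prf)
                               : offsetof(assertion_t, large_blob);
    assertion_t *a = malloc(size);
    if (!a) return NULL;
    memset(a, 0, size);
    a->version = version;
    a->signature = (blob_t){sizeof kSig, kSig};
    if (version >= 3) a->prf = &kPrfBlob;
    return a;
}

/* Consumer: returns the number of PRF bytes copied into out, 0 if the
   producer supplied none, -1 if out is too small. */
int read_prf(const assertion_t *a, uint8_t *out, size_t cap) {
    if (a->version < 3) return 0;  /* prf lies past the end of v1/v2 allocations */
    if (!a->prf || !a->prf->data) return 0;
    if (a->prf->len > cap) return -1;
    memcpy(out, a->prf->data, a->prf->len);
    return (int)a->prf->len;
}

int main(void) {
    uint8_t out[8];
    assertion_t *old = make_assertion(2);  /* struct from a pre-v3 producer */
    int n = old ? read_prf(old, out, sizeof out) : -1;
    free(old);
    return n == 0 ? 0 : 1;
}
```

Building this with AddressSanitizer and deleting the `a->version < 3` test in `read_prf` reports a heap out-of-bounds read for the version 1 and 2 allocations.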