Closed Bug 1951554 (CVE-2025-3608) Opened 9 months ago Closed 8 months ago

ThreadSanitizer: data race [@ GetConnInfo] vs. [@ mozilla::net::nsHttpTransaction::DisableHttp3]

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
138 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox136 --- unaffected
firefox137 + fixed
firefox138 + fixed

People

(Reporter: tsmith, Assigned: kershaw)

References

(Blocks 1 open bug, Regression,
URL
)

Details

(Keywords: csectype-race, regression, sec-high, Whiteboard: [necko-triaged][necko-priority-queue][adv-main137.0.2+])

Crash Data

Attachments

(3 files)

tsan-log.txt
41.32 KB, text/plain
Details
Bug 1951554 - Avoid racing on nsHttpTransaction::mConnInfo, r=#necko
48 bytes, text/x-phabricator-request
Details | Review
Bug 1951554 - Avoid racing on nsHttpTransaction::mConnInfo, r=#necko
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-release+
dveditz
: sec-approval+
Details | Review
Attached file tsan-log.txt

Found with m-c 20250303-d4371465982d (--enable-thread-sanitizer --enable-fuzzing)

This was found by visiting a live website with a TSan build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting https://www.aol.com/.

WARNING: ThreadSanitizer: data race (pid=160094)
  Read of size 8 at 0x7264000771e8 by main thread:
    #0 get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:314:27 (libxul.so+0x41a1d09) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #1 operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:344:12 (libxul.so+0x41a1d09)
    #2 GetConnInfo /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpTransaction.cpp:1022:43 (libxul.so+0x41a1d09)
    #3 non-virtual thunk to mozilla::net::nsHttpTransaction::GetConnInfo() const /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpTransaction.cpp (libxul.so+0x41a1d09)
    #4 mozilla::net::nsHttpChannel::ContinueProcessResponse1() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:2750:61 (libxul.so+0x412669d) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #5 mozilla::net::nsHttpChannel::ProcessResponse() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:2693:10 (libxul.so+0x4126306) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #6 mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:8058:31 (libxul.so+0x4145bfd) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #7 non-virtual thunk to mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp (libxul.so+0x41468a5) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #8 nsInputStreamPump::OnStateStart() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:504:20 (libxul.so+0x3b536e8) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #9 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:409:21 (libxul.so+0x3b5324f) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #10 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp (libxul.so+0x3b54579) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    ...

  Previous write of size 8 at 0x7264000771e8 by thread T7:
    #0 swap /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:270:13 (libxul.so+0x41a948c) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #1 mozilla::net::nsHttpTransaction::DisableHttp3(bool) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpTransaction.cpp:2784:15 (libxul.so+0x41a948c)
    #2 mozilla::net::Http3Session::Shutdown() /builds/worker/checkouts/gecko/netwerk/protocol/http/Http3Session.cpp:300:30 (libxul.so+0x401c6b7) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #3 mozilla::net::Http3Session::~Http3Session() /builds/worker/checkouts/gecko/netwerk/protocol/http/Http3Session.cpp:395:3 (libxul.so+0x401d3de) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #4 mozilla::net::Http3Session::Release() /builds/worker/checkouts/gecko/netwerk/protocol/http/Http3Session.cpp:61:1 (libxul.so+0x401a63a) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #5 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40 (libxul.so+0x409b142) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #6 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36 (libxul.so+0x409b142)
    #7 assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:68:7 (libxul.so+0x409b142)
    #8 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:180:5 (libxul.so+0x409b142)
    #9 mozilla::net::HttpConnectionUDP::CloseTransaction(mozilla::net::nsAHttpTransaction*, nsresult, bool) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpConnectionUDP.cpp:514:17 (libxul.so+0x409b142)
    #10 mozilla::net::HttpConnectionUDP::OnQuicTimeoutExpired() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpConnectionUDP.cpp:539:5 (libxul.so+0x409c5eb) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    ...

  Location is heap block of size 1240 at 0x726400077100 allocated by main thread:
    #0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:666:5 (firefox-bin+0xd5870) (BuildId: c23a8080410895e75213a9ce9421a9827c597478)
    #1 moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15 (firefox-bin+0x15cce8) (BuildId: c23a8080410895e75213a9ce9421a9827c597478)
    #2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x4120431) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #3 mozilla::net::nsHttpChannel::InitTransaction() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:1832:20 (libxul.so+0x4120431)
    #4 mozilla::net::nsHttpChannel::DispatchTransaction(mozilla::net::HttpTransactionShell*) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:1382:17 (libxul.so+0x4120043) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #5 DoConnectActual /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:1375:10 (libxul.so+0x411ed5f) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #6 mozilla::net::nsHttpChannel::DoConnect(mozilla::net::HttpTransactionShell*) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:1362:10 (libxul.so+0x411ed5f)
    #7 mozilla::net::nsHttpChannel::ContinueConnect() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:1324:17 (libxul.so+0x411cdad) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #8 mozilla::net::nsHttpChannel::TriggerNetwork() /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:10757:10 (libxul.so+0x411e1de) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #9 mozilla::net::nsHttpChannel::OnCacheEntryAvailableInternal(nsICacheEntry*, bool, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:4860:10 (libxul.so+0x413601f) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    #10 mozilla::net::nsHttpChannel::OnCacheEntryAvailable(nsICacheEntry*, bool, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp:4788:8 (libxul.so+0x4135c44) (BuildId: 484928afbdd0d069e31cd70a0342bf5d7488dbda)
    ...
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-new]
Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-priority-queue]

nsHttpTransaction::GetConnInfo and nsHttpTransaction::DisableHttp3 both need to hold the mutex while accessing mConnInfo. Probably the same for all other methods using mConnInfo.

Assignee: nobody → kershaw
Duplicate of this bug: 1956962

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::net::nsHttpConnectionInfo::GetAnonymous]
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b3ffe3409712 Avoid racing on nsHttpTransaction::mConnInfo, r=necko-reviewers,valentin

https://hg.mozilla.org/mozilla-central/rev/b3ffe3409712

Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 8 months ago
status-firefox136: --- → wontfix
status-firefox137: --- → wontfix
status-firefox138: affectedfixed
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → wontfix
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
Attachment #9475643 - Flags: approval-mozilla-release?

release Uplift Approval Request

  • User impact if declined: Possible crash. See bug 1956962, this could be a sec-high bug.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: Low.
  • Explanation of risk level: This patch is straightforward.
  • String changes made/needed: N/A
  • Is Android affected?: yes
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

Per jesup's suggestion, I'll bump this up to sec-high. Comment 0 suggests it isn't that hard to reproduce the race.

Keywords: sec-moderatesec-high

Maybe you want to revist the uplift flags, Ryan? Thanks.

Flags: needinfo?(ryanvm)

Sure, but ESR128 and ESR115 are the branches we'll want to uplift to. It'll need rebasing for both, however.

status-firefox-esr115: wontfixaffected
status-firefox-esr128: wontfixaffected
tracking-firefox138: --- → +
tracking-firefox-esr115: --- → 138+
tracking-firefox-esr128: --- → 138+
Flags: needinfo?(ryanvm) → needinfo?(kershaw)

The bug 1956962 crashes only started showing up in 137 so it is possible that it doesn't affect older branches, but maybe that's just a fluke. Hopefully Kershaw can figure that out given that we have a patch now.

(In reply to Andrew McCreight [:mccr8] from comment #12)

The bug 1956962 crashes only started showing up in 137 so it is possible that it doesn't affect older branches, but maybe that's just a fluke. Hopefully Kershaw can figure that out given that we have a patch now.

This is regressed by bug 1948203, so old branches are not affected.
I think we should just uplift this to release 137.

Flags: needinfo?(kershaw)
Keywords: regression
Regressed by: 1948203

Could be a candidate for next week's mid-cycle dot release since ESR isn't affected.

status-firefox137: wontfixaffected
status-firefox-esr115: affectedunaffected
status-firefox-esr128: affectedunaffected
tracking-firefox137: --- → ?
tracking-firefox-esr115: 138+ → ---
tracking-firefox-esr128: 138+ → ---

I will build on Monday, can we get sec-approval+ and a CVE or are we OK with shipping the fix in 138?

Flags: needinfo?(kershaw)

Comment on attachment 9475643 [details]
Bug 1951554 - Avoid racing on nsHttpTransaction::mConnInfo, r=#necko

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably not easy, since this is a race.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: 137
  • If not all supported branches, which bug introduced the flaw?: Bug 1948203
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Should be low, since the patch is straightforward and is already landed.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Flags: needinfo?(kershaw)
Attachment #9475643 - Flags: sec-approval?

(In reply to Pascal Chevrel:pascalc from comment #15)

I will build on Monday, can we get sec-approval+ and a CVE or are we OK with shipping the fix in 138?

Yes, I think it's fine to ship this in 138.

(In reply to Kershaw Chang [:kershaw] from comment #17)

(In reply to Pascal Chevrel:pascalc from comment #15)

I will build on Monday, can we get sec-approval+ and a CVE or are we OK with shipping the fix in 138?

Yes, I think it's fine to ship this in 138.

Ok, marking 137 as wontfix then, thanks.

status-firefox137: affectedwontfix

Comment on attachment 9475643 [details]
Bug 1951554 - Avoid racing on nsHttpTransaction::mConnInfo, r=#necko

-> 138

Attachment #9475643 - Flags: approval-mozilla-release? → approval-mozilla-release-

(In reply to Pascal Chevrel:pascalc from comment #18)

(In reply to Kershaw Chang [:kershaw] from comment #17)

(In reply to Pascal Chevrel:pascalc from comment #15)

I will build on Monday, can we get sec-approval+ and a CVE or are we OK with shipping the fix in 138?

Yes, I think it's fine to ship this in 138.

Ok, marking 137 as wontfix then, thanks.

Ah, sorry I was confused with the Fx version. I'd like to uplift this to release 137 if possible.
Thanks.

status-firefox137: wontfixaffected
Flags: needinfo?(pascalc)

Dan, should we include this bug in the dot release? Thanks

Flags: needinfo?(pascalc) → needinfo?(dveditz)

Comment on attachment 9475643 [details]
Bug 1951554 - Avoid racing on nsHttpTransaction::mConnInfo, r=#necko

sec-approval+ for taking this in the mid-cycle point release, a=dveditz

Flags: needinfo?(dveditz)
Attachment #9475643 - Flags: sec-approval? → sec-approval+
Attachment #9475643 - Flags: approval-mozilla-release- → approval-mozilla-release+
https://hg.mozilla.org/releases/mozilla-release/rev/8969c956ed8e Reminder that the dot release ships on April 15 around 3PM CET, so we'll need an advisory ready, thanks!
Alias: CVE-2025-3608
Whiteboard: [necko-triaged][necko-priority-queue] → [necko-triaged][necko-priority-queue][adv-main137.0.2+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: