Closed
Bug 1958224
Opened 1 year ago
Closed 1 year ago
AddressSanitizer: heap-use-after-free [@ RecvdFin] through [@ mozilla::net::Http2Session::ReadyToProcessDataFrame] with READ of size 2
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
()
RESOLVED
FIXED
139 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox137 | --- | unaffected |
| firefox138 | --- | unaffected |
| firefox139 | --- | fixed |
People
(Reporter: decoder, Assigned: kershaw)
References
(Regression)
Details
(5 keywords, Whiteboard: [necko-triaged] [necko-priority-queue])
Attachments
(3 files)
The attached testcase crashes on mozilla-central revision 20250401-87c6b5c18c28 (fuzzing build).
For detailed crash information, see attachment.
To reproduce the issue, perform the following steps:
- Download the attached testcase, save as "test.bin".
2a. Build with--enable-fuzzing(requires Clang and ASan, also build gtests using./mach gtest dontruntests).
2b. Alternatively you can download builds from TC usingpython -mfuzzfetch -a --fuzzing --target firefox gtest(see https://github.com/MozillaSecurity/fuzzfetch). - Run
FUZZER=NetworkHttp2ProxyHttp2 objdir/dist/bin/firefox test.bin
| Reporter | ||
Comment 1•1 year ago
|
||
| Reporter | ||
Comment 2•1 year ago
|
||
| Reporter | ||
Comment 3•1 year ago
|
||
I haven't tried to reproduce this, let me know if it doesn't work. I figured the trace in connection with a recent change might be enough to spot what went wrong here.
| Assignee | ||
Comment 4•1 year ago
|
||
This is regressed by bug 1874101.
I think the root cause is that we use a hash table to store the mapping between transactions and tunnel streams.
If another transaction uses the same address to create a tunnel stream, we may release the previous one, which leads to this crash.
Assignee: nobody → kershaw
Severity: -- → S3
Keywords: regression
Priority: -- → P1
Regressed by: 1874101
Whiteboard: [necko-triaged] [necko-priority-queue]
Comment 5•1 year ago
|
||
Set release status flags based on info from the regressing bug 1874101
status-firefox137:
--- → unaffected
status-firefox138:
--- → unaffected
status-firefox-esr128:
--- → unaffected
| Assignee | ||
Comment 6•1 year ago
|
||
Updated•1 year ago
|
Group: core-security → network-core-security
Updated•1 year ago
|
Keywords: csectype-uaf,
sec-high
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6b24b81749b4
Use nsTArray to store tunnel streams, r=necko-reviewers,valentin
Comment 8•1 year ago
|
||
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox-esr115:
--- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
Updated•1 year ago
|
Attachment #9476879 -
Attachment filename: test.bin.undefined → test.bin
Updated•1 year ago
|
QA Whiteboard: [sec] [qa-triage-done-c140/b139]
Flags: qe-verify-
Updated•1 year ago
|
QA Whiteboard: [sec] [qa-triage-done-c140/b139] → [qa-triage-done-c140/b139]
Updated•6 months ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•