Closed Bug 1967048 Opened 8 months ago Closed 8 months ago

Crash in [@ mozilla::LinkedListElement<T>::remove] from AnimationTimeline::RemoveAnimation()

Categories

(Core :: DOM: Animation, defect)

defect

RESOLVED DUPLICATE of bug 1923344

People

(Reporter: jesup, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Summary: Crash in [@ mozilla::LinkedListElement<T>::remove] → Crash in [@ mozilla::LinkedListElement<T>::remove] from AnimationTimeline::RemoveAnimation()

Perhaps a dup of bug 1923344? Note all these crashes were against 130, and the bug referenced was fixed in 133.

See Also: → CVE-2024-9680

Yeah, this is clearly somebody messing around with a publicly disclosed zero day on an old unpatched build.

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 8 months ago
Component: Graphics → DOM: Animation
Duplicate of bug: CVE-2024-9680
Resolution: --- → DUPLICATE

I'm going to hide comment 0 because it has somebody's name in it, but here's the content of that comment without it:

(In reply to Randell Jesup [:jesup] (needinfo me) from comment #0)

URL is file:///home/[...]/exploit_dev_heap_attack/index.html and file:///home/[...]/exploit_dev_boosted/index.html and file:///home/[...]/exploit_dev/index.html ...
There are about 100 crashes in crash-stats from this user with 0xe5e5 signatures. Clearly they've found a repeatable way to trigger it, and are trying to create an exploit.

Crash report: https://crash-stats.mozilla.org/report/index/0b84e66f-e4c0-4078-ae67-8cd280250505

Reason:

SIGSEGV / SI_KERNEL

Top 10 frames:

0  libxul.so  mozilla::LinkedListElement<mozilla::dom::Animation>::remove()  mfbt/LinkedList.h:244
0  libxul.so  mozilla::dom::AnimationTimeline::RemoveAnimation(mozilla::dom::Animation*)  dom/animation/AnimationTimeline.cpp:97
1  libxul.so  mozilla::dom::AnimationTimeline::Tick(mozilla::dom::AnimationTimeline::TickSt...  dom/animation/AnimationTimeline.cpp:75
2  libxul.so  mozilla::dom::DocumentTimeline::WillRefresh()  dom/animation/DocumentTimeline.cpp:180
3  libxul.so  UpdateAndReduceAnimations(mozilla::dom::Document&)  layout/base/nsRefreshDriver.cpp:2316
3  libxul.so  nsRefreshDriver::UpdateAnimationsAndSendEvents()  layout/base/nsRefreshDriver.cpp:2346
3  libxul.so  nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType...  layout/base/nsRefreshDriver.cpp:2750
4  libxul.so  mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::Ba...  layout/base/nsRefreshDriver.cpp:369
4  libxul.so  mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransact...  layout/base/nsRefreshDriver.cpp:347
5  libxul.so  mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla:...  layout/base/nsRefreshDriver.cpp:363
Group: core-security-release