Closed Bug 1979072 Opened 9 months ago Closed 9 months ago

Crash in [@ mozilla::DataChannel::AddRef]

Categories

(Core :: WebRTC: Networking, defect)

Product:
Core
Component:
WebRTC: Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
143 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox141 --- wontfix
firefox142 + fixed
firefox143 + fixed

People

(Reporter: aryx, Assigned: bwc)

References

(Regression)

Details

(4 keywords, Whiteboard: [adv-main142+r])

Crash Data

Attachments

(1 file)

(secure)
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
tjr
: sec-approval+
Details | Review

35 crash reports from 33 installs of Firefox 141.0 on various operating systems. Address points to use-after-free in the content process, often after longer uptime (15+ minutes)

Crash report: https://crash-stats.mozilla.org/report/index/bce516b4-0538-40da-9452-8d0ae0250724

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  std::_Atomic_integral<unsigned long long, 8>::fetch_add(const unsigned long l...  /builds/worker/fetches/vs/VC/Tools/MSVC/14.39.33519/include/atomic:1619
0  xul.dll  mozilla::ThreadSafeAutoRefCnt::operator++()  xpcom/base/nsISupportsImpl.h:388
0  xul.dll  mozilla::DataChannel::AddRef()  netwerk/sctp/datachannel/DataChannel.h:400
0  xul.dll  mozilla::RefPtrTraits<mozilla::DataChannel>::AddRef(mozilla::DataChannel*)  mfbt/RefPtr.h:48
0  xul.dll  RefPtr<mozilla::DataChannel>::ConstRemovingRefPtrTraits<mozilla::DataChannel>...  mfbt/RefPtr.h:408
0  xul.dll  RefPtr<mozilla::DataChannel>::RefPtr(mozilla::DataChannel*)  mfbt/RefPtr.h:108
0  xul.dll  mozilla::DataChannelConnection::FinishClose_s(mozilla::DataChannel*)  netwerk/sctp/datachannel/DataChannel.cpp:1322
1  xul.dll  mozilla::DataChannelConnection::CloseAll::<lambda_12>::operator()() const  netwerk/sctp/datachannel/DataChannel.cpp:1376
1  xul.dll  mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/n...  xpcom/threads/nsThreadUtils.h:548
2  xul.dll  nsThread::ProcessNextEvent(bool, bool*)  xpcom/threads/nsThread.cpp:1153
Flags: needinfo?(docfaraday)
Component: Networking → WebRTC: Networking

I think I see a possibility here. I'll roll a fix into some work I'm already doing in this area.

See Also: → 1979081
Group: network-core-security → media-core-security

Nice find.

Keywords: csectype-uaf, sec-high
See Also: → 1979329

Bug 1979329 confirms my suspicion.

Flags: needinfo?(docfaraday)
Attached file (secure)
Assignee: nobody → docfaraday
Status: NEW → ASSIGNED

Comment on attachment 9503645 [details]
(secure)

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Depends on how closely they read it. It probably would not be particularly hard to trigger the crash.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta and release
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9503645 - Flags: sec-approval?

Comment on attachment 9503645 [details]
(secure)

Approved to land and request uplift

Attachment #9503645 - Flags: sec-approval? → sec-approval+

Comment on attachment 9503645 [details]
(secure)

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Sec bug
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very simple and safe.
  • String changes made/needed: None
  • Is Android affected?: Yes
Attachment #9503645 - Flags: approval-mozilla-release?
Attachment #9503645 - Flags: approval-mozilla-beta?

I isolated this patch from bug 1974443 as a possible fix; not 100% sure this was the cause, but it makes sense.

See Also: → 1974443
Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
status-firefox143: affectedfixed
Depends on: 1974443
Resolution: --- → FIXED
See Also: 1974443
Target Milestone: --- → 143 Branch
Attachment #9503645 - Flags: approval-mozilla-release?
Attachment #9503645 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [adv-main142+r]
QA Whiteboard: [sec] [uplift] [qa-triage-done-c143/b142]
Flags: qe-verify-

(In reply to Byron Campen [:bwc] from comment #8)

I isolated this patch from bug 1974443 as a possible fix; not 100% sure this was the cause, but it makes sense.

The signature has definitely stopped showing up in crash-stats. I do not see the signatures for bugs 1979329 and 1979081 either. Looks like that was the fix.

Duplicate of this bug: 1979081
Duplicate of this bug: 1979329

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::DataChannel::AddRef] → [@ mozilla::DataChannel::AddRef] [@ std::_Rb_tree_increment]

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::DataChannel::AddRef] [@ std::_Rb_tree_increment] → [@ mozilla::DataChannel::AddRef] [@ std::_Rb_tree_increment] [@ nsTArray_Impl<T>::ClearAndRetainStorage | nsTArray_Impl<T>::Clear | mozilla::DataChannelConnection::FinishClose_s]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: