Closed Bug 1979955 Opened 11 months ago Closed 11 months ago

Crash in [@ mozilla::net::Http2Session::RemoveStreamFromTables]

Categories

(Core :: Networking: HTTP, defect, P1)

Unspecified
Windows 11
defect

Tracking

()

RESOLVED FIXED
143 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 142+ fixed
firefox141 --- wontfix
firefox142 + fixed
firefox143 + fixed

People

(Reporter: RyanVM, Assigned: kershaw)

References

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [adv-main142+r][adv-esr140.2+r][necko-triaged] [necko-priority-queue])

Crash Data

Attachments

(3 files, 1 obsolete file)

48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.com/report/index/cd182de3-ade4-4c71-99b7-92af10250729

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  PLDHashTable::ComputeKeyHash(void const*) const  xpcom/ds/PLDHashTable.cpp:479
0  xul.dll  PLDHashTable::Search(void const*) const  xpcom/ds/PLDHashTable.cpp:499
1  xul.dll  nsTHashtable<nsBaseHashtableET<nsPtrHashKey<mozilla::net::nsAHttpTransaction>...  xpcom/ds/nsTHashtable.h:290
1  xul.dll  nsRefCountedHashtable<nsPtrHashKey<mozilla::net::nsAHttpTransaction>, RefPtr<...  xpcom/ds/nsRefCountedHashtable.h:229
1  xul.dll  mozilla::net::Http2Session::RemoveStreamFromTables(mozilla::net::Http2StreamB...  netwerk/protocol/http/Http2Session.cpp:1417
1  xul.dll  mozilla::net::Http2Session::CleanupStream(mozilla::net::Http2StreamBase*, nsr...  netwerk/protocol/http/Http2Session.cpp:1386
2  xul.dll  mozilla::net::Http2Session::ReadSegmentsAgain(mozilla::net::nsAHttpSegmentRea...  netwerk/protocol/http/Http2Session.cpp:2717
3  xul.dll  mozilla::net::nsHttpConnection::OnSocketWritable()  netwerk/protocol/http/nsHttpConnection.cpp:1715
4  xul.dll  mozilla::net::nsHttpConnection::OnOutputStreamReady(nsIAsyncOutputStream*)  netwerk/protocol/http/nsHttpConnection.cpp:2262
5  xul.dll  mozilla::net::nsSocketOutputStream::OnSocketReady(nsresult)  netwerk/base/nsSocketTransport2.cpp:528

This appears to still be crashing with a UAF pattern after bug 1976376 landed.

Flags: needinfo?(kershaw)
See Also: → 1976376

A short summery:

  1. We are retrieving a WeakPtr<Http2StreamBase> from a queue and promoting it to a RefPtr:
 RefPtr<Http2StreamBase> stream =
      mQueueManager.GetNextStreamFromQueue(Http2StreamQueueType::ReadyForWrite);
  1. Then, this line failed
rv = stream->ReadSegments(this, count, countRead);
  1. We call CleanupStream because rv is an error
CleanupStream(stream, rv, CANCEL_ERROR);
  1. Inside CleanupStream, we call RemoveStreamFromTables and we do:
 mStreamTransactionHash.Remove(aStream->Transaction());

The crash seems to happen here, but it's not clear which object is destroyed. The stream should be kept alive by the RefPtr in step 1 and the Http2Session should be also alive at this point.

I’m currently out of ideas and could really use a fresh pair of eyes. Randell, would you mind taking a look? Thanks!

Severity: -- → S2
Flags: needinfo?(kershaw) → needinfo?(rjesup)
Priority: -- → P1
Whiteboard: [necko-triaged] [necko-priority-queue]

Any chance that nsHttpConnection::mTransaction could get mutated somewhere in here? That is often a problem in DOM code, so it is good to avoid complex method calls on data members. I don't know if that's a similar concern in networking code. (The fix for that problem is to create a strong stack reference to the transaction, and do the call on that.)

(In reply to Andrew McCreight [:mccr8] from comment #3)

Any chance that nsHttpConnection::mTransaction could get mutated somewhere in here? That is often a problem in DOM code, so it is good to avoid complex method calls on data members. I don't know if that's a similar concern in networking code. (The fix for that problem is to create a strong stack reference to the transaction, and do the call on that.)

I think this is a good suggestion and worth trying. Let me write a patch for this.
Thanks.

Attached file (secure)
Assignee: nobody → kershaw
Status: NEW → ASSIGNED

Comment on attachment 9504123 [details]
(secure)

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unknown. This patch only ensures nsHttpConnection::mTransaction is alive when executing WriteSegment/ReadSegment.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Low. This patch is straightforward.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9504123 - Flags: sec-approval?
Attachment #9504123 - Flags: sec-approval? → sec-approval+

Should this patch be marked leave-open if we need to come back and confirm the fix? Also, does this code run in the parent or socket process? If so, it should be keyworded as csectype-sandbox-escape

Keywords: leave-open

No Nightly crashes since this landed when there used to be a semi-steady trickle of them basically every day. How are we feeling about declaring victory here? :-)

Flags: needinfo?(kershaw)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)

No Nightly crashes since this landed when there used to be a semi-steady trickle of them basically every day. How are we feeling about declaring victory here? :-)

I'd wait a few more days, but I think we can uplift this low-risk patch to beta and ESR first.

Flags: needinfo?(kershaw)
Attached file (secure)
Attachment #9505248 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: Possible crash
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: Low
  • Explanation of risk level: This patch is straightforward.
  • String changes made/needed: N/A
  • Is Android affected?: yes
Attached file (secure) (obsolete) —
Attachment #9505249 - Flags: approval-mozilla-esr140?

firefox-esr140 Uplift Approval Request

  • User impact if declined: Possible crash
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: Low
  • Explanation of risk level: This patch is really simple.
  • String changes made/needed: N/A
  • Is Android affected?: yes
Attachment #9505248 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

(In reply to Kershaw Chang [:kershaw] from comment #11)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)

No Nightly crashes since this landed when there used to be a semi-steady trickle of them basically every day. How are we feeling about declaring victory here? :-)

I'd wait a few more days, but I think we can uplift this low-risk patch to beta and ESR first.

To clarify, I meant we can leave this bug open for a few more days before closing it.

Regressions: 1981294

Going to add this to the advisories list assuming we will close this in the next couple of days. So far so good.

Whiteboard: [necko-triaged] [necko-priority-queue] → [adv-main142+r][adv-esr140.2+r][necko-triaged] [necko-priority-queue]
Attachment #9505249 - Attachment is obsolete: true
Attachment #9505249 - Flags: approval-mozilla-esr140?
Attached file (secure)
Attachment #9506052 - Flags: approval-mozilla-esr140?

firefox-esr140 Uplift Approval Request

  • User impact if declined: Possible crash
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: Low
  • Explanation of risk level: This patch is simple: adding null check and holding another reference.
  • String changes made/needed: N/A
  • Is Android affected?: yes
Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch
Attachment #9506052 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
QA Whiteboard: [sec] [uplift] [qa-triage-done-c143/b142]
Flags: qe-verify-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: