Closed Bug 1997854 Opened 21 days ago Closed 20 days ago

Crash in [@ sandbox::ParameterSet::Get]

Categories

Product/Component: Core :: Security: Process Sandboxing
Type: defect
Hardware: Unspecified
OS: Windows 11

Tracking

Status: RESOLVED FIXED
Target Milestone: 146 Branch
Tracking Status
firefox-esr140 --- unaffected
firefox144 --- unaffected
firefox145 --- unaffected
firefox146 + fixed

People

(Reporter: gsvelto, Assigned: bobowen)

References

(Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/0c1ee358-0dbc-468a-8121-ff99a0251103

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  firefox.exe  sandbox::ParameterSet::Get(unsigned int*) const  security/sandbox/chromium/sandbox/win/src/policy_engine_params.h:67
0  firefox.exe  sandbox::OpcodeEval(sandbox::PolicyOpcode*, sandbox::ParameterSet const*, san...  security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc:103
0  firefox.exe  sandbox::PolicyOpcode::EvaluateHelper(sandbox::ParameterSet const*, sandbox::...  security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc:459
0  firefox.exe  sandbox::PolicyOpcode::Evaluate(sandbox::ParameterSet const*, unsigned long l...  security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc:425
0  firefox.exe  sandbox::PolicyProcessor::Evaluate(unsigned int, sandbox::ParameterSet*, unsi...  security/sandbox/chromium/sandbox/win/src/policy_engine_processor.cc:72
1  firefox.exe  sandbox::PolicyBase::EvalPolicy(sandbox::IpcTag, sandbox::CountedParameterSet...  security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc:741
2  firefox.exe  sandbox::FilesystemDispatcher::EvalPolicy(sandbox::IpcTag, std::basic_string<...  security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc:263
2  firefox.exe  sandbox::FilesystemDispatcher::NtOpenFile(sandbox::IPCInfo*, std::basic_strin...  security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc:134
3  firefox.exe  sandbox::SharedMemIPCServer::InvokeCallback(sandbox::SharedMemIPCServer::Serv...  security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.cc:205
3  firefox.exe  sandbox::SharedMemIPCServer::ThreadPingEventReady(void*, unsigned char)  security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.cc:313

This seems to have started recently, but I don't see recent changes to the affected code. Bob, can you tell what might be causing this? Note that this is only happening to what appear to be very recent versions of Windows 11. I've checked several crashes and all have ntdll.dll version 10.0.26100.6899 and kernel32.dll version 10.0.26100.6725; it's unlikely to be accidental.

Flags: needinfo?(bobowencode)
Duplicate of this bug: 1997855

As :aryx suggested in the duplicate, I think this must be caused by bug 1996225.
The only thing I can think of is that we're hitting a bug in the chromium code when we get near the maximum rules.
I vaguely remember some issue that :handyman found many years ago, but I thought that was fixed.

Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
Flags: needinfo?(bobowencode)
Keywords: regression
Regressed by: 1996225

Set release status flags based on info from the regressing bug 1996225

(In reply to Bob Owen (:bobowen) from comment #2)
> ...
> I vaguely remember some issue that :handyman found many years ago, but I thought that was fixed.

Well, I found it ... bug 1299611.
:handyman reported it upstream and they said they were working on it, but it doesn't look like it went anywhere.

However, I didn't think we would even hit this, but the sandbox update that I landed just before the font rule changes (bug 1977201) altered the number of pages for the policy, which I'm relying on.
I'd written the patch before the sandbox landed and then didn't spot the change in the rebase.

I'll surface the internal figure so that I can rely on it directly.

See Also: → 1299611
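Added illustration of the failure pattern described in the comment above (a rule builder whose capacity check was derived from a hand-copied page count that the sandbox update then changed). This is a toy model written for this page, not Chromium's sandbox code and not the patch attached to this bug; every identifier (toy_policy, Arena, kArenaPages, AddRule, Evaluate, the stale page count) is hypothetical. It shows the two checks a practitioner would want: the rule limit derived from the same constant the buffer is sized with, failing closed when full, and an evaluator that bounds-checks each opcode's parameter index before reading it, so a corrupt or overrun policy yields a policy error instead of a wild read like the one in the crash stack.

```cpp
// Added example (not Chromium or Firefox code): a toy page-sized policy arena
// modelling the failure discussed in this bug. A builder whose capacity check
// is derived from a stale copy of the arena size admits more rules than fit;
// a builder tied to the same constant the arena is sized with fails closed.
// Every identifier here is hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace toy_policy {

constexpr size_t kPageSize = 4096;

// Single source of truth for the arena size. The real-world analogue is the
// internal page count that the regressing patch had copied by hand.
constexpr size_t kArenaPages = 2;
constexpr size_t kArenaBytes = kArenaPages * kPageSize;

struct Opcode {
  uint32_t param_index;  // index of the parameter this opcode inspects
  uint32_t match_value;  // value the parameter must equal
};

// Derived from kArenaBytes, so it cannot drift from the buffer size.
constexpr size_t kMaxOpcodes = kArenaBytes / sizeof(Opcode);

struct Arena {
  Opcode ops[kMaxOpcodes];
  size_t count = 0;
};

// Correct builder: refuses the rule instead of writing past the arena end.
bool AddRule(Arena& a, uint32_t param_index, uint32_t match_value) {
  if (a.count >= kMaxOpcodes) return false;  // fail closed
  a.ops[a.count++] = Opcode{param_index, match_value};
  return true;
}

// Stale limit, as if computed against an older (larger) arena size. We only
// report whether it *would* admit a write; performing it would be undefined
// behaviour, which is exactly the bug being modelled.
constexpr size_t kStaleArenaPages = 4;  // hypothetical old figure
constexpr size_t kStaleMaxOpcodes =
    kStaleArenaPages * kPageSize / sizeof(Opcode);

bool StaleCheckAdmits(size_t current_count) {
  return current_count < kStaleMaxOpcodes;
}

// Number of rules the stale check would admit beyond the arena's real end.
constexpr size_t OverflowingRules() {
  return kStaleMaxOpcodes > kMaxOpcodes ? kStaleMaxOpcodes - kMaxOpcodes : 0;
}

enum class Verdict { kAllow, kDeny, kBadPolicy };

// Evaluator: every param_index is bounds-checked against the parameter set
// before it is read, so a corrupt opcode yields kBadPolicy, not a wild read.
Verdict Evaluate(const Arena& a, const std::vector<uint32_t>& params) {
  for (size_t i = 0; i < a.count; ++i) {
    const Opcode& op = a.ops[i];
    if (op.param_index >= params.size()) return Verdict::kBadPolicy;
    if (params[op.param_index] != op.match_value) return Verdict::kDeny;
  }
  return Verdict::kAllow;
}

// Try to add `n` identical rules; returns how many the builder accepted.
size_t FillRules(Arena& a, size_t n) {
  size_t accepted = 0;
  for (size_t i = 0; i < n; ++i) {
    if (AddRule(a, 0, 7)) ++accepted;
  }
  return accepted;
}

}  // namespace toy_policy

int main() {
  toy_policy::Arena arena{};
  // Ask for more rules than fit: the builder must stop exactly at capacity.
  size_t accepted = toy_policy::FillRules(arena, toy_policy::kMaxOpcodes + 10);
  bool capped = accepted == toy_policy::kMaxOpcodes;
  // The stale check would still have admitted further rules past the end.
  bool stale_admits = toy_policy::StaleCheckAdmits(arena.count);
  return (capped && stale_admits) ? 0 : 1;
}
```

The point of deriving kMaxOpcodes from kArenaBytes rather than carrying a second number is that a later change to kArenaPages (the situation in this bug) automatically shrinks the limit; the stale constant is kept only to show how many rules such a copy would wrongly admit.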

This also surfaces that value as a constant, so that we can rely on it.

Hopefully the patch will fix this, but this shouldn't affect Fx146 Beta as the regressing patch changed code that is Nightly only at the moment.

Status: ASSIGNED → RESOLVED
Closed: 20 days ago
Resolution: --- → FIXED
Target Milestone: --- → 146 Branch
QA Whiteboard: [qa-triage-done-c147/b146]