Crash in [@ @0x0 | mozilla::dom::WinWebAuthnService::GetAssertion]
Categories
(Core :: DOM: Web Authentication, defect, P3)
People
(Reporter: gsvelto, Unassigned)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/9a7ed49c-f415-4f68-9d25-5d2a50260108
Reason:
EXCEPTION_ACCESS_VIOLATION_EXEC
Top 10 frames:
0 ? @0x0000000000000000
1 xul.dll mozilla::dom::WinWebAuthnService::GetAssertion(unsigned long long, unsigned l... dom/webauthn/WinWebAuthnService.cpp:720
2 xul.dll mozilla::dom::WebAuthnService::GetAssertion(unsigned long long, unsigned long... dom/webauthn/WebAuthnService.cpp:196
3 xul.dll mozilla::dom::WebAuthnTransactionParent::RecvRequestSign(mozilla::dom::WebAut... dom/webauthn/WebAuthnTransactionParent.cpp:552
4 xul.dll mozilla::dom::PWebAuthnTransactionParent::OnMessageReceived(IPC::Message const&) ipc/ipdl/PWebAuthnTransactionParent.cpp:246
5 xul.dll mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) ipc/ipdl/PContentParent.cpp:6595
6 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecyc... ipc/glue/MessageChannel.cpp:1794
6 xul.dll mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecyclePro... ipc/glue/MessageChannel.cpp:1720
6 xul.dll mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, ... ipc/glue/MessageChannel.cpp:1509
6 xul.dll mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1611
It looks like we're crashing because gWinWebauthnGetCancellationId is null when we call it here.
Comment 1•3 days ago
I'm struggling to see how this happens. We got an NS_OK return from EnsureWinWebAuthnModuleLoaded() a few lines prior to the crash, and that function explicitly checks that gWinWebauthnGetCancellationId is non-null. All of the crash reports have platform version 10.0.17763, so I wonder if the crash is actually inside of the webauthn.dll WebAuthNGetCancellationId function.
Comment 2 (Reporter)•2 days ago
I'd need to crack open a minidump to try and figure out exactly where the null pointer was stored and what exact bit of code tried jumping through it, but in the meantime I noticed something that looks very wrong with these crash reports. There's another thread that has webauthn.dll entries on the stack; it's spawned from the tokio crate from what I can tell, so that piqued my curiosity and I gave the stacks a bit of a closer examination hoping to find some kind of race. Instead I found that two different versions of webauthn.dll are loaded at the same time: version 1.0.0.35 and version 10.0.17763.7553. That doesn't seem right. I've checked more crashes and they all seem to have both the DLLs loaded.