Crash [@ mozilla::net::CallOnStop::Run] at address 0xffffffffdddddddd on shutdown

RESOLVED DUPLICATE of bug 712572

Status


Core
Networking: WebSockets
6 years ago
4 years ago

People

(Reporter: bc, Assigned: jduell)

Tracking

(Blocks: 1 bug, {crash})

Trunk
x86
All
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 584208 [details]
crash report from automation

1. http://www.bilibili.tv/video/bangumi.html and many others on this site.
2. CPU pegs, consumes RAM until OOM crash, but this bug is *not* about the OOM. To reproduce you need to exit the browser some time after the CPU pegs and the RAM begins to increase but before the OOM abort. I've had best luck starting the browser under WinDBG.

Reproducible on Windows/Linux Aurora/11, Nightly/12.

Nightly on Windows XP with WinDBG and !exploitable says

eax=feeefeee ebx=7ffdf000 ecx=080c1b5c edx=feeefeee esi=00398490 edi=0094f558
eip=017785f0 esp=0012f1e8 ebp=0012f1f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
xul!mozilla::net::CallOnStop::Run+0x40:
017785f0 8b08            mov     ecx,dword ptr [eax]  ds:0023:feeefeee=????????
0:000> !load winext/msec.dll
0:000> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - 
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!mozilla::net::CallOnStop::Run+0x0000000000000040 (Hash=0x7618023a.0x3a133d0b)

The data from the faulting address is later used as the target for a branch.
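
A triage aid for the register dump in the description above, as an added example that is not part of the original report or of Mozilla's code: it flags registers holding well-known Windows/MSVC heap fill values and identifies the base register of the faulting read. The function names and the pattern table are assumptions of this example, as is masking to 32 bits to handle a sign-extended address like the one in the bug title.

```python
import re

# Well-known 32-bit heap fill values (table assembled for this example).
FILL_PATTERNS = {
    0xFEEEFEEE: "Windows debug heap: memory freed by HeapFree",
    0xDDDDDDDD: "MSVC debug CRT: freed heap memory",
    0xCDCDCDCD: "MSVC debug CRT: allocated, uninitialized heap memory",
    0xBAADF00D: "Windows debug heap: allocated, uninitialized memory",
}

# x86 general-purpose registers as WinDBG prints them, e.g. "eax=feeefeee".
REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|bp|sp|ip))=([0-9a-f]{8})\b")
# Memory operand plus WinDBG's effective-address annotation,
# e.g. "[eax]  ds:0023:feeefeee=????????".
FAULT_RE = re.compile(
    r"\[(e[a-z]{2})[^\]]*\]\s+[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)")

# Register dump and faulting instruction copied from the description above.
SAMPLE = """\
eax=feeefeee ebx=7ffdf000 ecx=080c1b5c edx=feeefeee esi=00398490 edi=0094f558
eip=017785f0 esp=0012f1e8 ebp=0012f1f8 iopl=0         nv up ei pl nz na pe nc
xul!mozilla::net::CallOnStop::Run+0x40:
017785f0 8b08            mov     ecx,dword ptr [eax]  ds:0023:feeefeee=????????
"""

def classify_address(addr):
    """Return the fill-pattern description for addr, or None.
    Assumption: a 64-bit value is a sign-extended 32-bit address."""
    return FILL_PATTERNS.get(addr & 0xFFFFFFFF)

def triage(dump):
    """Report poisoned registers and details of the faulting memory read."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    poisoned = {n: classify_address(v) for n, v in regs.items()
                if classify_address(v)}
    fault = None
    m = FAULT_RE.search(dump)
    if m:
        addr = int(m.group(2), 16)
        fault = {"base": m.group(1), "address": addr,
                 # WinDBG prints '?' for bytes it cannot read.
                 "unreadable": set(m.group(3)) == {"?"},
                 "pattern": classify_address(addr)}
    return {"poisoned_registers": poisoned, "fault": fault}

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(classify_address(0xFFFFFFFFDDDDDDDD))
```

A fault whose base register holds a freed-memory fill value means the code read a pointer out of memory that had already been released, which is consistent with the PROBABLY_EXPLOITABLE rating when that pointer is then used as a branch target.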

Updated

6 years ago
Assignee: nobody → jduell.mcbugs

Comment 1

6 years ago
Jason, can you look into this?
this is essentially a dup of 712572
(Assignee)

Comment 3

6 years ago
> Jason, can you look into this?

Yes.

> this is essentially a dup of 712572

Does look that way.  Do we want to make that bug secure too?  Not sure this issue needs to be hidden.
(Assignee)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 712572
Group: core-security