Bug 718311 (Closed): instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]
Opened 13 years ago, closed 13 years ago
Categories: Core :: DOM: Core & HTML (defect)
Status: VERIFIED FIXED
Target Milestone: mozilla12
| Branch | Tracking | Status |
|---|---|---|
| firefox9 | --- | affected |
| firefox10 | --- | fixed |
| firefox11 | --- | verified |
| firefox12 | --- | verified |
| status1.9.2 | --- | unaffected |
People: Reporter: jussi.kalliokoski, Assignee: bent.mozilla
Keywords: crash, regression, testcase
Whiteboard: [sg:dos]
Attachments (3 files, 2 obsolete files):
8.44 KB, text/plain
469 bytes, application/java-archive
659 bytes, patch; flags: mrbkap: review+, akeybl: approval-mozilla-aurora+, akeybl: approval-mozilla-beta+
I flagged this as a security issue, because you can make Firefox segfault via JS with this.
So beware, going to the page might just make the whole browser crash.
Go to http://bugs.avd.io/firefox/worker-segfault.html
I'm running Arch Linux, Aurora 11.02a, although this is reproducible on every instance of Firefox, on my laptop at least.
What it does is invoke a worker, source available here: http://bugs.avd.io/firefox/worker-segfault.js
Updated (Reporter) • 13 years ago
Component: General → DOM
Product: Firefox → Core
Comment 1 • 13 years ago
Confirmed on nightly on Mac:
https://crash-stats.mozilla.com/report/index/bp-a25632ac-a02d-4563-aef6-1a23e2120115
Updated • 13 years ago
Summary: instanceof for worker properties segfaults → instanceof for worker properties segfaults, crash [@ WorkerGlobalScope::GetOnErrorListener ]
Updated • 13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2 • 13 years ago
I got a similar crash bp-402e7b35-e7cc-4f47-95cc-611062120116
Both crashes are on null or null+offset so it might not be exploitable, but can't entirely tell without more investigation (e.g. running in Valgrind/ASan, or finding the bug itself).
I happened to be testing 9.0.1 so this goes back a ways.
Crash Signature: [@ WorkerGlobalScope::GetOnErrorListener ]
[@ js_GetReservedSlot ]
Keywords: testcase
Version: 11 Branch → unspecified
Comment 3 • 13 years ago
Comment 4 (Assignee) • 13 years ago
Hm, dumb bug. I doubt this is exploitable because it's just sending a null pointer into the JS engine, but the fix is simple.
Comment 5 (Assignee) • 13 years ago
That was the wrong patch, sorry.
Attachment #589032 - Attachment is obsolete: true
Attachment #589032 - Flags: review?(jonas)
Attachment #589033 - Flags: review?(jonas)
Comment 6 (Assignee) • 13 years ago
Ugh, third time is the charm.
Attachment #589033 - Attachment is obsolete: true
Attachment #589033 - Flags: review?(jonas)
Attachment #589036 - Flags: review?(jonas)
Updated • 13 years ago
Attachment #589036 - Flags: review?(jonas) → review+
Comment 7 (Assignee) • 13 years ago
Comment 8 • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment 9 (Assignee) • 13 years ago
Comment on attachment 589036 [details] [diff] [review]
Patch, v1
[Approval Request Comment]
Regression caused by (bug #): Bug 649537
User impact if declined: Crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None. This simply returns null instead of crashing.
Attachment #589036 - Flags: approval-mozilla-beta?
Attachment #589036 - Flags: approval-mozilla-aurora?
Updated (Assignee) • 13 years ago
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox12: --- → fixed
status-firefox9: --- → affected
Updated (Assignee) • 13 years ago
tracking-firefox10: --- → ?
tracking-firefox11: --- → ?
Comment 10 • 13 years ago
Comment on attachment 589036 [details] [diff] [review]
Patch, v1
[Triage Comment]
Given the low risk evaluation of this fix, and the security team's recommendation, let's take this on aurora/beta.
Attachment #589036 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #589036 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11 (Assignee) • 13 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/922795c904e8
https://hg.mozilla.org/releases/mozilla-beta/rev/a02b2c63e8d9
tracking-firefox10: ? → ---
tracking-firefox11: ? → ---
Comment 12 • 13 years ago
Verified fixed in 12 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0a1) Gecko/20120123 Firefox/12.0a1 after crashing in 9.0.1 on same machine with testcase.
Verified fixed in 11 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a2) Gecko/20120120 Firefox/11.0a2.
Updated • 13 years ago
Status: RESOLVED → VERIFIED
Updated • 13 years ago
Group: core-security
Updated • 6 years ago
Component: DOM → DOM: Core & HTML