Closed
Bug 844088
Opened 12 years ago
Closed 12 years ago
ASAN: Several xpcshell tests in toolkit/identity trigger use-after-free, involving KeyGenRunnable
Categories
(Core Graveyard :: Identity, defect)
Tracking
(firefox21 unaffected, firefox22 ?, firefox23+ fixed, firefox-esr17 unaffected, b2g18+ fixed, b2g18-v1.0.1 wontfix, b2g-v1.1hd fixed)
RESOLVED FIXED (target milestone: mozilla23)
Branch | Tracking | Status
---|---|---
firefox21 | --- | unaffected
firefox22 | --- | ?
firefox23 | + | fixed
firefox-esr17 | --- | unaffected
b2g18 | + | fixed
b2g18-v1.0.1 | --- | wontfix
b2g-v1.1hd | --- | fixed
People
(Reporter: decoder, Assigned: bholley)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [asan][asan-test-failure][fixed by bug 850253][adv-main23+])
Attachments
(1 file: 9.37 KB, text/plain)
In several try runs I've already been observing that tests like toolkit/identity/tests/unit/test_jwcrypto.js, toolkit/identity/tests/unit/test_relying_party.js and toolkit/identity/tests/unit/test_provisioning.js cause ASan errors. I was however never able to reproduce it locally. Now I managed to reproduce a failure with the third test locally, using:

taskset -c 0 make -C toolkit/identity/tests/ xpcshell-tests

on an optimized build (mozilla-central 885cde564ff3). Might need to run it multiple times, but maybe the attached symbolized trace already helps to solve this issue.
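A reproduction loop of the kind the report above describes (run the ASan build pinned to one CPU, repeatedly, until the sanitizer report shows up), added here as an example; it is not part of the bug report or of mozilla-central. The ASAN_REPRO_PIN and ASAN_REPRO_LOG variables and the fake_flaky_test stand-in are invented for this example; the real command is the `taskset -c 0 make -C toolkit/identity/tests/ xpcshell-tests` from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): loop a flaky, ASan-instrumented test
# until the sanitizer reports an error, keeping the (symbolized) log of that run.
# Assumptions: the test command is whatever you pass in; ASAN_REPRO_PIN,
# ASAN_REPRO_LOG and the fake_flaky_test stand-in below are placeholders
# invented for this example.

# asan_repro_loop MAX_RUNS CMD [ARGS...]
# Runs CMD up to MAX_RUNS times, each run prefixed by $ASAN_REPRO_PIN (e.g.
# "taskset -c 0" to pin to one CPU, as in the report) and with ASan told to stop
# at the first error and symbolize it. Prints the iteration that produced an
# ASan report and returns 0; returns 1 if all MAX_RUNS runs stayed clean.
asan_repro_loop() {
  max_runs=$1
  shift
  log=${ASAN_REPRO_LOG:-asan-repro.log}
  i=1
  while [ "$i" -le "$max_runs" ]; do
    # halt_on_error=1: the first report is fatal, so later output cannot bury it.
    # symbolize=1: readable frames, provided llvm-symbolizer is on PATH.
    ASAN_OPTIONS="halt_on_error=1:symbolize=1" $ASAN_REPRO_PIN "$@" >"$log" 2>&1 || true
    if grep -q "ERROR: AddressSanitizer" "$log"; then
      echo "$i"
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# Constructed stand-in for a flaky test (not a real test): passes twice, then
# prints an ASan-style use-after-free report on the third run. A counter file
# carries the state across invocations.
fake_flaky_test() {
  counter=${FAKE_FLAKY_COUNTER:-${TMPDIR:-/tmp}/fake_flaky_counter}
  n=$(cat "$counter" 2>/dev/null || echo 0)
  n=$((n + 1))
  echo "$n" >"$counter"
  if [ "$n" -ge 3 ]; then
    echo "==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000001d0" >&2
    echo "READ of size 8 at 0x6040000001d0 thread T3" >&2
    return 1
  fi
  echo "TEST-PASS | fake_flaky_test"
  return 0
}
```

Against the real tree the call would be `ASAN_REPRO_PIN="taskset -c 0" asan_repro_loop 20 make -C toolkit/identity/tests/ xpcshell-tests`, after which asan-repro.log holds the first failing run's report. Pinning to a single CPU changes how the threads interleave, which is presumably why the report above reproduced only under taskset; the loop just automates the "might need to run it multiple times" part.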
This looks like it's just the XPCWrappedJS off the main thread bug in different clothing.
Comment 2•12 years ago
For the ASAN failures, how much risk do these ASAN failures pose to FF OS's use of navigator.id from a security perspective? I'm looking to know if this is worth nominating to block or not.
Flags: needinfo?(choller)
Comment 3•12 years ago
Jed and I stand ready to fix this ... except we don't know how to read these traces. Kyle: can you help us? Is this how we handled wrapped JS objects, or is it in the C++ crypto code we're using?
(In reply to Ben Adida [:benadida] from comment #3)
> Jed and I stand ready to fix this ... except we don't know how to read these traces. Kyle: can you help us? Is this how we handled wrapped JS objects, or is it in the C++ crypto code we're using?

I think it's the same underlying issue as bug 843923 (which is being fixed in bug 773610) and has nothing to do with identity.
Comment 5•12 years ago
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #4)
> I think it's the same underlying issue as bug 843923 (which is being fixed in bug 773610) and has nothing to do with identity.

OK, it looks to me like there is a fix in sight for this, so should we wait and see if that fix also fixes this? Or should we be more aggressive and investigate this further right away?
I think you should just wait and see.
Updated•12 years ago
Comment 7•12 years ago
(In reply to Jason Smith [:jsmith] from comment #2)
> For the ASAN failures, how much risk do these ASAN failures pose to FF OS's use of navigator.id from a security perspective?
>
> I'm looking to know if this is worth nominating to block or not.

Shouldn't block, but you'll eventually want the fix when we have one.
Flags: needinfo?(choller)
Updated•12 years ago
tracking-b2g18: --- → ?
Updated•12 years ago
Comment 8•12 years ago
Assigning to bholley so he can mark it fixed when bug 772610 lands (assuming that turns out to do the trick).
Assignee: nobody → bobbyholley+bmo
Keywords: csec-uaf
Comment 9•12 years ago
More precisely, it appears that bug 850253 should fix this.
Comment 10•12 years ago
decoder, now that bug 850253 has landed on central, can you make sure that this doesn't happen any more? Thanks!
Flags: needinfo?(choller)
Reporter
Comment 11•12 years ago
Several try runs haven't shown the issue anymore, confirming as fixed :)
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(choller)
Resolution: --- → FIXED
Reporter
Updated•12 years ago
Blocks: asan-maintenance
Updated•12 years ago
status-firefox23: --- → fixed
Updated•12 years ago
No longer depends on: 773610
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][fixed by bug 850253]
Comment 12•12 years ago
Does this need to be fixed on prior branches? I don't think the identity code is enabled anywhere shipping, is it?
status-firefox21: --- → unaffected
status-firefox22: --- → ?
status-firefox-esr17: --- → unaffected
tracking-firefox23: --- → +
Depends on: 850253
Comment 14•12 years ago
(In reply to Daniel Veditz [:dveditz] from comment #13)
> oh, b2g18 has this though.

Right. B2G Identity is enabled on b2g18 and b2g18-v1.0.1. Given comment 7 doesn't indicate this is a blocker, I'd suggest nominating the dependency here (bug 850253) for approval-b2g18 to uplift this fix.
status-b2g18-v1.0.1: --- → wontfix
Updated•11 years ago
Whiteboard: [asan][asan-test-failure][fixed by bug 850253] → [asan][asan-test-failure][fixed by bug 850253][adv-main23+]
Comment 15•11 years ago
Bug 850253 landed on b2g18. https://hg.mozilla.org/releases/mozilla-b2g18/rev/2d1fe68319cc
Comment 16•11 years ago
https://hg.mozilla.org/releases/mozilla-b2g18_v1_1_0_hd/rev/bb1ba0f59b31
status-b2g-v1.1hd: --- → fixed
Target Milestone: --- → mozilla23
Updated•11 years ago
Group: core-security
Updated•6 years ago
Product: Core → Core Graveyard