Closed Bug 969517 Opened 6 years ago Closed 6 years ago

Faulty/ASan: heap-use-after-free of a LayerComposite that was destroyed by ContainerLayer::RemoveChild

Categories

(Core :: Graphics, defect)

x86_64
Linux
defect
Not set

Tracking


RESOLVED FIXED
mozilla30
Tracking Status
firefox29 --- wontfix
firefox30 + fixed
firefox-esr24 --- wontfix
b2g-v1.4 --- fixed
seamonkey2.26 --- unaffected

People

(Reporter: bjacob, Assigned: bjacob)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main30+][qa-])

Attachments

(2 files)

Attached file Faulty/ASan session
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067
Summary: Faulty/ASan: heap-use-after-free of a Layer, in ShadowLayerParent::ActorDestroy, that was destroyed by ContainerLayer::RemoveChild → Faulty/ASan: heap-use-after-free of a LayerComposite that was destroyed by ContainerLayer::RemoveChild
Updated the bug title to reflect the invariants between these two ASan sessions, which are likely the same bug.
Depends on: 970747
Fixed by the landing of shadow layer updates validation fixes, bug 970747.
Assignee: nobody → bjacob
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Did this affect ESR24 at all?
The bug exists in ESR24 as well, but this is only a security issue with e10s which is not enabled in ESR24, so I wouldn't bother about it. (In the same-process case, if the client here is compromised so it can send evil messages to the parent, then all is already lost, because the client and parent are the same process).
Marking [qa-] for verification, lack of test case.
Whiteboard: [adv-main30+]
Marking [qa-] for desktop QA verification. FxOS QA may choose to verify at a later date.
Whiteboard: [adv-main30+] → [adv-main30+][qa-]
As far as I can tell SeaMonkey 2.26 (Gecko 29) is not affected by this bug, hence unaffected.
Group: core-security