Closed Bug 969517 Opened 10 years ago Closed 10 years ago

Faulty/ASan: heap-use-after-free of a LayerComposite that was destroyed by ContainerLayer::RemoveChild

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox29 --- wontfix
firefox30 + fixed
firefox-esr24 --- wontfix
b2g-v1.4 --- fixed
seamonkey2.26 --- unaffected

People

(Reporter: bjacob, Assigned: bjacob)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main30+][qa-])

Attachments

(2 files)

Faulty/ASan session
18.63 KB, text/plain
Details
Another Faulty/ASan session
27.53 KB, text/plain
Details
Attached file Faulty/ASan session 
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067
Summary: Faulty/ASan: heap-use-after-free of a Layer, in ShadowLayerParent::ActorDestroy, that was destroyed by ContainerLayer::RemoveChild → Faulty/ASan: heap-use-after-free of a LayerComposite that was destroyed by ContainerLayer::RemoveChild
Updated the bug title to reflect the invariants between these two ASan sessions, which are likely the same bug.
Depends on: 970747
Fixed by the landing of shadow layer updates validation fixes, bug 970747.
Assignee: nobody → bjacob
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
status-b2g-v1.4: affectedfixed
status-firefox30: affectedfixed
Target Milestone: --- → mozilla30
Did this affect ESR24 at all?
status-firefox-esr24: --- → ?
The bug exists in ESR24 as well, but this is only a security issue with e10s which is not enabled in ESR24, so I wouldn't bother about it. (In the same-process case, if the client here is compromised so it can send evil messages to the parent, then all is already lost, because the client and parent are the same process).
Marking [qa-] for verification, lack of test case.
Whiteboard: [adv-main30+]
Marking [qa-] for desktop QA verification. FxOS QA may choose to verify at a later date.
Whiteboard: [adv-main30+] → [adv-main30+][qa-]
as far as I can tell SeaMonkey 2.26 (Gecko 29) is not affected by this bug, hence unaffected.
status-seamonkey2.26: --- → unaffected
Group: core-security
You need to log in before you can comment on or make changes to this bug.