Closed
Bug 976838
Opened 11 years ago
Closed 6 years ago
Deleting ProcessLink before ::Open may access uninitialized mTransport/mIOLoop
Categories
(Core :: IPC, defect, P3)
Core
IPC
Tracking
()
RESOLVED
FIXED
People
(Reporter: johns, Unassigned)
References
Details
(Keywords: csectype-uninitialized, sec-other)
Attachments
(1 file)
1.10 KB,
patch
|
bent.mozilla
:
review+
|
Details | Diff | Splinter Review |
In bug 974933, we're crashing deleting a PluginModuleParent -> PPluginModuleParent -> MessageChannel -> ProcessLink. I believe I've tracked this down to ProcessLink::Open not being called due to an abort [1], which means mTransport and mIOLoop are never initialized, resulting in a bogus |mTransport->set_listener(0)| [2]
[1] http://dxr.mozilla.org/mozilla-central/source/dom/plugins/ipc/PluginModuleParent.cpp#101
[2] http://dxr.mozilla.org/mozilla-central/source/ipc/glue/MessageLink.cpp#69
Reporter | ||
Comment 1•11 years ago
|
||
Looks like this was introduced in bug 901789. Unsure if this code gets used in b2g
Blocks: 901789
status-b2g-v1.3:
--- → ?
status-b2g-v1.3T:
--- → ?
status-b2g-v1.4:
--- → ?
status-firefox27:
--- → affected
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox30:
--- → affected
status-firefox-esr24:
--- → unaffected
Reporter | ||
Comment 2•11 years ago
|
||
Attachment #8381782 -
Flags: review?(bent.mozilla)
Comment on attachment 8381782 [details] [diff] [review]
Initialize mTransport/mIOLoop in constructor
Review of attachment 8381782 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks!
Attachment #8381782 -
Flags: review?(bent.mozilla) → review+
Let's backport this as far as it needs to go.
Updated•11 years ago
|
Comment 5•11 years ago
|
||
I'm going to say sec-high. Feel free to adjust.
Keywords: csectype-uninitialized,
sec-high
Reporter | ||
Comment 6•11 years ago
|
||
@bent Do you know if this code is only used by plugin-IPC or should it apply to b2g as well?
Flags: needinfo?(bent.mozilla)
Well, now that I'm looking at this more closely I'm not sure this is such a big deal after all. The issue isn't that PluginModuleParent is created/destroyed and Open never called, it's that ProcessLink could be created and destroyed with Open never being called.
I don't see anywhere where that could happen given this:
http://mxr.mozilla.org/mozilla-central/source/ipc/glue/MessageChannel.cpp#296
We should still fix this though.
Am I missing anything here?
Flags: needinfo?(bent.mozilla)
Comment on attachment 8381782 [details] [diff] [review]
Initialize mTransport/mIOLoop in constructor
Review of attachment 8381782 [details] [diff] [review]:
-----------------------------------------------------------------
::: ipc/glue/MessageLink.cpp
@@ +59,5 @@
> ProcessLink::ProcessLink(MessageChannel *aChan)
> : MessageLink(aChan),
> + mExistingListener(nullptr),
> + mTransport(nullptr),
> + mIOLoop(nullptr)
Oh, please make sure these are in the correct order.
Comment 9•11 years ago
|
||
The crash at https://crash-stats.mozilla.com/report/index/eb39173b-4faa-4dcc-b47e-ca1862140219 clearly indicates that we're operating on poisoned memory.
Uninitialized is a possibility although bent's right that this seems unlikely. It's also possible that we're just operating on a dead object and have a dangling pointer. Here are the possibilities I can think of:
* double-deleting the PluginModuleParent
* the channel is a member of PluginModuleParent so that's not a problem
* in MessageChannel::Clear the pointer mLink
* in ProcessLink::~ProcessLink the pointer to mTransport
* in Channel::set_listener the pointer to channel_impl_
My intuition is that we're somehow deleting the PluginModuleParent nested inside its own destructor somehow.
Reporter | ||
Comment 10•11 years ago
|
||
You're right, I was under the impression ::Open() was called directly from ModuleParent::Open. If that's not happening, that can't be the cause. Argh.
Comment 11•11 years ago
|
||
John, what sort of security rating should this get? Is this not actually an issue after all? Or maybe something like sec-moderate? Thanks.
Reporter | ||
Comment 12•11 years ago
|
||
I think per comment 7 this isn't a security issue, though it should probably stay protected until the memory corruption issue it's talking about is resolved (or, the relevant comments all hidden, I guess)
Updated•9 years ago
|
Group: core-security → dom-core-security
Comment 13•8 years ago
|
||
Is this still relevant?
status-b2g-v1.3:
? → ---
status-b2g-v1.3T:
? → ---
status-b2g-v1.4:
? → ---
status-firefox27:
wontfix → ---
status-firefox28:
affected → ---
status-firefox29:
affected → ---
status-firefox30:
affected → ---
status-firefox-esr24:
unaffected → ---
Flags: needinfo?(jld)
Comment 14•8 years ago
|
||
Probably still relevant, but there have been some changes to the IPC core over the past few years. :billm might know.
Flags: needinfo?(jld) → needinfo?(wmccloskey)
The original crash seems to have gone away. There's a patch that initializes some stuff, which is nice. But I don't think this stuff should ever be accessed before Open, when it's currently initialized. The patch still seems nice to guard against unspecified badness, but I don't think we need to spend too much time wondering how the crash might have happened or got fixed.
Perhaps we should just take the patch and close the bug. Does that sound okay to you Jed?
Flags: needinfo?(wmccloskey) → needinfo?(jld)
Updated•7 years ago
|
Assignee: john → nobody
Status: ASSIGNED → NEW
Priority: -- → P2
Comment 17•6 years ago
|
||
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Comment 18•6 years ago
|
||
This was actually fixed by the patch for bug 1044322.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
|
Group: dom-core-security → core-security-release
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•