Crash in mozilla::net::Http2Session::FlushOutputQueue
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | wontfix |
firefox-esr78 | --- | wontfix |
firefox55 | --- | unaffected |
firefox56 | --- | wontfix |
firefox57 | - | wontfix |
firefox58 | + | wontfix |
firefox59 | --- | wontfix |
firefox60 | --- | wontfix |
firefox81 | --- | wontfix |
firefox82 | --- | wontfix |
firefox83 | --- | wontfix |
firefox84 | --- | wontfix |
firefox85 | --- | wontfix |
firefox92 | --- | wontfix |
firefox93 | --- | fixed |
firefox94 | --- | fixed |
People
(Reporter: philipp, Assigned: dragana)
Details
(4 keywords, Whiteboard: [necko-triaged][sec-survey])
Attachments
(1 file, 6 obsolete files)
(deleted), text/x-phabricator-request | dveditz: sec-approval+
Comment 52•6 years ago
I don't see crashes for current releases, is this still a pertinent bug? Would you update the priority if not?
Comment 53•6 years ago
(In reply to Emma Humphries, Bugmaster ☕️🎸🧞♀️✨ (she/her) [:emceeaich] (UTC-8) needinfo? me from comment #52)
> I don't see crashes for current releases, is this still a pertinent bug? Would you update the priority if not?
Given the low crash rate and lack of crashes in recent releases, I don't think this is a high priority anymore.
Comment 54•5 years ago
The leave-open keyword is there and there is no activity for 6 months.
:valentin, maybe it's time to close this bug?
Comment 55•5 years ago
No crashes in recent builds. I think it's safe to close.
Comment 56•5 years ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Comment 57•4 years ago
Although happening at a low rate, this signature is still there and half of them are scary EXCEPTION_ACCESS_VIOLATION_EXEC crashes.
Comment 60•4 years ago
Comment on attachment 9181215 [details]
Bug 1402014 - Make nsAHttpSegmentReader refcounted r=dragana
Security Approval Request
- How easily could an exploit be constructed based on the patch?: With difficulty. The scenario of how mSegmentReader becomes a dangling pointer is hard to pin down. Our fix was to turn it into a refPtr to avoid such issues.
Even if a scenario to reproduce the UAF after free were discovered by attackers, all they could do is call ReadSegments on that pointer - most likely crashing.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Grafts successfully onto esr78.
- How likely is this patch to cause regressions; how much testing does it need?: There is a chance for regressions due to altering the lifetime of Http2Stream.
I'd like this to have some time Nightly/Beta before it hits release.
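The approach described in the security approval request above is to replace a raw pointer with a strong reference so the reader cannot be freed while the session still holds it. A simplified model of that pattern, added here as an illustration and not taken from the Firefox patch; `SegmentReader`, `StrongRef`, `Session` and `FlushAfterOwnerRelease` are hypothetical stand-ins:

```cpp
#include <cstddef>

// Simplified model; class names are hypothetical, not Mozilla's code.
static int gLiveReaders = 0;

class SegmentReader {  // stands in for a refcounted reader interface
  int mRefCnt = 0;
  ~SegmentReader() { --gLiveReaders; }  // only Release() may destroy it
 public:
  SegmentReader() { ++gLiveReaders; }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  std::size_t ReadSegments(std::size_t count) { return count; }
};

template <class T>
class StrongRef {  // minimal strong reference holder
  T* mPtr = nullptr;
 public:
  StrongRef() = default;
  StrongRef(const StrongRef&) = delete;
  StrongRef& operator=(const StrongRef&) = delete;
  ~StrongRef() { reset(nullptr); }
  void reset(T* p) { if (p) p->AddRef(); if (mPtr) mPtr->Release(); mPtr = p; }
  T* get() const { return mPtr; }
};

struct Session {
  StrongRef<SegmentReader> mSegmentReader;  // strong ref instead of a raw pointer
  std::size_t Flush(std::size_t n) {
    return mSegmentReader.get() ? mSegmentReader.get()->ReadSegments(n) : 0;
  }
};

// The owner drops its reference while the session still holds one, then the
// session flushes. With a raw pointer the reader would already be destroyed.
std::size_t FlushAfterOwnerRelease(int* liveDuringFlush) {
  Session session;
  SegmentReader* owner = new SegmentReader();
  owner->AddRef();
  session.mSegmentReader.reset(owner);
  owner->Release();                        // refcount 2 -> 1, object survives
  *liveDuringFlush = gLiveReaders;         // 1: the session keeps it alive
  std::size_t n = session.Flush(16);       // safe call on a live object
  session.mSegmentReader.reset(nullptr);   // last reference gone, destroyed
  return n;
}

int main() { int live = 0; return FlushAfterOwnerRelease(&live) == 16 && live == 1 ? 0 : 1; }
```
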
Comment 61•4 years ago
Comment on attachment 9181215 [details]
Bug 1402014 - Make nsAHttpSegmentReader refcounted r=dragana
sec-approval+, a=dveditz for beta uplift
Comment 62•4 years ago
Make nsAHttpSegmentReader refcounted r=dragana,necko-reviewers
https://hg.mozilla.org/integration/autoland/rev/4298e31c3a86f0f17a0f42618ba49d7db03027a0
Comment 64•4 years ago
Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information
Comment 65•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 67•4 years ago
It seems it didn't fix the problem 🙁
https://crash-stats.mozilla.org/report/index/a0ec32f0-3d45-40ba-8079-b36210201023
Comment 68•4 years ago
Comment on attachment 9181215 [details]
Bug 1402014 - Make nsAHttpSegmentReader refcounted r=dragana
Clearing the beta approval to get this off the needs-uplift radar.
Comment 69•4 years ago
Dragana said she'd take a look when possible.
Comment 70•3 years ago (Assignee)
This is probably fixed by one of the patches in bug 1667102.