Closed Bug 1416227 Opened 7 years ago Closed 7 years ago

Firefox 58.0a1 Crash Report [@ mozilla::net::nsHttpChannel::ProcessId ]

Categories

(WebExtensions :: Request Handling, defect, P2)

57 Branch
defect

Tracking

(firefox-esr52 unaffected, firefox59 fixed)

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- fixed

People

(Reporter: kernp25, Assigned: kmag)

References

Details

(Keywords: crash, regression)

Crash Data

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0 Build ID: 20171110100139 Steps to reproduce: This code crashes firefox after some time (e.g. if you reload all tabs, load some sites...) function listener(details) { let filter = browser.webRequest.filterResponseData(details.requestId); filter.ondata = event => { filter.write(event.data); filter.disconnect(); } } browser.webRequest.onBeforeRequest.addListener( listener, {urls: ["<all_urls>"]}, ["blocking"] ); Actual results: Here are the crash reports: https://crash-stats.mozilla.com/report/index/bp-4908d9ee-4279-48a9-9d17-0dbe60171110 https://crash-stats.mozilla.com/report/index/bp-35ee4760-2fb8-44ff-b96d-bb0970171110 https://crash-stats.mozilla.com/report/index/bp-cf7ffdd0-f0f1-4fc1-bb74-1d1780171110 https://crash-stats.mozilla.com/report/index/bp-6c4b127e-c43f-4526-afd7-98c360171110
Flags: needinfo?(kmaglione+bmo)
My Firefox version: 58.0a1 (2017-11-10) (32-Bit)
Hm. Looks like a UAF on the HttpChannelParent. Not entirely sure how that's possible, though. The vtable lookup for the QueryInterface should have failed, in that case...
Flags: needinfo?(kmaglione+bmo)
Priority: -- → P2
hiding as UAF.
Group: toolkit-core-security
Crash Signature: [@ mozilla::net::nsHttpChannel::ProcessId]
the signature started getting more common starting on 2018-01-10. also copying over some info from the dupe: this crash signature is regressing in firefox 57 with bug 1255894. on release it's 100% correlated to the presence of the "NoScript Security Suite" addon and many user comments link the crash to interacting with the XSS popup, a couple of times in relation to tumblr as well: https://crash-stats.mozilla.com/signature/?signature=mozilla%3A%3Anet%3A%3AnsHttpChannel%3A%3AProcessId&date=%3E%3D2017-12-24#comments
Blocks: 1255894
Severity: normal → critical
Has Regression Range: --- → yes
Has STR: --- → yes
Keywords: crash, regression
OS: Unspecified → All
Hardware: Unspecified → All
Version: unspecified → 57 Branch
(In reply to [:philipp] from comment #6) > this crash signature is regressing in firefox 57 with bug 1255894. on > release it's 100% correlated to the presence of the "NoScript Security > Suite" addon and many user comments link the crash to interacting with the > XSS popup, a couple of times in relation to tumblr as well: Indeed, on some Tumblr pages a XSS false positive is triggered causing NoScript to attempt a window.name sanitization involving filterResponseData(). Not sure if this is relevant, but when this happens after a "XSS popup" as the reporters call it, the channel has been suspended for a certain time (until the popup is dismissed) and then resumed before the stream filter being used, which might be the actual trigger of bug 1430508. Both things (the false positive and using stream filters to sanitize) are going away from NoScript in Firefox 58 (thanks to contentScripts.register()), but I do hope the stream filter is fixed because there are other useful usages for that.
Yes, bug 1430508 should have fixed this. (In reply to Giorgio Maone [:mao] from comment #8) > Not sure if this is relevant, but when this happens after a "XSS popup" as > the reporters call it, the channel has been suspended for a certain time > (until the popup is dismissed) and then resumed before the stream filter > being used, which might be the actual trigger of bug 1430508. Yes, it's probably relevant. This mostly seems to happen when the content process that initiated a request shuts down before we try to attach a stream filter. Suspending the request for an extended period of time before attaching the stream filter would tend to make that more likely.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Assignee: nobody → kmaglione+bmo
Target Milestone: --- → mozilla59
Group: toolkit-core-security → core-security-release
Product: Toolkit → WebExtensions
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.