Use-After-Free Crash in MergeState::UpdateContainerASR
Categories: Core :: Web Painting, defect, P3

Tracking

Release | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox63 | --- | wontfix
firefox64 | --- | wontfix
firefox65 | --- | fix-optional
firefox66 | --- | fix-optional
firefox67 | --- | fix-optional
People: Reporter: philipp, Unassigned
References: Blocks 1 open bug
Details: 5 keywords
Comment 7 • 6 years ago

> (In reply to Jessie [:jbonisteel] plz needinfo from comment #6)
> Miko, does this bug look actionable?

Sadly, no. This looks like it belongs to a class of stalled bugs where the display item/display item clip chain arena gets bogus/corrupted entries. The only lead we have here is that it seems to happen more often with Windows 7.
Comment 8 • 4 years ago

Removing employee no longer with company from CC list of private bugs.
Comment 10 • 2 years ago

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:tnikkel, could you consider increasing the severity of this security bug?
For more information, please visit auto_nag documentation.
Comment 11 • 1 year ago

There are only two crashes with this signature in the last 6 months. One in Fenix 86 that's crashing on the UAF poison value (consistent with the original report), and one in ESR 102.8 on Linux that looks like a bit-flip.
bp-1bbee9b8-8a67-4422-a29d-e335e0230302 crashes on an access of 0x08007f645a8f05e0 (rax + 0x20). Several other registers have values like 0x00007f645-------, reasonably close to the crashing address if you ignore that one highish bit. Given we have a significant number of ESR 102 users and the former UAF crashes were not rare, we can safely assume this got fixed in another bug along the way.
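As an added triage example (not code from the bug report or from Mozilla), the script below mechanises the distinction drawn in the comment above: a fault address that is the free-poison fill plus a small field offset points at a use-after-free, while an address that becomes "near" another register once a single bit is cleared points at a bit flip. It assumes the 0xe5 free-poison byte used by mozjemalloc, a 16 MiB "nearby" window, and constructed register values alongside the crash address quoted above.

```python
from dataclasses import dataclass
from typing import Optional

POISON_BYTE = 0xE5   # mozjemalloc fills freed memory with 0xe5 (assumed here)
ADDR_BITS = 64


@dataclass
class Verdict:
    kind: str                     # "uaf-poison", "bit-flip" or "unknown"
    bit: Optional[int] = None     # flipped bit index, for "bit-flip"
    register: Optional[str] = None


def looks_poisoned(addr: int, poison: int = POISON_BYTE) -> bool:
    """True if the upper 48 bits of addr are the poison fill. The low 16 bits
    are ignored so that 'poisoned pointer + field offset' (e.g. rax + 0x20)
    still matches."""
    pattern = int.from_bytes(bytes([poison]) * 6, "big")
    return (addr >> 16) == pattern


def nearest_bit_flip(addr: int, regs: dict, window: int = 1 << 24):
    """Return (bit, register) if flipping exactly one bit of addr lands within
    `window` bytes of some register value that is not already near addr."""
    # Registers already near the fault address (e.g. the base register the
    # access was computed from) are not evidence of a flip; skip them.
    far = {n: v for n, v in regs.items() if abs(addr - v) >= window}
    best = None
    for bit in range(ADDR_BITS):
        candidate = addr ^ (1 << bit)
        for name, value in far.items():
            dist = abs(candidate - value)
            if dist < window and (best is None or dist < best[2]):
                best = (bit, name, dist)
    return None if best is None else (best[0], best[1])


def classify(addr: int, regs: dict) -> Verdict:
    if looks_poisoned(addr):
        return Verdict("uaf-poison")
    hit = nearest_bit_flip(addr, regs)
    if hit:
        return Verdict("bit-flip", bit=hit[0], register=hit[1])
    return Verdict("unknown")


if __name__ == "__main__":
    # Crash address from the comment; register values are constructed.
    regs = {"rax": 0x08007F645A8F05C0, "rbx": 0x00007F645A8E0000,
            "rsp": 0x00007FFC12345678}
    print(classify(0x08007F645A8F05E0, regs))   # bit-flip of bit 59 near rbx
```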
Comment 12 • 1 year ago

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.