Closed Bug 1625227 Opened 5 years ago Closed 5 years ago

Crash in [@ mozilla::dom::ClientMatchPrincipalInfo]

Categories

(Core :: DOM: Service Workers, defect)

Product:
Core
Component:
DOM: Service Workers
Version:
76 Branch
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 blocking verified

People

(Reporter: calixte, Assigned: perry)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords)

Crash Data

This bug is for crash report bp-4eed3ca0-71cd-428e-9ba4-41fc30200326.

Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::ClientMatchPrincipalInfo ipc/ipdl/_ipdlheaders/mozilla/ipc/PBackgroundSharedTypes.h:504
1 libxul.so mozilla::dom::ClientHandleParent::FoundSource dom/clients/manager/ClientHandleParent.cpp:94
2 libxul.so mozilla::MozPromise<mozilla::dom::ClientSourceParent*, mozilla::CopyableErrorResult, false>::ThenValue<mozilla::dom::ClientHandleParent::Init xpcom/threads/MozPromise.h:727
3 libxul.so mozilla::MozPromise<mozilla::dom::ClientSourceParent*, mozilla::CopyableErrorResult, false>::ThenValueBase::ResolveOrRejectRunnable::Run xpcom/threads/MozPromise.h:403
4 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1220
5 libxul.so mozilla::ipc::MessagePumpForNonMainThreads::Run xpcom/threads/nsThreadUtils.cpp:481
6 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:290
7 libxul.so nsThread::ThreadFunc xpcom/threads/nsThread.cpp:464
8 libnspr4.so _pt_root nsprpub/pr/src/pthreads/ptthread.c:201
9 libpthread.so.0 libpthread.so.0@0x9668

There are 8 crashes (from 7 installations) in nightly 76 with buildid 20200326093308. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1584007.

[1] https://hg.mozilla.org/mozilla-central/rev?node=00eda7b39a13

Flags: needinfo?(perry)

At least bp-b72640f0-e89c-4660-881a-5bbaf0200327 looks like a UAF.

Group: dom-core-security
Keywords: csectype-uaf

Julien, should we hide then bug 1625243, too?

Flags: needinfo?(jcristau)

There is also bug 1625255 that seems related, at least the one on Windows I looked at.

Crash Signature: [@ mozilla::dom::ClientMatchPrincipalInfo] → [@ mozilla::dom::ClientMatchPrincipalInfo] [@ mozilla::dom::ClientMatchPrincipalInfo(mozilla::ipc::PrincipalInfo const&, mozilla::ipc::PrincipalInfo const&)]

We might want to back out bug 1584007 given the volume here.

Crash Signature: [@ mozilla::dom::ClientMatchPrincipalInfo] [@ mozilla::dom::ClientMatchPrincipalInfo(mozilla::ipc::PrincipalInfo const&, mozilla::ipc::PrincipalInfo const&)] → [@ mozilla::dom::ClientMatchPrincipalInfo] [@ mozilla::dom::ClientMatchPrincipalInfo(mozilla::ipc::PrincipalInfo const&, mozilla::ipc::PrincipalInfo const&)]
tracking-firefox76: +blocking
Flags: needinfo?(jcristau)
Keywords: topcrash

This bug is tracked by a release manager but with a small severity so change it to major.
For more information, please visit auto_nag documentation.

Severity: normal → major
Keywords: sec-high

Should be fixed by backout now in the next run of Nightly builds.

Assignee: nobody → perry
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox76: affectedfixed
Flags: needinfo?(perry)
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

I believe I've identified the bug and will add it in when re-landing bug 1584007.

Status: RESOLVED → VERIFIED
status-firefox76: fixedverified
Group: core-security-release
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.