Re: [tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
#16495: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
-------------------------+-------------------------------------------------
 Reporter:  gk           |      Owner:  tbb-team
 Type:  defect           |     Status:  new
 Priority:  critical     |  Milestone:
 Component:  Tor Browser |    Version:
 Resolution:             |   Keywords:  tbb-crash, tbb-5.0a, TorBrowserTeam201507
 Actual Points:          |  Parent ID:
 Points:                 |
-------------------------+-------------------------------------------------
Comment (by mcs):
Replying to [comment:4 gk]:
> After building a recent GDB I got a better stacktrace:
> {{{
> Program received signal SIGSEGV, Segmentation fault.
> 0xb3d62e2a in BaseType (this=0x5a5a5a5a)
> at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
> 455 /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h: Datei oder Verzeichnis nicht gefunden.
> (gdb) bt
> #0 0xb3d62e2a in BaseType (this=0x5a5a5a5a)
> at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
> #1 nsAttrValue::Type (this=0x5a5a5a5a)
> at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:186
> #2 0xb3d62f45 in nsAttrValue::GetAtomCount (this=0x5a5a5a5a)
The new stacktrace is much better.

The "this=0x5a5a5a5a" indicates a UAF. Now the question is "How did we
get to that state?"

Maybe look at aElement within RuleHash::EnumerateAllRules() or higher in
the call stack to see if the entire element has been freed?

I was hoping that a debug build might shed more light on this crash, but I
foolishly picked Win32 instead of Linux32 because I know my old Linux
system has hopelessly old tools (not good for compiling or debugging)...
and of course my non-Gitian Windows build has failed a couple of times so
far (at the moment I am stuck on unresolved symbols when trying to link
libxul).

Unfortunately, Kathy and I are traveling this weekend (starting in an hour
or so) and will only have sporadic access to the net. So someone else
will need to debug this, or we will look at it on Monday. Sorry for the
bad timing :(

I did encounter one compile error that has an obvious fix while trying to
complete a Windows debug build; I opened #16497 for that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16495#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
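
Added example, not part of the original message or of Tor Browser's code: a small triage helper that scans a gdb backtrace for pointer arguments made of one repeated fill byte, which is the reasoning behind reading "this=0x5a5a5a5a" as a use-after-free. It assumes jemalloc-style junk filling (0x5a written over freed memory, 0xa5 over fresh allocations); the function names and frame #3 of the sample are constructed for illustration.

```python
import re

# Assumption: the allocator junk-fills like jemalloc, writing 0x5a over freed
# memory and 0xa5 over fresh, uninitialised allocations.
FILL_BYTES = {
    0x5A: "freed memory, likely use-after-free",
    0xA5: "uninitialised allocation",
}

# Matches gdb "bt" frame lines such as "#2 0xb3d62f45 in Foo::Bar (this=0x...)".
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) \((.*?)\)(?:\s.*)?$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")


def fill_byte(value):
    """Return the byte if value is that byte repeated over 4 or 8 bytes."""
    byte = value & 0xFF
    for width in (4, 8):
        if value == int.from_bytes(bytes([byte]) * width, "big"):
            return byte
    return None


def flag_poisoned_frames(backtrace):
    """Return (frame, function, argument, meaning) for junk-pattern pointers."""
    findings = []
    for line in backtrace.splitlines():
        match = FRAME_RE.match(line.strip())
        if not match:
            continue  # "at file:line" continuations and other gdb output
        frame, function, args = match.groups()
        for name, raw in ARG_RE.findall(args):
            meaning = FILL_BYTES.get(fill_byte(int(raw, 16)))
            if meaning:
                findings.append((int(frame), function, name, meaning))
    return findings


# Frames #0-#2 are from the trace quoted above; frame #3 is constructed.
SAMPLE_BT = """\
#0 0xb3d62e2a in BaseType (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
#1 nsAttrValue::Type (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:186
#2 0xb3d62f45 in nsAttrValue::GetAtomCount (this=0x5a5a5a5a)
#3 0xb3d63010 in example_caller (elem=0x9c3f2a40)
"""

if __name__ == "__main__":
    for finding in flag_poisoned_frames(SAMPLE_BT):
        print("frame #%d %s: %s -> %s" % finding)
```

The lowest-numbered clean frame above the flagged ones is where to start inspecting the object's owner, which is the "higher in the call stack" step suggested in the comment.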