Closed
Bug 967808
Opened 10 years ago
Closed 10 years ago
Faulty: crash in free() under _moz_pixman_region32_copy under nsRegion::Copy under LayerTransactionParent::RecvUpdate
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: bjacob, Assigned: bjacob)
References
(Blocks 1 open bug)
Details
(Keywords: sec-critical, Whiteboard: [qa-])
Attachments
(2 files)
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067
Assignee | ||
Comment 1•10 years ago
|
||
free() crashes are often double frees, but here, see the GDB session attached, this doesn't look like already-freed memory. So I don't know what to make of this.
Updated•10 years ago
|
Group: core-security
Assignee | ||
Comment 2•10 years ago
|
||
Note: found while running css-blending reftests.
Comment 3•10 years ago
|
||
Sounds memory-corruptiony. Can you run the Faulty fuzzer with ASAN?
Assignee | ||
Comment 4•10 years ago
|
||
Should be trivial, since the fuzzer is orthogonal to compiler or memory allocator considerations. Remind me how to enable ASAN?
Comment 5•10 years ago
|
||
There's info about it here: https://developer.mozilla.org/en-US/docs/Building_Firefox_with_Address_Sanitizer
Assignee | ||
Comment 6•10 years ago
|
||
Thanks; my future reports will be with an ASAN build.
Assignee | ||
Comment 7•10 years ago
|
||
Classification: PLayerTransactionParent, memory corruption, hard.
Assignee | ||
Comment 8•10 years ago
|
||
Assignee | ||
Comment 9•10 years ago
|
||
Andrew, the new log says it's using ASan at the top, and there is __asan::AsanThread::ThreadStart in the crash callstack, so I assume that ASan is taking effect here. Does this tell you anything? Did I have to do something different?
Assignee | ||
Updated•10 years ago
|
Flags: needinfo?(continuation)
Assignee | ||
Comment 10•10 years ago
|
||
#1 0x00002aaab488c400 in nsRegion::Copy (this=0x617000214cd8, aRegion=...) at ../../dist/include/nsRegion.h:260 260 pixman_region32_copy(&mImpl, aRegion.Impl()); (gdb) p mImpl $3 = {extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, data = 0x3ff0000000000000} (gdb) p aRegion.Impl() $4 = (pixman_region32_t *) 0x62100088138c (gdb) p *aRegion.Impl() $5 = {extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, data = 0x2aaad4b87040}
Assignee | ||
Comment 11•10 years ago
|
||
Er, this looks like a bad pointer: (gdb) p mImpl.data $6 = (pixman_region32_data_t *) 0x3ff0000000000000 Looks like either something scribbled a region we're passing to pixman, or we're reinterpreting something else as a region.
Assignee | ||
Comment 12•10 years ago
|
||
Classification: PLayerTransaction, memory corruption, hard
Comment 13•10 years ago
|
||
Hmm. Yeah, that is certainly not producing an ASAN report. Maybe running it under the debugger interferes with how ASAN deals with a SIGSEV? Maybe decoder has some idea? An ASAN report will start out looking more like ==5650==ERROR: AddressSanitizer: heap-use-after-free on address 0xwhatever at pc [...] READ of size 8 at 0xsomething thread T0
Updated•10 years ago
|
Flags: needinfo?(continuation) → needinfo?(choller)
Assignee | ||
Comment 14•10 years ago
|
||
Ah, sure, GDB is catching the segfault before ASan can. But the above session still shows that there is no ASan-caught memory corruption before we crash, right?
Comment 15•10 years ago
|
||
Yeah, it sounds like it isn't a use-after-free at least, and we're just accessing some kind of garbage.
Assignee | ||
Updated•10 years ago
|
Depends on: PReinterpretCast
Comment 16•10 years ago
|
||
It's certainly possible to crash without triggering any ASan mechanisms other than ASan's internal SIGSEGV handler (which will not be triggered if GDB catches the signal first). This will for example happen if we directly access a memory address that is not accessible but also has never been accessible before (so ASan doesn't consider it uaf or anything else).
Flags: needinfo?(choller)
Comment 17•10 years ago
|
||
Sounds bad. Assigning to bjacob as he seems to be looking at the blocking bug already.
Assignee: nobody → bjacob
Keywords: sec-critical
Updated•10 years ago
|
status-firefox27:
--- → ?
status-firefox28:
--- → ?
status-firefox29:
--- → ?
status-firefox30:
--- → affected
status-firefox-esr24:
--- → unaffected
tracking-firefox30:
--- → +
Assignee | ||
Comment 18•10 years ago
|
||
Fixed by the landing of PLayerTransaction type checks before casting layers, bug 968833.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
Target Milestone: --- → mozilla30
Comment 19•10 years ago
|
||
Benoit, is this one of the fixes that you don't think makes sense to take on Aurora and Beta?
Assignee | ||
Comment 20•10 years ago
|
||
Yes, so do generally all blockers (or blockers of blockers) of bug 963790.
Updated•10 years ago
|
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•