Closed Bug 1095925 (CVE-2015-0824) Opened 5 years ago Closed 5 years ago

SEGV in mozilla::layers::BufferTextureClient::AllocateForSurface

Categories: Core :: Graphics: Layers, defect
Platform: All / Linux
Type: defect
Importance: Not set

Tracking: RESOLVED FIXED, mozilla36
Tracking Status:
firefox35 --- wontfix
firefox36 --- fixed
firefox-esr31 --- wontfix

People: Reporter: attekett, Assigned: milan

Details: Keywords: sec-moderate, Whiteboard: [adv-main36+]

Attachments (2 files)

Attached file repro-file.html
Tested on:

OS: Ubuntu 14.04

Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1415445665/

I'm guessing the component this issue belongs to. Feel free to change it if I got it wrong.

Repro file is attached. Note: you might need to resize the Firefox window to find the size at which the crash occurs.

ASAN-trace:

GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(34013184,2) Cairo Status: 32
GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(34013184,2) Cairo Status: 32
GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(8421376,1) Cairo Status: 32
GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(8421376,1) Cairo Status: 32
ASAN:SIGSEGV
=================================================================
==14686==ERROR: AddressSanitizer: SEGV on unknown address 0x7f2229ae2000 (pc 0x7f235ac9709d sp 0x7fff815ce9b8 bp 0x7fff815ce9f0 T0)
    #0 0x7f235ac9709c in memset ??:0:0
    #1 0x45f042 in __interceptor_memset _asan_rtl_:0
    #2 0x7f235ea334df in mozilla::layers::BufferTextureClient::AllocateForSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::TextureAllocationFlags) /builds/slave/m-cen-l64-asan-000000000000000/build/gfx/layers/client/TextureClient.cpp:677:0
    #3 0x7f235ea22614 in mozilla::layers::TextureClient::CreateForDrawing(mozilla::layers::ISurfaceAllocator*, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::BackendType, mozilla::layers::TextureFlags, mozilla::layers::TextureAllocationFlags) /builds/slave/m-cen-l64-asan-000000000000000/build/gfx/layers/client/TextureClient.cpp:350:0
    #4 0x7f235ea249b3 in CreateTextureClientForDrawing /builds/slave/m-cen-l64-asan-000000000000000/build/gfx/layers/client/CompositableClient.cpp:210:0
    #5 0x7f235ea249b3 in mozilla::layers::ContentClientRemoteBuffer::CreateBackBuffer(nsIntRect const&) /builds/slave/m-cen-l64-asan-000000000000000/build/gfx/layers/client/ContentClient.cpp:302:0
    #6 0x7f235ea24f2a in BuildTextureClients /builds/slave/m-cen-l64-asan-000000000000000/build/gfx/layers/client/ContentClient.cpp:295:0
    #7 0x7f235ea24f2a in mozilla::layers::ContentClientRemoteBuffer::CreateBuffer(gfxContentType, nsIntRect const&, unsigned int, mozilla::RefPtr<mozilla::gfx::DrawTarget>*, mozilla::RefPtr<mozilla::gfx::DrawTarget>*) /builds/slave/m-cen-l64-asan-000000000000000/build/gfx/layers/client/ContentClient.cpp:331:0
    #8 0x7f235e982c8b in mozilla::layers::RotatedContentBuffer::BeginPaint(mozilla::layers::PaintedLayer*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/gfx/layers/RotatedBuffer.cpp:648:0
    #9 0x7f235ea36021 in mozilla::layers::ContentClientRemoteBuffer::BeginPaintBuffer(mozilla::layers::PaintedLayer*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/gfx/layers/../../dist/include/mozilla/layers/ContentClient.h:214:0
.
.
.

Output from debug build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan-debug/1415445665/

.
.
.
[Child 15255] WARNING: Overflowed nscoord_MAX in conversion to nscoord height: file ../../dist/include/nsRect.h, line 95
[Child 15255] WARNING: Overflowed nscoord_MAX in conversion to nscoord height: file ../../dist/include/nsRect.h, line 95
[Child 15255] WARNING: Surface size too large (exceeds caller's limit)!: file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/thebes/gfxASurface.cpp, line 394
[Child 15255] ###!!! ASSERTION: creating Xlib surface failed!: 'Error', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/layers/basic/TextureClientX11.cpp, line 113
[Child 15255] WARNING: Failed to allocate a TextureClient, falling back to BufferTextureClient.: file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/layers/client/TextureClient.cpp, line 344
GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(34013184,2) Cairo Status: 32
GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(34013184,2) Cairo Status: 32
[Child 15255] WARNING: Surface size too large (exceeds caller's limit)!: file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/thebes/gfxASurface.cpp, line 394
[Child 15255] ###!!! ASSERTION: creating Xlib surface failed!: 'Error', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/layers/basic/TextureClientX11.cpp, line 113
[Child 15255] WARNING: Failed to allocate a TextureClient, falling back to BufferTextureClient.: file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/layers/client/TextureClient.cpp, line 344
GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(8421376,1) Cairo Status: 32
GFX ERROR: Attempt to create DrawTarget for invalid surface. Size(8421376,1) Cairo Status: 32
[Child 15255] WARNING: Surface size too large (exceeds caller's limit)!: file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/thebes/gfxASurface.cpp, line 394
[Child 15255] WARNING: Surface size too large (would overflow)!: file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/thebes/gfxASurface.cpp, line 411
[Child 15255] ###!!! ASSERTION: creating Xlib surface failed!: 'Error', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/layers/basic/TextureClientX11.cpp, line 113
[Child 15255] WARNING: Failed to allocate a TextureClient, falling back to BufferTextureClient.: file /builds/slave/m-cen-l64-asan-d-0000000000000/build/gfx/layers/client/TextureClient.cpp, line 344

Program /home/attekett/Downloads/firefox-debug/plugin-container (pid = 15255) received signal 11.
Stack:
#01: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x10340]
#02: memset[/lib/x86_64-linux-gnu/libc.so.6 +0x8d09d]
#03: memset[/home/attekett/Downloads/firefox-debug/plugin-container +0x60ee3]

###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
.
.
.
Milan, how bad is this one? (Feel free to assign a sec-rating)
Flags: needinfo?(milan)

sec-moderate should cover this - we zero out some memory, I don't think that can be easily exploited?
Flags: needinfo?(milan)
Keywords: sec-moderate

Btw, error code 32 is, unsurprisingly, CAIRO_STATUS_INVALID_SIZE.
Assignee: nobody → milan
Flags: sec-bounty?

Atte questions the security rating for this. Atte, can you demonstrate why this should be rated higher than a sec-moderate issue?
Attachment #8523161 - Flags: review?(jmuizelaar) → review+

Comment on attachment 8523161
Propagate the error (in this case size based) up the chain.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not easily - we don't check for "large" values, which is what the real cause of the problem is.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Not really. Yes, we check the error status of some functions, but we don't give away how that error status could come to be.

Which older supported branches are affected by this flaw?

All.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Not risky, easy patch.

How likely is this patch to cause regressions; how much testing does it need?

It is possible that we hit an early exit where before we continued even with an error condition.

It is also possible this is not the actual fix - without being able to reproduce it, this is a guess as to what could be going on.
Attachment #8523161 - Flags: sec-approval?
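The shape of the fix described in this request, as an added example and not Gecko's own code: validate width * height * bytes-per-pixel in 64-bit arithmetic before allocating, and return a status that each caller up the chain checks instead of continuing to memset a buffer that was never obtained. The dimension and byte caps are constructed stand-ins for the "caller's limit" in the debug log; the rejected sizes are the ones from the GFX ERROR lines above.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <memory>
#include <new>

// Constructed caps standing in for the "caller's limit" named in the
// gfxASurface warnings; Gecko's actual limits are not given on the page.
constexpr int32_t kMaxDimension = 32767;
constexpr int64_t kMaxBytes = 512LL * 1024 * 1024;

// Compute width * height * bytesPerPixel in 64-bit arithmetic and reject
// both failure modes the debug log warns about ("exceeds caller's limit",
// "would overflow") before a single byte is allocated.
bool CheckedSurfaceBytes(int32_t w, int32_t h, int32_t bpp, size_t* out) {
    if (w <= 0 || h <= 0 || bpp <= 0 || bpp > 16) return false;
    if (w > kMaxDimension || h > kMaxDimension) return false;
    int64_t stride = int64_t(w) * bpp;            // <= 32767 * 16, no overflow
    if (stride > std::numeric_limits<int32_t>::max()) return false;
    int64_t total = stride * h;                   // < 2^46, fits in int64_t
    if (total > kMaxBytes) return false;
    *out = static_cast<size_t>(total);
    return true;
}

struct SurfaceBuffer {
    std::unique_ptr<uint8_t[]> data;
    size_t bytes = 0;
};

// Hardened allocate-and-zero: the size check and the allocation result are
// both reported to the caller, so memset only ever runs on a valid buffer.
bool AllocateForSurface(SurfaceBuffer& out, int32_t w, int32_t h, int32_t bpp) {
    size_t bytes = 0;
    if (!CheckedSurfaceBytes(w, h, bpp, &bytes)) return false;   // invalid size
    uint8_t* p = new (std::nothrow) uint8_t[bytes];
    if (!p) return false;                                        // allocation failed
    std::memset(p, 0, bytes);
    out.data.reset(p);
    out.bytes = bytes;
    return true;
}

// One level up the chain (the CreateBackBuffer analogue): propagate the
// failure instead of continuing to paint into a buffer that does not exist.
bool CreateBackBuffer(SurfaceBuffer& out, int32_t w, int32_t h) {
    return AllocateForSurface(out, w, h, 4 /* 32-bit BGRA, assumed */);
}
```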
Comment on attachment 8523161
Propagate the error (in this case size based) up the chain.

As a sec-moderate, this doesn't need sec-approval+ to go in. Only sec-high and sec-critical issues affecting multiple branches do.

So you can check this into trunk. If you wanted to backport this to Aurora or Beta, you'd need to nominate it. At this point, it probably won't get approved on Beta since we're shipping in less than two weeks and we only have one beta left.
Attachment #8523161 - Flags: sec-approval?

https://hg.mozilla.org/mozilla-central/rev/c38c0e99ea32
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36

@atte we are about to - this for the bug bounty based on its rating. If you have any additional information we can use to increase the rating let us know.

setting the sec-bounty flag to - per the above comment.
Flags: sec-bounty? → sec-bounty-

Go ahead. I can't currently prove it otherwise. Will let you know if something changes.
Whiteboard: [adv-main36+]
Alias: CVE-2015-0824

If I open the repro case here in my nightly build on OS X, it crashes all of my tabs. Build: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0

"Bad news first: This tab has crashed

Now for the good news: You can just close this tab, restore it or restore all your crashed tabs." 

Crash reports:
bp-1d0d60c1-9f1c-420a-82c5-c9cae2150220
bp-0209cde9-e28d-469f-9908-7d8db2150220
bp-1314a72e-f059-4d94-a000-903752150220

Is this actually fixed in 36 (and higher)?
Flags: needinfo?(milan)

This particular crash got fixed, but the same test still causes a crash (different stack), as you've discovered, on OS X.

Reopen this bug, or create a new one?
Flags: needinfo?(milan)

Created a new bug for the OS X crash - bug 1135066
OS: All → Linux

Ok. I'll proceed with the advisory for this bug for the release then.
Group: core-security → core-security-release
Group: core-security-release