Bug 1135511 (CVE-2015-0805)

Memset crash in mozilla::layers::BufferTextureClient::AllocateForSurface

RESOLVED FIXED in Firefox 37, Firefox OS v2.2

Status: RESOLVED FIXED
Product: Core
Component: Graphics: Layers
Reported: 3 years ago
Modified: 6 months ago

People: Reporter: Abhishek Arya, Assigned: dvander

Tracking
Keywords: sec-critical
Version: Trunk
Target Milestone: mozilla39
Hardware: x86_64
OS: All
Points: ---
Bug Flags: sec-bounty +
Firefox Tracking Flags: firefox36 wontfix, firefox37 fixed, firefox38 fixed, firefox39 fixed, firefox-esr31 unaffected, firefox-esr38 fixed, b2g-v2.2 fixed, b2g-v2.2r fixed, b2g-master fixed

Details
Whiteboard: [adv-main37+][fixed by bug 1135883][post-critsmash-triage]

Attachments (1 attachment): 7.28 KB, application/java-archive
Description (Reporter, 3 years ago)

Created attachment 8567650: Testcase

Crash Annotation GraphicsCriticalError: |[0][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32[GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32
Crash Annotation GraphicsCriticalError: |[0][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32|[1][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32[GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32
Crash Annotation GraphicsCriticalError: |[0][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32|[1][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32|[2][GFX1]: Failed 2 buffer db=0x0 dw=0x0 for 0, 151536656, 442, 263984[GFX1]: Failed 2 buffer db=0x0 dw=0x0 for 0, 151536656, 442, 263984
ASAN:SIGSEGV
=================================================================
==9489==ERROR: AddressSanitizer: SEGV on unknown address 0x7f39c9748000 (pc 0x7f3a0b6360e0 bp 0x7fffe1dbfd50 sp 0x7fffe1dbf4d8 T0)
    #0 0x7f3a0b6360df in memset /build/buildd/eglibc-2.19/sysdeps/x86_64/memset.S:90
    #1 0x7f3a0fb55791 in mozilla::layers::BufferTextureClient::AllocateForSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::TextureAllocationFlags) gfx/layers/client/TextureClient.cpp:753:5
    #2 0x7f3a0fb4315f in mozilla::layers::TextureClient::CreateForDrawing(mozilla::layers::ISurfaceAllocator*, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::BackendType, mozilla::layers::TextureFlags, mozilla::layers::TextureAllocationFlags) gfx/layers/client/TextureClient.cpp:402:8
    #3 0x7f3a0fb46dc0 in mozilla::layers::ContentClientRemoteBuffer::CreateBackBuffer(nsIntRect const&) gfx/layers/client/CompositableClient.cpp:211:10
    #4 0x7f3a0fb47373 in mozilla::layers::ContentClientRemoteBuffer::CreateBuffer(gfxContentType, nsIntRect const&, unsigned int, mozilla::RefPtr<mozilla::gfx::DrawTarget>*, mozilla::RefPtr<mozilla::gfx::DrawTarget>*) gfx/layers/client/ContentClient.cpp:308:3
    #5 0x7f3a0fa84504 in mozilla::layers::RotatedContentBuffer::BeginPaint(mozilla::layers::PaintedLayer*, unsigned int) gfx/layers/RotatedBuffer.cpp:671:5
    #6 0x7f3a0fba79d1 in mozilla::layers::ContentClientRemoteBuffer::BeginPaintBuffer(mozilla::layers::PaintedLayer*, unsigned int) objdir-ff-asan/dist/include/mozilla/layers/ContentClient.h:223:12
    #7 0x7f3a0fb2dcf2 in mozilla::layers::ClientPaintedLayer::PaintThebes() gfx/layers/client/ClientPaintedLayer.cpp:54:5
    #8 0x7f3a0fb2ec77 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) gfx/layers/client/ClientPaintedLayer.cpp:131:3
    #9 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #10 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #11 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #12 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #13 0x7f3a0fb295dd in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:274:3
    #14 0x7f3a0fb29c5b in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:317:3
    #15 0x7f3a13accd9e in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1712:3
    #16 0x7f3a13b60219 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:3199:5
    #17 0x7f3a13beb7c6 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6359:5
    #18 0x7f3a132b7d46 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:443:7
    #19 0x7f3a132b6e0b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:384:9
    #20 0x7f3a13948bf2 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1708:5
    #21 0x7f3a1394fb13 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:198:5
    #22 0x7f3a0e015024 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:631:7
    #23 0x7f3a0e015b90 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:724:3
    #24 0x7f3a0e00b055 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:855:7
    #25 0x7f3a0e06926c in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #26 0x7f3a0e8fe8de in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #27 0x7f3a0e8a6a61 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #28 0x7f3a132fc45f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:164:3
    #29 0x7f3a14f2d603 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:743:12
    #30 0x7f3a0e8a6a61 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #31 0x7f3a14f2ca2c in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:580:7
    #32 0x4db12e in content_process_main(int, char**) ipc/contentproc/plugin-container.cpp:211:19
    #33 0x7f3a0b5caec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

AddressSanitizer can not provide additional info.
==9489==ABORTING
Flags: sec-bounty?
Attachment #8567650 - Attachment mime type: application/x-zip-compressed → application/java-archive
I don't crash in an opt build on Mac, but a segv during memset is usually pretty bad.
Component: GFX: Color Management → Graphics: Layers
Keywords: sec-critical
Assignee: nobody → milan
This was on Linux?
Almost certainly, as Linux is the only platform that works for ASan Firefox builds without some heroics.
Comment 4 (Reporter, 3 years ago)
(In reply to Milan Sreckovic [:milan] from comment #2)
> This was on Linux?

Yes correct.
status-firefox38: --- → affected
status-firefox39: --- → affected
Note that this is with e10s+OMTC enabled, and the crash is in the child process.

That means that the Allocate function we just called should be ShmemTextureClient::Allocate.

It's not obvious how that would return true, but not have GetBuffer() be valid for writing.
I don't know if ShmemTextureClient::Allocate can be called twice on the same client. Succeed the first time, set mAllocated; pass 0 the second time, still return mAllocated, and have GetBuffer() give you the "old" pointer, which is perhaps invalid at this point.  Note that the crash doesn't look to be at a nullptr, but "unknown address".  Except that under ASAN, that would have shown as UAF or some such.
Looking at the calling code (TextureClient::CreateForDrawing), it doesn't appear to be possible to call AllocateForSurface twice.
I'm having trouble reproducing this on the latest nightly ASAN - Abhishek, can you still reproduce it?
Flags: needinfo?(inferno)
Comment 9 (Reporter, 3 years ago)
I can't reproduce it anymore. These "Crash Annotation GraphicsCriticalError" in c#0 were easily coming up, but not anymore on trunk.

I think http://hg.mozilla.org/mozilla-central/rev/99af18fdfdfe would have fixed this, you can try reverting it to reproduce this bug. If that works, you have a fix to merge back :)
Flags: needinfo?(inferno)
Comment 10 (Reporter, 3 years ago)
Yes, it has to be http://hg.mozilla.org/mozilla-central/rev/99af18fdfdfe. I just reverted BasicCompositor::GetMaxTextureSize() back to INT32_MAX (before the fix) and then I started getting all the GraphicsCriticalError in c#0.
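As an added illustration (not Gecko code and not the patch from bug 1135883): comments 5 and 6 reason about AllocateForSurface calling memset on a buffer that was never validly obtained, and comment 10 ties the crash to GetMaxTextureSize() returning INT32_MAX. This constructed C model shows the two checks such an allocator needs: a cap on surface dimensions (MAX_TEXTURE_SIZE is a hypothetical value) with overflow-safe byte-size arithmetic, and a memset that runs only after the buffer pointer is known to be valid; it also rejects the repeated-Allocate case comment 5 speculated about.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Gecko code: a width x height surface at 4 bytes
 * per pixel is requested; the allocator must reject sizes the compositor
 * cannot back and must never memset a buffer it did not obtain. */
#define BYTES_PER_PIXEL 4
/* Hypothetical cap standing in for a sane GetMaxTextureSize(); the crash
 * in this bug occurred while the basic compositor reported INT32_MAX. */
#define MAX_TEXTURE_SIZE 8192

typedef struct {
    uint8_t *buffer;    /* NULL until allocation succeeds */
    size_t   length;    /* byte length of buffer */
    bool     allocated;
} texture_client;

/* Byte size of a surface, rejecting dimensions over the cap or that
 * overflow size_t. Returns false (and leaves *out untouched) on rejection. */
bool surface_byte_size(int32_t width, int32_t height, size_t *out)
{
    if (width <= 0 || height <= 0) return false;
    if (width > MAX_TEXTURE_SIZE || height > MAX_TEXTURE_SIZE) return false;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / BYTES_PER_PIXEL) return false;
    size_t stride = w * BYTES_PER_PIXEL;
    if (h > SIZE_MAX / stride) return false;
    *out = stride * h;
    return true;
}

/* Allocates and zero-fills the surface. The memset runs only once the
 * buffer pointer is known valid, the invariant the reported crash broke
 * (memset into an address that was never a live allocation). */
bool allocate_for_surface(texture_client *tc, int32_t width, int32_t height)
{
    size_t len;
    if (tc->allocated) return false;   /* comment 5's double-Allocate case */
    if (!surface_byte_size(width, height, &len)) return false;
    uint8_t *buf = malloc(len);
    if (!buf) return false;
    tc->buffer = buf;
    tc->length = len;
    tc->allocated = true;
    memset(tc->buffer, 0, tc->length);   /* safe: buffer validated above */
    return true;
}
```

The 442 x 263984 size from the crash annotations is rejected before any memory is touched, while a sane request is allocated and zeroed.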
Yes, I see the same thing - build just before patches for bug 1135883 has a problem, with those patches we're good.  David, would you consider uplifting bug 1135883?
Flags: needinfo?(dvander)
status-firefox39: affected → fixed
Depends on: 1135883
Whiteboard: [fixed by bug 1135883]
I was reluctant to make a secure bug dependent on a non-secure one, for the fear of the fix for the non-secure one giving away an attack, but I suppose that's no different than when a patch lands for a secure bug.
Yeah, it isn't necessarily a good idea.  I figured this only affects e10s, but I guess looking at the other bug it may actually affect non-e10s somehow.
Comment 14 (Assignee, 3 years ago)
Sure, will ask for bug 1135883 to be uplifted.
Flags: needinfo?(dvander)
Assignee: milan → dvander
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox37: --- → affected
Resolution: --- → FIXED
The other bug says this is a regression from OMTC.  What version was that enabled on for various platforms?
Flags: needinfo?(dvander)
Comment 16 (Assignee, 3 years ago)
I think Firefox 33 for Windows. Much earlier for OS X.
Flags: needinfo?(dvander)
Flags: sec-bounty? → sec-bounty+
Marking this as fixed on the same branches as bug 1135883
status-firefox36: --- → wontfix
status-firefox37: affected → fixed
status-firefox38: affected → fixed
status-firefox-esr31: --- → unaffected
Whiteboard: [fixed by bug 1135883] → [adv-main37+][fixed by bug 1135883]
Alias: CVE-2015-0805
Does this affect older B2G releases?
status-b2g-v2.0: --- → ?
status-b2g-v2.1: --- → ?
status-b2g-v2.2: --- → fixed
status-b2g-master: --- → fixed
status-firefox-esr38: --- → fixed
Flags: needinfo?(dvander)
Target Milestone: --- → mozilla39

Updated (2 years ago)
Group: core-security → core-security-release
Whiteboard: [adv-main37+][fixed by bug 1135883] → [adv-main37+][fixed by bug 1135883][post-critsmash-triage]
status-b2g-v2.0: ? → ---
status-b2g-v2.1: ? → ---
status-b2g-v2.2r: --- → fixed
Flags: needinfo?(dvander)
Group: core-security-release