Closed Bug 1135511 (CVE-2015-0805) Opened 10 years ago Closed 10 years ago

Memset crash in mozilla::layers::BufferTextureClient::AllocateForSurface

Categories

(Core :: Graphics: Layers, defect)

x86_64
All
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla39
Tracking Status
firefox36 --- wontfix
firefox37 --- fixed
firefox38 --- fixed
firefox39 --- fixed
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v2.2 --- fixed
b2g-v2.2r --- fixed
b2g-master --- fixed

People

(Reporter: inferno, Assigned: dvander)

References

Details

(Keywords: reporter-external, sec-critical, Whiteboard: [adv-main37+][fixed by bug 1135883][post-critsmash-triage])

Attachments

(1 file)

7.28 KB, application/java-archive
Details
Attached file Testcase —
Crash Annotation GraphicsCriticalError: |[0][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32
[GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32
Crash Annotation GraphicsCriticalError: |[0][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32|[1][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32
[GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32
Crash Annotation GraphicsCriticalError: |[0][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32|[1][GFX1]: Attempt to create DrawTarget for invalid surface. Size(442,263984) Cairo Status: 32|[2][GFX1]: Failed 2 buffer db=0x0 dw=0x0 for 0, 151536656, 442, 263984
[GFX1]: Failed 2 buffer db=0x0 dw=0x0 for 0, 151536656, 442, 263984
ASAN:SIGSEGV
=================================================================
==9489==ERROR: AddressSanitizer: SEGV on unknown address 0x7f39c9748000 (pc 0x7f3a0b6360e0 bp 0x7fffe1dbfd50 sp 0x7fffe1dbf4d8 T0)
    #0 0x7f3a0b6360df in memset /build/buildd/eglibc-2.19/sysdeps/x86_64/memset.S:90
    #1 0x7f3a0fb55791 in mozilla::layers::BufferTextureClient::AllocateForSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::TextureAllocationFlags) gfx/layers/client/TextureClient.cpp:753:5
    #2 0x7f3a0fb4315f in mozilla::layers::TextureClient::CreateForDrawing(mozilla::layers::ISurfaceAllocator*, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::BackendType, mozilla::layers::TextureFlags, mozilla::layers::TextureAllocationFlags) gfx/layers/client/TextureClient.cpp:402:8
    #3 0x7f3a0fb46dc0 in mozilla::layers::ContentClientRemoteBuffer::CreateBackBuffer(nsIntRect const&) gfx/layers/client/CompositableClient.cpp:211:10
    #4 0x7f3a0fb47373 in mozilla::layers::ContentClientRemoteBuffer::CreateBuffer(gfxContentType, nsIntRect const&, unsigned int, mozilla::RefPtr<mozilla::gfx::DrawTarget>*, mozilla::RefPtr<mozilla::gfx::DrawTarget>*) gfx/layers/client/ContentClient.cpp:308:3
    #5 0x7f3a0fa84504 in mozilla::layers::RotatedContentBuffer::BeginPaint(mozilla::layers::PaintedLayer*, unsigned int) gfx/layers/RotatedBuffer.cpp:671:5
    #6 0x7f3a0fba79d1 in mozilla::layers::ContentClientRemoteBuffer::BeginPaintBuffer(mozilla::layers::PaintedLayer*, unsigned int) objdir-ff-asan/dist/include/mozilla/layers/ContentClient.h:223:12
    #7 0x7f3a0fb2dcf2 in mozilla::layers::ClientPaintedLayer::PaintThebes() gfx/layers/client/ClientPaintedLayer.cpp:54:5
    #8 0x7f3a0fb2ec77 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) gfx/layers/client/ClientPaintedLayer.cpp:131:3
    #9 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #10 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #11 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #12 0x7f3a0fb38073 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:68:7
    #13 0x7f3a0fb295dd in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:274:3
    #14 0x7f3a0fb29c5b in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:317:3
    #15 0x7f3a13accd9e in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1712:3
    #16 0x7f3a13b60219 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:3199:5
    #17 0x7f3a13beb7c6 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6359:5
    #18 0x7f3a132b7d46 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:443:7
    #19 0x7f3a132b6e0b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:384:9
    #20 0x7f3a13948bf2 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1708:5
    #21 0x7f3a1394fb13 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:198:5
    #22 0x7f3a0e015024 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:631:7
    #23 0x7f3a0e015b90 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:724:3
    #24 0x7f3a0e00b055 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:855:7
    #25 0x7f3a0e06926c in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #26 0x7f3a0e8fe8de in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #27 0x7f3a0e8a6a61 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #28 0x7f3a132fc45f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:164:3
    #29 0x7f3a14f2d603 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:743:12
    #30 0x7f3a0e8a6a61 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #31 0x7f3a14f2ca2c in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:580:7
    #32 0x4db12e in content_process_main(int, char**) ipc/contentproc/plugin-container.cpp:211:19
    #33 0x7f3a0b5caec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not provide additional info.
==9489==ABORTING
Flags: sec-bounty?
Attachment #8567650 - Attachment mime type: application/x-zip-compressed → application/java-archive
I don't crash in an opt build on Mac, but a segv during memset is usually pretty bad.
Component: GFX: Color Management → Graphics: Layers
Keywords: sec-critical
Assignee: nobody → milan
Almost certainly, as Linux is the only platform that works for ASan Firefox builds without some heroics.
(In reply to Milan Sreckovic [:milan] from comment #2)
> This was on Linux?

Yes, correct.
Note that this is with e10s+OMTC enabled, and the crash is in the child process. That means that the Allocate function we just called should be ShmemTextureClient::Allocate. It's not obvious how that would return true, but not have GetBuffer() be valid for writing.
I don't know if ShmemTextureClient::Allocate can be called twice on the same client. Succeed the first time, set mAllocated; pass 0 the second time, still return mAllocated, and have GetBuffer() give you the "old" pointer, which is perhaps invalid at this point. Note that the crash doesn't look to be at a nullptr, but "unknown address". Except that under ASAN, that would have shown as UAF or some such.
Looking at the calling code (TextureClient::CreateForDrawing), it doesn't appear to be possible to call AllocateForSurface twice.
I'm having trouble reproducing this on the latest nightly ASAN - Abhishek, can you still reproduce it?
Flags: needinfo?(inferno)
I can't reproduce it anymore. These "Crash Annotation GraphicsCriticalError" in c#0 were easily coming up, but not anymore on trunk. I think http://hg.mozilla.org/mozilla-central/rev/99af18fdfdfe would have fixed this, you can try reverting it to reproduce this bug. If that works, you have a fix to merge back :)
Flags: needinfo?(inferno)
Yes, it has to be http://hg.mozilla.org/mozilla-central/rev/99af18fdfdfe. I just reverted BasicCompositor::GetMaxTextureSize() back to INT32_MAX (before the fix) and then I started getting all the GraphicsCriticalError in c#0.
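Added example, not Gecko code and not the patch from bug 1135883: a small C++ model of the allocate-then-clear path that the stack trace and the comments above describe. It shows what a bounded GetMaxTextureSize() buys (the 442x263984 surface is rejected before any allocation), what happens without it (the request passes the size check, the allocation fails, and the function returns instead of reaching memset), and the double-allocation guard comment 5 asks about. The class name, the 4 bytes per pixel, the 8192 limit and the byte budget standing in for the shared-memory allocator are all assumptions.

```cpp
// Added example: a model of the allocate-then-clear pattern behind this bug.
// Not Gecko code; the class, constants and byte budget are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <limits>
#include <new>
#include <vector>

struct IntSize { int32_t width; int32_t height; };

enum class AllocResult { Ok, AlreadyAllocated, BadSize, TooLarge, Overflow, AllocFailed };

constexpr int32_t kBytesPerPixel = 4;          // assumed: BGRA8 surface
constexpr int32_t kSaneMaxTextureSize = 8192;  // assumed bounded limit, unlike INT32_MAX

class BufferTextureClientModel {
public:
  // budgetBytes stands in for the shared-memory allocator refusing very large requests.
  explicit BufferTextureClientModel(size_t budgetBytes) : mBudget(budgetBytes) {}

  AllocResult AllocateForSurface(IntSize size, int32_t maxTextureSize) {
    // A second call must not hand back a stale or freed buffer (comment 5's concern).
    if (mAllocated) return AllocResult::AlreadyAllocated;
    if (size.width <= 0 || size.height <= 0) return AllocResult::BadSize;
    // The backend's maximum texture size is the first line of defence; with
    // INT32_MAX here (the pre-fix value) this check rejects nothing.
    if (size.width > maxTextureSize || size.height > maxTextureSize) return AllocResult::TooLarge;

    // Stride and total computed in 64 bits, with a multiplication check and a
    // guard on the narrowing to size_t (the latter matters on 32-bit builds).
    uint64_t stride = uint64_t(size.width) * uint64_t(kBytesPerPixel);
    uint64_t bytes = stride * uint64_t(size.height);
    if (bytes / stride != uint64_t(size.height) ||
        bytes > uint64_t(std::numeric_limits<size_t>::max())) {
      return AllocResult::Overflow;
    }

    // If the allocator says no, report failure and touch no memory at all.
    if (bytes > mBudget) return AllocResult::AllocFailed;
    try {
      mBuffer.resize(size_t(bytes));
    } catch (const std::bad_alloc&) {
      return AllocResult::AllocFailed;
    }
    // Only now is the buffer known to be valid and large enough to clear.
    std::memset(mBuffer.data(), 0, mBuffer.size());
    mAllocated = true;
    return AllocResult::Ok;
  }

  size_t GetBufferSize() const { return mBuffer.size(); }

private:
  std::vector<uint8_t> mBuffer;
  size_t mBudget;
  bool mAllocated = false;
};

// Replays the surface size from the ASan report (442 x 263984) under a given limit,
// with an assumed 256 MiB allocator budget.
AllocResult TryBugSizeWithLimit(int32_t maxTextureSize) {
  BufferTextureClientModel client(size_t(256) * 1024 * 1024);
  return client.AllocateForSurface(IntSize{442, 263984}, maxTextureSize);
}

const char* ToString(AllocResult r) {
  switch (r) {
    case AllocResult::Ok: return "Ok";
    case AllocResult::AlreadyAllocated: return "AlreadyAllocated";
    case AllocResult::BadSize: return "BadSize";
    case AllocResult::TooLarge: return "TooLarge";
    case AllocResult::Overflow: return "Overflow";
    case AllocResult::AllocFailed: return "AllocFailed";
  }
  return "?";
}

int main() {
  std::cout << "limit INT32_MAX: " << ToString(TryBugSizeWithLimit(INT32_MAX)) << "\n";
  std::cout << "limit 8192:      " << ToString(TryBugSizeWithLimit(kSaneMaxTextureSize)) << "\n";
  return 0;
}
```

Under the old INT32_MAX limit the request reaches the allocator and comes back as AllocFailed with nothing written; under the bounded limit it never gets that far. Either outcome is a clean failure rather than a memset on a buffer the allocator never produced, which is the condition the "Failed 2 buffer db=0x0 dw=0x0" log lines above record.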
Yes, I see the same thing - build just before patches for bug 1135883 has a problem, with those patches we're good. David, would you consider uplifting bug 1135883?
Flags: needinfo?(dvander)
Depends on: 1135883
Whiteboard: [fixed by bug 1135883]
I was reluctant to make a secure bug dependent on a non-secure one, for the fear of the fix for the non-secure one giving away an attack, but I suppose that's no different than when a patch lands for a secure bug.
Yeah, it isn't necessarily a good idea. I figured this only affects e10s, but I guess looking at the other bug it may actually affect non-e10s somehow.
Sure, will ask for bug 1135883 to be uplifted.
Flags: needinfo?(dvander)
Assignee: milan → dvander
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
The other bug says this is a regression from OMTC. What version was that enabled on for various platforms?
Flags: needinfo?(dvander)
I think Firefox 33 for Windows. Much earlier for OS X.
Flags: needinfo?(dvander)
Flags: sec-bounty? → sec-bounty+
Marking this as fixed on the same branches as bug 1135883
Whiteboard: [fixed by bug 1135883] → [adv-main37+][fixed by bug 1135883]
Alias: CVE-2015-0805
Does this affect older B2G releases?
status-b2g-v2.0: --- → ?
status-b2g-v2.1: --- → ?
Flags: needinfo?(dvander)
Target Milestone: --- → mozilla39
Group: core-security → core-security-release
Whiteboard: [adv-main37+][fixed by bug 1135883] → [adv-main37+][fixed by bug 1135883][post-critsmash-triage]
status-b2g-v2.0: ? → ---
status-b2g-v2.1: ? → ---
Flags: needinfo?(dvander)
Group: core-security-release