Closed Bug 1193757 Opened 4 years ago Closed 4 years ago

Crash [@ graphite2::vm::Machine::Code::decoder::emit_opcode]

Categories

(Core :: Graphics: Text, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox42 --- wontfix
firefox43 --- fixed
firefox44 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-moderate, testcase, Whiteboard: sec-high+ without OTS [gfx-noted][adv-main43+][post-critsmash-triage])

Crash Data

Attachments

(1 file)

57.82 KB, application/octet-stream
Details
The attached testcase crashes on graphite2 revision fa8d4398dded (run through the gr2fonttest command line utility).

Backtrace:

==11150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f753 at pc 0x7f5d80cf5439 bp 0x7fffe01ccaa0 sp 0x7fffe01cca98
READ of size 1 at 0x61a00001f753 thread T0
    #0 0x7f5d80cf5438 in graphite2::vm::Machine::Code::decoder::emit_opcode(graphite2::vm::opcode, unsigned char const*&) /src/Code.cpp:553
    #1 0x7f5d80cde90a in graphite2::vm::Machine::Code::decoder::load(unsigned char const*, unsigned char const*) /src/Code.cpp:260
    #2 0x7f5d80cde90a in graphite2::vm::Machine::Code::Code(bool, unsigned char const*, unsigned char const*, unsigned char, unsigned short, graphite2::Silf const&, graphite2::Face const&, graphite2::passtype, unsigned char*&) /src/Code.cpp:194
    #3 0x7f5d80d5bf0c in graphite2::Pass::readRules(unsigned char const*, unsigned long, unsigned char const*, unsigned short const*, unsigned short const*, unsigned char const*, unsigned short const*, unsigned char const*, graphite2::Face&, graphite2::passtype, graphite2::Error&) /src/Pass.cpp:238
    #4 0x7f5d80d5999c in graphite2::Pass::readPass(unsigned char const*, unsigned long, unsigned long, graphite2::Face&, graphite2::passtype, unsigned int, graphite2::Error&) /src/Pass.cpp:183
    #5 0x7f5d80d88b62 in graphite2::Silf::readGraphite(unsigned char const*, unsigned long, graphite2::Face&, unsigned int) /src/Silf.cpp:212
    #6 0x7f5d80d1cfb8 in graphite2::Face::readGraphite(graphite2::Face::Table const&) /src/Face.cpp:149
    #7 0x7f5d80cb8bef in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:59
    #8 0x7f5d80cbbf79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #9 0x7f5d80cbbf79 in gr_make_file_face /src/gr_face.cpp:242
    #10 0x48ed05 in Parameters::testFileFont() const /gr2fonttest/gr2FontTest.cpp:618
    #11 0x49248b in main /gr2fonttest/gr2FontTest.cpp:770
    #12 0x7f5d808f9ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x486c4c in _start (/build/gr2fonttest/gr2fonttest+0x486c4c)

0x61a00001f753 is located 0 bytes to the right of 1235-byte region [0x61a00001f280,0x61a00001f753)
allocated by thread T0 here:
    #0 0x46df61 in __interceptor_malloc (/build/gr2fonttest/gr2fonttest+0x46df61)
    #1 0x7f5d80dadbfe in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) /src/FileFace.cpp:90
    #2 0x7f5d80d1f79f in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) /src/Face.cpp:274
    #3 0x7f5d80cb88e7 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:49
    #4 0x7f5d80cbbf79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #5 0x7f5d80cbbf79 in gr_make_file_face /src/gr_face.cpp:242

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/Code.cpp:553 graphite2::vm::Machine::Code::decoder::emit_opcode(graphite2::vm::opcode, unsigned char const*&)
Shadow bytes around the buggy address:
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11150==ABORTING


Note that this is on graphite2 trunk and without OTS in front of it. We tested this particular file and Firefox and it is rejected by OTS with the message:

"Sill: table overruns end of file"

However, according to cdiehl that doesn't necessarily mean that the bug cannot be reached through OTS (e.g. by fixing up the testcase enough to make it through). Marking s-s until we confirmed that this bug cannot be reached/exploited with OTS enabled.
Attached file Testcase
Martin, could you take a look at this?
Flags: needinfo?(martin_hosken)
Fixed upstream
Flags: needinfo?(martin_hosken)
Keywords: sec-moderate
Whiteboard: sec-high+ without OTS
Group: core-security → gfx-core-security
(In reply to martin_hosken from comment #3)
> Fixed upstream

Could you link to the upstream fix? I assume we'll have to cherry pick the fix or update our version of graphite2 to that revision.
Flags: needinfo?(martin_hosken)
It was fixed in v1.3.2 which is applied in central, and also 1.3.3 which is proposed for inclusion in central and to be uplifted to aurora.
Flags: needinfo?(martin_hosken)
Depends on: 1207207
Whiteboard: sec-high+ without OTS → sec-high+ without OTS [gfx-noted]
...which means this was fixed for gecko in bug 1200098 (the update to graphite 1.3.2).
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Depends on: 1200098
No longer depends on: 1207207
Group: gfx-core-security → core-security-release
Whiteboard: sec-high+ without OTS [gfx-noted] → sec-high+ without OTS [gfx-noted][adv-main43+]
Whiteboard: sec-high+ without OTS [gfx-noted][adv-main43+] → sec-high+ without OTS [gfx-noted][adv-main43+][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.