Closed Bug 1349913 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-buffer-overflow [@ _cairo_scaled_font_keys_equal] with READ of size 8

Categories

(Core :: Graphics: Text, defect, P3, critical)

RESOLVED INCOMPLETE

People

(Reporter: truber, Assigned: Gankra)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [gfx-noted][sec-triage-backlog])

Attachments

(1 file)

Crash observed while fuzzing mozilla-inbound rev 3df85eb27d47. I can't reproduce it from the fuzz input.

==21611==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160006f9080 at pc 0x7fb90259cc35 bp 0x7ffe6c2ee970 sp 0x7ffe6c2ee968
READ of size 8 at 0x6160006f9080 thread T0
    #0 0x7fb90259cc34 in _cairo_scaled_font_keys_equal /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:639:53
    #1 0x7fb902532a9e in _cairo_hash_table_lookup /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-hash.c:337:10
    #2 0x7fb902587933 in INT__moz_cairo_scaled_font_create /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:985:24
    #3 0x7fb8fcfbcde3 in gfxFontconfigFontEntry::CreateScaledFont(_FcPattern*, double, gfxFontStyle const*, bool) /home/worker/workspace/build/src/gfx/thebes/gfxFcPlatformFontList.cpp:714:18
    #4 0x7fb8fcfbd548 in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*, bool) /home/worker/workspace/build/src/gfx/thebes/gfxFcPlatformFontList.cpp:824:9
    #5 0x7fb8fd0a1136 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, bool, gfxCharacterMap*) /home/worker/workspace/build/src/gfx/thebes/gfxFontEntry.cpp:284:28
    #6 0x7fb8fd105a39 in gfxFontGroup::GetFontAt(int, unsigned int) /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:1850:20
    #7 0x7fb8fd107ece in gfxFontGroup::GetFirstValidFont(unsigned int) /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:2027:16
    #8 0x7fb8fcad1e67 in nsFontMetrics::GetMetrics(gfxFont::Orientation) const /home/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:167:24
    #9 0x7fb8fcad27ae in GetMetrics /home/worker/workspace/build/src/gfx/src/nsFontMetrics.h:243:14
    #10 0x7fb8fcad27ae in nsFontMetrics::ExternalLeading() /home/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:238
    #11 0x7fb901613ce4 in GetNormalLineHeight /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2769:43
    #12 0x7fb901613ce4 in ComputeLineHeight /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2825
    #13 0x7fb901613ce4 in mozilla::ReflowInput::CalcLineHeight(nsIContent*, nsStyleContext*, int, float) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2848
    #14 0x7fb9015ed70e in CalcLineHeight /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2835:10
    #15 0x7fb9015ed70e in mozilla::BlockReflowInput::BlockReflowInput(mozilla::ReflowInput const&, nsPresContext*, nsBlockFrame*, bool, bool, bool, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:142
    #16 0x7fb9016476ae in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1185:20
    #17 0x7fb90166740d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #18 0x7fb90165d386 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:11
    #19 0x7fb9016513a3 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
    #20 0x7fb9016513a3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
    #21 0x7fb901647b3f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
    #22 0x7fb90166740d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #23 0x7fb90165d386 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:11
    #24 0x7fb9016513a3 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
    #25 0x7fb9016513a3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
    #26 0x7fb901647b3f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
    #27 0x7fb90166740d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #28 0x7fb90165d386 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:11
    #29 0x7fb9016513a3 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
    #30 0x7fb9016513a3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
    #31 0x7fb901647b3f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
    #32 0x7fb9016a927a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:895:14
    #33 0x7fb9016a7bee in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:717:5
    #34 0x7fb9016a927a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:895:14
    #35 0x7fb9017492cd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3
    #36 0x7fb90174a9d4 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3
    #37 0x7fb90174da66 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
    #38 0x7fb9016b8883 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:939:14
    #39 0x7fb90162df0b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:328:7
    #40 0x7fb9014362c8 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9272:11
    #41 0x7fb901449c42 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9445:24
    #42 0x7fb901448b86 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4221:11
    #43 0x7fb9013bc3e0 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/nsIPresShell.h:608:5
    #44 0x7fb9013bc3e0 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1905
    #45 0x7fb9013cad83 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
    #46 0x7fb9013caa42 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #47 0x7fb9013ccffb in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
    #48 0x7fb9013ccffb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
    #49 0x7fb9013cd23e in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #50 0x7fb9013cd23e in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #51 0x7fb9013cd23e in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #52 0x7fb8fad856b0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #53 0x7fb8fad820f8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #54 0x7fb8fbb27676 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
    #55 0x7fb8fba88820 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #56 0x7fb8fba88820 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #57 0x7fb8fba88820 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #58 0x7fb900d4267f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #59 0x7fb9041ba761 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #60 0x7fb90437704a in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4512:22
    #61 0x7fb904378ad3 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4690:8
    #62 0x7fb904379e5c in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4781:21
    #63 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #64 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #65 0x7fb91603982f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #66 0x41cf18 in _start (/home/ubuntu/firefox/firefox+0x41cf18)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:639:53 in _cairo_scaled_font_keys_equal
Shadow bytes around the buggy address:
  0x0c2c800d71c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c800d7210:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21611==ABORTING
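
The shadow-byte block in the report above can be decoded mechanically, which is the quickest way to see why ASan gave up on describing the address. The script below is an added example, not code from this bug, from Mozilla or from cairo. It takes the ERROR line and the "Shadow bytes around the buggy address" rows (copied verbatim from comment 0 as its constructed input), recomputes the shadow address with the x86-64 Linux mapping ASan uses by default (one shadow byte per 8 application bytes, shadow = (addr >> 3) + 0x7fff8000), looks up the byte ASan bracketed, and checks whether anything other than heap left redzone (fa) appears within a 32-byte window of it. The function names, the legend subset and the window size are this example's own choices.

```python
"""Decode the "Shadow bytes" block of an AddressSanitizer report.

Added example for triaging ASan output; not code from this bug, Mozilla or
cairo. Assumes the default x86-64 Linux shadow mapping, where one shadow byte
covers 8 application bytes and shadow = (addr >> 3) + 0x7fff8000.
"""
import re

SHADOW_SCALE = 3            # 8 application bytes per shadow byte
SHADOW_OFFSET = 0x7FFF8000  # default ASan shadow offset on x86-64 Linux

# Subset of the legend ASan prints at the end of every report.
LEGEND = {
    0x00: "Addressable",
    0xFA: "Heap left redzone",
    0xFB: "Heap right redzone",
    0xFD: "Freed heap region",
    0xF1: "Stack left redzone",
    0xF2: "Stack mid redzone",
    0xF3: "Stack right redzone",
    0xF5: "Stack after return",
    0xF8: "Stack use after scope",
    0xF9: "Global redzone",
    0xFE: "ASan internal",
}

# Constructed sample input: the ERROR line and the shadow rows copied from
# comment 0 of this bug.
SAMPLE_REPORT = """\
==21611==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160006f9080 at pc 0x7fb90259cc35 bp 0x7ffe6c2ee970 sp 0x7ffe6c2ee968
READ of size 8 at 0x6160006f9080 thread T0
Shadow bytes around the buggy address:
  0x0c2c800d71c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c800d7210:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

ROW_RE = re.compile(r"^\s*(?:=>)?0x([0-9a-f]+):(.*)$")
FAULT_RE = re.compile(r"\bon address 0x([0-9a-f]+)")


def shadow_address(addr):
    """Application address -> address of its shadow byte (x86-64 Linux mapping)."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_fault_address(report):
    """Pull the faulting address out of the '==PID==ERROR:' line."""
    m = FAULT_RE.search(report)
    if m is None:
        raise ValueError("no 'on address' in report")
    return int(m.group(1), 16)


def parse_shadow_dump(report):
    """Return {shadow_address: shadow_byte} for every dumped row.

    Rows look like '  0x0c2c800d71c0: fa fa ...' or '=>0x...:[fa]fa ...';
    the [..] brackets only mark the byte ASan is pointing at.
    """
    dump = {}
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        base = int(m.group(1), 16)
        cells = re.findall(r"[0-9a-f]{2}",
                           m.group(2).replace("[", " ").replace("]", " "))
        for i, cell in enumerate(cells):
            dump[base + i] = int(cell, 16)
    return dump


def triage(report, window=32):
    """Locate the faulting address in the shadow dump and classify it."""
    addr = parse_fault_address(report)
    dump = parse_shadow_dump(report)
    sa = shadow_address(addr)
    byte = dump.get(sa)
    kind = "not in dump" if byte is None else LEGEND.get(byte, "unknown (0x%02x)" % byte)
    # ASan can only describe an address when it finds a heap chunk next to it
    # (addressable bytes, a right redzone or a freed region). A window that is
    # nothing but heap left redzone (fa) gives it no chunk to name, which is
    # what the "wild memory access suspected" line in the report means.
    nearby = [b for a, b in dump.items() if abs(a - sa) <= window]
    wild = bool(nearby) and all(b == 0xFA for b in nearby)
    return {
        "addr": addr,
        "granule_offset": addr & 7,   # byte position inside the 8-byte granule
        "shadow_addr": sa,
        "shadow_byte": byte,
        "kind": kind,
        "wild": wild,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        shown = f"{value:#x}" if type(value) is int else value
        print(f"{key:15} {shown}")
```

Running it on the sample reproduces the shadow address ASan printed (0x0c2c800d7210) and classifies it as heap left redzone with nothing but fa around it, so the faulting pointer does not sit inside or next to any allocation ASan tracks. That is the reason the report cannot say which buffer was overflowed, and it is why a trace like this one needs a reproducible input before anyone can tell a dangling pointer from a corrupted one.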
I'm going to mark this sec-high, but I don't know how exploitable this will be in practice.
Lee, you've been looking at fonts a lot lately...
Flags: needinfo?(lsalzman)
Priority: -- → P3
Whiteboard: [gfx-noted]
Not enough to go on here without a reproducible testcase or STR. It looks like maybe some memory was getting used after it was freed or possibly corrupted somehow, but I can't really tell much more from this trace.
Flags: needinfo?(lsalzman)
(In reply to Jesse Schwartzentruber (:truber) from comment #0)
> Crash observed while fuzzing mozilla-inbound rev 3df85eb27d47. I can't
> reproduce it from the fuzz input.

(In reply to Lee Salzman [:lsalzman] from comment #3)
> Not enough to go on here without a reproducible testcase or STR. It looks
> like maybe some memory was getting used after it was freed or possibly
> corrupted somehow, but I can't really tell much more from this trace.

Taking these two statements, it seems we are stuck :)

Jesse, can you provide your input nevertheless (or some input from before you ran this specific test case)?
If not, I suggest we close this as invalid.
Flags: needinfo?(jschwartzentruber)
Attached file Fuzzing input
Attached the crashing test case (test_page_1746.html) and 4 preceding inputs.
Flags: needinfo?(jschwartzentruber)
Assignee: nobody → a.beingessner
Alexis, did you have a chance to look at Jesse's input?
Flags: needinfo?(a.beingessner)
Yes, but I couldn't reproduce the crash with them, and am otherwise stumped as to how to proceed.
Flags: needinfo?(a.beingessner)
Whiteboard: [gfx-noted] → [gfx-noted][sec-triage-backlog]
Calling this incomplete for now since nobody can reproduce it at this point (I couldn't either). We can always reopen it if/when it becomes more reproducible again.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Group: gfx-core-security