Closed Bug 1384858 Opened 7 years ago Closed 1 year ago

IPC: heap-use-after-free [@ mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate]

Categories

(Core :: Graphics: Layers, defect, P3)

Product:
Core
Component:
Graphics: Layers
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [gfx-noted])

Attachments

(2 files)

callstack.txt
24.12 KB, text/plain
Details
session.txt
101.46 KB, text/plain
Details
Attached file callstack.txt 
The following crash occurred on mozilla-central revision 20170727-f1693d664f8e

INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages which were sent and received during a session of processing a HTML document with on-going DOM mutations while mutating contents of certain IPC messages at the same time.

[...]
[time: 1501133849639092][29402<-29451] [PLayerTransactionParent] Received  PLayerTransaction::Msg_NewCompositable
[time: 1501133849639147][29451->29402] [PLayerTransactionChild]   Sending  PLayerTransaction::Msg_InitReadLocks
[Faulty] pickle field {size_t} of value: 19 changed to: 18
[...]
Attached file session.txt 

    
    

    
  
I'm not too familiar with this code, but it looks like CompositableHost::mLayer is a weak pointer. I'd guess that some parent code relies on the number of things sent by InitReadLocks to be accurate, and it ditches some data structure once it has gotten that many, but then the child sends another one and we hit the UAF?
Keywords: sec-critical

    
    

    
  
Well, maybe sec-high. Without being able to run script in the parent, this seems like it would be difficult to turn into arbitrary code execution. But not impossible.
Keywords: sec-criticalsec-high
Group: core-security → gfx-core-security

    
    

    
  
Milan, do you know who could be a good person to take a look at this bug?
Flags: needinfo?(milan)

    
    

    
  
:dvander in a couple of weeks, unless we think this needs to be acted on now.
Assignee: nobody → dvander
Flags: needinfo?(milan)

    
    

    
  
How can this be reproduced?
Priority: -- → P3
Whiteboard: [gfx-noted]

    
    

    
  
P3 means fix-optional for 56. Is this affecting 57 as well?

          status-firefox56:
          affectedfix-optional

          status-firefox57:
          --- → ?

    
    

    
  
(In reply to David Anderson [:dvander] from comment #6)
> How can this be reproduced?

There are no direct steps for reproduction due to the nature of the fuzzer.

*** Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1

Then launch against a test site: https://html5test.com


(In reply to Panos Astithas [:past] (56 Regression Engineering Owner) (please ni?) from comment #7)
> P3 means fix-optional for 56. Is this affecting 57 as well?

Yes.
Has STR: --- → no
Keywords: testcase-wanted

    
    

    
  
Hi Milan:

I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them.

Thanks!

Wennie
Assignee: nobody → milan

    
    

    
  
David, did you have any luck at trying the reproduction scenario Christoph suggested?
Flags: needinfo?(dvander)

    
    

    
  
Sorry, I'm not going to have time to look at this.
Flags: needinfo?(dvander)

    
    

    
  
Christoph, in general it would be possible to add extra logging through Faulty to share what IPC Message has been spoofed and what the original and the fuzzed values are?

Also out of desperation I'm CCing dholbert as one of the few people touching code in gfx/layers/ipc/CompositableTransactionParent.cpp recently
Flags: needinfo?(cdiehl)

    
    

    
  
Frederik, I made those changes https://bugzilla.mozilla.org/show_bug.cgi?id=777067#c80 some days ago and the patch awaits review. The new IPC reports filed recently have original and mutated messages attached.
Flags: needinfo?(cdiehl)
Assignee: milaninbugzilla → nobody

    
    

    
  
Are there better logs to share, given comment 13?
Flags: needinfo?(cdiehl)

    
    

    
  
Sadly not for this version of the fuzzer, at that time we had not good logging support.
Flags: needinfo?(cdiehl)

    
  
Severity: critical → S2

    
    

    
  
Nothing left to be done here. Additional logs were added some years ago in Bug 777067. The likely source of NULL dereference noted in comment 2 no longer exists.


Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE

    
    

    
  
Since the bug is closed, the stalled keyword is now meaningless.

For more information, please visit auto_nag documentation.


Keywords: stalled
Group: gfx-core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: