Closed
Bug 1384858
Opened 7 years ago
Closed 1 year ago
IPC: heap-use-after-free [@ mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate]
Categories
(Core :: Graphics: Layers, defect, P3)
Tracking
()
People
(Reporter: posidron, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [gfx-noted])
Attachments
(2 files)
The following crash occurred on mozilla-central revision 20170727-f1693d664f8e INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction. The attached session.txt contains a trace of IPC messages which were sent and received during a session of processing a HTML document with on-going DOM mutations while mutating contents of certain IPC messages at the same time. [...] [time: 1501133849639092][29402<-29451] [PLayerTransactionParent] Received PLayerTransaction::Msg_NewCompositable [time: 1501133849639147][29451->29402] [PLayerTransactionChild] Sending PLayerTransaction::Msg_InitReadLocks [Faulty] pickle field {size_t} of value: 19 changed to: 18 [...]
Reporter | ||
Comment 1•7 years ago
|
||
Comment 2•7 years ago
|
||
I'm not too familiar with this code, but it looks like CompositableHost::mLayer is a weak pointer. I'd guess that some parent code relies on the number of things sent by InitReadLocks to be accurate, and it ditches some data structure once it has gotten that many, but then the child sends another one and we hit the UAF?
Keywords: sec-critical
Comment 3•7 years ago
|
||
Well, maybe sec-high. Without being able to run script in the parent, this seems like it would be difficult to turn into arbitrary code execution. But not impossible.
Keywords: sec-critical → sec-high
Updated•7 years ago
|
status-firefox54:
--- → ?
status-firefox55:
--- → ?
status-firefox56:
--- → affected
status-firefox-esr52:
--- → ?
Updated•7 years ago
|
Group: core-security → gfx-core-security
Comment 4•7 years ago
|
||
Milan, do you know who could be a good person to take a look at this bug?
Flags: needinfo?(milan)
:dvander in a couple of weeks, unless we think this needs to be acted on now.
Assignee: nobody → dvander
Flags: needinfo?(milan)
How can this be reproduced?
Updated•7 years ago
|
Priority: -- → P3
Whiteboard: [gfx-noted]
Comment 7•7 years ago
|
||
P3 means fix-optional for 56. Is this affecting 57 as well?
status-firefox57:
--- → ?
Reporter | ||
Comment 8•7 years ago
|
||
(In reply to David Anderson [:dvander] from comment #6) > How can this be reproduced? There are no direct steps for reproduction due to the nature of the fuzzer. *** Possible reproduction scenario: pip install git+https://github.com/mozillasecurity/fuzzfetch fuzzfetch -a --fuzzing -n firefox -o /tmp export FAULTY_PROBABILITY=50000 export FAULTY_LARGE_VALUES=1 export FAULTY_PARENT=1 export FAULTY_ENABLE_LOGGING=1 export FAULTY_PICKLE=1 export MOZ_IPC_MESSAGE_LOG=1 Then launch against a test site: https://html5test.com (In reply to Panos Astithas [:past] (56 Regression Engineering Owner) (please ni?) from comment #7) > P3 means fix-optional for 56. Is this affecting 57 as well? Yes.
Updated•7 years ago
|
Assignee: dvander → nobody
Updated•7 years ago
|
Has STR: --- → no
Keywords: testcase-wanted
Hi Milan: I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them. Thanks! Wennie
Assignee: nobody → milan
Comment 10•6 years ago
|
||
David, did you have any luck at trying the reproduction scenario Christoph suggested?
Flags: needinfo?(dvander)
Sorry, I'm not going to have time to look at this.
Flags: needinfo?(dvander)
Comment 12•6 years ago
|
||
Christoph, in general it would be possible to add extra logging through Faulty to share what IPC Message has been spoofed and what the original and the fuzzed values are? Also out of desperation I'm CCing dholbert as one of the few people touching code in gfx/layers/ipc/CompositableTransactionParent.cpp recently
Flags: needinfo?(cdiehl)
Reporter | ||
Comment 13•6 years ago
|
||
Frederik, I made those changes https://bugzilla.mozilla.org/show_bug.cgi?id=777067#c80 some days ago and the patch awaits review. The new IPC reports filed recently have original and mutated messages attached.
Flags: needinfo?(cdiehl)
Updated•6 years ago
|
Assignee: milaninbugzilla → nobody
Reporter | ||
Comment 15•6 years ago
|
||
Sadly not for this version of the fuzzer, at that time we had not good logging support.
Flags: needinfo?(cdiehl)
Updated•5 years ago
|
Updated•2 years ago
|
Severity: critical → S2
Comment 16•1 year ago
|
||
Nothing left to be done here. Additional logs were added some years ago in Bug 777067. The likely source of NULL dereference noted in comment 2 no longer exists.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE
Comment 17•1 year ago
|
||
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
Updated•3 months ago
|
Group: gfx-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•