Closed
Bug 1388020
Opened 7 years ago
Closed 7 years ago
IPC: heap-buffer-overflow [@raw_fTexImage2D]
Categories: Core :: Graphics, defect, P3
People: Reporter: posidron, Assigned: aosmond
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [gfx-noted][post-critsmash-triage][adv-main60+][adv-esr52.8+]
Attachments: 6 files, 3 obsolete files
17.32 KB, text/plain
115.93 KB, text/plain
22.44 KB, patch (aosmond: review+; RyanVM: approval-mozilla-beta+)
16.88 KB, patch (aosmond: review+)
9.31 KB, patch (nical: review+; RyanVM: approval-mozilla-beta+; abillings: sec-approval+)
9.25 KB, patch (aosmond: review+; RyanVM: approval-mozilla-esr52+)
The following crash occurs consistently on mozilla-central. Last tested revision is 20170805-933a04a91ce3.
INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction.
The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com
Possible reproduction scenario:
pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp
export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1
Messages which correlate with the stack:
[time: 1501976606668217][2079<-2079] [PCompositorBridgeChild] Received PCompositorBridge::Msg_DidComposite
[time: 1501976606684187][2079->2130] [PVsyncParent] Sending PVsync::Msg_Notify
[Faulty] pickle field {int} of value: 1139 changed to: 1140
[time: 1501976606687402][2130->2079] [PCompositorBridgeChild] Sending PCompositorBridge::Msg_PTextureConstructor
[time: 1501976606689924][2130->2079] [PLayerTransactionChild] Sending PLayerTransaction::Msg_NewCompositable
Calls before "swrast_dri.so":
#8 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLContext.h#1629
#9 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLContext.cpp#2857
#10 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#361
#11 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#479
#12 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#540
#13 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLTextureImage.cpp#144
#14 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLTextureImage.cpp#86
#15 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/opengl/TextureHostOGL.cpp#185
#16 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#1047
#17 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#918
#18 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#500
#19 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/ContentHost.cpp#390
#20 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/ipc/CompositableTransactionParent.cpp#93
Reporter
Comment 1•7 years ago
Updated•7 years ago
Group: core-security → gfx-core-security
Comment 2•7 years ago
We may not know how to create corrupted messages like this from web content, but a compromised child process could use something like this as a sandbox escape.
Keywords: sec-high
Updated•7 years ago
Priority: -- → P3
Updated•7 years ago
Whiteboard: [gfx-noted]
Updated•7 years ago
Keywords: csectype-bounds
Updated•7 years ago
Has STR: --- → no
Keywords: testcase-wanted
Hi Milan:
I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them.
Thanks!
Wennie
Assignee: nobody → milan
If something stands out in the code
Comment 5•7 years ago
What's the status here, Andrew?
Anything we can do to unblock you?
Flags: needinfo?(aosmond)
Assignee
Comment 6•7 years ago
At this point I do not have a smoking gun, as I have not been able to reproduce the same crash, but suspect where we create ShmemTextureHost objects:
https://searchfox.org/mozilla-central/rev/03877052c151a8f062eea177f684a2743cd7b1d5/gfx/layers/composite/TextureHost.cpp#272
This is a bit removed from the callstack, but from what I can tell, we don't seem to do any verification of the shmem itself (e.g. mapped in N bytes) and the buffer descriptor (W x H pixels in format F => should expect < N bytes). My best guess is the buffer descriptor is too big in the fuzzing.
> [Faulty] pickle field {int} of value: 1139 changed to: 1140
> ==2079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f276b7c3000 at pc 0x00000043a850 bp 0x7f27918abcb0 sp 0x7f27918ab458
> READ of size 4560 at 0x7f276b7c3000 thread T34 (Compositor)
This is corroborating evidence, in that 4560 bytes is what OpenGL tried to read, and 4560/1140 = 4, which is a common pixel size if the texture uses a BGRA or similar format. It may have tried to read a row from the image, but since we were always reading 1 extra pixel, eventually it overflowed the buffer.
I will write a patch to check for these sorts of overflow conditions in TextureHost::Create and its children.
Flags: needinfo?(aosmond)
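The check comment 6 calls for, written out as an added example (this is not Gecko's code and does not use its real BufferDescriptor or TextureHost types; the struct, field and function names here are assumptions). It computes the W x H x bytes-per-pixel footprint a descriptor claims with overflow-safe arithmetic and refuses it unless it fits in the N bytes the shmem actually maps. The constructed scenario mirrors the fuzzer log: a buffer allocated for 1139-pixel-wide BGRA rows described as 1140 wide, which is exactly the 4560-byte row (1140 x 4) AddressSanitizer reported reading.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Hypothetical descriptor with the W x H x format shape comment 6 describes
// (assumed names, not Gecko's BufferDescriptor).
struct BufferDescriptor {
    uint32_t width;
    uint32_t height;
    uint32_t bytesPerPixel;  // 4 for BGRA-style formats
};

// Multiply two sizes, reporting overflow instead of silently wrapping.
static bool CheckedMul(size_t a, size_t b, size_t* out) {
    if (a != 0 && b > std::numeric_limits<size_t>::max() / a) {
        return false;
    }
    *out = a * b;
    return true;
}

// Bytes the descriptor claims the backing buffer holds: stride * height,
// where stride = width * bytesPerPixel. Returns false for zero dimensions
// or any intermediate overflow, so a huge W or H cannot wrap to a small total.
bool RequiredBytes(const BufferDescriptor& d, size_t* out) {
    if (d.width == 0 || d.height == 0 || d.bytesPerPixel == 0) {
        return false;
    }
    size_t stride = 0;
    if (!CheckedMul(d.width, d.bytesPerPixel, &stride)) {
        return false;
    }
    return CheckedMul(stride, d.height, out);
}

// The validation a TextureHost factory should perform before trusting a
// descriptor received over IPC: the claimed footprint must fit inside the
// N bytes that were actually mapped for the shmem.
bool DescriptorFitsShmem(const BufferDescriptor& d, size_t shmemBytes) {
    size_t needed = 0;
    if (!RequiredBytes(d, &needed)) {
        return false;
    }
    return needed <= shmemBytes;
}

// Constructed scenario mirroring the fuzzer log: the shmem was allocated for
// 1139-pixel-wide BGRA rows, but the pickled width arrives as 1140.
bool FuzzedDescriptorRejected() {
    const uint32_t height = 8;  // arbitrary, constructed
    const size_t shmemBytes = static_cast<size_t>(1139) * 4 * height;
    BufferDescriptor honest{1139, height, 4};
    BufferDescriptor fuzzed{1140, height, 4};
    return DescriptorFitsShmem(honest, shmemBytes) &&
           !DescriptorFitsShmem(fuzzed, shmemBytes);
}

int main() {
    return FuzzedDescriptorRejected() ? 0 : 1;
}
```

The overflow check matters as much as the comparison: without it a descriptor with very large width and height can wrap the product to a small number that passes the size test, which is the same class of defect the reopened "underflow" reports later in this bug would need ruling out.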
Comment 7•7 years ago
Thanks for taking a look, that sounds great!
Assignee
Comment 8•7 years ago
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=54a4fc7740b829eb27f68fa29fdedc8341e3ce8f
Note that failing to create a TextureHost (due to a violation such as the shmem discrepancy) kills the process because it is an IPDL actor creation failure. I expanded on a few existing potential null pointer conventions in the subclasses to cover bad handles being passed in.
Assignee
Updated•7 years ago
Attachment #8941951 -
Flags: review?(nical.bugzilla)
Updated•7 years ago
Attachment #8941951 -
Flags: review?(nical.bugzilla) → review+
Assignee
Comment 9•7 years ago
Comment on attachment 8941951 [details] [diff] [review]
0001-Bug-1388020.patch, v1
Not fixing security bugs on a regular basis, it completely slipped my mind to do sec-approval first. Ugh! I landed on inbound and backed out right away, but it is obviously out there now.
[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
If you can gain control of the content process, it is trivial -- just send a too small shmem with the appropriate graphics IPC message, and boom overflow when that texture is used.
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No comments or tests were provided.
> Which older supported branches are affected by this flaw?
> If not all supported branches, which bug introduced the flaw?
> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No, but they are trivial to write. I will have them ready for ESR/release/beta just in case.
> How likely is this patch to cause regressions; how much testing does it need?
Very low. We just make sure the buffer is big enough, which it always should be right now.
Attachment #8941951 -
Flags: sec-approval?
Assignee
Comment 10•7 years ago
(In reply to Andrew Osmond [:aosmond] from comment #9)
> Comment on attachment 8941951 [details] [diff] [review]
> 0001-Bug-1388020.patch, v1
>
> Which older supported branches are affected by this flaw?
Bug 858914 introduced the issue. So all supported branches.
> If not all supported branches, which bug introduced the flaw?
See above.
Comment 11•7 years ago
There are also GTest failures for the push to inbound: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=ca1b397bffcfba088c848692e455e551459bc0ae&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=156576116&repo=mozilla-inbound
[task 2018-01-16T13:17:38.366Z] 13:17:38 INFO - TEST-START | Gfx.TestTextureCompatibility
[task 2018-01-16T13:17:38.366Z] 13:17:38 INFO - ExceptionHandler::GenerateDump cloned child 9950
[task 2018-01-16T13:17:38.366Z] 13:17:38 INFO - ExceptionHandler::SendContinueSignalToChild sent continue signal to child
[task 2018-01-16T13:17:38.367Z] 13:17:38 INFO - ExceptionHandler::WaitForContinueSignal waiting for continue signal...
[task 2018-01-16T13:17:38.730Z] 13:17:38 INFO - mozcrash INFO | Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /builds/worker/workspace/build/tests/gtest/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp /builds/worker/workspace/build/symbols
[task 2018-01-16T13:17:47.673Z] 13:17:47 INFO - mozcrash INFO | Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp
[task 2018-01-16T13:17:47.683Z] 13:17:47 INFO - mozcrash INFO | Saved app info as /builds/worker/workspace/build/blobber_upload_dir/485dc6e4-46cf-69c5-aee6-1027aa6d532b.extra
[task 2018-01-16T13:17:47.683Z] 13:17:47 WARNING - PROCESS-CRASH | gtest | application crashed [@ mozilla::layers::CreateBackendIndependentTextureHost]
[task 2018-01-16T13:17:47.684Z] 13:17:47 INFO - Crash dump filename: /builds/worker/workspace/build/tests/gtest/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp
[task 2018-01-16T13:17:47.684Z] 13:17:47 INFO - Operating system: Linux
[task 2018-01-16T13:17:47.685Z] 13:17:47 INFO - 0.0.0 Linux 4.4.0-98-generic #121~14.04.1-Ubuntu SMP Wed Oct 11 11:54:55 UTC 2017 x86_64
[task 2018-01-16T13:17:47.685Z] 13:17:47 INFO - CPU: amd64
[task 2018-01-16T13:17:47.686Z] 13:17:47 INFO - family 6 model 62 stepping 4
[task 2018-01-16T13:17:47.686Z] 13:17:47 INFO - 4 CPUs
[task 2018-01-16T13:17:47.686Z] 13:17:47 INFO - GPU: UNKNOWN
[task 2018-01-16T13:17:47.687Z] 13:17:47 INFO - Crash reason: SIGSEGV
[task 2018-01-16T13:17:47.687Z] 13:17:47 INFO - Crash address: 0x0
[task 2018-01-16T13:17:47.687Z] 13:17:47 INFO - Process uptime: not available
[task 2018-01-16T13:17:47.688Z] 13:17:47 INFO - Thread 0 (crashed)
[task 2018-01-16T13:17:47.688Z] 13:17:47 INFO - 0 libxul.so!mozilla::layers::CreateBackendIndependentTextureHost [TextureHost.cpp:ca1b397bffcf : 297 + 0x0]
[task 2018-01-16T13:17:47.688Z] 13:17:47 INFO - rax = 0x0000000000000001 rdx = 0x0000000000000000
[task 2018-01-16T13:17:47.689Z] 13:17:47 INFO - rcx = 0x0000000000000001 rbx = 0x00007ffe12094700
[task 2018-01-16T13:17:47.689Z] 13:17:47 INFO - rsi = 0x0000000000000001 rdi = 0x0000000000000001
[task 2018-01-16T13:17:47.689Z] 13:17:47 INFO - rbp = 0x00007ffe12094660 rsp = 0x00007ffe12094490
[task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r8 = 0x0000000000000040 r9 = 0x00007ffe120946f0
[task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r10 = 0x00007f6b4faec000 r11 = 0x0000000000000008
[task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r12 = 0x00007ffe12094698 r13 = 0x00007ffe120944a8
[task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r14 = 0x00007ffe12094740 r15 = 0x0000000000000000
[task 2018-01-16T13:17:47.691Z] 13:17:47 INFO - rip = 0x00007f6b5c13f265
[task 2018-01-16T13:17:47.691Z] 13:17:47 INFO - Found by: given as instruction pointer in context
[task 2018-01-16T13:17:47.691Z] 13:17:47 INFO - 1 libxul.so!mozilla::layers::TextureHost::Create [TextureHost.cpp:ca1b397bffcf : 208 + 0x13]
[task 2018-01-16T13:17:47.692Z] 13:17:47 INFO - rbx = 0x00007ffe12094700 rbp = 0x00007ffe120946d0
[task 2018-01-16T13:17:47.692Z] 13:17:47 INFO - rsp = 0x00007ffe12094670 r12 = 0x0000000000000000
[task 2018-01-16T13:17:47.692Z] 13:17:47 INFO - r13 = 0x0000000000000040 r14 = 0x0000000000000001
[task 2018-01-16T13:17:47.693Z] 13:17:47 INFO - r15 = 0x00007ffe12094690 rip = 0x00007f6b5c13f466
[task 2018-01-16T13:17:47.693Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.694Z] 13:17:47 INFO - 2 libxul.so!mozilla::layers::CreateTextureHostWithBackend [TextureHelper.h:ca1b397bffcf : 157 + 0x5]
[task 2018-01-16T13:17:47.694Z] 13:17:47 INFO - rbx = 0x00007ffe12094808 rbp = 0x00007ffe12094790
[task 2018-01-16T13:17:47.694Z] 13:17:47 INFO - rsp = 0x00007ffe120946e0 r12 = 0x00007ffe12094700
[task 2018-01-16T13:17:47.695Z] 13:17:47 INFO - r13 = 0x00007f6b4f746f40 r14 = 0x00007f6b4fbdddb8
[task 2018-01-16T13:17:47.695Z] 13:17:47 INFO - r15 = 0x00007f6b4fbdddb8 rip = 0x00007f6b5e61107e
[task 2018-01-16T13:17:47.695Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.696Z] 13:17:47 INFO - 3 libxul.so!CreateTextureWithBackend [TestTextureCompatibility.cpp:ca1b397bffcf : 46 + 0x14]
[task 2018-01-16T13:17:47.696Z] 13:17:47 INFO - rbx = 0x0000000000000000 rbp = 0x00007ffe12094890
[task 2018-01-16T13:17:47.696Z] 13:17:47 INFO - rsp = 0x00007ffe120947a0 r12 = 0x00007ffe120947e8
[task 2018-01-16T13:17:47.697Z] 13:17:47 INFO - r13 = 0x00007ffe120948c8 r14 = 0x00007ffe120947d8
[task 2018-01-16T13:17:47.697Z] 13:17:47 INFO - r15 = 0x00007f6b4fbdddb8 rip = 0x00007f6b5e6113f5
[task 2018-01-16T13:17:47.697Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.698Z] 13:17:47 INFO - 4 libxul.so!Gfx_TestTextureCompatibility_Test::TestBody [TestTextureCompatibility.cpp:ca1b397bffcf : 121 + 0xb]
[task 2018-01-16T13:17:47.698Z] 13:17:47 INFO - rbx = 0x00007ffe120948b8 rbp = 0x00007ffe12094900
[task 2018-01-16T13:17:47.698Z] 13:17:47 INFO - rsp = 0x00007ffe120948a0 r12 = 0x0000000000000000
[task 2018-01-16T13:17:47.699Z] 13:17:47 INFO - r13 = 0x00007ffe120948c8 r14 = 0x00007ffe120948c0
[task 2018-01-16T13:17:47.699Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e61150f
[task 2018-01-16T13:17:47.699Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.700Z] 13:17:47 INFO - 5 libxul.so!testing::Test::Run [gtest.cc:ca1b397bffcf : 2477 + 0xf]
[task 2018-01-16T13:17:47.700Z] 13:17:47 INFO - rbx = 0x00007f6b4fbd6eb0 rbp = 0x00007ffe12094920
[task 2018-01-16T13:17:47.701Z] 13:17:47 INFO - rsp = 0x00007ffe12094910 r12 = 0x00007f6b6cb4f3e0
[task 2018-01-16T13:17:47.701Z] 13:17:47 INFO - r13 = 0x00007f6b6cb4f3e0 r14 = 0x00007f6b6cb5d640
[task 2018-01-16T13:17:47.701Z] 13:17:47 INFO - r15 = 0x00000160ff1e36b1 rip = 0x00007f6b5e59d14c
[task 2018-01-16T13:17:47.702Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.702Z] 13:17:47 INFO - 6 libxul.so!testing::TestInfo::Run [gtest.cc:ca1b397bffcf : 2658 + 0x8]
[task 2018-01-16T13:17:47.703Z] 13:17:47 INFO - rbx = 0x00007f6b57f771c0 rbp = 0x00007ffe12094970
[task 2018-01-16T13:17:47.703Z] 13:17:47 INFO - rsp = 0x00007ffe12094930 r12 = 0x00007f6b4fbd6eb0
[task 2018-01-16T13:17:47.703Z] 13:17:47 INFO - r13 = 0x00007f6b6cb4f3e0 r14 = 0x00007f6b6cb5d640
[task 2018-01-16T13:17:47.704Z] 13:17:47 INFO - r15 = 0x00000160ff1e36b1 rip = 0x00007f6b5e59d25c
[task 2018-01-16T13:17:47.704Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.705Z] 13:17:47 INFO - 7 libxul.so!testing::TestCase::Run [gtest.cc:ca1b397bffcf : 2776 + 0xd]
[task 2018-01-16T13:17:47.705Z] 13:17:47 INFO - rbx = 0x00007f6b57f699e0 rbp = 0x00007ffe120949b0
[task 2018-01-16T13:17:47.706Z] 13:17:47 INFO - rsp = 0x00007ffe12094980 r12 = 0x00007f6b6cb4f3e0
[task 2018-01-16T13:17:47.706Z] 13:17:47 INFO - r13 = 0x00007f6b6cb5d640 r14 = 0x00000160ff1e364e
[task 2018-01-16T13:17:47.707Z] 13:17:47 INFO - r15 = 0x0000000000000024 rip = 0x00007f6b5e59d2fa
[task 2018-01-16T13:17:47.707Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.708Z] 13:17:47 INFO - 8 libxul.so!testing::internal::UnitTestImpl::RunAllTests [gtest.cc:ca1b397bffcf : 4651 + 0x15]
[task 2018-01-16T13:17:47.708Z] 13:17:47 INFO - rbx = 0x00007f6b6cb4f3e0 rbp = 0x00007ffe12094a10
[task 2018-01-16T13:17:47.708Z] 13:17:47 INFO - rsp = 0x00007ffe120949c0 r12 = 0x00007f6b6cb5d640
[task 2018-01-16T13:17:47.709Z] 13:17:47 INFO - r13 = 0x00007ffe12094a00 r14 = 0x0000000000000000
[task 2018-01-16T13:17:47.709Z] 13:17:47 INFO - r15 = 0x0000000000001464 rip = 0x00007f6b5e5a024a
[task 2018-01-16T13:17:47.710Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.710Z] 13:17:47 INFO - 9 libxul.so!testing::UnitTest::Run [gtest.cc:ca1b397bffcf : 2460 + 0x8]
[task 2018-01-16T13:17:47.711Z] 13:17:47 INFO - rbx = 0x00007f6b6cb4f3e0 rbp = 0x00007ffe12094a40
[task 2018-01-16T13:17:47.711Z] 13:17:47 INFO - rsp = 0x00007ffe12094a20 r12 = 0x00007ffe12094a98
[task 2018-01-16T13:17:47.711Z] 13:17:47 INFO - r13 = 0x00007ffe12094a70 r14 = 0x00007ffe12094a68
[task 2018-01-16T13:17:47.712Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e5a036f
[task 2018-01-16T13:17:47.712Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.713Z] 13:17:47 INFO - 10 libxul.so!mozilla::RunGTestFunc [gtest.h:ca1b397bffcf : 2233 + 0xd]
[task 2018-01-16T13:17:47.713Z] 13:17:47 INFO - rbx = 0x00007ffe12094a78 rbp = 0x00007ffe12094b10
[task 2018-01-16T13:17:47.714Z] 13:17:47 INFO - rsp = 0x00007ffe12094a50 r12 = 0x00007ffe12094a98
[task 2018-01-16T13:17:47.714Z] 13:17:47 INFO - r13 = 0x00007ffe12094a70 r14 = 0x00007ffe12094a68
[task 2018-01-16T13:17:47.715Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e5a2477
[task 2018-01-16T13:17:47.715Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.715Z] 13:17:47 INFO - 11 libxul.so!XREMain::XRE_mainStartup [nsAppRunner.cpp:ca1b397bffcf : 3906 + 0x10]
[task 2018-01-16T13:17:47.716Z] 13:17:47 INFO - rbx = 0x0000000000000000 rbp = 0x00007ffe12094d30
[task 2018-01-16T13:17:47.716Z] 13:17:47 INFO - rsp = 0x00007ffe12094b20 r12 = 0x00007ffe12094da0
[task 2018-01-16T13:17:47.716Z] 13:17:47 INFO - r13 = 0x00007ffe12094e78 r14 = 0x00007ffe12094c60
[task 2018-01-16T13:17:47.717Z] 13:17:47 INFO - r15 = 0x00007ffe12094e00 rip = 0x00007f6b5e2f2ab2
[task 2018-01-16T13:17:47.717Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.717Z] 13:17:47 INFO - 12 libxul.so!XREMain::XRE_main [nsAppRunner.cpp:ca1b397bffcf : 4826 + 0xb]
[task 2018-01-16T13:17:47.718Z] 13:17:47 INFO - rbx = 0x00007ffe12094e00 rbp = 0x00007ffe12094de0
[task 2018-01-16T13:17:47.718Z] 13:17:47 INFO - rsp = 0x00007ffe12094d40 r12 = 0x00007ffe12094da0
[task 2018-01-16T13:17:47.719Z] 13:17:47 INFO - r13 = 0x00007ffe12094e78 r14 = 0x00007ffe12094d88
[task 2018-01-16T13:17:47.719Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e2f6f95
[task 2018-01-16T13:17:47.719Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.720Z] 13:17:47 INFO - 13 libxul.so!XRE_main [nsAppRunner.cpp:ca1b397bffcf : 4933 + 0x5]
[task 2018-01-16T13:17:47.720Z] 13:17:47 INFO - rbx = 0x00007ffe12094e00 rbp = 0x00007ffe12094fb0
[task 2018-01-16T13:17:47.720Z] 13:17:47 INFO - rsp = 0x00007ffe12094df0 r12 = 0x0000000000000003
[task 2018-01-16T13:17:47.721Z] 13:17:47 INFO - r13 = 0x00007ffe120960f8 r14 = 0x00007ffe12094fc0
[task 2018-01-16T13:17:47.721Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e2f7329
[task 2018-01-16T13:17:47.722Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.722Z] 13:17:47 INFO - 14 firefox!do_main [nsBrowserApp.cpp:ca1b397bffcf : 231 + 0x22]
[task 2018-01-16T13:17:47.722Z] 13:17:47 INFO - rbx = 0x0000000000000003 rbp = 0x00007ffe12095fe0
[task 2018-01-16T13:17:47.723Z] 13:17:47 INFO - rsp = 0x00007ffe12094fc0 r12 = 0x00007ffe120960f8
[task 2018-01-16T13:17:47.723Z] 13:17:47 INFO - r13 = 0x0000000000000000 r14 = 0x00007ffe12096118
[task 2018-01-16T13:17:47.723Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x0000000000406b7d
[task 2018-01-16T13:17:47.724Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.724Z] 13:17:47 INFO - 15 firefox!main [nsBrowserApp.cpp:ca1b397bffcf : 304 + 0xd]
[task 2018-01-16T13:17:47.724Z] 13:17:47 INFO - rbx = 0x0000000000000003 rbp = 0x00007ffe12096010
[task 2018-01-16T13:17:47.725Z] 13:17:47 INFO - rsp = 0x00007ffe12095ff0 r12 = 0x00007ffe120960f8
[task 2018-01-16T13:17:47.725Z] 13:17:47 INFO - r13 = 0x00007ffe12096118 r14 = 0x00000abe747a8ab9
[task 2018-01-16T13:17:47.725Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x0000000000406474
[task 2018-01-16T13:17:47.726Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.726Z] 13:17:47 INFO - 16 libc-2.23.so + 0x20830
[task 2018-01-16T13:17:47.726Z] 13:17:47 INFO - rbx = 0x0000000000000000 rbp = 0x000000000042d900
[task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - rsp = 0x00007ffe12096020 r12 = 0x00000000004066a8
[task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - r13 = 0x00007ffe120960f0 r14 = 0x0000000000000000
[task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b6cdd0830
[task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - Found by: call frame info
[task 2018-01-16T13:17:47.728Z] 13:17:47 INFO - 17 firefox!MOZ_ReportAssertionFailure [Assertions.h:ca1b397bffcf : 165 + 0x5]
[task 2018-01-16T13:17:47.728Z] 13:17:47 INFO - rsp = 0x00007ffe12096040 rip = 0x00000000004063ee
[task 2018-01-16T13:17:47.729Z] 13:17:47 INFO - Found by: stack scanning
Flags: needinfo?(aosmond)
Comment 12•7 years ago
We can't take this until February 6. This is too big of a patch to put into 58 with zero betas left and us about to make the release candidate.
So, sec-approval+ for checkin on February 6 (no earlier!). At that point, we'll want a Beta and ESR52 patch as well.
status-firefox59:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox59:
--- → +
tracking-firefox-esr52:
--- → ?
Whiteboard: [gfx-noted] → [gfx-noted][checkin on 2/6]
Updated•7 years ago
Attachment #8941951 -
Flags: sec-approval? → sec-approval+
Updated•7 years ago
status-firefox60:
--- → affected
tracking-firefox60:
--- → +
Whiteboard: [gfx-noted][checkin on 2/6] → [gfx-noted]
Assignee
Comment 13•7 years ago
This fixes the broken gtests. Will land and attach the ESR52 patch as well. The mozilla-inbound patch should apply cleanly to beta.
Flags: needinfo?(aosmond)
Attachment #8948865 -
Flags: review+
Assignee
Comment 14•7 years ago
Attachment #8948867 -
Flags: review+
Assignee
Updated•7 years ago
Attachment #8948865 -
Attachment description: 0001-Bug-1388020.patch, v2 [carries r=nical] → [central/beta] 0001-Bug-1388020.patch, v2 [carries r=nical]
Assignee
Comment 15•7 years ago
Third try is the charm right? Backed out for a crash test failure on OS X only. This should fix that along with a typo.
Attachment #8948865 -
Attachment is obsolete: true
Attachment #8948997 -
Flags: review+
Assignee
Comment 16•7 years ago
Attachment #8948867 -
Attachment is obsolete: true
Attachment #8948998 -
Flags: review+
Comment hidden (typo)
Comment 18•7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/fd15c14e5efb1874591f4e113c1ae1c49154804f
https://hg.mozilla.org/mozilla-central/rev/fd15c14e5efb
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment 19•7 years ago
(In reply to Sebastian Hengst [:aryx][:archaeopteryx] (needinfo on intermittent or backout) from comment #17)
> diagnostics patch:
> https://hg.mozilla.org/releases/mozilla-beta/rev/a144e7e01f42
This got backed out because it didn't belong into this bug: https://hg.mozilla.org/releases/mozilla-beta/rev/58dc2e0f5a1562f390caf8ebfc517989348ddd0c
Comment 20•7 years ago
Please request uplift to beta and esr when you get a chance.
Flags: needinfo?(aosmond)
Updated•7 years ago
Group: gfx-core-security → core-security-release
Comment 21•7 years ago
Milan, can you request uplift here? This can still make it into Monday's beta 11.
Flags: needinfo?(milan)
Comment on attachment 8941951 [details] [diff] [review]
0001-Bug-1388020.patch, v1
Approval Request Comment
[Feature/Bug causing the regression]: 858914
[User impact if declined]: Sec bug
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]:
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: No, now allocating enough memory
[Why is the change risky/not risky?]:
[String changes made/needed]:
Flags: needinfo?(milan)
Attachment #8941951 -
Flags: approval-mozilla-beta?
Comment 23•7 years ago
Comment on attachment 8941951 [details] [diff] [review]
0001-Bug-1388020.patch, v1
Just to be clear, I think it's the central/beta patch that needs this request? Also, can we get an ESR52 approval request as well?
Attachment #8941951 -
Attachment is obsolete: true
Attachment #8941951 -
Flags: approval-mozilla-beta?
Assignee
Comment 24•7 years ago
Comment on attachment 8948997 [details] [diff] [review]
[central/beta] 0001-Bug-1388020.patch, v3 [carries r=nical]
Approval Request Comment
[Feature/Bug causing the regression]: Bug 858914
[User impact if declined]: Given control of the content process, one can cause a buffer overflow by sending a too small shmem in the parent or GPU process.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No. May follow the original STR from submitter, but I had trouble reproducing even without the fix.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Been soaking in central for some time. It mostly just adds some size checks at alloc time, which is used a lot during runtime.
[String changes made/needed]: None.
Flags: needinfo?(aosmond)
Attachment #8948997 -
Flags: approval-mozilla-beta?
Assignee
Comment 25•7 years ago
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Given control of the content process, one can cause a buffer overflow by sending a too small shmem in the parent or GPU process.
Fix Landed on Version: 60.0a
Risk to taking this patch (and alternatives if risky): No. Been soaking in central for some time. It mostly just adds some size checks at alloc time, which is used a lot during runtime.
String or UUID changes made by this patch: None.
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8948998 -
Flags: approval-mozilla-esr52?
Comment 26•7 years ago
Comment on attachment 8948997 [details] [diff] [review]
[central/beta] 0001-Bug-1388020.patch, v3 [carries r=nical]
Let's take this for 59b12 and 52.7.0. Thanks!
Attachment #8948997 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•7 years ago
Attachment #8948998 -
Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Comment 27•7 years ago
uplift
Comment 28•7 years ago
uplift
Updated•7 years ago
Flags: qe-verify-
Whiteboard: [gfx-noted] → [gfx-noted][post-critsmash-triage]
Updated•7 years ago
Whiteboard: [gfx-noted][post-critsmash-triage] → [gfx-noted][post-critsmash-triage][adv-main59+][adv-esr52.7+]
Reporter
Comment 29•7 years ago
We need to re-open this bug because it's still being seen on our fuzzing cluster.
==22693==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fc9a726c360 at pc 0x000000440db9 bp 0x7fc99f135b40 sp 0x7fc99f1352e0
READ of size 27754496 at 0x7fc9a726c360 thread T34 (Compositor)
#0 0x440db8 in memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5
#1 0x7fc9b628dda2 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x449da2)
#2 0x7fc9b6291d40 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x44dd40)
#3 0x7fc9b607d3a3 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x2393a3)
#4 0x7fc9b607ee69 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23ae69)
#5 0x7fc9b6001522 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1bd522)
#6 0x7fc9b60035df (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1bf5df)
#7 0x7fc9bde43495 in raw_fTexImage2D /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1654:9
#8 0x7fc9bde43495 in fTexImage2D /builds/worker/workspace/build/src/gfx/gl/GLContext.cpp:2789
#9 0x7fc9bde43495 in TexImage2DHelper /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:361
#10 0x7fc9bde43495 in mozilla::gl::UploadImageDataToTexture(mozilla::gl::GLContext*, unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:487
#11 0x7fc9bde3ec9e in mozilla::gl::UploadSurfaceToTexture(mozilla::gl::GLContext*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:548:12
#12 0x7fc9bde3e80c in mozilla::gl::BasicTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:144:9
#13 0x7fc9bde41216 in mozilla::gl::TiledTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:300:11
#14 0x7fc9bde3d8dc in mozilla::gl::TextureImage::UpdateFromDataSource(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:86:12
#15 0x7fc9be002814 in mozilla::layers::TextureImageTextureSourceOGL::Update(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/opengl/TextureHostOGL.cpp:171:14
#16 0x7fc9be277c22 in mozilla::layers::BufferTextureHost::Upload(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:1084:24
#17 0x7fc9be27365a in MaybeUpload /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:955:8
#18 0x7fc9be27365a in mozilla::layers::BufferTextureHost::UpdatedInternal(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:541
#19 0x7fc9be217e6c in mozilla::layers::ContentHostSingleBuffered::UpdateThebes(mozilla::layers::ThebesBufferData const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContentHost.cpp:391:17
#20 0x7fc9be28943f in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperation const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositableTransactionParent.cpp:92:26
#21 0x7fc9be2e7726 in mozilla::layers::LayerTransactionParent::RecvUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:462:10
#22 0x7fc9bccdf88b in mozilla::layers::PLayerTransactionParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PLayerTransactionParent.cpp:136:20
#23 0x7fc9bd18d3a5 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:121:28
#24 0x7fc9bca0e47e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25
#25 0x7fc9bca0b401 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
#26 0x7fc9bca0cbfc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
#27 0x7fc9bca0d258 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 30•7 years ago
Please ping me on release day when we reopen a bug in the advisories...
Whiteboard: [gfx-noted][post-critsmash-triage][adv-main59+][adv-esr52.7+] → [gfx-noted][post-critsmash-triage]
Reporter
Comment 31•7 years ago
Noting that all crashes occurring now are "underflows" rather than "overflows" as before but the stack is the same.
Reporter
Comment 32•7 years ago
Another variation is a UAF but happened until now only one time.
==4874==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffaf81a7fdc at pc 0x000000440db9 bp 0x7ffb1178b840 sp 0x7ffb1178afe0
READ of size 32768 at 0x7ffaf81a7fdc thread T34 (Compositor)
#0 0x440db8 in memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5
#1 0x7ffb29053923 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x469923)
#2 0x7ffb29053a57 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x469a57)
#3 0x7ffb29057c70 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x46dc70)
#4 0x7ffb28e281d1 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23e1d1)
#5 0x7ffb28e29c1f (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23fc1f)
#6 0x7ffb28daac72 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1c0c72)
#7 0x7ffb28dacdef (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1c2def)
#8 0x7ffb310c4a55 in raw_fTexImage2D /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1654:9
#9 0x7ffb310c4a55 in fTexImage2D /builds/worker/workspace/build/src/gfx/gl/GLContext.cpp:2789
#10 0x7ffb310c4a55 in TexImage2DHelper /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:361
#11 0x7ffb310c4a55 in mozilla::gl::UploadImageDataToTexture(mozilla::gl::GLContext*, unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:487
#12 0x7ffb310c021e in mozilla::gl::UploadSurfaceToTexture(mozilla::gl::GLContext*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:548:12
#13 0x7ffb310bfd8c in mozilla::gl::BasicTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:144:9
#14 0x7ffb310c27d6 in mozilla::gl::TiledTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:300:11
#15 0x7ffb310bee5c in mozilla::gl::TextureImage::UpdateFromDataSource(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:86:12
#16 0x7ffb31270255 in mozilla::layers::TextureImageTextureSourceOGL::Update(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/opengl/TextureHostOGL.cpp:171:14
#17 0x7ffb314cd7a6 in mozilla::layers::BufferTextureHost::Upload(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:1084:24
#18 0x7ffb314c902a in MaybeUpload /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:955:8
#19 0x7ffb314c902a in mozilla::layers::BufferTextureHost::UpdatedInternal(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:541
#20 0x7ffb31475e6c in mozilla::layers::ContentHostSingleBuffered::UpdateThebes(mozilla::layers::ThebesBufferData const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContentHost.cpp:391:17
#21 0x7ffb314df55f in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperation const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositableTransactionParent.cpp:92:26
#22 0x7ffb3153c1af in mozilla::layers::LayerTransactionParent::RecvUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:463:10
#23 0x7ffb2fd8669b in mozilla::layers::PLayerTransactionParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PLayerTransactionParent.cpp:135:20
#24 0x7ffb303aff95 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:121:28
#25 0x7ffb2fababfe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25
#26 0x7ffb2fab7c77 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
#27 0x7ffb2fab937c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
#28 0x7ffb2fab99d8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
#29 0x7ffb2fa15893 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
#30 0x7ffb2fa15893 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
#31 0x7ffb2fa15893 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
#32 0x7ffb2fa17808 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
#33 0x7ffb2fa12c79 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#34 0x7ffb2fa12c79 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#35 0x7ffb2fa12c79 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#36 0x7ffb2fa3221f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
#37 0x7ffb2fa23c8c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
#38 0x7ffb4f37d6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#39 0x7ffb4e40641c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
0x7ffaf81a7fdc is located 42972 bytes inside of 2062080-byte region [0x7ffaf819d800,0x7ffaf8394f00)
freed by thread T34 (Compositor) here:
#0 0x4c6fc2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7ffb2937b4a0 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x7914a0)
previously allocated by thread T34 (Compositor) here:
#0 0x4c7f9e in __interceptor_posix_memalign /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:157:3
#1 0x7ffb2937b33b (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x79133b)
Thread T34 (Compositor) created by T0 here:
#0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
#1 0x7ffb2fa215ef in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
#2 0x7ffb2fa215ef in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
#3 0x7ffb2fa31bbf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
#4 0x7ffb3150798a in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:101:26
#5 0x7ffb3150798a in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:51
#6 0x7ffb31507ba3 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:123:33
#7 0x7ffb315ffbd2 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1035:5
#8 0x7ffb315fad73 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:779:5
#9 0x7ffb315f839b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:538:9
#10 0x7ffb3643b9b9 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1518:25
#11 0x7ffb2ec126a1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#12 0x7ffb306de5e0 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1948:12
#13 0x7ffb306de5e0 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
#14 0x7ffb306de5e0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
#15 0x7ffb306e5659 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1671:17
#16 0x7ffb306e5659 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
#17 0x7ffb3ae65cae in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#18 0x7ffb3ae65cae in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#19 0x7ffb3ae67a02 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
#20 0x7ffb3ae67a02 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
#21 0x7ffb3ae67a02 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:650
#22 0x7ffb3bfcbe1e in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2155:16
#23 0x7ffb3bfcbe1e in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2208
#24 0x7ffb3bfcbe1e in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2410
#25 0x7ffb3bfcbe1e in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2446
#26 0x7ffb3ae4d4c5 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1629:12
#27 0x7ffb3ae4d4c5 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:520
#28 0x7ffb3ae4d4c5 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:626
#29 0x7ffb3ae4d4c5 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2923
#30 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#31 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#32 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#33 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
#34 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#35 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#36 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#37 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
#38 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#39 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#40 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#41 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
#42 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#43 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#44 0x7ffb3ae66813 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#45 0x7ffb3ba6bf15 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2969:12
#46 0x7ffb306c55c0 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1308:23
#47 0x7ffb2ec13c7f in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
#48 0x7ffb2ec12c2a in SharedStub (/home/ubuntu/firefox/libxul.so+0x2251c2a)
#49 0x7ffb2eb8cded in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19
#50 0x7ffb3ab798cc in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1022:11
#51 0x7ffb3ab563c8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4516:16
#52 0x7ffb3ab5997c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4814:8
#53 0x7ffb3ab5adc4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4906:21
#54 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#55 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
#56 0x7ffb4e31f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5 in memcpy
==4874==ABORTING
Assignee
Comment 33•7 years ago
The original bug report messed with the buffer size a bunch, which I fixed, but the new report is a little different. I think it is causing us to use a negative point of reference against the texture, here:
https://searchfox.org/mozilla-central/rev/6e96a3f1e44e286ddae5fdafab737709741d237a/gfx/gl/GLUploadHelpers.cpp#545
That could cause us to underflow.
Assignee
Comment 34•7 years ago
I think the UAF could be explained under similar circumstances: with a large enough negative (or positive, for that matter) offset, we could probably reach arbitrary memory that has been freed.
Updated•7 years ago
status-firefox61:
--- → affected
tracking-firefox61:
--- → +
Updated•7 years ago
Target Milestone: mozilla60 → ---
Comment 36•7 years ago
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]
Clearing the ESR52 approval flag for now just to get this off the "approved & needs uplift" bug query.
Attachment #8948998 -
Flags: approval-mozilla-esr52+
Assignee
Comment 37•7 years ago
I *think* this should do it.
Flags: needinfo?(aosmond)
Attachment #8964939 -
Flags: review?(nical.bugzilla)
Updated•7 years ago
Attachment #8964939 -
Flags: review?(nical.bugzilla) → review+
Assignee
Comment 38•7 years ago
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1
[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
The patch will suggest there is a possible overflow/underflow on this path. You can eventually get here from an IPC message, although there is some clamping/transformations done on the input.
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I don't think so.
> Which older supported branches are affected by this flaw?
> If not all supported branches, which bug introduced the flaw?
All.
> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Yes. It should apply cleanly to release/beta and, with minor tweaks, esr52. Not risky.
> How likely is this patch to cause regressions; how much testing does it need?
Unlikely to cause regressions. If we were under/overflowing the surface data in the normal case, we would be corrupting memory anyways, and now it would just fail to draw something instead.
Attachment #8964939 -
Flags: sec-approval?
Comment 39•7 years ago
sec-approval+ for trunk.
We'll want Beta and ESR52 patches made and nominated.
Updated•7 years ago
Attachment #8964939 -
Flags: sec-approval? → sec-approval+
Assignee
Comment 40•7 years ago
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1
This patch should apply cleanly on central/beta/release. try results with mozilla-central: https://treeherder.mozilla.org/#/jobs?repo=try&revision=a692edf1a895312cd197f8b5ffbd331baf3e4388
Attachment #8964939 -
Attachment description: 0001-Bug-1388020.patch, secondary cause, v1 → [central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1
Assignee
Comment 41•7 years ago
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=3fda6dffd2487e117046060d40fa069e5190e0b8
Attachment #8965659 -
Flags: review+
Comment 42•7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4f4d41bd1d6c21a7010fa4c82401bd466f5d86fa
https://hg.mozilla.org/mozilla-central/rev/4f4d41bd1d6c
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
Assignee
Comment 43•7 years ago
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1
Approval Request Comment
[Feature/Bug causing the regression]: N/A
[User impact if declined]: May access arbitrary memory to copy into a GL texture. Could crash or leak information from GPU or main process.
[Is this code covered by automated tests?]: Yes, the bounds check is hit during normal testing. The fuzzer hits the out-of-bounds cases.
[Has the fix been verified in Nightly?]: Yes. The crash has not been reproduced by the fuzzer since landing.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It just adds a bounds check, and ensures any failures are passed up to the caller. If we are outside the bounds, we likely would crash anyways.
[String changes made/needed]: None.
Attachment #8964939 -
Flags: approval-mozilla-beta?
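The two comments above (comment 33/34 on the negative offset into the surface, and the uplift request describing the fix as a bounds check whose failure is passed up to the caller) are illustrated by the following added example. It is not Mozilla's code or the patch itself; the surface struct, function names and the 4x4 sample buffer are hypothetical.

```cpp
// Added example (not Mozilla's code; all names are hypothetical): the kind of
// bounds check the fix in this bug adds before copying surface data into a GL
// texture, beside the unchecked arithmetic that lets a bad offset read outside
// the buffer. Uses 64-bit math and reports failure to the caller.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// A CPU-side surface: pixel buffer, its real allocated length, stride, size, bpp.
struct SurfaceData {
  const uint8_t* data;
  size_t length;   // bytes actually allocated behind `data`
  int32_t stride;  // bytes per row (must be >= width * bpp)
  int32_t width;
  int32_t height;
  int32_t bpp;     // bytes per pixel
};

// Unchecked: trusts x/y, so a negative or oversized rect produces a pointer
// before or past the allocation (the underflow/overflow ASan reports above).
const uint8_t* UncheckedRectStart(const SurfaceData& s, int32_t x, int32_t y) {
  return s.data + std::ptrdiff_t(y) * s.stride + std::ptrdiff_t(x) * s.bpp;
}

// Checked: byte offset of the rect's first pixel, or nullopt if any byte of the
// rect would lie outside the surface or outside the allocation.
std::optional<size_t> CheckedRectOffset(const SurfaceData& s, int32_t x, int32_t y,
                                        int32_t w, int32_t h) {
  if (x < 0 || y < 0 || w <= 0 || h <= 0) return std::nullopt;
  if (s.bpp <= 0 || s.stride <= 0 || s.width <= 0 || s.height <= 0) return std::nullopt;
  if (int64_t(s.stride) < int64_t(s.width) * s.bpp) return std::nullopt;  // row must fit
  const int64_t right = int64_t(x) + w, bottom = int64_t(y) + h;  // no 32-bit wrap
  if (right > s.width || bottom > s.height) return std::nullopt;
  // Last byte the copy touches: start of the last row plus the rect's right edge.
  const int64_t end = (bottom - 1) * int64_t(s.stride) + right * int64_t(s.bpp);
  if (end > int64_t(s.length)) return std::nullopt;
  return size_t(int64_t(y) * s.stride + int64_t(x) * s.bpp);
}

// Row-by-row copy of the rect into a tightly packed destination (what the GL
// upload would consume). Returns false instead of copying when the check fails,
// so the caller skips the draw rather than uploading out-of-bounds memory.
bool CopyRectChecked(const SurfaceData& s, int32_t x, int32_t y, int32_t w, int32_t h,
                     std::vector<uint8_t>& dst) {
  const auto off = CheckedRectOffset(s, x, y, w, h);
  if (!off) return false;
  const size_t rowBytes = size_t(w) * size_t(s.bpp);
  dst.assign(rowBytes * size_t(h), 0);
  for (int32_t row = 0; row < h; ++row) {
    std::memcpy(dst.data() + size_t(row) * rowBytes,
                s.data + *off + size_t(row) * size_t(s.stride), rowBytes);
  }
  return true;
}

// Constructed sample: 4x4 BGRA surface where every byte equals its own index.
static const std::vector<uint8_t> kSample = [] {
  std::vector<uint8_t> v(64);
  for (size_t i = 0; i < v.size(); ++i) v[i] = uint8_t(i);
  return v;
}();

// `length` lets a test pretend the allocation is shorter than stride * height.
SurfaceData SampleSurface(size_t length = 64) {
  return SurfaceData{kSample.data(), length, 16, 4, 4, 4};
}

// Byte `i` of the copied rect, or -1 if the rect was rejected.
int CopiedByte(int32_t x, int32_t y, int32_t w, int32_t h, size_t i, size_t length = 64) {
  std::vector<uint8_t> dst;
  if (!CopyRectChecked(SampleSurface(length), x, y, w, h, dst)) return -1;
  return i < dst.size() ? dst[i] : -1;
}
```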
Assignee
Comment 44•7 years ago
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]
This is a sec-high. See comment 43 for details.
Attachment #8948998 -
Flags: approval-mozilla-esr52?
Assignee
Comment 45•7 years ago
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]
Wrong patch.
Attachment #8948998 -
Flags: approval-mozilla-esr52?
Assignee
Comment 46•7 years ago
Comment on attachment 8965659 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, secondary cause, v1 [carries r=nical]
This is a sec-high bug. See comment 43 for details.
Attachment #8965659 -
Flags: approval-mozilla-esr52?
Comment 47•7 years ago
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1
Approved for 60.0b12 and ESR 52.8.0.
Attachment #8964939 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•7 years ago
Attachment #8965659 -
Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Comment 48•7 years ago
uplift
Comment 49•7 years ago
Updated•7 years ago
Target Milestone: --- → mozilla61
Updated•7 years ago
Whiteboard: [gfx-noted][post-critsmash-triage] → [gfx-noted][post-critsmash-triage][adv-main60+][adv-esr52.8+]
Updated•6 years ago
Group: core-security-release