Closed Bug 1388020 Opened 7 years ago Closed 7 years ago

IPC: heap-buffer-overflow [@raw_fTexImage2D]

Categories

(Core :: Graphics, defect, P3)

Unspecified
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 60+ fixed
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 + wontfix
firefox60 + fixed
firefox61 + fixed

People

(Reporter: posidron, Assigned: aosmond)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [gfx-noted][post-critsmash-triage][adv-main60+][adv-esr52.8+])

Attachments

(6 files, 3 obsolete files)

17.32 KB, text/plain
Details
115.93 KB, text/plain
Details
22.44 KB, patch
aosmond
: review+
Details | Diff | Splinter Review
16.88 KB, patch
aosmond
: review+
Details | Diff | Splinter Review
9.31 KB, patch
nical
: review+
abillings
: sec-approval+
Details | Diff | Splinter Review
9.25 KB, patch
aosmond
: review+
Details | Diff | Splinter Review
Attached file callstack.txt
The following crash occurs consistently on mozilla-central. Last tested revision is 20170805-933a04a91ce3. INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction. The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com Possible reproduction scenario: pip install git+https://github.com/mozillasecurity/fuzzfetch fuzzfetch -a --fuzzing -n firefox -o /tmp export FAULTY_PROBABILITY=50000 export FAULTY_LARGE_VALUES=1 export FAULTY_PARENT=1 export FAULTY_ENABLE_LOGGING=1 export FAULTY_PICKLE=1 export MOZ_IPC_MESSAGE_LOG=1 Messages which correlate with the stack: [time: 1501976606668217][2079<-2079] [PCompositorBridgeChild] Received PCompositorBridge::Msg_DidComposite [time: 1501976606684187][2079->2130] [PVsyncParent] Sending PVsync::Msg_Notify [Faulty] pickle field {int} of value: 1139 changed to: 1140 [time: 1501976606687402][2130->2079] [PCompositorBridgeChild] Sending PCompositorBridge::Msg_PTextureConstructor [time: 1501976606689924][2130->2079] [PLayerTransactionChild] Sending PLayerTransaction::Msg_NewCompositable Calls before "swrast_dri.so": #8 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLContext.h#1629 #9 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLContext.cpp#2857 #10 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#361 #11 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#479 #12 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#540 #13 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLTextureImage.cpp#144 #14 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLTextureImage.cpp#86 #15 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/opengl/TextureHostOGL.cpp#185 #16 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#1047 #17 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#918 #18 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#500 #19 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/ContentHost.cpp#390 #20 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/ipc/CompositableTransactionParent.cpp#93
Attached file session.txt
Group: core-security → gfx-core-security
We may not know how to create corrupted messages like this from web content, but a compromised child process could use something like this as a sandbox escape.
Keywords: sec-high
Whiteboard: [gfx-noted]
Has STR: --- → no
Keywords: testcase-wanted
Hi Milan: I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them. Thanks! Wennie
Assignee: nobody → milan
If something stands out in the code
Assignee: milan → aosmond
What's the status here, Andrew? Anything we can do to unblock you?
Flags: needinfo?(aosmond)
At this point I do not have a smoking gun, as I have not been able to reproduce the same crash, but suspect where we create ShmemTextureHost objects: https://searchfox.org/mozilla-central/rev/03877052c151a8f062eea177f684a2743cd7b1d5/gfx/layers/composite/TextureHost.cpp#272 This is a bit removed from the callstack, but from what I can tell, we don't seem to do any verification of the shmem itself (e.g. mapped in N bytes) and the buffer descriptor (W x H pixels in format F => should expect < N bytes). My best guess is the buffer descriptor is too big in the fuzzing. > [Faulty] pickle field {int} of value: 1139 changed to: 1140 > ==2079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f276b7c3000 at pc 0x00000043a850 bp 0x7f27918abcb0 sp 0x7f27918ab458 > READ of size 4560 at 0x7f276b7c3000 thread T34 (Compositor) This is corroborating evidence, in that 4560 bytes is what OpenGL tried to read, and 4560/1140 = 4, which is a common pixel size if the texture uses a BGRA or similar format. It may have tried to read a row from the image, but since we were always reading 1 extra pixel, eventually it overflowed the buffer. I will write a patch to check for these sorts of overflow conditions in TextureHost::Create and its children.
Flags: needinfo?(aosmond)
Thanks for taking a look, that sounds great!
Attached patch 0001-Bug-1388020.patch, v1 (obsolete) — Splinter Review
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=54a4fc7740b829eb27f68fa29fdedc8341e3ce8f Note that failing to create a TextureHost (due to a violation such as the shmem discrepancy) kills the process because it is an IPDL actor creation failure. I expanded on a few existing potential null pointer conventions in the subclasses to cover bad handles being passed in.
Attachment #8941951 - Flags: review?(nical.bugzilla)
Attachment #8941951 - Flags: review?(nical.bugzilla) → review+
Comment on attachment 8941951 [details] [diff] [review] 0001-Bug-1388020.patch, v1 Not fixing security bugs on a regular basis, it completely slipped my mind do sec-approval first. Ugh! I landed on inbound and backed out right away, but it is obviously out there now. [Security approval request comment] > How easily could an exploit be constructed based on the patch? If you can gain control of the content process, it is trivial -- just send a too small shmem with the appropriate graphics IPC message, and boom overflow when that texture is used. > Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No comments or tests were provided. > Which older supported branches are affected by this flaw? If not all supported branches, which bug introduced the flaw? > Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? No, but they are trivial to write. I will have them ready for ESR/release/beta just in case. > How likely is this patch to cause regressions; how much testing does it need? Very low. We just make sure the buffer is big enough, which is always should be right now.
Attachment #8941951 - Flags: sec-approval?
(In reply to Andrew Osmond [:aosmond] from comment #9) > Comment on attachment 8941951 [details] [diff] [review] > 0001-Bug-1388020.patch, v1 > > Which older supported branches are affected by this flaw? Bug 858914 introduced the issue. So all supported branches. > If not all supported branches, which bug introduced the flaw? See above.
There are also GTest failures for the push to inbound: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=ca1b397bffcfba088c848692e455e551459bc0ae&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=156576116&repo=mozilla-inbound [task 2018-01-16T13:17:38.366Z] 13:17:38 INFO - TEST-START | Gfx.TestTextureCompatibility [task 2018-01-16T13:17:38.366Z] 13:17:38 INFO - ExceptionHandler::GenerateDump cloned child 9950 [task 2018-01-16T13:17:38.366Z] 13:17:38 INFO - ExceptionHandler::SendContinueSignalToChild sent continue signal to child [task 2018-01-16T13:17:38.367Z] 13:17:38 INFO - ExceptionHandler::WaitForContinueSignal waiting for continue signal... [task 2018-01-16T13:17:38.730Z] 13:17:38 INFO - mozcrash INFO | Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /builds/worker/workspace/build/tests/gtest/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp /builds/worker/workspace/build/symbols [task 2018-01-16T13:17:47.673Z] 13:17:47 INFO - mozcrash INFO | Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp [task 2018-01-16T13:17:47.683Z] 13:17:47 INFO - mozcrash INFO | Saved app info as /builds/worker/workspace/build/blobber_upload_dir/485dc6e4-46cf-69c5-aee6-1027aa6d532b.extra [task 2018-01-16T13:17:47.683Z] 13:17:47 WARNING - PROCESS-CRASH | gtest | application crashed [@ mozilla::layers::CreateBackendIndependentTextureHost] [task 2018-01-16T13:17:47.684Z] 13:17:47 INFO - Crash dump filename: /builds/worker/workspace/build/tests/gtest/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp [task 2018-01-16T13:17:47.684Z] 13:17:47 INFO - Operating system: Linux [task 2018-01-16T13:17:47.685Z] 13:17:47 INFO - 0.0.0 Linux 4.4.0-98-generic #121~14.04.1-Ubuntu SMP Wed Oct 11 11:54:55 UTC 2017 x86_64 [task 2018-01-16T13:17:47.685Z] 13:17:47 INFO - CPU: amd64 [task 2018-01-16T13:17:47.686Z] 13:17:47 INFO - family 6 model 62 stepping 4 [task 2018-01-16T13:17:47.686Z] 13:17:47 INFO - 4 CPUs [task 2018-01-16T13:17:47.686Z] 13:17:47 INFO - GPU: UNKNOWN [task 2018-01-16T13:17:47.687Z] 13:17:47 INFO - Crash reason: SIGSEGV [task 2018-01-16T13:17:47.687Z] 13:17:47 INFO - Crash address: 0x0 [task 2018-01-16T13:17:47.687Z] 13:17:47 INFO - Process uptime: not available [task 2018-01-16T13:17:47.688Z] 13:17:47 INFO - Thread 0 (crashed) [task 2018-01-16T13:17:47.688Z] 13:17:47 INFO - 0 libxul.so!mozilla::layers::CreateBackendIndependentTextureHost [TextureHost.cpp:ca1b397bffcf : 297 + 0x0] [task 2018-01-16T13:17:47.688Z] 13:17:47 INFO - rax = 0x0000000000000001 rdx = 0x0000000000000000 [task 2018-01-16T13:17:47.689Z] 13:17:47 INFO - rcx = 0x0000000000000001 rbx = 0x00007ffe12094700 [task 2018-01-16T13:17:47.689Z] 13:17:47 INFO - rsi = 0x0000000000000001 rdi = 0x0000000000000001 [task 2018-01-16T13:17:47.689Z] 13:17:47 INFO - rbp = 0x00007ffe12094660 rsp = 0x00007ffe12094490 [task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r8 = 0x0000000000000040 r9 = 0x00007ffe120946f0 [task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r10 = 0x00007f6b4faec000 r11 = 0x0000000000000008 [task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r12 = 0x00007ffe12094698 r13 = 0x00007ffe120944a8 [task 2018-01-16T13:17:47.690Z] 13:17:47 INFO - r14 = 0x00007ffe12094740 r15 = 0x0000000000000000 [task 2018-01-16T13:17:47.691Z] 13:17:47 INFO - rip = 0x00007f6b5c13f265 [task 2018-01-16T13:17:47.691Z] 13:17:47 INFO - Found by: given as instruction pointer in context [task 2018-01-16T13:17:47.691Z] 13:17:47 INFO - 1 libxul.so!mozilla::layers::TextureHost::Create [TextureHost.cpp:ca1b397bffcf : 208 + 0x13] [task 2018-01-16T13:17:47.692Z] 13:17:47 INFO - rbx = 0x00007ffe12094700 rbp = 0x00007ffe120946d0 [task 2018-01-16T13:17:47.692Z] 13:17:47 INFO - rsp = 0x00007ffe12094670 r12 = 0x0000000000000000 [task 2018-01-16T13:17:47.692Z] 13:17:47 INFO - r13 = 0x0000000000000040 r14 = 0x0000000000000001 [task 2018-01-16T13:17:47.693Z] 13:17:47 INFO - r15 = 0x00007ffe12094690 rip = 0x00007f6b5c13f466 [task 2018-01-16T13:17:47.693Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.694Z] 13:17:47 INFO - 2 libxul.so!mozilla::layers::CreateTextureHostWithBackend [TextureHelper.h:ca1b397bffcf : 157 + 0x5] [task 2018-01-16T13:17:47.694Z] 13:17:47 INFO - rbx = 0x00007ffe12094808 rbp = 0x00007ffe12094790 [task 2018-01-16T13:17:47.694Z] 13:17:47 INFO - rsp = 0x00007ffe120946e0 r12 = 0x00007ffe12094700 [task 2018-01-16T13:17:47.695Z] 13:17:47 INFO - r13 = 0x00007f6b4f746f40 r14 = 0x00007f6b4fbdddb8 [task 2018-01-16T13:17:47.695Z] 13:17:47 INFO - r15 = 0x00007f6b4fbdddb8 rip = 0x00007f6b5e61107e [task 2018-01-16T13:17:47.695Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.696Z] 13:17:47 INFO - 3 libxul.so!CreateTextureWithBackend [TestTextureCompatibility.cpp:ca1b397bffcf : 46 + 0x14] [task 2018-01-16T13:17:47.696Z] 13:17:47 INFO - rbx = 0x0000000000000000 rbp = 0x00007ffe12094890 [task 2018-01-16T13:17:47.696Z] 13:17:47 INFO - rsp = 0x00007ffe120947a0 r12 = 0x00007ffe120947e8 [task 2018-01-16T13:17:47.697Z] 13:17:47 INFO - r13 = 0x00007ffe120948c8 r14 = 0x00007ffe120947d8 [task 2018-01-16T13:17:47.697Z] 13:17:47 INFO - r15 = 0x00007f6b4fbdddb8 rip = 0x00007f6b5e6113f5 [task 2018-01-16T13:17:47.697Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.698Z] 13:17:47 INFO - 4 libxul.so!Gfx_TestTextureCompatibility_Test::TestBody [TestTextureCompatibility.cpp:ca1b397bffcf : 121 + 0xb] [task 2018-01-16T13:17:47.698Z] 13:17:47 INFO - rbx = 0x00007ffe120948b8 rbp = 0x00007ffe12094900 [task 2018-01-16T13:17:47.698Z] 13:17:47 INFO - rsp = 0x00007ffe120948a0 r12 = 0x0000000000000000 [task 2018-01-16T13:17:47.699Z] 13:17:47 INFO - r13 = 0x00007ffe120948c8 r14 = 0x00007ffe120948c0 [task 2018-01-16T13:17:47.699Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e61150f [task 2018-01-16T13:17:47.699Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.700Z] 13:17:47 INFO - 5 libxul.so!testing::Test::Run [gtest.cc:ca1b397bffcf : 2477 + 0xf] [task 2018-01-16T13:17:47.700Z] 13:17:47 INFO - rbx = 0x00007f6b4fbd6eb0 rbp = 0x00007ffe12094920 [task 2018-01-16T13:17:47.701Z] 13:17:47 INFO - rsp = 0x00007ffe12094910 r12 = 0x00007f6b6cb4f3e0 [task 2018-01-16T13:17:47.701Z] 13:17:47 INFO - r13 = 0x00007f6b6cb4f3e0 r14 = 0x00007f6b6cb5d640 [task 2018-01-16T13:17:47.701Z] 13:17:47 INFO - r15 = 0x00000160ff1e36b1 rip = 0x00007f6b5e59d14c [task 2018-01-16T13:17:47.702Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.702Z] 13:17:47 INFO - 6 libxul.so!testing::TestInfo::Run [gtest.cc:ca1b397bffcf : 2658 + 0x8] [task 2018-01-16T13:17:47.703Z] 13:17:47 INFO - rbx = 0x00007f6b57f771c0 rbp = 0x00007ffe12094970 [task 2018-01-16T13:17:47.703Z] 13:17:47 INFO - rsp = 0x00007ffe12094930 r12 = 0x00007f6b4fbd6eb0 [task 2018-01-16T13:17:47.703Z] 13:17:47 INFO - r13 = 0x00007f6b6cb4f3e0 r14 = 0x00007f6b6cb5d640 [task 2018-01-16T13:17:47.704Z] 13:17:47 INFO - r15 = 0x00000160ff1e36b1 rip = 0x00007f6b5e59d25c [task 2018-01-16T13:17:47.704Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.705Z] 13:17:47 INFO - 7 libxul.so!testing::TestCase::Run [gtest.cc:ca1b397bffcf : 2776 + 0xd] [task 2018-01-16T13:17:47.705Z] 13:17:47 INFO - rbx = 0x00007f6b57f699e0 rbp = 0x00007ffe120949b0 [task 2018-01-16T13:17:47.706Z] 13:17:47 INFO - rsp = 0x00007ffe12094980 r12 = 0x00007f6b6cb4f3e0 [task 2018-01-16T13:17:47.706Z] 13:17:47 INFO - r13 = 0x00007f6b6cb5d640 r14 = 0x00000160ff1e364e [task 2018-01-16T13:17:47.707Z] 13:17:47 INFO - r15 = 0x0000000000000024 rip = 0x00007f6b5e59d2fa [task 2018-01-16T13:17:47.707Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.708Z] 13:17:47 INFO - 8 libxul.so!testing::internal::UnitTestImpl::RunAllTests [gtest.cc:ca1b397bffcf : 4651 + 0x15] [task 2018-01-16T13:17:47.708Z] 13:17:47 INFO - rbx = 0x00007f6b6cb4f3e0 rbp = 0x00007ffe12094a10 [task 2018-01-16T13:17:47.708Z] 13:17:47 INFO - rsp = 0x00007ffe120949c0 r12 = 0x00007f6b6cb5d640 [task 2018-01-16T13:17:47.709Z] 13:17:47 INFO - r13 = 0x00007ffe12094a00 r14 = 0x0000000000000000 [task 2018-01-16T13:17:47.709Z] 13:17:47 INFO - r15 = 0x0000000000001464 rip = 0x00007f6b5e5a024a [task 2018-01-16T13:17:47.710Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.710Z] 13:17:47 INFO - 9 libxul.so!testing::UnitTest::Run [gtest.cc:ca1b397bffcf : 2460 + 0x8] [task 2018-01-16T13:17:47.711Z] 13:17:47 INFO - rbx = 0x00007f6b6cb4f3e0 rbp = 0x00007ffe12094a40 [task 2018-01-16T13:17:47.711Z] 13:17:47 INFO - rsp = 0x00007ffe12094a20 r12 = 0x00007ffe12094a98 [task 2018-01-16T13:17:47.711Z] 13:17:47 INFO - r13 = 0x00007ffe12094a70 r14 = 0x00007ffe12094a68 [task 2018-01-16T13:17:47.712Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e5a036f [task 2018-01-16T13:17:47.712Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.713Z] 13:17:47 INFO - 10 libxul.so!mozilla::RunGTestFunc [gtest.h:ca1b397bffcf : 2233 + 0xd] [task 2018-01-16T13:17:47.713Z] 13:17:47 INFO - rbx = 0x00007ffe12094a78 rbp = 0x00007ffe12094b10 [task 2018-01-16T13:17:47.714Z] 13:17:47 INFO - rsp = 0x00007ffe12094a50 r12 = 0x00007ffe12094a98 [task 2018-01-16T13:17:47.714Z] 13:17:47 INFO - r13 = 0x00007ffe12094a70 r14 = 0x00007ffe12094a68 [task 2018-01-16T13:17:47.715Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e5a2477 [task 2018-01-16T13:17:47.715Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.715Z] 13:17:47 INFO - 11 libxul.so!XREMain::XRE_mainStartup [nsAppRunner.cpp:ca1b397bffcf : 3906 + 0x10] [task 2018-01-16T13:17:47.716Z] 13:17:47 INFO - rbx = 0x0000000000000000 rbp = 0x00007ffe12094d30 [task 2018-01-16T13:17:47.716Z] 13:17:47 INFO - rsp = 0x00007ffe12094b20 r12 = 0x00007ffe12094da0 [task 2018-01-16T13:17:47.716Z] 13:17:47 INFO - r13 = 0x00007ffe12094e78 r14 = 0x00007ffe12094c60 [task 2018-01-16T13:17:47.717Z] 13:17:47 INFO - r15 = 0x00007ffe12094e00 rip = 0x00007f6b5e2f2ab2 [task 2018-01-16T13:17:47.717Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.717Z] 13:17:47 INFO - 12 libxul.so!XREMain::XRE_main [nsAppRunner.cpp:ca1b397bffcf : 4826 + 0xb] [task 2018-01-16T13:17:47.718Z] 13:17:47 INFO - rbx = 0x00007ffe12094e00 rbp = 0x00007ffe12094de0 [task 2018-01-16T13:17:47.718Z] 13:17:47 INFO - rsp = 0x00007ffe12094d40 r12 = 0x00007ffe12094da0 [task 2018-01-16T13:17:47.719Z] 13:17:47 INFO - r13 = 0x00007ffe12094e78 r14 = 0x00007ffe12094d88 [task 2018-01-16T13:17:47.719Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e2f6f95 [task 2018-01-16T13:17:47.719Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.720Z] 13:17:47 INFO - 13 libxul.so!XRE_main [nsAppRunner.cpp:ca1b397bffcf : 4933 + 0x5] [task 2018-01-16T13:17:47.720Z] 13:17:47 INFO - rbx = 0x00007ffe12094e00 rbp = 0x00007ffe12094fb0 [task 2018-01-16T13:17:47.720Z] 13:17:47 INFO - rsp = 0x00007ffe12094df0 r12 = 0x0000000000000003 [task 2018-01-16T13:17:47.721Z] 13:17:47 INFO - r13 = 0x00007ffe120960f8 r14 = 0x00007ffe12094fc0 [task 2018-01-16T13:17:47.721Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b5e2f7329 [task 2018-01-16T13:17:47.722Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.722Z] 13:17:47 INFO - 14 firefox!do_main [nsBrowserApp.cpp:ca1b397bffcf : 231 + 0x22] [task 2018-01-16T13:17:47.722Z] 13:17:47 INFO - rbx = 0x0000000000000003 rbp = 0x00007ffe12095fe0 [task 2018-01-16T13:17:47.723Z] 13:17:47 INFO - rsp = 0x00007ffe12094fc0 r12 = 0x00007ffe120960f8 [task 2018-01-16T13:17:47.723Z] 13:17:47 INFO - r13 = 0x0000000000000000 r14 = 0x00007ffe12096118 [task 2018-01-16T13:17:47.723Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x0000000000406b7d [task 2018-01-16T13:17:47.724Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.724Z] 13:17:47 INFO - 15 firefox!main [nsBrowserApp.cpp:ca1b397bffcf : 304 + 0xd] [task 2018-01-16T13:17:47.724Z] 13:17:47 INFO - rbx = 0x0000000000000003 rbp = 0x00007ffe12096010 [task 2018-01-16T13:17:47.725Z] 13:17:47 INFO - rsp = 0x00007ffe12095ff0 r12 = 0x00007ffe120960f8 [task 2018-01-16T13:17:47.725Z] 13:17:47 INFO - r13 = 0x00007ffe12096118 r14 = 0x00000abe747a8ab9 [task 2018-01-16T13:17:47.725Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x0000000000406474 [task 2018-01-16T13:17:47.726Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.726Z] 13:17:47 INFO - 16 libc-2.23.so + 0x20830 [task 2018-01-16T13:17:47.726Z] 13:17:47 INFO - rbx = 0x0000000000000000 rbp = 0x000000000042d900 [task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - rsp = 0x00007ffe12096020 r12 = 0x00000000004066a8 [task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - r13 = 0x00007ffe120960f0 r14 = 0x0000000000000000 [task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - r15 = 0x0000000000000000 rip = 0x00007f6b6cdd0830 [task 2018-01-16T13:17:47.727Z] 13:17:47 INFO - Found by: call frame info [task 2018-01-16T13:17:47.728Z] 13:17:47 INFO - 17 firefox!MOZ_ReportAssertionFailure [Assertions.h:ca1b397bffcf : 165 + 0x5] [task 2018-01-16T13:17:47.728Z] 13:17:47 INFO - rsp = 0x00007ffe12096040 rip = 0x00000000004063ee [task 2018-01-16T13:17:47.729Z] 13:17:47 INFO - Found by: stack scanning
Flags: needinfo?(aosmond)
We can't take this until February 6. This is too big of a patch to put into 58 with zero betas left and us about to make the release candidate. So, sec-approval+ for checkin on February 6 (no earlier!). At that point, we'll want a Beta and ESR52 patch as well.
Whiteboard: [gfx-noted] → [gfx-noted][checkin on 2/6]
Attachment #8941951 - Flags: sec-approval? → sec-approval+
Whiteboard: [gfx-noted][checkin on 2/6] → [gfx-noted]
This fixes the broken gtests. Will land and attach the ESR52 patch as well. The mozilla-inbound patch should apply cleanly to beta.
Flags: needinfo?(aosmond)
Attachment #8948865 - Flags: review+
Attachment #8948865 - Attachment description: 0001-Bug-1388020.patch, v2 [carries r=nical] → [central/beta] 0001-Bug-1388020.patch, v2 [carries r=nical]
Third try is the charm right? Backed out for a crash test failure on OS X only. This should fix that along with a typo.
Attachment #8948865 - Attachment is obsolete: true
Attachment #8948997 - Flags: review+
(In reply to Sebastian Hengst [:aryx][:archaeopteryx] (needinfo on intermittent or backout) from comment #17) > diagnostics patch: > https://hg.mozilla.org/releases/mozilla-beta/rev/a144e7e01f42 This got backed out because it didn't belong into this bug: https://hg.mozilla.org/releases/mozilla-beta/rev/58dc2e0f5a1562f390caf8ebfc517989348ddd0c
Please request uplift to beta and esr when you get a chance.
Flags: needinfo?(aosmond)
Group: gfx-core-security → core-security-release
Milan, can you request uplift here? This can still make it into Monday's beta 11.
Flags: needinfo?(milan)
Comment on attachment 8941951 [details] [diff] [review] 0001-Bug-1388020.patch, v1 Approval Request Comment [Feature/Bug causing the regression]: 858914 [User impact if declined]: Sec bug [Is this code covered by automated tests?]: Yes [Has the fix been verified in Nightly?]: Yes [Needs manual test from QE? If yes, steps to reproduce]: [List of other uplifts needed for the feature/fix]: [Is the change risky?]: No, now allocating enough memory [Why is the change risky/not risky?]: [String changes made/needed]:
Flags: needinfo?(milan)
Attachment #8941951 - Flags: approval-mozilla-beta?
Comment on attachment 8941951 [details] [diff] [review] 0001-Bug-1388020.patch, v1 Just to be clear, I think it's the central/beta patch that needs this request? Also, can we get an ESR52 approval request as well?
Attachment #8941951 - Attachment is obsolete: true
Attachment #8941951 - Flags: approval-mozilla-beta?
Comment on attachment 8948997 [details] [diff] [review] [central/beta] 0001-Bug-1388020.patch, v3 [carries r=nical] Approval Request Comment [Feature/Bug causing the regression]: Bug 858914 [User impact if declined]: Given control of the content process, one can cause a buffer overflow by sending a too small shmem in the parent or GPU process. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: No. May follow the original STR from submitter, but I had trouble reproducing even without the fix. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: Been soaking in central for some time. It mostly just adds some size checks at alloc time, which is used a lot during runtime. [String changes made/needed]: None.
Flags: needinfo?(aosmond)
Attachment #8948997 - Flags: approval-mozilla-beta?
Comment on attachment 8948998 [details] [diff] [review] [esr52] 0001-Bug-1388020.patch, v3 [carries r=nical] [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: Given control of the content process, one can cause a buffer overflow by sending a too small shmem in the parent or GPU process. Fix Landed on Version: 60.0a Risk to taking this patch (and alternatives if risky): No. Been soaking in central for some time. It mostly just adds some size checks at alloc time, which is used a lot during runtime. String or UUID changes made by this patch: None. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8948998 - Flags: approval-mozilla-esr52?
Comment on attachment 8948997 [details] [diff] [review] [central/beta] 0001-Bug-1388020.patch, v3 [carries r=nical] Let's take this for 59b12 and 52.7.0. Thanks!
Attachment #8948997 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8948998 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Flags: qe-verify-
Whiteboard: [gfx-noted] → [gfx-noted][post-critsmash-triage]
Whiteboard: [gfx-noted][post-critsmash-triage] → [gfx-noted][post-critsmash-triage][adv-main59+][adv-esr52.7+]
We need to re-open this bug because it's still being seen on our fuzzing cluster. ==22693==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fc9a726c360 at pc 0x000000440db9 bp 0x7fc99f135b40 sp 0x7fc99f1352e0 READ of size 27754496 at 0x7fc9a726c360 thread T34 (Compositor) #0 0x440db8 in memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5 #1 0x7fc9b628dda2 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x449da2) #2 0x7fc9b6291d40 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x44dd40) #3 0x7fc9b607d3a3 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x2393a3) #4 0x7fc9b607ee69 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23ae69) #5 0x7fc9b6001522 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1bd522) #6 0x7fc9b60035df (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1bf5df) #7 0x7fc9bde43495 in raw_fTexImage2D /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1654:9 #8 0x7fc9bde43495 in fTexImage2D /builds/worker/workspace/build/src/gfx/gl/GLContext.cpp:2789 #9 0x7fc9bde43495 in TexImage2DHelper /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:361 #10 0x7fc9bde43495 in mozilla::gl::UploadImageDataToTexture(mozilla::gl::GLContext*, unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:487 #11 0x7fc9bde3ec9e in mozilla::gl::UploadSurfaceToTexture(mozilla::gl::GLContext*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:548:12 #12 0x7fc9bde3e80c in mozilla::gl::BasicTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:144:9 #13 0x7fc9bde41216 in mozilla::gl::TiledTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:300:11 #14 0x7fc9bde3d8dc in mozilla::gl::TextureImage::UpdateFromDataSource(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:86:12 #15 0x7fc9be002814 in mozilla::layers::TextureImageTextureSourceOGL::Update(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/opengl/TextureHostOGL.cpp:171:14 #16 0x7fc9be277c22 in mozilla::layers::BufferTextureHost::Upload(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:1084:24 #17 0x7fc9be27365a in MaybeUpload /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:955:8 #18 0x7fc9be27365a in mozilla::layers::BufferTextureHost::UpdatedInternal(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:541 #19 0x7fc9be217e6c in mozilla::layers::ContentHostSingleBuffered::UpdateThebes(mozilla::layers::ThebesBufferData const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContentHost.cpp:391:17 #20 0x7fc9be28943f in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperation const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositableTransactionParent.cpp:92:26 #21 0x7fc9be2e7726 in mozilla::layers::LayerTransactionParent::RecvUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:462:10 #22 0x7fc9bccdf88b in mozilla::layers::PLayerTransactionParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PLayerTransactionParent.cpp:136:20 #23 0x7fc9bd18d3a5 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:121:28 #24 0x7fc9bca0e47e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25 #25 0x7fc9bca0b401 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17 #26 0x7fc9bca0cbfc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5 #27 0x7fc9bca0d258 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Please ping me on release day when we reopen a bug in the advisories...
Whiteboard: [gfx-noted][post-critsmash-triage][adv-main59+][adv-esr52.7+] → [gfx-noted][post-critsmash-triage]
Noting that all crashes occurring now are "underflows" rather than "overflows" as before but the stack is the same.
Another variation is a UAF but happened until now only one time. ==4874==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffaf81a7fdc at pc 0x000000440db9 bp 0x7ffb1178b840 sp 0x7ffb1178afe0 READ of size 32768 at 0x7ffaf81a7fdc thread T34 (Compositor) #0 0x440db8 in memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5 #1 0x7ffb29053923 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x469923) #2 0x7ffb29053a57 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x469a57) #3 0x7ffb29057c70 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x46dc70) #4 0x7ffb28e281d1 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23e1d1) #5 0x7ffb28e29c1f (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23fc1f) #6 0x7ffb28daac72 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1c0c72) #7 0x7ffb28dacdef (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1c2def) #8 0x7ffb310c4a55 in raw_fTexImage2D /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1654:9 #9 0x7ffb310c4a55 in fTexImage2D /builds/worker/workspace/build/src/gfx/gl/GLContext.cpp:2789 #10 0x7ffb310c4a55 in TexImage2DHelper /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:361 #11 0x7ffb310c4a55 in mozilla::gl::UploadImageDataToTexture(mozilla::gl::GLContext*, unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:487 #12 0x7ffb310c021e in mozilla::gl::UploadSurfaceToTexture(mozilla::gl::GLContext*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:548:12 #13 0x7ffb310bfd8c in mozilla::gl::BasicTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:144:9 #14 0x7ffb310c27d6 in mozilla::gl::TiledTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:300:11 #15 0x7ffb310bee5c in mozilla::gl::TextureImage::UpdateFromDataSource(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:86:12 #16 0x7ffb31270255 in mozilla::layers::TextureImageTextureSourceOGL::Update(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/opengl/TextureHostOGL.cpp:171:14 #17 0x7ffb314cd7a6 in mozilla::layers::BufferTextureHost::Upload(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:1084:24 #18 0x7ffb314c902a in MaybeUpload /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:955:8 #19 0x7ffb314c902a in mozilla::layers::BufferTextureHost::UpdatedInternal(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:541 #20 0x7ffb31475e6c in mozilla::layers::ContentHostSingleBuffered::UpdateThebes(mozilla::layers::ThebesBufferData const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContentHost.cpp:391:17 #21 0x7ffb314df55f in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperation const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositableTransactionParent.cpp:92:26 #22 0x7ffb3153c1af in mozilla::layers::LayerTransactionParent::RecvUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:463:10 #23 0x7ffb2fd8669b in mozilla::layers::PLayerTransactionParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PLayerTransactionParent.cpp:135:20 #24 0x7ffb303aff95 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:121:28 #25 0x7ffb2fababfe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25 #26 0x7ffb2fab7c77 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17 #27 0x7ffb2fab937c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5 #28 0x7ffb2fab99d8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15 #29 0x7ffb2fa15893 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9 #30 0x7ffb2fa15893 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460 #31 0x7ffb2fa15893 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535 #32 0x7ffb2fa17808 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31 #33 0x7ffb2fa12c79 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #34 0x7ffb2fa12c79 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #35 0x7ffb2fa12c79 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #36 0x7ffb2fa3221f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16 #37 0x7ffb2fa23c8c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13 #38 0x7ffb4f37d6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #39 0x7ffb4e40641c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109 0x7ffaf81a7fdc is located 42972 bytes inside of 2062080-byte region [0x7ffaf819d800,0x7ffaf8394f00) freed by thread T34 (Compositor) here: #0 0x4c6fc2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3 #1 0x7ffb2937b4a0 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x7914a0) previously allocated by thread T34 (Compositor) here: #0 0x4c7f9e in __interceptor_posix_memalign /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:157:3 #1 0x7ffb2937b33b (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x79133b) Thread T34 (Compositor) created by T0 here: #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3 #1 0x7ffb2fa215ef in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14 #2 0x7ffb2fa215ef in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146 #3 0x7ffb2fa31bbf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8 #4 0x7ffb3150798a in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:101:26 #5 0x7ffb3150798a in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:51 #6 0x7ffb31507ba3 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:123:33 #7 0x7ffb315ffbd2 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1035:5 #8 0x7ffb315fad73 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:779:5 #9 0x7ffb315f839b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:538:9 #10 0x7ffb3643b9b9 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1518:25 #11 0x7ffb2ec126a1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106 #12 0x7ffb306de5e0 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1948:12 #13 0x7ffb306de5e0 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267 #14 0x7ffb306de5e0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234 #15 0x7ffb306e5659 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1671:17 #16 0x7ffb306e5659 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965 #17 0x7ffb3ae65cae in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15 #18 0x7ffb3ae65cae in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #19 0x7ffb3ae67a02 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12 #20 0x7ffb3ae67a02 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535 #21 0x7ffb3ae67a02 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:650 #22 0x7ffb3bfcbe1e in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2155:16 #23 0x7ffb3bfcbe1e in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2208 #24 0x7ffb3bfcbe1e in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2410 #25 0x7ffb3bfcbe1e in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2446 #26 0x7ffb3ae4d4c5 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1629:12 #27 0x7ffb3ae4d4c5 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:520 #28 0x7ffb3ae4d4c5 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:626 #29 0x7ffb3ae4d4c5 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2923 #30 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #31 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #32 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #33 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085 #34 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #35 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #36 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #37 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085 #38 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #39 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #40 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #41 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085 #42 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #43 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #44 0x7ffb3ae66813 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10 #45 0x7ffb3ba6bf15 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2969:12 #46 0x7ffb306c55c0 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1308:23 #47 0x7ffb2ec13c7f in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28 #48 0x7ffb2ec12c2a in SharedStub (/home/ubuntu/firefox/libxul.so+0x2251c2a) #49 0x7ffb2eb8cded in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19 #50 0x7ffb3ab798cc in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1022:11 #51 0x7ffb3ab563c8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4516:16 #52 0x7ffb3ab5997c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4814:8 #53 0x7ffb3ab5adc4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4906:21 #54 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22 #55 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304 #56 0x7ffb4e31f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5 in memcpy ==4874==ABORTING
The original bug reported bunch messed with the buffer size, which I fixed, but the new report is a little different. I think it is causing use to use a negative point of reference against the texture, here: https://searchfox.org/mozilla-central/rev/6e96a3f1e44e286ddae5fdafab737709741d237a/gfx/gl/GLUploadHelpers.cpp#545 That could cause us to underflow.
I think the UAF could be explained under similar circumstances -- with a large enough negative (or position for that matter) offset, we could probably reach arbitrary memory that has been freed.
Target Milestone: mozilla60 → ---
What are the next steps here, Andrew?
Flags: needinfo?(aosmond)
Comment on attachment 8948998 [details] [diff] [review] [esr52] 0001-Bug-1388020.patch, v3 [carries r=nical] Clearing the ESR52 approval flag for now just to get this off the "approved & needs uplift" bug query.
Attachment #8948998 - Flags: approval-mozilla-esr52+
I *think* this should do it.
Flags: needinfo?(aosmond)
Attachment #8964939 - Flags: review?(nical.bugzilla)
Attachment #8964939 - Flags: review?(nical.bugzilla) → review+
Comment on attachment 8964939 [details] [diff] [review] [central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1 [Security approval request comment] > How easily could an exploit be constructed based on the patch? The patch will suggest there is a possible overflow/underflow on this path. You can eventually get here from an IPC message, although there is some clamping/transformations done on the input. > Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? I don't think so. > Which older supported branches are affected by this flaw? > If not all supported branches, which bug introduced the flaw? All. > Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes. It should apply cleanly to release/beta and with a minor tweaks, esr52. Not risky. > How likely is this patch to cause regressions; how much testing does it need? Unlikely to cause regressions. If we were under/overflowing the surface data in the normal case, we would be corrupting memory anyways, and now it would just fail to draw something instead.
Attachment #8964939 - Flags: sec-approval?
sec-approval+ for trunk. We'll want Beta and ESR52 patches made and nominated.
Attachment #8964939 - Flags: sec-approval? → sec-approval+
Comment on attachment 8964939 [details] [diff] [review] [central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1 This patch should apply cleanly on central/beta/release. try results with mozilla-central: https://treeherder.mozilla.org/#/jobs?repo=try&revision=a692edf1a895312cd197f8b5ffbd331baf3e4388
Attachment #8964939 - Attachment description: 0001-Bug-1388020.patch, secondary cause, v1 → [central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1
Comment on attachment 8964939 [details] [diff] [review] [central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1 Approval Request Comment [Feature/Bug causing the regression]: N/A [User impact if declined]: May access arbitrary memory to copy into a GL texture. Could crash or leak information from GPU or main process. [Is this code covered by automated tests?]: Yes, the bounds check to hit during normal testing. The fuzzer hits the out-of-bounds cases. [Has the fix been verified in Nightly?]: Yes. The crash has not been reproduced by the fuzzer since landing. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: It just adds a bounds check, and ensures any failures are passed up to the caller. If we are outside the bounds, we likely would crash anyways. [String changes made/needed]: None.
Attachment #8964939 - Flags: approval-mozilla-beta?
Comment on attachment 8948998 [details] [diff] [review] [esr52] 0001-Bug-1388020.patch, v3 [carries r=nical] This is a sec-high. See comment 43 for details.
Attachment #8948998 - Flags: approval-mozilla-esr52?
Comment on attachment 8948998 [details] [diff] [review] [esr52] 0001-Bug-1388020.patch, v3 [carries r=nical] Wrong patch.
Attachment #8948998 - Flags: approval-mozilla-esr52?
Comment on attachment 8965659 [details] [diff] [review] [esr52] 0001-Bug-1388020.patch, secondary cause, v1 [carries r=nical] This is a sec-high bug. See comment 43 for details.
Attachment #8965659 - Flags: approval-mozilla-esr52?
Comment on attachment 8964939 [details] [diff] [review] [central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1 Approved for 60.0b12 and ESR 52.8.0.
Attachment #8964939 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8965659 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Target Milestone: --- → mozilla61
Whiteboard: [gfx-noted][post-critsmash-triage] → [gfx-noted][post-critsmash-triage][adv-main60+][adv-esr52.8+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: