IPC: heap-buffer-overflow [@raw_fTexImage2D]

RESOLVED FIXED in Firefox -esr52

Status

()

defect
P3
critical
RESOLVED FIXED
2 years ago
9 months ago

People

(Reporter: posidron, Assigned: aosmond)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
mozilla61
Unspecified
Linux
Points:
---
Dependency tree / graph
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr5260+ fixed, firefox57 wontfix, firefox58 wontfix, firefox59+ wontfix, firefox60+ fixed, firefox61+ fixed)

Details

(Whiteboard: [gfx-noted][post-critsmash-triage][adv-main60+][adv-esr52.8+])

Attachments

(6 attachments, 3 obsolete attachments)

Reporter

Description

2 years ago
Posted file callstack.txt
The following crash occurs consistently on mozilla-central. Last tested revision is 20170805-933a04a91ce3.

INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting  https://html5test.com

Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1


Messages which correlate with the stack:

[time: 1501976606668217][2079<-2079] [PCompositorBridgeChild] Received  PCompositorBridge::Msg_DidComposite
[time: 1501976606684187][2079->2130] [PVsyncParent] Sending  PVsync::Msg_Notify
[Faulty] pickle field {int} of value: 1139 changed to: 1140
[time: 1501976606687402][2130->2079] [PCompositorBridgeChild] Sending  PCompositorBridge::Msg_PTextureConstructor
[time: 1501976606689924][2130->2079] [PLayerTransactionChild] Sending  PLayerTransaction::Msg_NewCompositable


Calls before "swrast_dri.so":

#8 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLContext.h#1629
#9 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLContext.cpp#2857
#10 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#361
#11 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#479
#12 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLUploadHelpers.cpp#540
#13 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLTextureImage.cpp#144
#14 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/gl/GLTextureImage.cpp#86
#15 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/opengl/TextureHostOGL.cpp#185
#16 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#1047
#17 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#918
#18 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/TextureHost.cpp#500
#19 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/composite/ContentHost.cpp#390
#20 http://searchfox.org/mozilla-central/rev/b52285ff/gfx/layers/ipc/CompositableTransactionParent.cpp#93
Reporter

Comment 1

2 years ago
Posted file session.txt
Group: core-security → gfx-core-security
We may not know how to create corrupted messages like this from web content, but a compromised child process could use something like this as a sandbox escape.
Keywords: sec-high
Whiteboard: [gfx-noted]
Has STR: --- → no
Keywords: testcase-wanted

Comment 3

2 years ago
Hi Milan:

I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them.

Thanks!

Wennie
Assignee: nobody → milan
If something stands out in the code
Assignee: milan → aosmond
What's the status here, Andrew?
Anything we can do to unblock you?
Flags: needinfo?(aosmond)
Assignee

Comment 6

a year ago
At this point I do not have a smoking gun, as I have not been able to reproduce the same crash, but suspect where we create ShmemTextureHost objects:

https://searchfox.org/mozilla-central/rev/03877052c151a8f062eea177f684a2743cd7b1d5/gfx/layers/composite/TextureHost.cpp#272

This is a bit removed from the callstack, but from what I can tell, we don't seem to do any verification of the shmem itself (e.g. mapped in N bytes) and the buffer descriptor (W x H pixels in format F => should expect < N bytes). My best guess is the buffer descriptor is too big in the fuzzing.

> [Faulty] pickle field {int} of value: 1139 changed to: 1140

> ==2079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f276b7c3000 at pc 0x00000043a850 bp 0x7f27918abcb0 sp 0x7f27918ab458
> READ of size 4560 at 0x7f276b7c3000 thread T34 (Compositor)

This is corroborating evidence, in that 4560 bytes is what OpenGL tried to read, and 4560/1140 = 4, which is a common pixel size if the texture uses a BGRA or similar format. It may have tried to read a row from the image, but since we were always reading 1 extra pixel, eventually it overflowed the buffer.

I will write a patch to check for these sorts of overflow conditions in TextureHost::Create and its children.
Flags: needinfo?(aosmond)
Thanks for taking a look, that sounds great!
Assignee

Comment 8

a year ago
Posted patch 0001-Bug-1388020.patch, v1 (obsolete) — Splinter Review
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=54a4fc7740b829eb27f68fa29fdedc8341e3ce8f

Note that failing to create a TextureHost (due to a violation such as the shmem discrepancy) kills the process because it is an IPDL actor creation failure. I expanded on a few existing potential null pointer conventions in the subclasses to cover bad handles being passed in.
Assignee

Updated

a year ago
Attachment #8941951 - Flags: review?(nical.bugzilla)
Attachment #8941951 - Flags: review?(nical.bugzilla) → review+
Assignee

Comment 9

a year ago
Comment on attachment 8941951 [details] [diff] [review]
0001-Bug-1388020.patch, v1

Not fixing security bugs on a regular basis, it completely slipped my mind do sec-approval first. Ugh! I landed on inbound and backed out right away, but it is obviously out there now.

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?

If you can gain control of the content process, it is trivial -- just send a too small shmem with the appropriate graphics IPC message, and boom overflow when that texture is used.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No comments or tests were provided.

> Which older supported branches are affected by this flaw?

If not all supported branches, which bug introduced the flaw?

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

No, but they are trivial to write. I will have them ready for ESR/release/beta just in case.

> How likely is this patch to cause regressions; how much testing does it need?

Very low. We just make sure the buffer is big enough, which is always should be right now.
Attachment #8941951 - Flags: sec-approval?
Assignee

Comment 10

a year ago
(In reply to Andrew Osmond [:aosmond] from comment #9)
> Comment on attachment 8941951 [details] [diff] [review]
> 0001-Bug-1388020.patch, v1
> 
> Which older supported branches are affected by this flaw?

Bug 858914 introduced the issue. So all supported branches.

> If not all supported branches, which bug introduced the flaw?

See above.
There are also GTest failures for the push to inbound: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=ca1b397bffcfba088c848692e455e551459bc0ae&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=156576116&repo=mozilla-inbound
[task 2018-01-16T13:17:38.366Z] 13:17:38     INFO -  TEST-START | Gfx.TestTextureCompatibility
[task 2018-01-16T13:17:38.366Z] 13:17:38     INFO -  ExceptionHandler::GenerateDump cloned child 9950
[task 2018-01-16T13:17:38.366Z] 13:17:38     INFO -  ExceptionHandler::SendContinueSignalToChild sent continue signal to child
[task 2018-01-16T13:17:38.367Z] 13:17:38     INFO -  ExceptionHandler::WaitForContinueSignal waiting for continue signal...
[task 2018-01-16T13:17:38.730Z] 13:17:38     INFO -  mozcrash INFO | Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /builds/worker/workspace/build/tests/gtest/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp /builds/worker/workspace/build/symbols
[task 2018-01-16T13:17:47.673Z] 13:17:47     INFO -  mozcrash INFO | Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp
[task 2018-01-16T13:17:47.683Z] 13:17:47     INFO -  mozcrash INFO | Saved app info as /builds/worker/workspace/build/blobber_upload_dir/485dc6e4-46cf-69c5-aee6-1027aa6d532b.extra
[task 2018-01-16T13:17:47.683Z] 13:17:47  WARNING -  PROCESS-CRASH | gtest | application crashed [@ mozilla::layers::CreateBackendIndependentTextureHost]
[task 2018-01-16T13:17:47.684Z] 13:17:47     INFO -  Crash dump filename: /builds/worker/workspace/build/tests/gtest/485dc6e4-46cf-69c5-aee6-1027aa6d532b.dmp
[task 2018-01-16T13:17:47.684Z] 13:17:47     INFO -  Operating system: Linux
[task 2018-01-16T13:17:47.685Z] 13:17:47     INFO -                    0.0.0 Linux 4.4.0-98-generic #121~14.04.1-Ubuntu SMP Wed Oct 11 11:54:55 UTC 2017 x86_64
[task 2018-01-16T13:17:47.685Z] 13:17:47     INFO -  CPU: amd64
[task 2018-01-16T13:17:47.686Z] 13:17:47     INFO -       family 6 model 62 stepping 4
[task 2018-01-16T13:17:47.686Z] 13:17:47     INFO -       4 CPUs
[task 2018-01-16T13:17:47.686Z] 13:17:47     INFO -  GPU: UNKNOWN
[task 2018-01-16T13:17:47.687Z] 13:17:47     INFO -  Crash reason:  SIGSEGV
[task 2018-01-16T13:17:47.687Z] 13:17:47     INFO -  Crash address: 0x0
[task 2018-01-16T13:17:47.687Z] 13:17:47     INFO -  Process uptime: not available
[task 2018-01-16T13:17:47.688Z] 13:17:47     INFO -  Thread 0 (crashed)
[task 2018-01-16T13:17:47.688Z] 13:17:47     INFO -   0  libxul.so!mozilla::layers::CreateBackendIndependentTextureHost [TextureHost.cpp:ca1b397bffcf : 297 + 0x0]
[task 2018-01-16T13:17:47.688Z] 13:17:47     INFO -      rax = 0x0000000000000001   rdx = 0x0000000000000000
[task 2018-01-16T13:17:47.689Z] 13:17:47     INFO -      rcx = 0x0000000000000001   rbx = 0x00007ffe12094700
[task 2018-01-16T13:17:47.689Z] 13:17:47     INFO -      rsi = 0x0000000000000001   rdi = 0x0000000000000001
[task 2018-01-16T13:17:47.689Z] 13:17:47     INFO -      rbp = 0x00007ffe12094660   rsp = 0x00007ffe12094490
[task 2018-01-16T13:17:47.690Z] 13:17:47     INFO -       r8 = 0x0000000000000040    r9 = 0x00007ffe120946f0
[task 2018-01-16T13:17:47.690Z] 13:17:47     INFO -      r10 = 0x00007f6b4faec000   r11 = 0x0000000000000008
[task 2018-01-16T13:17:47.690Z] 13:17:47     INFO -      r12 = 0x00007ffe12094698   r13 = 0x00007ffe120944a8
[task 2018-01-16T13:17:47.690Z] 13:17:47     INFO -      r14 = 0x00007ffe12094740   r15 = 0x0000000000000000
[task 2018-01-16T13:17:47.691Z] 13:17:47     INFO -      rip = 0x00007f6b5c13f265
[task 2018-01-16T13:17:47.691Z] 13:17:47     INFO -      Found by: given as instruction pointer in context
[task 2018-01-16T13:17:47.691Z] 13:17:47     INFO -   1  libxul.so!mozilla::layers::TextureHost::Create [TextureHost.cpp:ca1b397bffcf : 208 + 0x13]
[task 2018-01-16T13:17:47.692Z] 13:17:47     INFO -      rbx = 0x00007ffe12094700   rbp = 0x00007ffe120946d0
[task 2018-01-16T13:17:47.692Z] 13:17:47     INFO -      rsp = 0x00007ffe12094670   r12 = 0x0000000000000000
[task 2018-01-16T13:17:47.692Z] 13:17:47     INFO -      r13 = 0x0000000000000040   r14 = 0x0000000000000001
[task 2018-01-16T13:17:47.693Z] 13:17:47     INFO -      r15 = 0x00007ffe12094690   rip = 0x00007f6b5c13f466
[task 2018-01-16T13:17:47.693Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.694Z] 13:17:47     INFO -   2  libxul.so!mozilla::layers::CreateTextureHostWithBackend [TextureHelper.h:ca1b397bffcf : 157 + 0x5]
[task 2018-01-16T13:17:47.694Z] 13:17:47     INFO -      rbx = 0x00007ffe12094808   rbp = 0x00007ffe12094790
[task 2018-01-16T13:17:47.694Z] 13:17:47     INFO -      rsp = 0x00007ffe120946e0   r12 = 0x00007ffe12094700
[task 2018-01-16T13:17:47.695Z] 13:17:47     INFO -      r13 = 0x00007f6b4f746f40   r14 = 0x00007f6b4fbdddb8
[task 2018-01-16T13:17:47.695Z] 13:17:47     INFO -      r15 = 0x00007f6b4fbdddb8   rip = 0x00007f6b5e61107e
[task 2018-01-16T13:17:47.695Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.696Z] 13:17:47     INFO -   3  libxul.so!CreateTextureWithBackend [TestTextureCompatibility.cpp:ca1b397bffcf : 46 + 0x14]
[task 2018-01-16T13:17:47.696Z] 13:17:47     INFO -      rbx = 0x0000000000000000   rbp = 0x00007ffe12094890
[task 2018-01-16T13:17:47.696Z] 13:17:47     INFO -      rsp = 0x00007ffe120947a0   r12 = 0x00007ffe120947e8
[task 2018-01-16T13:17:47.697Z] 13:17:47     INFO -      r13 = 0x00007ffe120948c8   r14 = 0x00007ffe120947d8
[task 2018-01-16T13:17:47.697Z] 13:17:47     INFO -      r15 = 0x00007f6b4fbdddb8   rip = 0x00007f6b5e6113f5
[task 2018-01-16T13:17:47.697Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.698Z] 13:17:47     INFO -   4  libxul.so!Gfx_TestTextureCompatibility_Test::TestBody [TestTextureCompatibility.cpp:ca1b397bffcf : 121 + 0xb]
[task 2018-01-16T13:17:47.698Z] 13:17:47     INFO -      rbx = 0x00007ffe120948b8   rbp = 0x00007ffe12094900
[task 2018-01-16T13:17:47.698Z] 13:17:47     INFO -      rsp = 0x00007ffe120948a0   r12 = 0x0000000000000000
[task 2018-01-16T13:17:47.699Z] 13:17:47     INFO -      r13 = 0x00007ffe120948c8   r14 = 0x00007ffe120948c0
[task 2018-01-16T13:17:47.699Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x00007f6b5e61150f
[task 2018-01-16T13:17:47.699Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.700Z] 13:17:47     INFO -   5  libxul.so!testing::Test::Run [gtest.cc:ca1b397bffcf : 2477 + 0xf]
[task 2018-01-16T13:17:47.700Z] 13:17:47     INFO -      rbx = 0x00007f6b4fbd6eb0   rbp = 0x00007ffe12094920
[task 2018-01-16T13:17:47.701Z] 13:17:47     INFO -      rsp = 0x00007ffe12094910   r12 = 0x00007f6b6cb4f3e0
[task 2018-01-16T13:17:47.701Z] 13:17:47     INFO -      r13 = 0x00007f6b6cb4f3e0   r14 = 0x00007f6b6cb5d640
[task 2018-01-16T13:17:47.701Z] 13:17:47     INFO -      r15 = 0x00000160ff1e36b1   rip = 0x00007f6b5e59d14c
[task 2018-01-16T13:17:47.702Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.702Z] 13:17:47     INFO -   6  libxul.so!testing::TestInfo::Run [gtest.cc:ca1b397bffcf : 2658 + 0x8]
[task 2018-01-16T13:17:47.703Z] 13:17:47     INFO -      rbx = 0x00007f6b57f771c0   rbp = 0x00007ffe12094970
[task 2018-01-16T13:17:47.703Z] 13:17:47     INFO -      rsp = 0x00007ffe12094930   r12 = 0x00007f6b4fbd6eb0
[task 2018-01-16T13:17:47.703Z] 13:17:47     INFO -      r13 = 0x00007f6b6cb4f3e0   r14 = 0x00007f6b6cb5d640
[task 2018-01-16T13:17:47.704Z] 13:17:47     INFO -      r15 = 0x00000160ff1e36b1   rip = 0x00007f6b5e59d25c
[task 2018-01-16T13:17:47.704Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.705Z] 13:17:47     INFO -   7  libxul.so!testing::TestCase::Run [gtest.cc:ca1b397bffcf : 2776 + 0xd]
[task 2018-01-16T13:17:47.705Z] 13:17:47     INFO -      rbx = 0x00007f6b57f699e0   rbp = 0x00007ffe120949b0
[task 2018-01-16T13:17:47.706Z] 13:17:47     INFO -      rsp = 0x00007ffe12094980   r12 = 0x00007f6b6cb4f3e0
[task 2018-01-16T13:17:47.706Z] 13:17:47     INFO -      r13 = 0x00007f6b6cb5d640   r14 = 0x00000160ff1e364e
[task 2018-01-16T13:17:47.707Z] 13:17:47     INFO -      r15 = 0x0000000000000024   rip = 0x00007f6b5e59d2fa
[task 2018-01-16T13:17:47.707Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.708Z] 13:17:47     INFO -   8  libxul.so!testing::internal::UnitTestImpl::RunAllTests [gtest.cc:ca1b397bffcf : 4651 + 0x15]
[task 2018-01-16T13:17:47.708Z] 13:17:47     INFO -      rbx = 0x00007f6b6cb4f3e0   rbp = 0x00007ffe12094a10
[task 2018-01-16T13:17:47.708Z] 13:17:47     INFO -      rsp = 0x00007ffe120949c0   r12 = 0x00007f6b6cb5d640
[task 2018-01-16T13:17:47.709Z] 13:17:47     INFO -      r13 = 0x00007ffe12094a00   r14 = 0x0000000000000000
[task 2018-01-16T13:17:47.709Z] 13:17:47     INFO -      r15 = 0x0000000000001464   rip = 0x00007f6b5e5a024a
[task 2018-01-16T13:17:47.710Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.710Z] 13:17:47     INFO -   9  libxul.so!testing::UnitTest::Run [gtest.cc:ca1b397bffcf : 2460 + 0x8]
[task 2018-01-16T13:17:47.711Z] 13:17:47     INFO -      rbx = 0x00007f6b6cb4f3e0   rbp = 0x00007ffe12094a40
[task 2018-01-16T13:17:47.711Z] 13:17:47     INFO -      rsp = 0x00007ffe12094a20   r12 = 0x00007ffe12094a98
[task 2018-01-16T13:17:47.711Z] 13:17:47     INFO -      r13 = 0x00007ffe12094a70   r14 = 0x00007ffe12094a68
[task 2018-01-16T13:17:47.712Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x00007f6b5e5a036f
[task 2018-01-16T13:17:47.712Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.713Z] 13:17:47     INFO -  10  libxul.so!mozilla::RunGTestFunc [gtest.h:ca1b397bffcf : 2233 + 0xd]
[task 2018-01-16T13:17:47.713Z] 13:17:47     INFO -      rbx = 0x00007ffe12094a78   rbp = 0x00007ffe12094b10
[task 2018-01-16T13:17:47.714Z] 13:17:47     INFO -      rsp = 0x00007ffe12094a50   r12 = 0x00007ffe12094a98
[task 2018-01-16T13:17:47.714Z] 13:17:47     INFO -      r13 = 0x00007ffe12094a70   r14 = 0x00007ffe12094a68
[task 2018-01-16T13:17:47.715Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x00007f6b5e5a2477
[task 2018-01-16T13:17:47.715Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.715Z] 13:17:47     INFO -  11  libxul.so!XREMain::XRE_mainStartup [nsAppRunner.cpp:ca1b397bffcf : 3906 + 0x10]
[task 2018-01-16T13:17:47.716Z] 13:17:47     INFO -      rbx = 0x0000000000000000   rbp = 0x00007ffe12094d30
[task 2018-01-16T13:17:47.716Z] 13:17:47     INFO -      rsp = 0x00007ffe12094b20   r12 = 0x00007ffe12094da0
[task 2018-01-16T13:17:47.716Z] 13:17:47     INFO -      r13 = 0x00007ffe12094e78   r14 = 0x00007ffe12094c60
[task 2018-01-16T13:17:47.717Z] 13:17:47     INFO -      r15 = 0x00007ffe12094e00   rip = 0x00007f6b5e2f2ab2
[task 2018-01-16T13:17:47.717Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.717Z] 13:17:47     INFO -  12  libxul.so!XREMain::XRE_main [nsAppRunner.cpp:ca1b397bffcf : 4826 + 0xb]
[task 2018-01-16T13:17:47.718Z] 13:17:47     INFO -      rbx = 0x00007ffe12094e00   rbp = 0x00007ffe12094de0
[task 2018-01-16T13:17:47.718Z] 13:17:47     INFO -      rsp = 0x00007ffe12094d40   r12 = 0x00007ffe12094da0
[task 2018-01-16T13:17:47.719Z] 13:17:47     INFO -      r13 = 0x00007ffe12094e78   r14 = 0x00007ffe12094d88
[task 2018-01-16T13:17:47.719Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x00007f6b5e2f6f95
[task 2018-01-16T13:17:47.719Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.720Z] 13:17:47     INFO -  13  libxul.so!XRE_main [nsAppRunner.cpp:ca1b397bffcf : 4933 + 0x5]
[task 2018-01-16T13:17:47.720Z] 13:17:47     INFO -      rbx = 0x00007ffe12094e00   rbp = 0x00007ffe12094fb0
[task 2018-01-16T13:17:47.720Z] 13:17:47     INFO -      rsp = 0x00007ffe12094df0   r12 = 0x0000000000000003
[task 2018-01-16T13:17:47.721Z] 13:17:47     INFO -      r13 = 0x00007ffe120960f8   r14 = 0x00007ffe12094fc0
[task 2018-01-16T13:17:47.721Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x00007f6b5e2f7329
[task 2018-01-16T13:17:47.722Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.722Z] 13:17:47     INFO -  14  firefox!do_main [nsBrowserApp.cpp:ca1b397bffcf : 231 + 0x22]
[task 2018-01-16T13:17:47.722Z] 13:17:47     INFO -      rbx = 0x0000000000000003   rbp = 0x00007ffe12095fe0
[task 2018-01-16T13:17:47.723Z] 13:17:47     INFO -      rsp = 0x00007ffe12094fc0   r12 = 0x00007ffe120960f8
[task 2018-01-16T13:17:47.723Z] 13:17:47     INFO -      r13 = 0x0000000000000000   r14 = 0x00007ffe12096118
[task 2018-01-16T13:17:47.723Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x0000000000406b7d
[task 2018-01-16T13:17:47.724Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.724Z] 13:17:47     INFO -  15  firefox!main [nsBrowserApp.cpp:ca1b397bffcf : 304 + 0xd]
[task 2018-01-16T13:17:47.724Z] 13:17:47     INFO -      rbx = 0x0000000000000003   rbp = 0x00007ffe12096010
[task 2018-01-16T13:17:47.725Z] 13:17:47     INFO -      rsp = 0x00007ffe12095ff0   r12 = 0x00007ffe120960f8
[task 2018-01-16T13:17:47.725Z] 13:17:47     INFO -      r13 = 0x00007ffe12096118   r14 = 0x00000abe747a8ab9
[task 2018-01-16T13:17:47.725Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x0000000000406474
[task 2018-01-16T13:17:47.726Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.726Z] 13:17:47     INFO -  16  libc-2.23.so + 0x20830
[task 2018-01-16T13:17:47.726Z] 13:17:47     INFO -      rbx = 0x0000000000000000   rbp = 0x000000000042d900
[task 2018-01-16T13:17:47.727Z] 13:17:47     INFO -      rsp = 0x00007ffe12096020   r12 = 0x00000000004066a8
[task 2018-01-16T13:17:47.727Z] 13:17:47     INFO -      r13 = 0x00007ffe120960f0   r14 = 0x0000000000000000
[task 2018-01-16T13:17:47.727Z] 13:17:47     INFO -      r15 = 0x0000000000000000   rip = 0x00007f6b6cdd0830
[task 2018-01-16T13:17:47.727Z] 13:17:47     INFO -      Found by: call frame info
[task 2018-01-16T13:17:47.728Z] 13:17:47     INFO -  17  firefox!MOZ_ReportAssertionFailure [Assertions.h:ca1b397bffcf : 165 + 0x5]
[task 2018-01-16T13:17:47.728Z] 13:17:47     INFO -      rsp = 0x00007ffe12096040   rip = 0x00000000004063ee
[task 2018-01-16T13:17:47.729Z] 13:17:47     INFO -      Found by: stack scanning
Flags: needinfo?(aosmond)
We can't take this until February 6. This is too big of a patch to put into 58 with zero betas left and us about to make the release candidate.

So, sec-approval+ for checkin on February 6 (no earlier!). At that point, we'll want a Beta and ESR52 patch as well.
Whiteboard: [gfx-noted] → [gfx-noted][checkin on 2/6]
Attachment #8941951 - Flags: sec-approval? → sec-approval+
Whiteboard: [gfx-noted][checkin on 2/6] → [gfx-noted]
Assignee

Comment 13

a year ago
This fixes the broken gtests. Will land and attach the ESR52 patch as well. The mozilla-inbound patch should apply cleanly to beta.
Flags: needinfo?(aosmond)
Attachment #8948865 - Flags: review+
Assignee

Updated

a year ago
Attachment #8948865 - Attachment description: 0001-Bug-1388020.patch, v2 [carries r=nical] → [central/beta] 0001-Bug-1388020.patch, v2 [carries r=nical]
Assignee

Comment 15

a year ago
Third try is the charm right? Backed out for a crash test failure on OS X only. This should fix that along with a typo.
Attachment #8948865 - Attachment is obsolete: true
Attachment #8948997 - Flags: review+
(In reply to Sebastian Hengst [:aryx][:archaeopteryx] (needinfo on intermittent or backout) from comment #17)
> diagnostics patch:
> https://hg.mozilla.org/releases/mozilla-beta/rev/a144e7e01f42
This got backed out because it didn't belong into this bug: https://hg.mozilla.org/releases/mozilla-beta/rev/58dc2e0f5a1562f390caf8ebfc517989348ddd0c
Please request uplift to beta and esr when you get a chance.
Flags: needinfo?(aosmond)
Group: gfx-core-security → core-security-release
Milan, can you request uplift here? This can still make it into Monday's beta 11.
Flags: needinfo?(milan)
Comment on attachment 8941951 [details] [diff] [review]
0001-Bug-1388020.patch, v1

Approval Request Comment
[Feature/Bug causing the regression]: 858914
[User impact if declined]: Sec bug
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: 
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: No, now allocating enough memory
[Why is the change risky/not risky?]:
[String changes made/needed]:
Flags: needinfo?(milan)
Attachment #8941951 - Flags: approval-mozilla-beta?
Comment on attachment 8941951 [details] [diff] [review]
0001-Bug-1388020.patch, v1

Just to be clear, I think it's the central/beta patch that needs this request? Also, can we get an ESR52 approval request as well?
Attachment #8941951 - Attachment is obsolete: true
Attachment #8941951 - Flags: approval-mozilla-beta?
Assignee

Comment 24

a year ago
Comment on attachment 8948997 [details] [diff] [review]
[central/beta] 0001-Bug-1388020.patch, v3 [carries r=nical]

Approval Request Comment
[Feature/Bug causing the regression]: Bug 858914
[User impact if declined]: Given control of the content process, one can cause a buffer overflow by sending a too small shmem in the parent or GPU process.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No. May follow the original STR from submitter, but I had trouble reproducing even without the fix.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Been soaking in central for some time. It mostly just adds some size checks at alloc time, which is used a lot during runtime.
[String changes made/needed]: None.
Flags: needinfo?(aosmond)
Attachment #8948997 - Flags: approval-mozilla-beta?
Assignee

Comment 25

a year ago
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Given control of the content process, one can cause a buffer overflow by sending a too small shmem in the parent or GPU process.
Fix Landed on Version: 60.0a
Risk to taking this patch (and alternatives if risky): No. Been soaking in central for some time. It mostly just adds some size checks at alloc time, which is used a lot during runtime.
String or UUID changes made by this patch: None.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8948998 - Flags: approval-mozilla-esr52?
Comment on attachment 8948997 [details] [diff] [review]
[central/beta] 0001-Bug-1388020.patch, v3 [carries r=nical]

Let's take this for 59b12 and 52.7.0. Thanks!
Attachment #8948997 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8948998 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Flags: qe-verify-
Whiteboard: [gfx-noted] → [gfx-noted][post-critsmash-triage]
Whiteboard: [gfx-noted][post-critsmash-triage] → [gfx-noted][post-critsmash-triage][adv-main59+][adv-esr52.7+]
Reporter

Comment 29

a year ago
We need to re-open this bug because it's still being seen on our fuzzing cluster.

==22693==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fc9a726c360 at pc 0x000000440db9 bp 0x7fc99f135b40 sp 0x7fc99f1352e0
READ of size 27754496 at 0x7fc9a726c360 thread T34 (Compositor)
    #0 0x440db8 in memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5
    #1 0x7fc9b628dda2  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x449da2)
    #2 0x7fc9b6291d40  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x44dd40)
    #3 0x7fc9b607d3a3  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x2393a3)
    #4 0x7fc9b607ee69  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23ae69)
    #5 0x7fc9b6001522  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1bd522)
    #6 0x7fc9b60035df  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1bf5df)
    #7 0x7fc9bde43495 in raw_fTexImage2D /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1654:9
    #8 0x7fc9bde43495 in fTexImage2D /builds/worker/workspace/build/src/gfx/gl/GLContext.cpp:2789
    #9 0x7fc9bde43495 in TexImage2DHelper /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:361
    #10 0x7fc9bde43495 in mozilla::gl::UploadImageDataToTexture(mozilla::gl::GLContext*, unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:487
    #11 0x7fc9bde3ec9e in mozilla::gl::UploadSurfaceToTexture(mozilla::gl::GLContext*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:548:12
    #12 0x7fc9bde3e80c in mozilla::gl::BasicTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:144:9
    #13 0x7fc9bde41216 in mozilla::gl::TiledTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:300:11
    #14 0x7fc9bde3d8dc in mozilla::gl::TextureImage::UpdateFromDataSource(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:86:12
    #15 0x7fc9be002814 in mozilla::layers::TextureImageTextureSourceOGL::Update(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/opengl/TextureHostOGL.cpp:171:14
    #16 0x7fc9be277c22 in mozilla::layers::BufferTextureHost::Upload(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:1084:24
    #17 0x7fc9be27365a in MaybeUpload /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:955:8
    #18 0x7fc9be27365a in mozilla::layers::BufferTextureHost::UpdatedInternal(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:541
    #19 0x7fc9be217e6c in mozilla::layers::ContentHostSingleBuffered::UpdateThebes(mozilla::layers::ThebesBufferData const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContentHost.cpp:391:17
    #20 0x7fc9be28943f in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperation const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositableTransactionParent.cpp:92:26
    #21 0x7fc9be2e7726 in mozilla::layers::LayerTransactionParent::RecvUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:462:10
    #22 0x7fc9bccdf88b in mozilla::layers::PLayerTransactionParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PLayerTransactionParent.cpp:136:20
    #23 0x7fc9bd18d3a5 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:121:28
    #24 0x7fc9bca0e47e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25
    #25 0x7fc9bca0b401 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
    #26 0x7fc9bca0cbfc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
    #27 0x7fc9bca0d258 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Please ping me on release day when we reopen a bug in the advisories...
Whiteboard: [gfx-noted][post-critsmash-triage][adv-main59+][adv-esr52.7+] → [gfx-noted][post-critsmash-triage]
Reporter

Comment 31

a year ago
Noting that all crashes occurring now are "underflows" rather than "overflows" as before but the stack is the same.
Reporter

Comment 32

a year ago
Another variation is a UAF but happened until now only one time.


==4874==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffaf81a7fdc at pc 0x000000440db9 bp 0x7ffb1178b840 sp 0x7ffb1178afe0
READ of size 32768 at 0x7ffaf81a7fdc thread T34 (Compositor)
    #0 0x440db8 in memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5
    #1 0x7ffb29053923  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x469923)
    #2 0x7ffb29053a57  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x469a57)
    #3 0x7ffb29057c70  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x46dc70)
    #4 0x7ffb28e281d1  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23e1d1)
    #5 0x7ffb28e29c1f  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x23fc1f)
    #6 0x7ffb28daac72  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1c0c72)
    #7 0x7ffb28dacdef  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1c2def)
    #8 0x7ffb310c4a55 in raw_fTexImage2D /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1654:9
    #9 0x7ffb310c4a55 in fTexImage2D /builds/worker/workspace/build/src/gfx/gl/GLContext.cpp:2789
    #10 0x7ffb310c4a55 in TexImage2DHelper /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:361
    #11 0x7ffb310c4a55 in mozilla::gl::UploadImageDataToTexture(mozilla::gl::GLContext*, unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:487
    #12 0x7ffb310c021e in mozilla::gl::UploadSurfaceToTexture(mozilla::gl::GLContext*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned long*, bool, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, unsigned int, unsigned int) /builds/worker/workspace/build/src/gfx/gl/GLUploadHelpers.cpp:548:12
    #13 0x7ffb310bfd8c in mozilla::gl::BasicTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:144:9
    #14 0x7ffb310c27d6 in mozilla::gl::TiledTextureImage::DirectUpdate(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:300:11
    #15 0x7ffb310bee5c in mozilla::gl::TextureImage::UpdateFromDataSource(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:86:12
    #16 0x7ffb31270255 in mozilla::layers::TextureImageTextureSourceOGL::Update(mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/opengl/TextureHostOGL.cpp:171:14
    #17 0x7ffb314cd7a6 in mozilla::layers::BufferTextureHost::Upload(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:1084:24
    #18 0x7ffb314c902a in MaybeUpload /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:955:8
    #19 0x7ffb314c902a in mozilla::layers::BufferTextureHost::UpdatedInternal(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:541
    #20 0x7ffb31475e6c in mozilla::layers::ContentHostSingleBuffered::UpdateThebes(mozilla::layers::ThebesBufferData const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContentHost.cpp:391:17
    #21 0x7ffb314df55f in mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate(mozilla::layers::CompositableOperation const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositableTransactionParent.cpp:92:26
    #22 0x7ffb3153c1af in mozilla::layers::LayerTransactionParent::RecvUpdate(mozilla::layers::TransactionInfo const&) /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:463:10
    #23 0x7ffb2fd8669b in mozilla::layers::PLayerTransactionParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PLayerTransactionParent.cpp:135:20
    #24 0x7ffb303aff95 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:121:28
    #25 0x7ffb2fababfe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2133:25
    #26 0x7ffb2fab7c77 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2063:17
    #27 0x7ffb2fab937c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1909:5
    #28 0x7ffb2fab99d8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1942:15
    #29 0x7ffb2fa15893 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #30 0x7ffb2fa15893 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #31 0x7ffb2fa15893 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #32 0x7ffb2fa17808 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #33 0x7ffb2fa12c79 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #34 0x7ffb2fa12c79 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #35 0x7ffb2fa12c79 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #36 0x7ffb2fa3221f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #37 0x7ffb2fa23c8c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #38 0x7ffb4f37d6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #39 0x7ffb4e40641c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x7ffaf81a7fdc is located 42972 bytes inside of 2062080-byte region [0x7ffaf819d800,0x7ffaf8394f00)
freed by thread T34 (Compositor) here:
    #0 0x4c6fc2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7ffb2937b4a0  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x7914a0)

previously allocated by thread T34 (Compositor) here:
    #0 0x4c7f9e in __interceptor_posix_memalign /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:157:3
    #1 0x7ffb2937b33b  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x79133b)

Thread T34 (Compositor) created by T0 here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7ffb2fa215ef in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7ffb2fa215ef in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7ffb2fa31bbf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7ffb3150798a in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:101:26
    #5 0x7ffb3150798a in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:51
    #6 0x7ffb31507ba3 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:123:33
    #7 0x7ffb315ffbd2 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1035:5
    #8 0x7ffb315fad73 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:779:5
    #9 0x7ffb315f839b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:538:9
    #10 0x7ffb3643b9b9 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1518:25
    #11 0x7ffb2ec126a1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #12 0x7ffb306de5e0 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1948:12
    #13 0x7ffb306de5e0 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
    #14 0x7ffb306de5e0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
    #15 0x7ffb306e5659 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1671:17
    #16 0x7ffb306e5659 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
    #17 0x7ffb3ae65cae in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #18 0x7ffb3ae65cae in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #19 0x7ffb3ae67a02 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
    #20 0x7ffb3ae67a02 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
    #21 0x7ffb3ae67a02 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:650
    #22 0x7ffb3bfcbe1e in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2155:16
    #23 0x7ffb3bfcbe1e in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2208
    #24 0x7ffb3bfcbe1e in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2410
    #25 0x7ffb3bfcbe1e in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2446
    #26 0x7ffb3ae4d4c5 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1629:12
    #27 0x7ffb3ae4d4c5 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:520
    #28 0x7ffb3ae4d4c5 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:626
    #29 0x7ffb3ae4d4c5 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2923
    #30 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #31 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #32 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #33 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #34 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #35 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #36 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #37 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #38 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #39 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #40 0x7ffb3ae4e860 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #41 0x7ffb3ae4e860 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #42 0x7ffb3ae30b34 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #43 0x7ffb3ae65aa7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #44 0x7ffb3ae66813 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #45 0x7ffb3ba6bf15 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2969:12
    #46 0x7ffb306c55c0 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1308:23
    #47 0x7ffb2ec13c7f in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #48 0x7ffb2ec12c2a in SharedStub (/home/ubuntu/firefox/libxul.so+0x2251c2a)
    #49 0x7ffb2eb8cded in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19
    #50 0x7ffb3ab798cc in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1022:11
    #51 0x7ffb3ab563c8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4516:16
    #52 0x7ffb3ab5997c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4814:8
    #53 0x7ffb3ab5adc4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4906:21
    #54 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #55 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #56 0x7ffb4e31f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5 in memcpy
==4874==ABORTING
Assignee

Comment 33

a year ago
The original bug reported bunch messed with the buffer size, which I fixed, but the new report is a little different. I think it is causing use to use a negative point of reference against the texture, here:

https://searchfox.org/mozilla-central/rev/6e96a3f1e44e286ddae5fdafab737709741d237a/gfx/gl/GLUploadHelpers.cpp#545

That could cause us to underflow.
Assignee

Comment 34

a year ago
I think the UAF could be explained under similar circumstances -- with a large enough negative (or position for that matter) offset, we could probably reach arbitrary memory that has been freed.
Target Milestone: mozilla60 → ---
What are the next steps here, Andrew?
Flags: needinfo?(aosmond)
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]

Clearing the ESR52 approval flag for now just to get this off the "approved & needs uplift" bug query.
Attachment #8948998 - Flags: approval-mozilla-esr52+
Assignee

Comment 37

a year ago
I *think* this should do it.
Flags: needinfo?(aosmond)
Attachment #8964939 - Flags: review?(nical.bugzilla)
Attachment #8964939 - Flags: review?(nical.bugzilla) → review+
Assignee

Comment 38

a year ago
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?

The patch will suggest there is a possible overflow/underflow on this path. You can eventually get here from an IPC message, although there is some clamping/transformations done on the input.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

I don't think so.

> Which older supported branches are affected by this flaw?
> If not all supported branches, which bug introduced the flaw?

All.

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Yes. It should apply cleanly to release/beta and with a minor tweaks, esr52. Not risky.

> How likely is this patch to cause regressions; how much testing does it need?

Unlikely to cause regressions. If we were under/overflowing the surface data in the normal case, we would be corrupting memory anyways, and now it would just fail to draw something instead.
Attachment #8964939 - Flags: sec-approval?
sec-approval+ for trunk.
We'll want Beta and ESR52 patches made and nominated.
Attachment #8964939 - Flags: sec-approval? → sec-approval+
Assignee

Comment 40

a year ago
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1

This patch should apply cleanly on central/beta/release. try results with mozilla-central: https://treeherder.mozilla.org/#/jobs?repo=try&revision=a692edf1a895312cd197f8b5ffbd331baf3e4388
Attachment #8964939 - Attachment description: 0001-Bug-1388020.patch, secondary cause, v1 → [central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1
Assignee

Comment 43

a year ago
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1

Approval Request Comment
[Feature/Bug causing the regression]: N/A
[User impact if declined]: May access arbitrary memory to copy into a GL texture. Could crash or leak information from GPU or main process.
[Is this code covered by automated tests?]: Yes, the bounds check to hit during normal testing. The fuzzer hits the out-of-bounds cases.
[Has the fix been verified in Nightly?]: Yes. The crash has not been reproduced by the fuzzer since landing.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It just adds a bounds check, and ensures any failures are passed up to the caller. If we are outside the bounds, we likely would crash anyways.
[String changes made/needed]: None.
Attachment #8964939 - Flags: approval-mozilla-beta?
Assignee

Comment 44

a year ago
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]

This is a sec-high. See comment 43 for details.
Attachment #8948998 - Flags: approval-mozilla-esr52?
Assignee

Comment 45

a year ago
Comment on attachment 8948998 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, v3 [carries r=nical]

Wrong patch.
Attachment #8948998 - Flags: approval-mozilla-esr52?
Assignee

Comment 46

a year ago
Comment on attachment 8965659 [details] [diff] [review]
[esr52] 0001-Bug-1388020.patch, secondary cause, v1 [carries r=nical]

This is a sec-high bug. See comment 43 for details.
Attachment #8965659 - Flags: approval-mozilla-esr52?
Comment on attachment 8964939 [details] [diff] [review]
[central/beta/release] 0001-Bug-1388020.patch, secondary cause, v1

Approved for 60.0b12 and ESR 52.8.0.
Attachment #8964939 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8965659 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Target Milestone: --- → mozilla61
Whiteboard: [gfx-noted][post-critsmash-triage] → [gfx-noted][post-critsmash-triage][adv-main60+][adv-esr52.8+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.