Open Bug 1423245 Opened 7 years ago Updated 2 years ago

IPC: stack-overflow crash [@_moz_pixman_region32_copy]

Categories

(Core :: Graphics: Layers, defect, P3)

x86_64
Linux
defect

Tracking Status
firefox59 --- affected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-dos, Whiteboard: [stack exhaustion][gfx-noted])

Attachments

(2 files)

Attached file callstack.txt
INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com

*** Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1

*** Messages which correlate with the stack:

[...]
[time: 1512460238903582][11718<-11817] [PAPZCTreeManagerParent] Received  PAPZCTreeManager::Msg_UpdateZoomConstraints
[time: 1512460238903959][11817->11718] [PLayerTransactionChild] Sending  PLayerTransaction::Msg_NewCompositable
[time: 1512460238904001][11817->11718] [PLayerTransactionChild] Sending  PLayerTransaction::Msg_NewCompositable
[time: 1512460238904069][11718<-11817] [PLayerTransactionParent] Received  PLayerTransaction::Msg_NewCompositable
[time: 1512460238904096][11718<-11817] [PLayerTransactionParent] Received  PLayerTransaction::Msg_NewCompositable
[Faulty] pickle field {UInt64} of value: 0 changed to: 1
[time: 1512460238904147][11817->11718] [PLayerTransactionChild] Sending  PLayerTransaction::Msg_Update
[time: 1512460238904246][11817->11718] [PRenderFrameChild] Sending  PRenderFrame::Msg_NotifyCompositorTransaction
[time: 1512460238904255][11718<-11817] [PLayerTransactionParent] Received  PLayerTransaction::Msg_Update
[...]
Attached file session.txt
See Also: → 1423251
Group: core-security → gfx-core-security
This looks like stack exhaustion. Any reason to think it's exploitable?
This bit loops:

...
#10 SetShadowProperties /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:915
#11 operator() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:920
#12 _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_22CompositorBridgeParent19SetShadowPropertiesES4_E3$_4ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:137
#13 _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_22CompositorBridgeParent19SetShadowPropertiesES4_E3$_4ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
#14 ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:917:7)> /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:165:3
...

Same loop as bug 1423251, just runs out of stack at a different random spot in the last loop.
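Spotting the loop by eye works for a five-frame cycle, but deep stack-exhaustion traces are long and the repeating unit is not always adjacent frames. The script below is an added example, not part of this bug or of Mozilla's tooling: it parses frames in the "#N function file:line" shape shown in the comment above, then searches for the smallest period at which the frame sequence repeats and reports where the cycle starts, its length and how many copies are stacked. The five loop frames are copied from the comment with the long template names abbreviated to "ForEachNode<...>"; the top frame's location is not in the report, so a placeholder stands in for it, and the trace itself is constructed by repeating the loop body.

```python
import re
from typing import List, Optional, Tuple

Frame = Tuple[str, str]   # (function, location)

# Matches the "#N function file:line" frame format used in the comment above.
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+(?P<func>\S+)\s+(?P<loc>\S+)$")

# The looping frames quoted in the comment, with template names abbreviated.
LOOP_FRAMES = [
    "SetShadowProperties /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:915",
    "operator() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:920",
    "ForEachNode<...> /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:137",
    "ForEachNode<...> /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5",
    "ForEachNode<...> /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:165:3",
]
# The crash signature's top frame; its location is not in the report (placeholder).
TOP_FRAME = "_moz_pixman_region32_copy <location-not-in-report>"


def build_sample_trace(repeats: int) -> str:
    """Constructed trace: the top frame followed by the loop body repeated `repeats` times."""
    lines = [f"#0 {TOP_FRAME}"]
    for _ in range(repeats):
        for frame in LOOP_FRAMES:
            lines.append(f"#{len(lines)} {frame}")
    return "\n".join(lines)


def parse_frames(text: str) -> List[Frame]:
    """Extract (function, location) pairs; lines that are not frames are ignored."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["func"], m["loc"]))
    return frames


def find_cycle(frames: List[Frame], min_repeats: int = 3) -> Optional[dict]:
    """Find the repeating frame sequence with the most stacked copies.

    For each candidate period p, scan for the longest run of positions i where
    frames[i] == frames[i + p]; a run of length r covers r // p + 1 complete copies.
    Returns None when no sequence repeats at least `min_repeats` times."""
    n = len(frames)
    best = None  # (repeats, period, start); ties keep the smaller period
    for period in range(1, n // min_repeats + 1):
        run_start = run_len = 0
        for i in range(n - period):
            if frames[i] == frames[i + period]:
                if run_len == 0:
                    run_start = i
                run_len += 1
                repeats = run_len // period + 1
                if best is None or repeats > best[0]:
                    best = (repeats, period, run_start)
            else:
                run_len = 0
    if best is None or best[0] < min_repeats:
        return None
    repeats, period, start = best
    return {"start": start, "period": period, "repeats": repeats,
            "cycle": frames[start:start + period]}


def describe_cycle(result: Optional[dict]) -> str:
    """Human-readable triage line for find_cycle()'s result."""
    if result is None:
        return "no repeating frame sequence found"
    funcs = " -> ".join(func for func, _ in result["cycle"])
    return (f"cycle of {result['period']} frames from #{result['start']}, "
            f"{result['repeats']} copies: {funcs}")


if __name__ == "__main__":
    print(describe_cycle(find_cycle(parse_frames(build_sample_trace(4)))))
```

On the constructed trace it reports a five-frame cycle starting at frame #1 with four copies, which is the SetShadowProperties -> operator() -> ForEachNode chain the comment points at. Because the period search is independent of where the stack happened to run out, the same cycle is found whichever frame the sanitizer stopped in, which is what makes this bug and bug 1423251 recognisable as the same loop despite different top frames.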
Flags: needinfo?(cdiehl)
Group: gfx-core-security
Whiteboard: [stack exhaustion]
Whiteboard: [stack exhaustion] → [stack exhaustion][gfx-noted]
Removing need-info for dveditz, we talked briefly about it in IRC and at the summit in Austin regarding security impact.
Flags: needinfo?(cdiehl)

Removing test case wanted flag as per comment 4

Keywords: testcase-wanted
Severity: critical → S2

No crashes in crash stats for _moz_pixman_region32_copy, the SetShadowProperties function that is in the infinite stack no longer exists. Lowering priority -> S3.

Severity: S2 → S3