Open
Bug 1423245
Opened 7 years ago
Updated 2 years ago
IPC: stack-overflow crash [@_moz_pixman_region32_copy]
Categories
(Core :: Graphics: Layers, defect, P3)
Tracking
Status: NEW
Flag | Tracking | Status
---|---|---
firefox59 | --- | affected
People
(Reporter: posidron, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-dos, Whiteboard: [stack exhaustion][gfx-noted])
Attachments
(2 files)
INFO: This is an IPC crash found by the fuzzer Faulty - there is no test case available which leads to an immediate crash for reproduction. The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com

*** Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp
export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1

*** Messages which correlate with the stack:

[...]
[time: 1512460238903582][11718<-11817] [PAPZCTreeManagerParent] Received PAPZCTreeManager::Msg_UpdateZoomConstraints
[time: 1512460238903959][11817->11718] [PLayerTransactionChild] Sending PLayerTransaction::Msg_NewCompositable
[time: 1512460238904001][11817->11718] [PLayerTransactionChild] Sending PLayerTransaction::Msg_NewCompositable
[time: 1512460238904069][11718<-11817] [PLayerTransactionParent] Received PLayerTransaction::Msg_NewCompositable
[time: 1512460238904096][11718<-11817] [PLayerTransactionParent] Received PLayerTransaction::Msg_NewCompositable
[Faulty] pickle field {UInt64} of value: 0 changed to: 1
[time: 1512460238904147][11817->11718] [PLayerTransactionChild] Sending PLayerTransaction::Msg_Update
[time: 1512460238904246][11817->11718] [PRenderFrameChild] Sending PRenderFrame::Msg_NotifyCompositorTransaction
[time: 1512460238904255][11718<-11817] [PLayerTransactionParent] Received PLayerTransaction::Msg_Update
[...]

Comment 1•7 years ago (Reporter)
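Triage of a Faulty session usually starts with the question the trace above leaves open: which message carried the mutated pickle field. The following is an added example (editor's illustration, not code from the bug report, from Faulty or from Firefox) that parses MOZ_IPC_MESSAGE_LOG / Faulty trace lines of the shape shown in the description and pairs every "[Faulty] pickle field" line with the next "Sending" line. The pairing rule, that Faulty logs a mutation immediately before the mutated message is sent, is an assumption of this example and is not stated in the report; the sample lines are copied from the description.

```cpp
// Added example, not part of the bug report or of Faulty/Firefox: pair each
// "[Faulty] pickle field ..." mutation with the next "Sending" line in a
// MOZ_IPC_MESSAGE_LOG trace. Assumption (ours): the mutation is logged just
// before the mutated message is sent.
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct Mutation {
    std::string field;      // e.g. "UInt64"
    std::string from, to;   // old and new value, as text
    std::string message;    // e.g. "PLayerTransaction::Msg_Update"; empty if no send followed
    std::string direction;  // e.g. "11817->11718"
};

// Text between `open` and `close`, searching from `pos`; "" if not found.
static std::string Between(const std::string& s, const std::string& open,
                           const std::string& close, size_t pos = 0) {
    size_t a = s.find(open, pos);
    if (a == std::string::npos) return "";
    a += open.size();
    size_t b = s.find(close, a);
    if (b == std::string::npos) return "";
    return s.substr(a, b - a);
}

// Walk the trace line by line; a mutation stays "pending" until a Sending
// line attributes it. A mutation never followed by a send is kept with an
// empty message so it is not silently dropped.
std::vector<Mutation> AttributeMutations(const std::string& trace) {
    std::vector<Mutation> out;
    std::istringstream in(trace);
    std::string line;
    bool pending = false;
    Mutation cur;
    while (std::getline(in, line)) {
        if (line.rfind("[Faulty] pickle field", 0) == 0) {
            if (pending) out.push_back(cur);
            cur = Mutation{};
            cur.field = Between(line, "{", "}");
            cur.from = Between(line, "of value: ", " changed to: ");
            size_t t = line.find("changed to: ");
            if (t != std::string::npos) cur.to = line.substr(t + 12);
            pending = true;
        } else if (pending && line.find("] Sending ") != std::string::npos) {
            cur.direction = Between(line, "][", "]");
            cur.message = line.substr(line.find("] Sending ") + 10);
            out.push_back(cur);
            pending = false;
        }
    }
    if (pending) out.push_back(cur);
    return out;
}

// Sample input: four lines copied from the trace in the bug description.
const char* kSampleTrace =
    "[time: 1512460238904096][11718<-11817] [PLayerTransactionParent] Received PLayerTransaction::Msg_NewCompositable\n"
    "[Faulty] pickle field {UInt64} of value: 0 changed to: 1\n"
    "[time: 1512460238904147][11817->11718] [PLayerTransactionChild] Sending PLayerTransaction::Msg_Update\n"
    "[time: 1512460238904246][11817->11718] [PRenderFrameChild] Sending PRenderFrame::Msg_NotifyCompositorTransaction\n";

int main() {
    for (const Mutation& m : AttributeMutations(kSampleTrace))
        std::printf("%s: %s -> %s, attributed to %s (%s)\n", m.field.c_str(),
                    m.from.c_str(), m.to.c_str(), m.message.c_str(), m.direction.c_str());
    return 0;
}
```

Run over the full session.txt, this gives a list of (field, old, new, message) tuples to check against the stack; under the assumption above, the mutation in the excerpt lands on PLayerTransaction::Msg_Update, which is also the message received just before the crash.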
Updated•7 years ago
Group: core-security → gfx-core-security
Comment 2•7 years ago

This looks like stack exhaustion. Any reason to think it's exploitable? This bit loops:

...
#10 SetShadowProperties /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:915
#11 operator() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:920
#12 _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_22CompositorBridgeParent19SetShadowPropertiesES4_E3$_4ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:137
#13 _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_22CompositorBridgeParent19SetShadowPropertiesES4_E3$_4ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
#14 ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:917:7)> /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:165:3
...

Same loop as bug 1423251, just runs out of stack at a different random spot in the last loop.
Flags: needinfo?(cdiehl)
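The frames in comment 2 show why the bug is rated a DoS and whiteboarded [stack exhaustion]: ForEachNode recurses once per level of the layer tree, and the tree is described by a PLayerTransaction message that the content process (or a fuzzer sitting on that channel) controls, so its depth is untrusted input to the compositor. The following is an added example (editor's illustration, not Gecko code) of that failure mode next to the usual hardening: a recursive pre-order walk whose stack use grows with the input, and an iterative walk with an explicit stack and a depth budget. Layer, MakeChain, kMaxDepth, ForEachNodeRecursive, ForEachNodeIterative and SetShadowPropertiesSafe are hypothetical stand-ins, not the real layer tree or traversal.

```cpp
// Added example (editor's illustration, not Firefox/Gecko code): a recursive
// pre-order tree walk whose depth is set by untrusted input, next to an
// iterative walk with an explicit stack and a depth budget. All names here
// are hypothetical stand-ins for the real layer tree and ForEachNode.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct Layer {
    std::vector<std::unique_ptr<Layer>> children;
    bool shadowSet = false;
};

// Build a degenerate chain of `depth` layers, each with exactly one child:
// the shape that turns a tree walk into recursion `depth` frames deep.
std::unique_ptr<Layer> MakeChain(size_t depth) {
    auto root = std::make_unique<Layer>();
    Layer* cur = root.get();
    for (size_t i = 1; i < depth; ++i) {
        cur->children.push_back(std::make_unique<Layer>());
        cur = cur->children.back().get();
    }
    return root;
}

// Recursive pre-order walk. Every level costs one native stack frame, so a
// long enough chain overflows the thread's stack instead of returning.
size_t ForEachNodeRecursive(Layer* node, const std::function<void(Layer*)>& fn) {
    if (!node) return 0;
    fn(node);
    size_t visited = 1;
    for (auto& child : node->children) visited += ForEachNodeRecursive(child.get(), fn);
    return visited;
}

// Assumed depth budget for this example; a real value would be whatever the
// compositor is willing to accept from a content process.
constexpr size_t kMaxDepth = 4096;

// Iterative pre-order walk with an explicit stack. Native stack use is
// constant, the heap-allocated stack grows with the tree, and a node deeper
// than kMaxDepth makes the walk return false instead of going deeper. The
// caller should treat false as an invalid transaction, since nodes visited
// before the cap fired have already been touched.
bool ForEachNodeIterative(Layer* root, const std::function<void(Layer*)>& fn,
                          size_t* visited) {
    *visited = 0;
    if (!root) return true;
    std::vector<std::pair<Layer*, size_t>> pending;
    pending.emplace_back(root, 0);
    while (!pending.empty()) {
        Layer* node = pending.back().first;
        size_t depth = pending.back().second;
        pending.pop_back();
        if (depth >= kMaxDepth) return false;
        fn(node);
        ++*visited;
        // Push children in reverse so they are visited in pre-order.
        for (auto it = node->children.rbegin(); it != node->children.rend(); ++it)
            pending.emplace_back(it->get(), depth + 1);
    }
    return true;
}

// Marks every layer within the depth budget and returns how many were
// marked, or 0 if the tree was rejected for being too deep.
size_t SetShadowPropertiesSafe(Layer* root) {
    size_t visited = 0;
    bool ok = ForEachNodeIterative(root, [](Layer* l) { l->shadowSet = true; }, &visited);
    return ok ? visited : 0;
}

int main() {
    auto shallow = MakeChain(10);
    auto deep = MakeChain(kMaxDepth + 1);
    std::printf("shallow: %zu layers marked\n", SetShadowPropertiesSafe(shallow.get()));
    std::printf("deep: %zu layers marked (0 = rejected)\n", SetShadowPropertiesSafe(deep.get()));
    return 0;
}
```

One caveat the example deliberately leaves visible: the unique_ptr chain built by MakeChain is destroyed recursively (each ~Layer destroys its children), so replacing the traversal alone does not remove every input-controlled recursion; the depth has to be bounded where the tree is built from the message, or ownership torn down iteratively as well.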
Updated•7 years ago
Group: gfx-core-security
Whiteboard: [stack exhaustion]
Updated•7 years ago
Whiteboard: [stack exhaustion] → [stack exhaustion][gfx-noted]
Updated•6 years ago
Priority: -- → P3
Comment 4•6 years ago (Reporter)

Removing need-info for dveditz; we talked briefly about it on IRC and at the summit in Austin regarding security impact.
Updated•6 years ago
Flags: needinfo?(cdiehl)
Removing test case wanted flag as per comment 4
Keywords: testcase-wanted
Updated•2 years ago
Severity: critical → S2
Comment 6•2 years ago

No crashes in crash stats for _moz_pixman_region32_copy; the SetShadowProperties function that is in the infinite stack no longer exists. Lowering priority -> S3.
Severity: S2 → S3