Closed Bug 1423251 Opened 2 years ago Closed 2 years ago

IPC: stack-overflow crash [@SetShadowBaseTransform]

Categories

(Core :: Graphics: Layers, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1423245
Tracking Status
firefox59 --- affected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-dos, testcase-wanted)

Attachments

(2 files)

Attached file callstack.txt
INFO: This is an IPC crash found by the fuzzer Faulty - there is no test case available that leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com

*** Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1

*** Messages which correlate with the stack:

[...]
[time: 1512478414336927][8125<-8235] [PBrowserParent] Received  PBrowser::Msg_AsyncMessage
[time: 1512478414337436][8235->8125] [PBrowserChild] Sending  PBrowser::Msg_SetInputContext
[time: 1512478414337696][8235->8125] [PAPZCTreeManagerChild] Sending  PAPZCTreeManager::Msg_UpdateZoomConstraints
[time: 1512478414337813][8125<-8235] [PBrowserParent] Received  PBrowser::Msg_AsyncMessage
[time: 1512478414337815][8125<-8235] [PAPZCTreeManagerParent] Received  PAPZCTreeManager::Msg_UpdateZoomConstraints
[time: 1512478414337975][8125<-8125] [PCompositorBridgeChild] Received  PCompositorBridge::Msg_DidComposite
[time: 1512478414338017][8235->8125] [PBrowserChild] Sending  PBrowser::Msg_SetInputContext
[time: 1512478414338419][8235->8125] [PBrowserChild] Sending  PBrowser::Msg_EnableDisableCommands
[time: 1512478414338660][8235<-8125] [PBrowserChild] Received  PBrowser::Msg_AsyncMessage
[time: 1512478414339204][8235<-8125] [PBrowserChild] Received  PBrowser::Msg_AsyncMessage
[time: 1512478414339514][8235<-8125] [PBrowserChild] Received  PBrowser::Msg_AsyncMessage
[time: 1512478414340056][8235->8125] [PContentChild] Sending  PContent::Msg_AsyncMessage
[time: 1512478414340236][8235<-8125] [PJavaScriptChild] Received  PJavaScript::Msg_DropTemporaryStrongReferences
[time: 1512478414340298][8235<-8125] [PClientSourceChild] Received  PClientSource::Msg___delete__
[time: 1512478414340435][8235<-8125] [PBrowserChild] Received  PBrowser::Msg_AsyncMessage
[time: 1512478414340632][8235<-8125] [PBrowserChild] Received  PBrowser::Msg_AsyncMessage
[time: 1512478414341951][8235->8125] [PLayerTransactionChild] Sending  PLayerTransaction::Msg_NewCompositable
[time: 1512478414342016][8235->8125] [PLayerTransactionChild] Sending  PLayerTransaction::Msg_NewCompositable
[time: 1512478414342104][8125<-8235] [PLayerTransactionParent] Received  PLayerTransaction::Msg_NewCompositable
[time: 1512478414342134][8125<-8235] [PLayerTransactionParent] Received  PLayerTransaction::Msg_NewCompositable
[Faulty] pickle field {size_t} of value: 0 changed to: 1
[time: 1512478414342209][8235->8125] [PLayerTransactionChild] Sending  PLayerTransaction::Msg_Update
[time: 1512478414342305][8125<-8235] [PLayerTransactionParent] Received  PLayerTransaction::Msg_Update
[...]
Attached file session.txt
See Also: → 1423245
Group: core-security → gfx-core-security
This looks like stack exhaustion due to recursion, with the following chunk repeating over and over.

...
#5 0x7f6141cef53e in SetShadowProperties /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:919
#6 0x7f6141cef53e in operator() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:924
#7 0x7f6141cef53e in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_22CompositorBridgeParent19SetShadowPropertiesES4_E3$_4ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:137
#8 0x7f6141cef79c in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_22CompositorBridgeParent19SetShadowPropertiesES4_E3$_4ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
#9 0x7f6141cef53e in ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:921:7)> /builds/worker/workspace/build/src/gfx/layers/TreeTraversal.h:165:3
...

Any particular reason to think this is exploitable?
Flags: needinfo?(cdiehl)
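As an added illustration of the failure class the stack above shows (not code from the Firefox tree or from this bug), here is a ForEachNode-style recursive pre-order walk over a layer tree next to a depth-bounded variant that rejects a tree too deep to walk safely instead of consuming one stack frame per level until the stack is exhausted. `Layer`, `ForEachNodeBounded`, `kMaxDepth` and the chain-building helper are hypothetical stand-ins for the real mozilla::layers types.

```cpp
// Added illustration, not Firefox code: a ForEachNode-style recursive walk
// over a layer tree, and a depth-bounded variant that stops descending past
// a cap instead of exhausting the stack on a deep, untrusted tree.
#include <cstddef>
#include <memory>
#include <vector>

struct Layer {                       // hypothetical stand-in for mozilla::layers::Layer
  std::vector<std::unique_ptr<Layer>> children;
  bool shadowSet = false;            // what SetShadowProperties would write
};

// Unbounded recursion: one stack frame per tree level. When the tree shape
// comes from another process over IPC, its depth alone decides whether the
// compositor crashes, which is the repeating-frame pattern in the stack above.
template <typename Fn>
void ForEachNodeUnbounded(Layer* root, const Fn& fn) {
  fn(root);
  for (auto& child : root->children) ForEachNodeUnbounded(child.get(), fn);
}

constexpr size_t kMaxDepth = 64;     // hypothetical cap, tuned per deployment

// Bounded variant: returns false and stops as soon as the depth cap is
// exceeded, so a malformed tree is rejected rather than walked to the end.
template <typename Fn>
bool ForEachNodeBounded(Layer* root, const Fn& fn, size_t depth = 0) {
  if (depth > kMaxDepth) return false;
  fn(root);
  for (auto& child : root->children)
    if (!ForEachNodeBounded(child.get(), fn, depth + 1)) return false;
  return true;
}

// Constructed input: a single chain of `depth` layers hanging off the root.
// Note that destroying a very deep unique_ptr chain is itself recursive.
std::unique_ptr<Layer> MakeChain(size_t depth) {
  auto root = std::make_unique<Layer>();
  Layer* cur = root.get();
  for (size_t i = 0; i < depth; ++i) {
    cur->children.push_back(std::make_unique<Layer>());
    cur = cur->children.back().get();
  }
  return root;
}

// Applies the bounded walk to a chain; returns the number of layers whose
// shadow was set, or 0 when the depth cap rejected the tree.
size_t SetShadowPropertiesBounded(size_t depth) {
  auto root = MakeChain(depth);
  size_t count = 0;
  bool ok = ForEachNodeBounded(root.get(), [&](Layer* l) { l->shadowSet = true; ++count; });
  return ok ? count : 0;
}
```

The same cap belongs in the IPC deserializer, so an over-deep tree is refused at the process boundary and never reaches the traversal.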
This appears to be a dupe of bug 1423245: same repeating chunk, just happens to hit the limit at a different place in the loop.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1423245
Group: gfx-core-security
Flags: needinfo?(cdiehl)