Closed
Bug 1449420
Opened 7 years ago
Closed 7 years ago
IPC: crash with Msg_SetCursor [@mozilla::dom::TabParent::RecvSetCursor]
Categories: Core :: DOM: Content Processes (defect)
Status: RESOLVED DUPLICATE of bug 1445234
| Tracking | Status | |
|---|---|---|
| firefox61 | --- | affected |
Reporter: posidron; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: crash
The following message was identified to be responsible for this crash and got blacklisted from fuzzing until fixed.
$ hexdump -C /tmp/faulty/message.18379.69
00000000 08 00 00 00 03 00 00 00 2e 00 15 00 01 00 00 00 |................|
00000010 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 |................|
00000020 64 00 00 00 01 00 00 00 |d.......|
00000028
[...]
[Faulty] (18379) FUZZING (2 bytes): PBrowser::Msg_SetCursor
[Faulty] (18379) Process: 2 | Size: 40 | message.18379.69 | Channel::ChannelImpl::Send => PBrowser::Msg_SetCursor
ASAN:DEADLYSIGNAL
=================================================================
==18331==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5585699cdf bp 0x6250000154c0 sp 0x7fff1be37a58 T0)
==18331==The signal is caused by a READ memory access.
==18331==Hint: address points to the zero page.
#0 0x7f5585699cde in g_type_check_instance_is_fundamentally_a (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35cde)
#1 0x7f5585678abd in g_object_ref (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x14abd)
#2 0x7f5587d30e1d in gdk_window_set_cursor (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x4de1d)
#3 0x7f5572892ffc in mozilla::dom::TabParent::RecvSetCursor(unsigned int const&, bool const&) /home/posidron/dev/mozilla/mozilla-inbound/dom/ipc/TabParent.cpp:1737:15
#4 0x7f556c562a07 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/ipc/ipdl/PBrowserParent.cpp:2770:20
#5 0x7f556c702da5 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/ipc/ipdl/PContentParent.cpp:3319:28
#6 0x7f556bcbda99 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:2133:25
#7 0x7f556bcba387 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:2063:17
#8 0x7f556bcbbf19 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:1909:5
#9 0x7f556bcbc868 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:1942:15
#10 0x7f556aab7426 in nsThread::ProcessNextEvent(bool, bool*) /home/posidron/dev/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:1040:14
#11 0x7f556aaddc80 in NS_ProcessNextEvent(nsIThread*, bool) /home/posidron/dev/mozilla/mozilla-inbound/xpcom/threads/nsThreadUtils.cpp:517:10
#12 0x7f556bcc609a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessagePump.cpp:97:21
#13 0x7f556bb78bc8 in RunInternal /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:326:10
#14 0x7f556bb78bc8 in RunHandler /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:319
#15 0x7f556bb78bc8 in MessageLoop::Run() /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:299
#16 0x7f5572ffff6a in nsBaseAppShell::Run() /home/posidron/dev/mozilla/mozilla-inbound/widget/nsBaseAppShell.cpp:157:27
#17 0x7f5577aed79b in nsAppStartup::Run() /home/posidron/dev/mozilla/mozilla-inbound/toolkit/components/startup/nsAppStartup.cpp:288:30
#18 0x7f5577d2b1e2 in XREMain::XRE_mainRun() /home/posidron/dev/mozilla/mozilla-inbound/toolkit/xre/nsAppRunner.cpp:4679:22
#19 0x7f5577d2e0f9 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/posidron/dev/mozilla/mozilla-inbound/toolkit/xre/nsAppRunner.cpp:4814:8
#20 0x7f5577d2f545 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/posidron/dev/mozilla/mozilla-inbound/toolkit/xre/nsAppRunner.cpp:4906:21
#21 0x51bbd5 in do_main /home/posidron/dev/mozilla/mozilla-inbound/browser/app/nsBrowserApp.cpp:231:22
#22 0x51bbd5 in main /home/posidron/dev/mozilla/mozilla-inbound/browser/app/nsBrowserApp.cpp:304
#23 0x7f558b5b61c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
#24 0x424409 in _start (/home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/dist/bin/firefox+0x424409)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x35cde) in g_type_check_instance_is_fundamentally_a
==18331==ABORTING
Comment 1 • 7 years ago
This is an unchecked cast of an untrusted uint32_t to an enum: https://searchfox.org/mozilla-central/rev/7e663b9fa578d425684ce2560e5fa2464f504b34/dom/ipc/TabParent.cpp#1728
And this looks like we might wind up indexing a fixed-size array with that value: https://searchfox.org/mozilla-central/rev/7e663b9fa578d425684ce2560e5fa2464f504b34/widget/gtk/nsWindow.cpp#5298
Group: dom-core-security
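As an added illustration of the pattern comment 1 points at (this is not code from the bug, from Firefox or from GTK, and not the eventual fix): a hypothetical cursor enum with a fixed-size table indexed by it, the unchecked cast an IPC handler might perform on the uint32_t it received from the content process, and the range check that belongs before the conversion. The enum names, the table, the wire layout (little-endian uint32_t cursor id followed by a bool padded to four bytes) and the reading of the hexdump's last eight bytes as cursor = 100, force = 1 are all assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical cursor enum and fixed-size table (stand-ins, not Firefox's
// nsCursor or GTK's cursor objects). kCursorCount is the only valid bound.
enum Cursor : uint32_t {
  kCursorDefault = 0, kCursorPointer, kCursorCrosshair,
  kCursorMove, kCursorText, kCursorWait,
  kCursorCount  // sentinel, not a real cursor
};

static const char* const kCursorTable[kCursorCount] = {
  "default", "pointer", "crosshair", "move", "text", "wait",
};

// Assumed wire layout of the SetCursor payload: little-endian uint32_t cursor
// id, then a bool padded to four bytes. Returns false if the buffer is short.
static bool ParseSetCursor(const uint8_t* buf, size_t len,
                           uint32_t* cursor, bool* force) {
  if (buf == nullptr || len < 8) return false;
  uint32_t v;
  std::memcpy(&v, buf, sizeof v);  // assumes a little-endian host
  *cursor = v;
  *force = buf[4] != 0;
  return true;
}

// Vulnerable pattern: the untrusted uint32_t is cast straight to the enum and
// used as a table index. The index is returned rather than dereferenced so the
// out-of-range value can be observed without undefined behaviour.
static long UncheckedIndexFromWire(const uint8_t* buf, size_t len) {
  uint32_t raw; bool force;
  if (!ParseSetCursor(buf, len, &raw, &force)) return -1;
  Cursor c = static_cast<Cursor>(raw);   // no range check
  return static_cast<long>(c);           // would be kCursorTable[c]
}

// A check done after a narrowing cast is not enough: 0xffffffff becomes -1,
// which passes "< kCursorCount".
static bool SignedCheckAccepts(uint32_t raw) {
  int c = static_cast<int>(raw);
  return c < static_cast<int>(kCursorCount);
}

// Hardened pattern: validate the unsigned value against the sentinel before
// converting, and reject the message (IPC_FAIL in Firefox terms) otherwise.
static const char* CheckedNameFromWire(const uint8_t* buf, size_t len) {
  uint32_t raw; bool force;
  if (!ParseSetCursor(buf, len, &raw, &force)) return nullptr;
  if (raw >= static_cast<uint32_t>(kCursorCount)) return nullptr;
  return kCursorTable[static_cast<Cursor>(raw)];
}

// Constructed inputs: the last eight bytes of the hexdump in comment 0, read
// under the assumed layout, and a well-formed message for comparison.
static const uint8_t kFuzzedPayload[8] = {0x64, 0, 0, 0, 0x01, 0, 0, 0};
static const uint8_t kValidPayload[8]  = {0x02, 0, 0, 0, 0x00, 0, 0, 0};

int main() {
  long idx = UncheckedIndexFromWire(kFuzzedPayload, sizeof kFuzzedPayload);
  std::printf("unchecked index %ld, table size %u\n", idx,
              static_cast<unsigned>(kCursorCount));
  const char* n = CheckedNameFromWire(kFuzzedPayload, sizeof kFuzzedPayload);
  std::printf("fuzzed message: %s\n", n ? n : "rejected");
  n = CheckedNameFromWire(kValidPayload, sizeof kValidPayload);
  std::printf("valid message: %s\n", n ? n : "rejected");
  return 0;
}
```

The unchecked path deliberately stops at computing the index, because dereferencing a six-entry table at index 100 is an out-of-bounds read. On a real pointer table such a read that happens to return null, followed by g_object_ref on that null, would be consistent with the zero-page read in the stack in comment 0, but the page does not establish that is the exact mechanism. The one check that matters is the unsigned comparison against the sentinel before the cast; the SignedCheckAccepts helper shows why a comparison after casting to int is not a substitute.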
Updated • 7 years ago
Component: Event Handling → DOM: Content Processes
Comment 2 • 7 years ago
…okay, now that I've read bug 1445234, it's basically the same thing as what I said in comment #1.
Anyway, given that I found that with just the stack in comment #0 and a few minutes of poking around in searchfox, this should probably stay hidden as long as bug 1445234 is hidden.
Comment 3 • 7 years ago
Will use bug 1445234 to track this.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated • 4 years ago
Group: dom-core-security