Bug 1490106 (Closed)
Opened 7 years ago, closed 4 years ago
[libFuzzer] Null-deref crash [@ mozilla::gfx::RecordedSnapshot::PlayEvent]
Categories: Core :: Graphics: WebRender, defect, P2
Status: RESOLVED INCOMPLETE
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | affected |
People: Reporter truber, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, csectype-nullptr, testcase
The following call to wr_moz2d_render_cb causes a null dereference in m-c rev b8905df54d0128248bbeccf59d0bd8eba90ff642.
const uint8_t blob_buffer[] = {
0xED, 0xFE, 0x01, 0xC0, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x30, 0x19, 0x00,
0xB0, 0x60, 0x00, 0x00, 0x03, 0x14, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
0x00, 0x00, 0x00, 0x50, 0x30, 0x19, 0x00, 0xB0, 0x60, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3F, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3F, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x50, 0x30, 0x19, 0x00, 0xB0, 0x60, 0x00, 0x00, 0x25,
0x49, 0x12, 0x3F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x49, 0x12, 0x3F, 0x10,
0x49, 0x12, 0x3E, 0x00, 0x00, 0x00, 0xC0, 0x07, 0x00, 0x00, 0x00, 0x50, 0x30, 0x19, 0x00, 0xB0,
0x60, 0x00, 0x00, 0xB8, 0x6D, 0x5B, 0x3F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8,
0x6D, 0x5B, 0x3F, 0x10, 0xC0, 0x49, 0x11, 0x3E, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x20,
0xAB, 0x27, 0x00, 0x80, 0x60, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x41, 0x00, 0x00, 0x70, 0x41, 0x02, 0x00, 0x00, 0x00,
0x39, 0x06, 0xB8, 0x41, 0x40, 0x82, 0x78, 0x41, 0x91, 0x5C, 0xB6, 0x41, 0x54, 0x58, 0x80, 0x41,
0x42, 0x60, 0xB3, 0x41, 0x42, 0x60, 0x83, 0x41, 0x01, 0x2F, 0x00, 0x00, 0x00, 0x00, 0x44, 0x41,
0x83, 0xC0, 0xD4, 0x41, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x41, 0xBE, 0x9F, 0xD7, 0x41,
0x77, 0xBE, 0x35, 0x41, 0x41, 0x60, 0xD9, 0x41, 0x7D, 0x3F, 0x2D, 0x41, 0x41, 0x60, 0xD9, 0x41,
0x02, 0x00, 0x00, 0x00, 0x83, 0xC0, 0x24, 0x41, 0x41, 0x60, 0xD9, 0x41, 0x83, 0xC0, 0x1C, 0x41,
0xBE, 0x9F, 0xD7, 0x41, 0x83, 0xC0, 0x16, 0x41, 0x83, 0x3C, 0x2B, 0xBE, 0xFE, 0xFF, 0xFF, 0xFF,
0xFF, 0x00, 0x04, 0x41, 0x42, 0x60, 0xCB, 0x41, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFC, 0x40,
0x42, 0x60, 0xC8, 0x41, 0xF4, 0xFD, 0xF4, 0x40, 0x7D, 0x3F, 0xC4, 0x41, 0xF4, 0xFD, 0xF4, 0x40,
0x00, 0x00, 0xC0, 0x41, 0x02, 0x00, 0x00, 0x00, 0xF4, 0xFD, 0xF4, 0x40, 0x83, 0xC0, 0xBB, 0x41,
0x00, 0x00, 0xFC, 0x40, 0xBE, 0x9F, 0xB7, 0x41, 0x00, 0x00, 0x04, 0x41, 0xBE, 0x9F, 0xB4, 0x41,
0x01, 0x00, 0x00, 0x00, 0x7D, 0x3F, 0x4D, 0x41, 0x00, 0x00, 0x70, 0xC2, 0x01, 0x00, 0x00, 0x00,
0xE8, 0xFB, 0xE9, 0x3F, 0x00, 0x00, 0x90, 0x41, 0x02, 0x00, 0x00, 0x00, 0xCF, 0xF7, 0x33, 0x3F,
0x00, 0x00, 0x90, 0x41, 0x00, 0x00, 0x00, 0x00, 0xFA, 0x7E, 0x88, 0x41, 0x00, 0x00, 0x93, 0x00,
0x00, 0x00, 0x80, 0x41, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x41,
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x02, 0x4F, 0x41, 0xCF, 0xF7, 0x33, 0x3F,
0x00, 0x00, 0x40, 0x41, 0xE7, 0xFB, 0xE9, 0x3F, 0x00, 0x00, 0x40, 0x41, 0x01, 0x00, 0x00, 0x00,
0x7D, 0x3F, 0x6D, 0x41, 0x00, 0x00, 0x40, 0x41, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x41,
0xF4, 0xFD, 0xEC, 0x40, 0x02, 0x00, 0x00, 0x00, 0xFB, 0xD6, 0xFB, 0x40, 0x77, 0x2E, 0xE1, 0x40,
0x60, 0xFA, 0xF4, 0x40, 0xA1, 0xF3, 0xD0, 0x40, 0x60, 0xFA, 0xF4, 0x40, 0x00, 0x00, 0xC0, 0x40,
0x02, 0x00, 0x00, 0x00, 0x60, 0xFA, 0xF4, 0x40, 0x5F, 0x0C, 0xAF, 0x40, 0xFB, 0xD6, 0xFB, 0x40,
0x89, 0xD1, 0x9E, 0x40, 0x00, 0x00, 0x04, 0x41, 0x0C, 0x02, 0x93, 0x40, 0x01, 0x00, 0x00, 0x00,
0x83, 0xC0, 0x16, 0x41, 0x0C, 0x02, 0x5B, 0x40, 0x02, 0x00, 0x00, 0x00, 0x83, 0xC0, 0x1C, 0x41,
0x0C, 0x02, 0x43, 0x40, 0x83, 0xC0, 0x24, 0x41, 0xF4, 0xFD, 0x34, 0xC7, 0x82, 0xC0, 0xD2, 0x41,
0xF4, 0xFD, 0x34, 0x40, 0x02, 0x00, 0x00, 0x00, 0x77, 0xBE, 0x35, 0x41, 0xF4, 0xFD, 0x34, 0x40,
0x00, 0x29, 0x3E, 0x41, 0x0D, 0x02, 0x43, 0x40, 0x00, 0x00, 0x44, 0x41, 0x0C, 0x02, 0x5B, 0x40,
0x01, 0x00, 0x00, 0x00, 0x42, 0x60, 0xB3, 0x41, 0x06, 0x81, 0x59, 0x41, 0x02, 0x00, 0x00, 0x00,
0x42, 0x60, 0xB6, 0x41, 0x7D, 0x3F, 0x5F, 0x41, 0x00, 0x00, 0xB8, 0x41, 0x06, 0x81, 0x67, 0x41,
0x00, 0x00, 0xB8, 0x41, 0x00, 0x00, 0x70, 0x41, 0x04, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00,
0x50, 0x30, 0x19, 0x00, 0xB0, 0x60, 0x00, 0x00, 0x20, 0xAB, 0x27, 0x00, 0x80, 0x60, 0x00, 0x00,
0x08, 0x00, 0x80, 0x3F, 0x00, 0x07, 0x00, 0x00, 0x00, 0xA5, 0xA4, 0x24, 0x3E, 0xC6, 0xC4, 0xC4,
0x3E, 0xFE, 0xFC, 0xFC, 0x3E, 0x00, 0x00, 0x80, 0x3F, 0x12, 0x00, 0x00, 0x00, 0x20, 0xAB, 0x27,
0x00, 0x80, 0x60, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x50, 0x30, 0x19, 0x00, 0xB0, 0x60, 0x00,
0x00, 0x25, 0x49, 0x12, 0x3F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x49, 0x12,
0x3F, 0x10, 0x49, 0x12, 0x3E, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xED, 0xFE, 0x01, 0xC0, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x30, 0x19,
0x00, 0xB0, 0x60, 0x00, 0x00, 0x03, 0x14, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x50, 0x30, 0x19, 0x00, 0xB0, 0x60, 0x00, 0x00, 0x25, 0x49, 0x12, 0x3F,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x49, 0x12, 0x3F, 0x10, 0x49, 0x12, 0x3E,
0x00, 0x00, 0x00, 0xC0, 0xC9, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD1, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x16, 0x00, 0x00, 0x00, 0x14, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
uint8_t output_buffer[1760];
wr_moz2d_render_cb(
    // 828 bytes is the full length of blob_buffer above
    mozilla::wr::ByteSlice { .buffer = blob_buffer, .len = 828 },
    // 20 x 22 pixel target
    20, 22,
    mozilla::wr::ImageFormat::BGRA8,
    nullptr, nullptr, nullptr,
    // 20 * 22 pixels * 4 bytes per BGRA8 pixel = 1760 bytes
    mozilla::wr::MutByteSlice { .buffer = output_buffer, .len = 1760 });
==5621==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa50f04c14e bp 0x7ffd99bc32b0 sp 0x7ffd99bc3280 T0)
==5621==The signal is caused by a READ memory access.
==5621==Hint: address points to the zero page.
#0 0x7fa50f04c14d in mozilla::gfx::RecordedSnapshot::PlayEvent(mozilla::gfx::Translator*) const /home/truber/src/m/u/gfx/2d/RecordedEventImpl.h:2926:67
#1 0x7fa50f0385b4 in operator() /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp:84:54
#2 0x7fa50f0385b4 in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0) /home/truber/src/m/u/gfx/2d/RecordedEventImpl.h:3493
#3 0x7fa50f02e888 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp:77:20
#4 0x7fa50feeea3c in Moz2DRenderCallback /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:434:22
#5 0x7fa50feeea3c in wr_moz2d_render_cb /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:511
#6 0x7fa51c757b5f in testMoz2DRenderCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/gfx/tests/fuzzing/TestMoz2D.cpp:83:3
#7 0x3cc97d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
#8 0x3cc1fb in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
#9 0x3cd39d in fuzzer::Fuzzer::MutateAndTestOne() /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
#10 0x3cdaf5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
#11 0x3c4c56 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
#12 0x7fa51aeaa30b in mozilla::FuzzerRunner::Run(int*, char***) /home/truber/src/m/u/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
#13 0x7fa51adbaf55 in XREMain::XRE_mainStartup(bool*) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:3953:35
#14 0x7fa51adcf1b3 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:4912:12
#15 0x7fa51add0d2e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5019:21
#16 0x32ea1c in do_main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:233:22
#17 0x32ea1c in main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:315
#18 0x7fa52f8d582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#19 0x25e028 in _start (/home/truber/src/m/u/obj-x86_64-pc-linux-gnu/dist/bin/firefox+0x25e028)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/truber/src/m/u/gfx/2d/RecordedEventImpl.h:2926:67 in mozilla::gfx::RecordedSnapshot::PlayEvent(mozilla::gfx::Translator*) const
==5621==ABORTING
Updated by reporter•7 years ago
No longer blocks: stage-wr-nightly
Updated•7 years ago
Blocks: stage-wr-trains
Priority: -- → P2
Updated•7 years ago
Priority: P2 → P3
Updated•7 years ago
Priority: P3 → P2
Comment 1•7 years ago
Not exploitable, so I don't think we should block.
Updated•7 years ago
Comment 2•4 years ago
Hey Jesse,
Can you still reproduce this issue or can it be closed?
Flags: needinfo?(jschwartzentruber)
Comment 3•4 years ago
Marking this as Resolved > Incomplete due to the lack of info.
If anyone is able to reproduce this issue re-open it or file a new bug.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Updated by reporter•2 years ago
Flags: needinfo?(jschwartzentruber)