Bug 1557405 (Closed) - Opened 5 years ago, Closed 3 years ago

AddressSanitizer: heap-buffer-overflow /src/gfx/layers/composite/AsyncCompositionManager.cpp:105:33 in operator()

Categories: Core :: Graphics: Layers, defect, P3
Status: RESOLVED INCOMPLETE
Tracking Status: firefox69 --- affected
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [gfx-noted]

Found while fuzzing mozilla-central rev 155a7e2117e5. Unfortunately, I don't currently have a working testcase but will update if one becomes available.

==426834==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000a4c980 at pc 0x7eff7c83ba54 bp 0x7eff6ec53fe0 sp 0x7eff6ec53fd8
READ of size 8 at 0x619000a4c980 thread T3 (Compositor)
    #0 0x7eff7c83ba53 in operator() /src/gfx/layers/composite/AsyncCompositionManager.cpp:105:33
    #1 0x7eff7c83ba53 in mozilla::EnableIf<(IsSame<decltype(fp0(fp)), void>::value) && (IsSame<decltype(fp1(fp)), void>::value), void>::Type mozilla::layers::ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer*, mozilla::layers::AsyncCompositionManager::ResolveRefLayers(mozilla::layers::CompositorBridgeParent*, bool*, bool*)::$_0, mozilla::EnableIf<IsSame<decltype(fp0(fp)), void>::value, void>::Type mozilla::layers::ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer*, mozilla::layers::AsyncCompositionManager::ResolveRefLayers(mozilla::layers::CompositorBridgeParent*, bool*, bool*)::$_0>(mozilla::layers::Layer*, mozilla::layers::AsyncCompositionManager::ResolveRefLayers(mozilla::layers::CompositorBridgeParent*, bool*, bool*)::$_0 const&)::'lambda'(mozilla::layers::Layer*)>(mozilla::layers::Layer*, mozilla::layers::AsyncCompositionManager::ResolveRefLayers(mozilla::layers::CompositorBridgeParent*, bool*, bool*)::$_0 const&, mozilla::EnableIf<IsSame<decltype(fp0(fp)), void>::value, void>::Type mozilla::layers::ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer*, mozilla::layers::AsyncCompositionManager::ResolveRefLayers(mozilla::layers::CompositorBridgeParent*, bool*, bool*)::$_0>(mozilla::layers::Layer*, mozilla::layers::AsyncCompositionManager::ResolveRefLayers(mozilla::layers::CompositorBridgeParent*, bool*, bool*)::$_0 const&)::'lambda'(mozilla::layers::Layer*) const&) /src/gfx/layers/TreeTraversal.h:138
    #2 0x7eff7c7eea0f in ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /builds/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:104:58)> /src/gfx/layers/TreeTraversal.h:166:3
    #3 0x7eff7c7eea0f in mozilla::layers::AsyncCompositionManager::ResolveRefLayers(mozilla::layers::CompositorBridgeParent*, bool*, bool*) /src/gfx/layers/composite/AsyncCompositionManager.cpp:104
    #4 0x7eff7c8eeba2 in AutoResolveRefLayers /src/obj-firefox/dist/include/mozilla/layers/AsyncCompositionManager.h:264:17
    #5 0x7eff7c8eeba2 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /src/gfx/layers/ipc/CompositorBridgeParent.cpp:949
    #6 0x7eff7c9139b8 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:249:27
    #7 0x7eff7c96421b in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> >, StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0, 1> /src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
    #8 0x7eff7c96421b in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)> /src/obj-firefox/dist/include/nsThreadUtils.h:1128
    #9 0x7eff7c96421b in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #10 0x7eff7a1b040f in RunTask /src/ipc/chromium/src/base/message_loop.cc:442:9
    #11 0x7eff7a1b040f in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /src/ipc/chromium/src/base/message_loop.cc:450
    #12 0x7eff7a1b190b in MessageLoop::DoWork() /src/ipc/chromium/src/base/message_loop.cc:523:13
    #13 0x7eff7a1b4364 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #14 0x7eff7a1ae83e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #15 0x7eff7a1ae83e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #16 0x7eff7a1ae83e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #17 0x7eff7a1f8d07 in base::Thread::ThreadMain() /src/ipc/chromium/src/base/thread.cc:192:16
    #18 0x7eff7a1c66f8 in ThreadFunc(void*) /src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #19 0x7eff9e3f66da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #20 0x7eff9d3d488e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Address 0x619000a4c980 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/gfx/layers/composite/AsyncCompositionManager.cpp:105:33 in operator()
Shadow bytes around the buggy address:
  0x0c32801418e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32801418f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3280141930:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280141980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
Thread T3 (Compositor) created by T0 (GPU Process) here:
    #0 0x55f078bb3d4d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7eff7a1c2ec2 in CreateThread /src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7eff7a1c2ec2 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /src/ipc/chromium/src/base/platform_thread_posix.cc:134
    #3 0x7eff7a1f80c8 in base::Thread::StartWithOptions(base::Thread::Options const&) /src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7eff7c910d8a in CreateCompositorThread /src/gfx/layers/ipc/CompositorThread.cpp:90:26
    #5 0x7eff7c910d8a in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /src/gfx/layers/ipc/CompositorThread.cpp:42
    #6 0x7eff7c9114f1 in mozilla::layers::CompositorThreadHolder::Start() /src/gfx/layers/ipc/CompositorThread.cpp:111:33
    #7 0x7eff7cbd3730 in mozilla::gfx::GPUParent::Init(int, char const*, MessageLoop*, IPC::Channel*) /src/gfx/ipc/GPUParent.cpp:126:3
    #8 0x7eff7cbe49ba in mozilla::gfx::GPUProcessImpl::Init(int, char**) /src/gfx/ipc/GPUProcessImpl.cpp:72:15
    #9 0x7eff87ef61b7 in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:719:21
    #10 0x55f078bfe66e in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #11 0x55f078bfe66e in main /src/browser/app/nsBrowserApp.cpp:263
    #12 0x7eff9d2d4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==426834==ABORTING
Group: core-security → gfx-core-security
Priority: -- → P3
Whiteboard: [gfx-noted]
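The "wild pointer" line and the shadow dump in the report can be checked by hand. The following is an added example (my code, not the reporter's and not from mozilla-central) that implements the default AddressSanitizer shadow mapping for x86-64 Linux, shadow = (addr >> 3) + 0x7fff8000 with one shadow byte per 8 application bytes, and replays the faulting 8-byte READ at 0x619000a4c980 against a constructed copy of the "=>" shadow row from the report. It reproduces the shadow address 0x0c3280141930 that ASan printed and shows why the access is flagged. The constants and the shadow row are the only inputs; nothing here depends on Firefox.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the bug report or from mozilla-central.
 * Assumes the default AddressSanitizer mapping on x86-64 Linux:
 * shadow = (addr >> 3) + 0x7fff8000, one shadow byte per 8 application bytes. */
#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL
#define ASAN_GRANULE       (1u << ASAN_SHADOW_SCALE)

/* MEM_TO_SHADOW: application address -> address of its shadow byte. */
uint64_t asan_shadow_addr(uint64_t app_addr) {
    return (app_addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Inverse: first application byte of the granule a shadow byte describes. */
uint64_t asan_app_addr(uint64_t shadow_addr) {
    return (shadow_addr - ASAN_SHADOW_OFFSET) << ASAN_SHADOW_SCALE;
}

/* Meaning of a shadow byte, following the legend ASan prints with each report. */
const char *asan_shadow_meaning(uint8_t k) {
    if (k == 0x00) return "addressable";
    if (k < ASAN_GRANULE) return "partially addressable";
    switch (k) {
    case 0xfa: return "heap left redzone";
    case 0xfd: return "freed heap region";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf5: return "stack after return";
    case 0xf8: return "stack use after scope";
    case 0xf9: return "global redzone";
    case 0xf6: return "global init order";
    case 0xf7: return "poisoned by user";
    case 0xfc: return "container overflow";
    case 0xac: return "array cookie";
    case 0xbb: return "intra object redzone";
    case 0xfe: return "ASan internal";
    case 0xca: return "left alloca redzone";
    case 0xcb: return "right alloca redzone";
    case 0xcc: return "shadow gap";
    default:   return "unknown";
    }
}

/* The check ASan instruments in front of every 1..8-byte load or store.
 * k == 0: whole granule valid.  1..7: only the first k bytes are valid.
 * Anything >= 0x80 is negative as int8_t, so the comparison always fires.
 * Returns 1 when the access must be reported. */
int asan_access_is_poisoned(uint8_t shadow_byte, uint64_t addr, unsigned size) {
    int8_t k = (int8_t)shadow_byte;
    if (k == 0) return 0;
    int last = (int)(addr & (ASAN_GRANULE - 1)) + (int)size - 1;
    return last >= k;
}

/* Constructed copy of the "=>" row of the report: 16 bytes of 0xfa starting
 * at shadow address 0x0c3280141930. */
static const uint64_t report_row_base = 0x0c3280141930ULL;
static const uint8_t  report_row[16] = {
    0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,
    0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,
};

/* Replays the faulting access from the report (8-byte READ at 0x619000a4c980)
 * against that row and returns 1 if ASan would report it, -1 if the address
 * falls outside the constructed row. */
int replay_report(void) {
    const uint64_t fault = 0x619000a4c980ULL;
    uint64_t shadow = asan_shadow_addr(fault);
    if (shadow < report_row_base || shadow >= report_row_base + sizeof report_row)
        return -1;
    uint8_t k = report_row[shadow - report_row_base];
    printf("0x%" PRIx64 " -> shadow 0x%" PRIx64 " = 0x%02x (%s)\n",
           fault, shadow, k, asan_shadow_meaning(k));
    return asan_access_is_poisoned(k, fault, 8);
}

int main(void) {
    return replay_report() == 1 ? 0 : 1;
}
```

Two things the replay makes visible. First, ASan names the bug class from the shadow byte it hits, so "heap-buffer-overflow" here means only that the byte at the faulting address was 0xfa (heap left redzone); it is not evidence that an array index ran past a bound. Second, every byte in the dumped neighbourhood is 0xfa, with no 00 or 01..07 bytes marking a live allocation on either side, which is why ASan could not tie the address to any heap chunk and printed "wild pointer" instead of its usual "N bytes to the right of an M-byte region". Both observations are consistent with the suspicion voiced later in the thread that the Layer pointer itself was invalid.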

I'm not sure there's enough info here to find this bug, but it doesn't look good.

Sotaro - could you take a look to see if this is actionable?

Flags: needinfo?(sotaro.ikeda.g)

Hmm, it does not seem actionable with the current information. It would be nice if there were STR to reproduce it.

I wonder if a Layer pointer was invalid.
https://searchfox.org/mozilla-central/source/gfx/layers/composite/AsyncCompositionManager.cpp#105

Flags: needinfo?(sotaro.ikeda.g)
Keywords: stalled

Marking as stalled until we can reproduce and take action

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit the auto_nag documentation.

Keywords: stalled
Group: gfx-core-security