Closed Bug 1681017 Opened 3 years ago Closed 2 years ago

Crash in [@ webrender::texture_cache::TextureCache::request]

Categories

(Core :: Graphics: WebRender, defect)

Unspecified
macOS
defect

Tracking

RESOLVED INCOMPLETE

People

(Reporter: gsvelto, Unassigned)

References

Details

(Keywords: crash, csectype-uaf, sec-audit)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/f1146d8e-9da8-4e74-bdb6-a88b50201205

MOZ_CRASH Reason: index out of bounds: the len is 4094 but the index is 3857049061

Top 10 frames of crashing thread:

0 XUL RustMozCrash mozglue/static/rust/wrappers.cpp:17
1 XUL mozglue_static::panic_hook mozglue/static/rust/lib.rs:89
2 XUL core::ops::function::Fn::call /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70
3 XUL std::panicking::rust_panic_with_hook library/std/src/panicking.rs:581
4 XUL std::panicking::begin_panic_handler::{{closure}} library/std/src/panicking.rs:484
5 XUL std::sys_common::backtrace::__rust_end_short_backtrace library/std/src/sys_common/backtrace.rs:153
6 XUL rust_begin_unwind library/std/src/panicking.rs:483
7 XUL core::panicking::panic_fmt library/core/src/panicking.rs:85
8 XUL core::panicking::panic_bounds_check library/core/src/panicking.rs:62
9 XUL webrender::texture_cache::TextureCache::request gfx/wr/webrender/src/texture_cache.rs:675

The index contains the poison pattern so this is a UAF of some sort. Given it appears to be macOS-only, this must be yet another manifestation of bug 1676343.

Group: core-security → gfx-core-security

(In reply to Gabriele Svelto [:gsvelto] from comment #0)

> MOZ_CRASH Reason: index out of bounds: the len is 4094 but the index is 3857049061

Took me a few headscratches to figure out what Gabriele meant--especially since "index" also appears in the crash URL--but 3857049061 is 0xe5e5e5e5 in hex.

The poison value does not appear in any of the registers in the crash, fwiw; I guess the value has been turned into a string for reporting in the error handling, so the bad values aren't in the registers anymore.

Keywords: sec-audit
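The check behind comment 1 (is the out-of-range index really a freed-memory poison value?) as a small triage helper. This is an added example, not code from this bug or from Mozilla's crash tooling; it assumes, as comment 1 does, that 0xe5 is the byte mozjemalloc writes over freed allocations.

```python
import re

# Byte mozjemalloc writes over freed allocations in Firefox. An index built only
# from this byte most likely came from freed memory (a use-after-free) rather
# than from a plain off-by-N bug. Assumed here, consistent with comment 1.
POISON_BYTE = 0xE5

# Shape of a Rust bounds-check panic message as it appears in MOZ_CRASH Reason.
BOUNDS_RE = re.compile(
    r"index out of bounds: the len is (?P<len>\d+) but the index is (?P<index>\d+)"
)


def parse_bounds_panic(reason: str):
    """Return (len, index) from a Rust bounds-check panic message, or None."""
    m = BOUNDS_RE.search(reason)
    if m is None:
        return None
    return int(m.group("len")), int(m.group("index"))


def is_poison_filled(value: int, poison: int = POISON_BYTE) -> bool:
    """True if value is exactly `poison` repeated over 4 or 8 bytes (u32 or usize)."""
    for width in (4, 8):
        if value == int.from_bytes(bytes([poison]) * width, "little"):
            return True
    return False


def classify(reason: str) -> str:
    """Triage label: not-a-bounds-panic, plain-oob, or suspect-uaf."""
    parsed = parse_bounds_panic(reason)
    if parsed is None:
        return "not-a-bounds-panic"
    _length, index = parsed
    return "suspect-uaf" if is_poison_filled(index) else "plain-oob"


if __name__ == "__main__":
    # Constructed sample: the reason string quoted in this bug.
    reason = "index out of bounds: the len is 4094 but the index is 3857049061"
    length, index = parse_bounds_panic(reason)
    print(f"len={length} index={index} (0x{index:x}) -> {classify(reason)}")
```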

What's the appropriate severity for this as I'm getting pinged about it?

Flags: needinfo?(gsvelto)

I've looked at recent crashes and none of them match the original problem. All the crashes we have on file appear to be coming from machines with bad hardware so closing this is the best option.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(gsvelto)
Resolution: --- → INCOMPLETE
Group: gfx-core-security