Crash in [@ webrender::texture_cache::TextureCache::request]
Categories: Core :: Graphics: WebRender, defect
People: Reporter: gsvelto, Unassigned
Keywords: crash, csectype-uaf, sec-audit
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/f1146d8e-9da8-4e74-bdb6-a88b50201205
MOZ_CRASH Reason: index out of bounds: the len is 4094 but the index is 3857049061
Top 10 frames of crashing thread:
0 XUL RustMozCrash mozglue/static/rust/wrappers.cpp:17
1 XUL mozglue_static::panic_hook mozglue/static/rust/lib.rs:89
2 XUL core::ops::function::Fn::call /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70
3 XUL std::panicking::rust_panic_with_hook library/std/src/panicking.rs:581
4 XUL std::panicking::begin_panic_handler::{{closure}} library/std/src/panicking.rs:484
5 XUL std::sys_common::backtrace::__rust_end_short_backtrace library/std/src/sys_common/backtrace.rs:153
6 XUL rust_begin_unwind library/std/src/panicking.rs:483
7 XUL core::panicking::panic_fmt library/core/src/panicking.rs:85
8 XUL core::panicking::panic_bounds_check library/core/src/panicking.rs:62
9 XUL webrender::texture_cache::TextureCache::request gfx/wr/webrender/src/texture_cache.rs:675
The index contains the poison pattern so this is a UAF of some sort. Given it appears to be macOS-only this must be yet another manifestation of bug 1676343.
Comment 1•3 years ago
(In reply to Gabriele Svelto [:gsvelto] from comment #0)
> MOZ_CRASH Reason:
> index out of bounds: the len is 4094 but the index is 3857049061
Took me a few head-scratches to figure out what Gabriele meant--especially since "index" also appears in the crash URL--but 3857049061 is 0xe5e5e5e5 in hex.
The poison value does not appear in any of the registers in the crash, fwiw, I guess the value has been turned into a string for reporting in the error handling so the bad values aren't in the registers anymore.
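The triage step comments 0 and 1 describe (turn the decimal index from the MOZ_CRASH reason back into hex and recognise it as a freed-memory fill pattern) is mechanical enough to script. The following Rust helper is an added example written for this page; it is not code from WebRender, Firefox or the crash reporter. It assumes that mozjemalloc poisons freed allocations with the byte 0xe5, so a 32-bit value read from freed memory appears as 0xe5e5e5e5 (3857049061 decimal) and a 64-bit one as 0xe5e5e5e5e5e5e5e5; the function names, the `FREE_POISON_BYTE` constant and the verdict strings are this example's own choices.

```rust
// Added triage helper (not part of Firefox or WebRender): decide whether the
// index reported by a Rust bounds-check panic looks like freed-memory poison.
//
// Assumption: mozjemalloc fills freed allocations with the byte 0xe5, so a
// 32-bit index read from freed memory is 0xe5e5e5e5 = 3857049061 in decimal.
const FREE_POISON_BYTE: u8 = 0xe5;

/// Parsed form of "index out of bounds: the len is N but the index is M",
/// the message produced by core::panicking::panic_bounds_check.
#[derive(Debug, PartialEq)]
pub struct BoundsPanic {
    pub len: u64,
    pub index: u64,
}

/// Parse the MOZ_CRASH reason string; returns None for any other panic text.
pub fn parse_bounds_panic(reason: &str) -> Option<BoundsPanic> {
    let rest = reason.strip_prefix("index out of bounds: the len is ")?;
    let (len, index) = rest.split_once(" but the index is ")?;
    Some(BoundsPanic {
        len: len.trim().parse().ok()?,
        index: index.trim().parse().ok()?,
    })
}

/// True when the low `width` bytes of `value` all equal `poison` and no
/// higher byte is set, i.e. the value is exactly a poison-filled integer of
/// that width (width 4 for a u32 read, 8 for a u64/usize read).
pub fn is_poison_filled(value: u64, width: usize, poison: u8) -> bool {
    (1..=8).contains(&width)
        && value.to_le_bytes()[..width].iter().all(|&b| b == poison)
        // Shifting a u64 by 64 would overflow, so width 8 needs no upper check.
        && (width == 8 || value >> (8 * width) == 0)
}

/// Triage verdict for a bounds-check crash reason.
pub fn classify(reason: &str) -> &'static str {
    match parse_bounds_panic(reason) {
        None => "not a bounds-check panic",
        Some(p)
            if is_poison_filled(p.index, 4, FREE_POISON_BYTE)
                || is_poison_filled(p.index, 8, FREE_POISON_BYTE) =>
        {
            "index is freed-memory poison: likely use-after-free"
        }
        Some(p) if p.index >= p.len => "plain out-of-range index",
        Some(_) => "index within len (unexpected)",
    }
}

fn main() {
    // Constructed input: the MOZ_CRASH reason quoted from the report above.
    let reason = "index out of bounds: the len is 4094 but the index is 3857049061";
    let p = parse_bounds_panic(reason).expect("bounds-check panic text");
    println!("index {} = {:#x}: {}", p.index, p.index, classify(reason));
}
```

The width check matters in practice: a `usize` index on a 64-bit build that was read from freed memory would show up as 0xe5e5e5e5e5e5e5e5, while the 0xe5e5e5e5 seen here is consistent with a 32-bit field being promoted to the index, so the helper tests both widths rather than just looking for repeated 0xe5 bytes somewhere in the number.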
Comment 2•2 years ago
What's the appropriate severity for this as I'm getting pinged about it?
Comment 3•2 years ago
I've looked at recent crashes and none of them match the original problem. All the crashes we have on file appear to be coming from machines with bad hardware so closing this is the best option.