Closed Bug 1685145 (CVE-2021-23975) Opened 3 years ago Closed 3 years ago

attempting to call malloc_usable_size() for pointer which is not owned

Categories

(Core :: Graphics: WebRender, defect, P3)

Desktop
Unspecified
defect

Tracking

RESOLVED FIXED
87 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fixed
firefox87 --- fixed

People

(Reporter: geeknik, Assigned: gw)

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main86+])

Attachments

(2 files)

Install Firefox Nightly Build ID 20210105094403 (ASAN) and with a clean profile go to about:memory and tap measure. The browser crashes.

==209471==ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x000000000008
    #0 0x5631fe5372bd in malloc_usable_size /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:198:3
    #1 0x5631fe4bed92 in Unwind /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h:115:5
    #2 0x5631fe4bed92 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_allocator.cpp:986:5
    #3 0x7f093fe8a876 in webrender::renderer::Renderer::size_of::hc672c0bdf48d101f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:5302:18
    #4 0x7f093fe8a876 in webrender::renderer::Renderer::report_memory::h72205d5405f85baf /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:5314:36
    #5 0x7f093fe8a876 in wr_renderer_accumulate_memory_report /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:788:16
    #6 0x7f09333f6c61 in AccumulateMemoryReport /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:412:3
    #7 0x7f09333f6c61 in mozilla::wr::RenderThread::DoAccumulateMemoryReport(mozilla::wr::MemoryReport, RefPtr<mozilla::MozPromise<mozilla::wr::MemoryReport, bool, true>::Private> const&) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:167:15
    #8 0x7f093340bdfa in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::MemoryReport, const RefPtr<mozilla::MozPromise<mozilla::wr::MemoryReport, bool, true>::Private> &), StoreCopyPassByConstLRef<mozilla::wr::MemoryReport>, StoreRefPtrPassByPtr<mozilla::MozPromise<mozilla::wr::MemoryReport, bool, true>::Private> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #9 0x7f093340bdfa in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::MemoryReport, const RefPtr<mozilla::MozPromise<mozilla::wr::MemoryReport, bool, true>::Private> &)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #10 0x7f093340bdfa in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::MemoryReport, RefPtr<mozilla::MozPromise<mozilla::wr::MemoryReport, bool, true>::Private> const&), true, (mozilla::RunnableKind)0, mozilla::wr::MemoryReport, RefPtr<mozilla::MozPromise<mozilla::wr::MemoryReport, bool, true>::Private> >::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #11 0x7f093161c003 in RunTask /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:465:9
    #12 0x7f093161c003 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:473:5
    #13 0x7f093161d73b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:548:13
    #14 0x7f093161f009 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #15 0x7f093161a592 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #16 0x7f093161a592 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #17 0x7f093161a592 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #18 0x7f0931639ddb in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
    #19 0x7f093163096c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #20 0x7f09478b8431 in start_thread (/lib64/libpthread.so.0+0x9431)
    #21 0x7f0947481912 in clone (/lib64/libc.so.6+0x101912)

Address 0x000000000008 is a wild pointer.
SUMMARY: AddressSanitizer: bad-malloc_usable_size /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:198:3 in malloc_usable_size
Thread T22 (Renderer) created by T0 here:
    #0 0x5631fe52135a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f093162a48c in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f093162a48c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f093163942e in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f09333f5290 in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:90:16
    #5 0x7f093314ced1 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1336:7
    #6 0x7f093314855d in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:976:3
    #7 0x7f09331465cb in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:509:5
    #8 0x7f093904cf5b in GetPlatform /builds/worker/workspace/obj-build/dist/include/gfxPlatformGtk.h:31:29
    #9 0x7f093904cf5b in nsWindow::nsWindow() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:440:19
    #10 0x7f093908c35a in nsIWidget::CreateTopLevelWindow() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:8094:36
    #11 0x7f093c466f89 in mozilla::AppWindow::Initialize(nsIAppWindow*, nsIAppWindow*, int, int, bool, nsWidgetInitData&) /builds/worker/checkouts/gecko/xpfe/appshell/AppWindow.cpp:208:15
    #12 0x7f093c48c00c in nsAppShellService::JustCreateTopWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, bool, mozilla::AppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:710:15
    #13 0x7f093c48cff2 in nsAppShellService::CreateTopLevelWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, nsIAppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:173:8
    #14 0x7f093cd52c16 in nsAppStartup::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, bool*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:649:15
    #15 0x7f093cefe3a0 in nsWindowWatcher::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:419:33
    #16 0x7f093cef925f in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:947:12
    #17 0x7f093cef6578 in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, nsISupports*, mozIDOMWindowProxy**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293:3
    #18 0x7f093047b7b1 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #19 0x7f0932359aa1 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #20 0x7f0932359aa1 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #21 0x7f0932359aa1 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #22 0x7f093235f7bd in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925:10
    #23 0x7f093d24a06b in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:503:13
    #24 0x7f093d24a06b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:594:12
    #25 0x7f093d2348ef in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #26 0x7f093d2348ef in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:651:10
    #27 0x7f093d2348ef in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309:16
    #28 0x7f093d219e2c in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:473:13
    #29 0x7f093d24fd5f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:839:13
    #30 0x7f093d2e6ca8 in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:492:10
    #31 0x7f093d2e798c in JS::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:599:10
    #32 0x7f093d2e7471 in JS::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:554:10
    #33 0x7f0932242d2e in mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/xpconnect/loader/mozJSComponentLoader.cpp:846:19
    #34 0x7f093224ac7a in mozJSComponentLoader::Import(JSContext*, nsTSubstring<char> const&, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSObject*>, bool) /builds/worker/checkouts/gecko/js/xpconnect/loader/mozJSComponentLoader.cpp:1250:12
    #35 0x7f09303cae3a in mozilla::xpcom::ConstructJSMComponent(nsTSubstring<char> const&, char const*, nsISupports**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:1751:3
    #36 0x7f09303b0e44 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10931:7
    #37 0x7f09303e7b1c in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:176:46
    #38 0x7f09303e7b1c in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1282:17
    #39 0x7f09303ea1bb in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1471:10
    #40 0x7f09303f00c2 in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #41 0x7f09303f00c2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253:21
    #42 0x7f0930250dee in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91:7
    #43 0x7f093cfcc7c1 in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:1065:5
    #44 0x7f093cfcc7c1 in nsAppStartupNotifier::NotifyObservers(char const*) /builds/worker/checkouts/gecko/toolkit/xre/nsAppStartupNotifier.cpp:46:23
    #45 0x7f093cfbd983 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4908:3
    #46 0x7f093cfc08b8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5330:8
    #47 0x7f093cfc1480 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5389:21
    #48 0x5631fe569954 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:219:22
    #49 0x5631fe569954 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:337:16
    #50 0x7f09473a7041 in __libc_start_main (/lib64/libc.so.6+0x27041)

==209471==ABORTING
Flags: sec-bounty?
Summary: attempting to call malloc_usable_size() for pointer which is not owned: → attempting to call malloc_usable_size() for pointer which is not owned
Type: task → defect
Group: firefox-core-security → gfx-core-security
Component: Security → Graphics: WebRender
Product: Firefox → Core
Hardware: Unspecified → Desktop
Blocks: gfx-triage
Severity: -- → S4
Priority: -- → P3
Flags: needinfo?(gwatson)

The calling code was directly calling the sizeof function, instead
of going via the API method that checks for invalid pointers first.

Assignee: nobody → gwatson
Status: NEW → ASSIGNED
Attachment #9199966 - Attachment description: Bug 1685145 - Fix incorrect usage of MallocSizeOfOps. → Bug 1685145 - Fix incorrect usage of memory profiling code.
Flags: needinfo?(gwatson)
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
Flags: sec-bounty? → sec-bounty-
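
The comment above describes the bug pattern without showing code: a memory-report path handed a raw pointer straight to the allocator's size query instead of going through the wrapper method that first rejects pointers the allocator cannot own. The following Rust model is an added example written for this page, not WebRender's code nor the `malloc_size_of` crate's; `SizeOfOps`, `fake_malloc_usable_size`, `register_block`, `vec_heap_size_direct` and `vec_heap_size_checked` are hypothetical names, and the "allocator" is a constructed bookkeeping table that reports a bad query instead of aborting as ASan does. It also assumes (the bug itself does not say) that a wild address of 0x8 is consistent with the alignment-valued dangling pointer an empty `Vec<u64>` carries, which is exactly the class of pointer the checked method filters out.

```rust
use std::cell::RefCell;
use std::collections::HashMap;
use std::ffi::c_void;
use std::mem::{align_of, size_of};

// Constructed stand-in for allocator bookkeeping: which heap blocks it owns
// and their usable size. jemalloc and ASan keep this internally.
thread_local! {
    static OWNED: RefCell<HashMap<usize, usize>> = RefCell::new(HashMap::new());
}

/// Stand-in for `malloc_usable_size`. The real function has no safe answer for
/// a pointer it does not own (under ASan the process aborts, as in the report
/// above); here a bad query is surfaced as `Err(address)` so tests can see it.
fn fake_malloc_usable_size(ptr: *const c_void) -> Result<usize, usize> {
    let addr = ptr as usize;
    OWNED.with(|o| o.borrow().get(&addr).copied().ok_or(addr))
}

/// Simulate an allocation becoming known to the allocator.
fn register_block(ptr: *const c_void, usable: usize) {
    OWNED.with(|o| o.borrow_mut().insert(ptr as usize, usable));
}

/// Hypothetical model of a `MallocSizeOfOps`-style wrapper: the raw size-of
/// callback plus the checked entry point that callers are supposed to use.
pub struct SizeOfOps {
    pub size_of_op: fn(*const c_void) -> Result<usize, usize>,
}

impl SizeOfOps {
    /// Empty Rust containers hold a dangling, alignment-valued pointer
    /// (0x8 for `Vec<u64>`), never a heap block; null is caught by the same test.
    pub fn is_empty<T>(ptr: *const T) -> bool {
        (ptr as usize) <= align_of::<T>()
    }

    /// The API method: filter pointers the allocator cannot own, then ask it.
    /// Only this path may reach `size_of_op`.
    pub fn malloc_size_of<T>(&self, ptr: *const T) -> usize {
        if Self::is_empty(ptr) {
            return 0;
        }
        (self.size_of_op)(ptr as *const c_void)
            .expect("size_of_op called on a pointer the allocator does not own")
    }
}

/// The buggy pattern: invoking the raw op directly, bypassing the guard.
pub fn vec_heap_size_direct<T>(ops: &SizeOfOps, v: &Vec<T>) -> Result<usize, usize> {
    (ops.size_of_op)(v.as_ptr() as *const c_void)
}

/// The corrected pattern: route every query through the checked method.
pub fn vec_heap_size_checked<T>(ops: &SizeOfOps, v: &Vec<T>) -> usize {
    ops.malloc_size_of(v.as_ptr())
}

/// Measure an empty and a populated Vec both ways. Returns
/// (direct query on empty, checked query on empty, checked query on populated).
pub fn demo() -> (Result<usize, usize>, usize, usize) {
    let ops = SizeOfOps { size_of_op: fake_malloc_usable_size };

    let empty: Vec<u64> = Vec::new(); // no allocation; as_ptr() is a dangling pointer
    let full: Vec<u64> = vec![1, 2, 3, 4]; // backed by a real heap block (32 bytes)
    register_block(full.as_ptr() as *const c_void, full.capacity() * size_of::<u64>());

    let direct_on_empty = vec_heap_size_direct(&ops, &empty); // Err(dangling addr): the bad query
    let checked_on_empty = vec_heap_size_checked(&ops, &empty); // 0, allocator never consulted
    let checked_on_full = vec_heap_size_checked(&ops, &full); // 32
    (direct_on_empty, checked_on_empty, checked_on_full)
}

fn main() {
    let (direct, checked_empty, checked_full) = demo();
    println!("direct on empty Vec: {:?}", direct);
    println!("checked on empty Vec: {} bytes", checked_empty);
    println!("checked on populated Vec: {} bytes", checked_full);
}
```

The practical check this illustrates: any code that computes heap sizes for memory reporting should only ever call the checked wrapper, and reviewers can grep for direct uses of the raw callback in `size_of` implementations. Empty `Vec`, zero-capacity `HashMap` and length-zero boxed slices all present pointers that no allocator owns, so a direct query on them is undefined behaviour in a release build and an abort under ASan, even though the report path is only reachable from about:memory.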

The patch landed in nightly and beta is affected.
:gw, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)

Comment on attachment 9199966 [details]
Bug 1685145 - Fix incorrect usage of memory profiling code.

Beta/Release Uplift Approval Request

  • User impact if declined: Potential crash when manually invoking the memory measurement page.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very small patch, 3 lines I think. Only affects users who are profiling memory usage.
  • String changes made/needed:
Flags: needinfo?(gwatson)
Attachment #9199966 - Flags: approval-mozilla-beta?

Comment on attachment 9199966 [details]
Bug 1685145 - Fix incorrect usage of memory profiling code.

Approved for 86 beta 6, thanks.

Attachment #9199966 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main86+]
Attached file advisory.txt
Alias: CVE-2021-23975
No longer blocks: gfx-triage
Flags: sec-bounty-hof+
Group: core-security-release