Closed Bug 1696370 Opened 3 years ago Closed 1 year ago

Crash in [@ __GI_getenv]

Categories

(Core :: Graphics: WebRender, defect, P3)

Unspecified
Linux
defect


RESOLVED WORKSFORME

People

(Reporter: gsvelto, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-vector)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/e3255a63-cf2d-41bb-95ec-141230210228

Reason: SIGSEGV /0x00000080

Top 10 frames of crashing thread:

0 libc.so.6 __GI_getenv 
1 libc.so.6 __dcigettext 
2 libdl.so.2 libdl.so.2@0x2a7b 
3 libnspr4.so pr_FindSymbolInLib nsprpub/pr/src/linking/prlink.c:793
4 libnspr4.so PR_FindFunctionSymbol nsprpub/pr/src/linking/prlink.c:845
5 libxul.so mozilla::gl::SymbolLoader::GetProcAddress const gfx/gl/GLLibraryLoader.cpp:65
6 libxul.so get_proc_address_from_glcontext gfx/layers/wr/WebRenderBridgeParent.cpp:145
7 libxul.so webrender_bindings::bindings::get_proc_address gfx/webrender_bindings/src/bindings.rs:506
8 libxul.so gleam::ffi_gl::Gl::load_with::do_metaloadfn x86_64-unknown-linux-gnu/release/build/gleam-31df811bc4bf24c1/out/gl_bindings.rs:2677
9 libxul.so gleam::ffi_gl::Gl::load_with x86_64-unknown-linux-gnu/release/build/gleam-31df811bc4bf24c1/out/gl_bindings.rs:2770

This is a use-after-free crash that seems to mostly affect users on Arch Linux (Arch's Firefox maintainer is CC'd). If you look at the raw data you'll notice that r12 always contains the poison pattern.

There are crash reports with this same stack for other distros too but they're a very small number compared to Arch so I suspect something specific is making it more common on that distro.

Keywords: csectype-uaf

I suspect something corrupted the environment earlier and we're just tripping over it here.

(Most of the crashes with that signature seem to be for Thunderbird 78 on Ubuntu.)

Group: core-security → gfx-core-security

Most of the Thunderbird crashes look like they're related to loading an external smartcard crypto library. They won't be related to the Firefox WebRender crash.

Keywords: sec-high

Firefox uses symbol interposition to replace realloc and make it poison the old allocation?

AFAICT, reading the assembly for getenv, we're indeed trying to dereference r12, and it contains an element from the environ array, i.e. it is the array itself that got poisoned, not a string.
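The distinction drawn in the comment above (a poisoned slot in the environ array versus a poisoned string that a valid slot points to) is easy to reproduce on purpose. The following is an added example, not code from the bug report or from Firefox: a getenv-style lookup over an explicit environment array that inspects each slot before dereferencing it, with three constructed environments showing the healthy case, the "array itself got poisoned" case the report describes, and the "string got poisoned" case it rules out. The poison byte value 0xE5 is an assumption taken from mozjemalloc's free-fill; the page only says "the poison pattern".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed poison byte. mozjemalloc fills freed allocations with 0xE5; the
 * bug page only says "the poison pattern", so the exact value is an assumption. */
#define POISON_BYTE 0xE5u

enum env_status {
    ENV_FOUND = 0,
    ENV_NOT_FOUND = 1,
    ENV_ARRAY_POISONED = 2,  /* the char* slot itself holds the poison pattern */
    ENV_STRING_POISONED = 3  /* the slot is a live pointer but the string was freed */
};

/* True when every byte of the pointer value is POISON_BYTE: what a slot in a
 * freed-and-poisoned environ array looks like (r12 == 0xe5e5... in the report). */
static int pointer_is_poison(const char *p)
{
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i < sizeof v; i++) {
        if (((v >> (8 * i)) & 0xFFu) != POISON_BYTE)
            return 0;
    }
    return 1;
}

/* getenv-style lookup over an explicit environment array. Unlike libc getenv
 * it inspects each slot before dereferencing it, so a poisoned array or a
 * poisoned string is reported instead of turning into a SIGSEGV. */
enum env_status safe_getenv(char *const *envp, const char *name, const char **out)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *entry = envp[i];
        if (pointer_is_poison(entry))
            return ENV_ARRAY_POISONED;
        if ((unsigned char)entry[0] == POISON_BYTE)
            return ENV_STRING_POISONED;
        if (strncmp(entry, name, len) == 0 && entry[len] == '=') {
            if (out)
                *out = entry + len + 1;
            return ENV_FOUND;
        }
    }
    return ENV_NOT_FOUND;
}

/* Constructed scenario 1: an intact environment. */
enum env_status demo_healthy(void)
{
    char *env[] = { "HOME=/home/user", "MOZ_X11_EGL=1", NULL };
    const char *val = NULL;
    enum env_status st = safe_getenv(env, "MOZ_X11_EGL", &val);
    printf("healthy: status=%d value=%s\n", (int)st, val ? val : "(none)");
    return st;
}

/* Constructed scenario 2: the state the bug describes. The array memory was
 * freed and filled with the poison byte, so the second slot is not a pointer. */
enum env_status demo_poisoned_array(void)
{
    uintptr_t poison = 0;
    memset(&poison, POISON_BYTE, sizeof poison);
    char *env[] = { "HOME=/home/user", (char *)poison, NULL };
    enum env_status st = safe_getenv(env, "MOZ_X11_EGL", NULL);
    printf("poisoned array: status=%d\n", (int)st);
    return st;
}

/* Constructed scenario 3: the array is fine but one string was freed. */
enum env_status demo_poisoned_string(void)
{
    char freed[16];
    memset(freed, POISON_BYTE, sizeof freed);
    char *env[] = { "HOME=/home/user", freed, NULL };
    enum env_status st = safe_getenv(env, "MOZ_X11_EGL", NULL);
    printf("poisoned string: status=%d\n", (int)st);
    return st;
}

int main(void)
{
    demo_healthy();
    demo_poisoned_array();
    demo_poisoned_string();
    return 0;
}
```

Real getenv performs no such check, which is why the crash lands inside libc: the slot value is loaded into a register and dereferenced directly. When triaging a report like this one, comparing the faulting register against the allocator's poison byte is what separates "freed array" from "freed string" and from a plain wild pointer.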

Blocks: gfx-triage

Might coincide with Arch's upgrade to GLibC 2.33 (testing started Feb 4).

Never mind, I confused Feb and Mar.

I don't think this is a security bug; it looks like a startup crash that's only happening on Arch Linux. I think we can wait until someone experiencing this shows up before doing anything about it.

Can we get this downgraded from sec-high?

Blocks: gfx-stalled
No longer blocks: gfx-triage
Flags: needinfo?(dveditz)
Keywords: stalled

The March spike is all Thunderbird; Firefox crash levels are relatively consistent over the past 6 months. This really does look like a pure start-up crash: even the half-a-percent that aren't marked as such have extremely short (often 1 sec) uptimes.

Hiding this isn't protecting any Firefox users from anything.

Group: gfx-core-security
Flags: needinfo?(dveditz)
Keywords: sec-high → sec-vector
Severity: -- → S3
Priority: -- → P3
See Also: → 1784813

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled