Closed Bug 1722204 (CVE-2021-29980) Opened 1 year ago Closed 1 year ago

AddressSanitizer: attempting double-free from gfx::RecordedFillGlyphs and UAF (0xe5e5e5e5e5e5e5e5 on crash report)

Categories

(Core :: Graphics: Layers, defect, P1)


Tracking


VERIFIED FIXED
92 Branch
Tracking Status
firefox-esr78 91+ fixed
firefox90 --- wontfix
firefox91 + verified
firefox92 + verified

People

(Reporter: sourc7, Assigned: bobowen)

References

Details

(5 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main91+][adv-esr78.13+])

Crash Data

Attachments

(7 files, 1 obsolete file)

After visiting the testcase and then reloading the page, I noticed the Firefox window became blank for a few seconds; after that, Firefox ASan shows the output log AddressSanitizer: attempting double-free on address in thread T46 from mozilla::gfx::RecordedFillGlyphs::~RecordedFillGlyphs.

On Firefox (non-ASan) some crash reports contain 0xe5e5e5e5e5e5e5e5 in one of the CPU registers (which I assume is the UAF address). Furthermore, after some crashes, I observe in some crash reports an access violation on 0x100000009, 0x10b0481d060 or 0xffffffffffffffff, or a breakpoint at some address.

I'm currently reducing the testcase; I'll attach the testcase along with STR as soon as I'm done =).

Tested on:

  • Firefox Nightly 92.0a1 (2021-07-24) (64-bit) on Windows 10
  • m-c-20210723213232-asan-opt on Windows 10
  • m-c-20210715094037-asan-opt on Windows 10
  • Firefox 90.0.2 (64-bit) on Windows 10
  • m-c-20210406094706-asan-opt on Windows 10

ASan output:

=================================================================
==13524==ERROR: AddressSanitizer: attempting double-free on 0x11f34206ab50 in thread T46:
    #0 0x7ff963c15afb in free Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82
    #1 0x7ff9500ae3ba in operator delete[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:60
    #2 0x7ff9500ae3ba in mozilla::gfx::RecordedFillGlyphs::~RecordedFillGlyphs /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2366
    #3 0x7ff9500ae3ba in mozilla::gfx::RecordedEvent::DoWithEvent<class mozilla::gfx::EventRingBuffer>(class mozilla::gfx::EventRingBuffer &, enum mozilla::gfx::RecordedEvent::EventType, class std::function<(class mozilla::gfx::RecordedEvent *)> const &) /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:3989
    #4 0x7ff950858f5a in mozilla::layers::CanvasTranslator::TranslateRecording(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:245
    #5 0x7ff950858837 in mozilla::layers::CanvasTranslator::StartTranslation(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:168
    #6 0x7ff94d77441a in mozilla::detail::RunnableMethodArguments<>::applyImpl /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148
    #7 0x7ff94d77441a in mozilla::detail::RunnableMethodArguments<>::apply /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154
    #8 0x7ff94d77441a in mozilla::detail::RunnableMethodImpl<class nsCOMPtr<class mozilla::dom::SVGSVGElement>, void (__cdecl mozilla::dom::SVGSVGElement::*)(void), 1, 0>::Run(void) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201
    #9 0x7ff94d941d4d in mozilla::TaskQueue::Runner::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208
    #10 0x7ff94d974808 in nsThreadPool::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:303
    #11 0x7ff94d95fc74 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1142
    #12 0x7ff94d96ff2c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466
    #13 0x7ff94ed1413e in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #14 0x7ff94ec21615 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #15 0x7ff94ec21615 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #16 0x7ff94ec213e5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #17 0x7ff94d958a00 in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:390
    #18 0x7ff974151fbe in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #19 0x7ff97412b08b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #20 0x7ff9d1691bb1  (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
    #21 0x7ff963c20617 in __asan::AsanThread::ThreadStart(unsigned __int64) Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:270
    #22 0x7ff9d28b7033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #23 0x7ff9751345ec in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/workspace/obj-build/dist/include/nsWindowsDllInterceptor.h:150
    #24 0x7ff9751345ec in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp:588
    #25 0x7ff9d3982650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

0x11f34206ab50 is located 0 bytes inside of 12-byte region [0x11f34206ab50,0x11f34206ab5c)
freed by thread T46 here:
    #0 0x7ff963c15afb in free Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82
    #1 0x7ff9500ae3ba in operator delete[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:60
    #2 0x7ff9500ae3ba in mozilla::gfx::RecordedFillGlyphs::~RecordedFillGlyphs /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2366
    #3 0x7ff9500ae3ba in mozilla::gfx::RecordedEvent::DoWithEvent<class mozilla::gfx::EventRingBuffer>(class mozilla::gfx::EventRingBuffer &, enum mozilla::gfx::RecordedEvent::EventType, class std::function<(class mozilla::gfx::RecordedEvent *)> const &) /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:3989
    #4 0x7ff950858f5a in mozilla::layers::CanvasTranslator::TranslateRecording(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:245
    #5 0x7ff950858837 in mozilla::layers::CanvasTranslator::StartTranslation(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:168
    #6 0x7ff94d77441a in mozilla::detail::RunnableMethodArguments<>::applyImpl /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148
    #7 0x7ff94d77441a in mozilla::detail::RunnableMethodArguments<>::apply /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154
    #8 0x7ff94d77441a in mozilla::detail::RunnableMethodImpl<class nsCOMPtr<class mozilla::dom::SVGSVGElement>, void (__cdecl mozilla::dom::SVGSVGElement::*)(void), 1, 0>::Run(void) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201
    #9 0x7ff94d941d4d in mozilla::TaskQueue::Runner::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208
    #10 0x7ff94d974808 in nsThreadPool::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:303
    #11 0x7ff94d95fc74 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1142
    #12 0x7ff94d96ff2c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466
    #13 0x7ff94ed1413e in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #14 0x7ff94ec21615 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #15 0x7ff94ec21615 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #16 0x7ff94ec213e5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #17 0x7ff94d958a00 in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:390
    #18 0x7ff974151fbe in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #19 0x7ff97412b08b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #20 0x7ff9d1691bb1  (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
    #21 0x7ff963c20617 in __asan::AsanThread::ThreadStart(unsigned __int64) Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:270
    #22 0x7ff9d28b7033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #23 0x7ff9751345ec in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/workspace/obj-build/dist/include/nsWindowsDllInterceptor.h:150
    #24 0x7ff9751345ec in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp:588

previously allocated by thread T46 here:
    #0 0x7ff963c15c0b in malloc Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98
    #1 0x7ff97513139d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ff9500eb502 in operator new[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:42
    #3 0x7ff9500eb502 in mozilla::gfx::RecordedFillGlyphs::RecordedFillGlyphs<class mozilla::gfx::EventStream>(class mozilla::gfx::EventStream &) /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2398
    #4 0x7ff9500ae2e2 in mozilla::gfx::RecordedEvent::DoWithEvent<class mozilla::gfx::EventRingBuffer>(class mozilla::gfx::EventRingBuffer &, enum mozilla::gfx::RecordedEvent::EventType, class std::function<(class mozilla::gfx::RecordedEvent *)> const &) /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:3989
    #5 0x7ff950858f5a in mozilla::layers::CanvasTranslator::TranslateRecording(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:245
    #6 0x7ff950858837 in mozilla::layers::CanvasTranslator::StartTranslation(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:168
    #7 0x7ff94d77441a in mozilla::detail::RunnableMethodArguments<>::applyImpl /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148
    #8 0x7ff94d77441a in mozilla::detail::RunnableMethodArguments<>::apply /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154
    #9 0x7ff94d77441a in mozilla::detail::RunnableMethodImpl<class nsCOMPtr<class mozilla::dom::SVGSVGElement>, void (__cdecl mozilla::dom::SVGSVGElement::*)(void), 1, 0>::Run(void) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201
    #10 0x7ff94d941d4d in mozilla::TaskQueue::Runner::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208
    #11 0x7ff94d974808 in nsThreadPool::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:303
    #12 0x7ff94d95fc74 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1142
    #13 0x7ff94d96ff2c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466
    #14 0x7ff94ed1413e in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #15 0x7ff94ec21615 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #16 0x7ff94ec21615 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #17 0x7ff94ec213e5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #18 0x7ff94d958a00 in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:390
    #19 0x7ff974151fbe in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #20 0x7ff97412b08b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #21 0x7ff9d1691bb1  (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
    #22 0x7ff963c20617 in __asan::AsanThread::ThreadStart(unsigned __int64) Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:270

Thread T46 created by T4 here:
    #0 0x7ff963c216b2 in __asan_wrap_CreateThread Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ff9d1691896  (C:\Windows\System32\ucrtbase.dll+0x180021896)
    #2 0x7ff97412aebd in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff974152d9c in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9741536f3 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff974149abf in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff94d95b20c in nsThread::Init(class nsTSubstring<char> const &) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:602
    #7 0x7ff94d96d53b in nsThreadManager::NewNamedThread(class nsTSubstring<char> const &, unsigned int, class nsIThread **) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:573
    #8 0x7ff94d97947c in NS_NewNamedThread(class nsTSubstring<char> const &, class nsIThread **, struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:162
    #9 0x7ff94d972be6 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155
    #10 0x7ff94d972be6 in nsThreadPool::PutEvent(struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:118
    #11 0x7ff94d975eeb in nsThreadPool::Dispatch(struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:354
    #12 0x7ff94d92b86a in mozilla::SharedThreadPool::Dispatch(struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/SharedThreadPool.h:73
    #13 0x7ff94d93f09a in mozilla::TaskQueue::DispatchLocked(class nsCOMPtr<class nsIRunnable> &, unsigned int, enum mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:68
    #14 0x7ff94d97d22b in mozilla::TaskQueue::Dispatch(struct already_AddRefed<class nsIRunnable>, enum mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:88
    #15 0x7ff9508585da in mozilla::layers::CanvasTranslator::RecvResumeTranslation(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:160
    #16 0x7ff9508570cd in mozilla::layers::CanvasTranslator::RecvInitTranslator(enum mozilla::layers::TextureType const &, void *const &, void *const &, void *const &) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:151
    #17 0x7ff94f7f20fe in mozilla::layers::PCanvasParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasParent.cpp:188
    #18 0x7ff94ed09904 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2084
    #19 0x7ff94ed05d6f in mozilla::ipc::MessageChannel::DispatchMessage(class IPC::Message &&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2011
    #20 0x7ff94ed07bf1 in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1859
    #21 0x7ff94ed0819c in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1890
    #22 0x7ff94d941d4d in mozilla::TaskQueue::Runner::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208
    #23 0x7ff94d974808 in nsThreadPool::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:303
    #24 0x7ff94d95fc74 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1142
    #25 0x7ff94d96ff2c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466
    #26 0x7ff94ed1413e in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #27 0x7ff94ec21615 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #28 0x7ff94ec21615 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #29 0x7ff94ec213e5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #30 0x7ff94d958a00 in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:390
    #31 0x7ff974151fbe in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #32 0x7ff97412b08b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #33 0x7ff9d1691bb1  (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
    #34 0x7ff963c20617 in __asan::AsanThread::ThreadStart(unsigned __int64) Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:270
    #35 0x7ff9d28b7033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #36 0x7ff9751345ec in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/workspace/obj-build/dist/include/nsWindowsDllInterceptor.h:150
    #37 0x7ff9751345ec in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp:588
    #38 0x7ff9d3982650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

Thread T4 created by T0 here:
    #0 0x7ff963c216b2 in __asan_wrap_CreateThread Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ff9d1691896  (C:\Windows\System32\ucrtbase.dll+0x180021896)
    #2 0x7ff97412aebd in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff974152d9c in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9741536f3 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff974149abf in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff94d95b20c in nsThread::Init(class nsTSubstring<char> const &) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:602
    #7 0x7ff94d96d53b in nsThreadManager::NewNamedThread(class nsTSubstring<char> const &, unsigned int, class nsIThread **) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:573
    #8 0x7ff94d97947c in NS_NewNamedThread(class nsTSubstring<char> const &, class nsIThread **, struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:162
    #9 0x7ff94d972be6 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155
    #10 0x7ff94d972be6 in nsThreadPool::PutEvent(struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:118
    #11 0x7ff94d975eeb in nsThreadPool::Dispatch(struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:354
    #12 0x7ff94d96673d in BackgroundEventTarget::Dispatch(struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:166
    #13 0x7ff94d97b825 in nsIEventTarget::Dispatch /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:41
    #14 0x7ff94d97b825 in nsThreadManager::DispatchToBackgroundThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:501
    #15 0x7ff94d97b825 in NS_DispatchBackgroundTask(struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:502
    #16 0x7ff956f9f679 in mozilla::crashreporter::LSPAnnotate(void) /builds/worker/checkouts/gecko/widget/windows/LSPAnnotator.cpp:131
    #17 0x7ff956fdd990 in nsAppShell::Init(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:501
    #18 0x7ff956f1dd4f in nsAppShellInit /builds/worker/checkouts/gecko/widget/nsAppShellSingleton.h:47
    #19 0x7ff956f1dd4f in nsWidgetWindowsModuleCtor(void) /builds/worker/checkouts/gecko/widget/windows/nsWidgetFactory.cpp:49
    #20 0x7ff94d8b7d51 in mozilla::xpcom::CallInitFunc /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:8961
    #21 0x7ff94d8b7d51 in mozilla::xpcom::CreateInstanceImpl /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11279
    #22 0x7ff94d905ad3 in `anonymous namespace'::EntryWrapper::CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:174
    #23 0x7ff94d905ad3 in nsComponentManagerImpl::GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276
    #24 0x7ff94d904c58 in nsComponentManagerImpl::GetService(struct nsID const &, struct nsID const &, void **) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1330
    #25 0x7ff94d90f74e in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:51
    #26 0x7ff94d90f74e in nsGetServiceByCID::operator()(struct nsID const &, void **) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:220
    #27 0x7ff94d706743 in nsCOMPtr_base::assign_from_gs_cid(class nsGetServiceByCID, struct nsID const &) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:64
    #28 0x7ff95b3d3219 in nsCOMPtr<nsIAppShell>::nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:611
    #29 0x7ff95b3d3219 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:867
    #30 0x7ff94ec21615 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #31 0x7ff94ec21615 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #32 0x7ff94ec213e5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #33 0x7ff95b3d2709 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742
    #34 0x7ff6b0631f49 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:58
    #35 0x7ff6b0631f49 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #36 0x7ff6b06314d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #37 0x7ff6b072f207 in invoke_main f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #38 0x7ff6b072f207 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #39 0x7ff9d28b7033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #40 0x7ff9d3982650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

SUMMARY: AddressSanitizer: double-free Z:\task_1626506473\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82 in free
==13524==ABORTING
Flags: sec-bounty?
Attached file asan.windows.txt

The last one (TileNode::update_dirty_rects) is a Rust panic due to a failed bounds check. Clearly a bug, but not a security problem thanks to Rust's memory safety checks.

The first APZUpdater crash looks like a UAF (poison value in rdx), the others are not as easily diagnosed. Although a reduced testcase is definitely preferable, if you can't reduce it something is better than nothing (that is, the unreduced testcase). There's not much to go on so far.

Group: firefox-core-security → core-security
Type: task → defect
Component: Security → Graphics: Layers
Flags: needinfo?(susah.yak)
Product: Firefox → Core
Group: core-security → gfx-core-security

(In reply to Daniel Veditz [:dveditz] from comment #3)

The last one (TileNode::update_dirty_rects) is a Rust panic due to a failed bounds check. Clearly a bug, but not a security problem thanks to Rust's memory safety checks.

Yup, sometimes the crash report contains WebRender hitting the RustMozCrash breakpoint with various signatures.

The first APZUpdater crash looks like a UAF (poison value in rdx), the others are not as easily diagnosed.

Yes, after Firefox goes blank for a few seconds (renderer crash), the crash reports contain various signatures; on another crash report the crash reason
is STATUS_STACK_BUFFER_OVERRUN / FAST_FAIL_GUARD_ICALL_CHECK_FAILURE.

Although a reduced testcase is definitely preferable, if you can't reduce it something is better than nothing (that is, the unreduced testcase). There's not much to go on so far.

Gladly, I successfully reduced the testcase, and I am also able to reproduce this on both my machines, an AMD Ryzen 5 PRO 4650G and an Intel i5-1035G1, on Windows 10. I'll post the testcase with steps to reproduce in a moment.

In the STR below I'm using FFPuppet to save ASan logs to the directory. I can reproduce the double-free with the STR below on both my machines (AMD Ryzen 5 PRO 4650G and Intel i5-1035G1) on Windows 10.

Steps to Reproduce (Firefox ASan on Windows 10):

  1. Open PowerShell or Command Prompt
  2. Run python3 -m pip install ffpuppet to install FFPuppet
  3. Run cd to the Firefox ASan directory path (i.e. cd C:\tmp\m-c-20210725212334-asan-opt)
  4. Run python3 -m ffpuppet firefox.exe
  5. Visit attached recordedfillglyphs-asan-doublefree.html
  6. After a few seconds, close the tab.
  7. Firefox will go blank for a few seconds, then exit with an ASan double-free (from FFPuppet logs)

If Firefox doesn't shut down after closing the tab, try revisiting the testcase and trying again a few times, or watch the attached video below.

Flags: needinfo?(susah.yak)

It turns out that by embedding the testcase in an iFrame, the double-free can be triggered just by reloading the page with Fission enabled.

Steps to Reproduce:

  1. Enable Fission (Site Isolation) and Restart Firefox
  2. Visit attached recordedfillglyphs-iframe.html
  3. After a few seconds, reload the page
  4. Firefox will go blank for a few seconds
  5. Go to about:crashes
  6. A new Report ID has been added to Unsubmitted Crash Reports

Steps to Reproduce (ASan with FFPuppet)

  1. Open PowerShell or Command Prompt
  2. Run cd into the ASan directory (i.e. cd C:\tmp\m-c-20210725212334-asan-opt)
  3. Create prefs.js file with content user_pref("fission.autostart", true);
  4. Run python3 -m ffpuppet -p prefs.js firefox.exe
  5. Visit attached recordedfillglyphs-iframe.html
  6. After a few seconds, reload the page
  7. Firefox will go blank for a few seconds, then exit with an ASan double-free (from FFPuppet logs)

If Firefox doesn't go blank for a second, try reloading the page a few times.

Attached file prefs.js

Looks like this is a repro for bug 1715051.
I'll see if I can find out what's going on.

(In reply to Bob Owen (:bobowen) from comment #9)

Looks like this is a repro for bug 1715051.
I'll see if I can find out what's going on.

Actually this is different, but very similar code.
The STR gave me something similar to bug 1715051 though.

This is the same as bug 1715051, which because of optimisation looks like it was crashing in ~RecordedFontData, but was actually crashing in ~RecordedFillGlyphs same as this bug.

This is because in RecordedFillGlyphs::RecordedFillGlyphs(S& aStream) we don't initialise mGlyphs, so if we fail (stream is bad) before that point we try to delete something that we shouldn't.

Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
Severity: -- → S2
Priority: -- → P1
Crash Signature: [@ arena_t::DallocSmall | je_free | mozilla::gfx::RecordedEvent::DoWithEvent<T>]
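The mechanism described in the comment above (a stream-deserialising constructor that bails out on a bad stream before it ever assigns the glyph pointer, followed by a destructor that unconditionally delete[]s that pointer) can be shown in a few lines. The following is an added illustration written for this page, not Gecko's RecordedFillGlyphs or any code from the patch; the ByteStream, Glyph and RecordedFillGlyphsLike names, the 1<<20 sanity bound and the serialised layout are all assumptions. The Glyph struct is 12 bytes, the same size as the region in the ASan report above, but that is only a coincidence of layout and not evidence about the real type. The class is written in the fixed form (in-class initialisers); the vulnerable declaration is shown in a comment because actually running it would free an uninitialised pointer.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <vector>

// Constructed stand-in for the recording stream: a bounded byte buffer whose
// Read() sets good=false instead of reading past the end.
struct ByteStream {
  const uint8_t* data;
  size_t size;
  size_t pos = 0;
  bool good = true;

  template <typename T>
  void Read(T& out) {
    if (!good || sizeof(T) > size - pos) {
      good = false;
      return;
    }
    std::memcpy(&out, data + pos, sizeof(T));
    pos += sizeof(T);
  }
};

// 12-byte glyph record: glyph index plus an x/y position (assumed layout).
struct Glyph {
  uint32_t index;
  float x;
  float y;
};

static const uint32_t kMaxGlyphs = 1u << 20;  // assumed sanity bound on the count

class RecordedFillGlyphsLike {
 public:
  explicit RecordedFillGlyphsLike(ByteStream& s) {
    s.Read(mNumGlyphs);
    if (!s.good || mNumGlyphs > kMaxGlyphs) {
      // Early exit on a bad stream: mGlyphs has NOT been assigned on this path.
      // With the vulnerable declaration `Glyph* mGlyphs;` (no initialiser) the
      // destructor below would delete[] whatever stale value sat in that slot,
      // e.g. a pointer left behind by an earlier event: a double free.
      mIsValid = false;
      return;
    }
    mGlyphs = new Glyph[mNumGlyphs];
    for (uint32_t i = 0; i < mNumGlyphs; ++i) {
      s.Read(mGlyphs[i]);
      if (!s.good) {
        mIsValid = false;  // mGlyphs is owned here and is freed exactly once
        return;
      }
    }
  }
  ~RecordedFillGlyphsLike() { delete[] mGlyphs; }  // delete[] nullptr is a no-op

  RecordedFillGlyphsLike(const RecordedFillGlyphsLike&) = delete;
  RecordedFillGlyphsLike& operator=(const RecordedFillGlyphsLike&) = delete;

  bool IsValid() const { return mIsValid; }
  uint32_t NumGlyphs() const { return mNumGlyphs; }

 private:
  // The fix: in-class initialisers, so every exit path out of the constructor
  // leaves the object in a state the destructor can handle.
  uint32_t mNumGlyphs = 0;
  Glyph* mGlyphs = nullptr;
  bool mIsValid = true;
};

// Serialise a glyph list in the wire layout the constructor expects
// (uint32 count followed by count Glyph records). Constructed test input.
std::vector<uint8_t> BuildRecord(const std::vector<Glyph>& glyphs) {
  std::vector<uint8_t> out(sizeof(uint32_t) + glyphs.size() * sizeof(Glyph));
  uint32_t n = static_cast<uint32_t>(glyphs.size());
  std::memcpy(out.data(), &n, sizeof(n));
  if (!glyphs.empty()) {
    std::memcpy(out.data() + sizeof(n), glyphs.data(),
                glyphs.size() * sizeof(Glyph));
  }
  return out;
}

// Translate one record; returns the glyph count, or -1 if the stream was bad.
// The event is destroyed on every path, which is exactly where the
// uninitialised pointer used to be freed.
int TranslateRecord(const uint8_t* data, size_t size) {
  ByteStream s{data, size};
  RecordedFillGlyphsLike ev(s);
  return ev.IsValid() ? static_cast<int>(ev.NumGlyphs()) : -1;
}
```

The truncated-stream cases are the ones that matter: a recording cut off before the count, cut off in the middle of the glyph array, or carrying an absurd count all take the early-return path, and the destructor must be safe on each of them. The count bound is an extra caveat not taken from the bug: without it a hostile count turns the early-out into an oversized allocation instead.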

Comment on attachment 9233354 [details]
Bug 1722204: Fix clean up of some RecordedEvents on failure. r=lsalzman!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: We are not aware of a known exploit, however it is fairly obvious from the patch that the issue is with uninitialised pointers.
    This instance of the code for canvas runs in the GPU process as do others and the printing code uses this in the parent process.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Pretty unlikely, it is just simple pointer initialisation.
Attachment #9233354 - Flags: sec-approval?

Changed status-firefox-esr78 to affected because of printing code.
Although it's not clear how you might trigger this via printing, having a compromised content process would probably help.
You should still need interaction from the user like for other potential attacks via printing.

Ryan: is it too late to get this safely into 91.0? The patch is straightforward and safe (initializing some variables).

Flags: needinfo?(ryanvm)

(In reply to Daniel Veditz [:dveditz] from comment #16)

Ryan: is it too late to get this safely into 91.0? The patch is straightforward and safe (initializing some variables).

Yeah, we have time still.

Flags: needinfo?(ryanvm)

cc-ing some fission folk

Comment on attachment 9233354 [details]
Bug 1722204: Fix clean up of some RecordedEvents on failure. r=lsalzman!

Approved to land and uplift

Attachment #9233354 - Flags: sec-approval? → sec-approval+

Comment on attachment 9233354 [details]
Bug 1722204: Fix clean up of some RecordedEvents on failure. r=lsalzman!

Beta/Release Uplift Approval Request

  • User impact if declined: Potentially dangerous GPU process crash.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See comment 7.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple pointer initialization.
  • String changes made/needed: None
Attachment #9233354 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9233354 [details]
Bug 1722204: Fix clean up of some RecordedEvents on failure. r=lsalzman!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high bug.
  • User impact if declined: Potentially dangerous GPU process crash.
  • Fix Landed on Version: 92
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple pointer initialization.
  • String or UUID changes made by this patch: None
Attachment #9233354 - Flags: approval-mozilla-esr91?
Attachment #9233354 - Flags: approval-mozilla-esr78?
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch

Comment on attachment 9233354 [details]
Bug 1722204: Fix clean up of some RecordedEvents on failure. r=lsalzman!

Approved for uplift on the beta branch before Monday's beta to release merge.

Attachment #9233354 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]

Comment on attachment 9233354 [details]
Bug 1722204: Fix clean up of some RecordedEvents on failure. r=lsalzman!

Approved for 78.13esr. It'll make ESR91 by way of the Beta uplift already done.

Attachment #9233354 - Flags: approval-mozilla-esr91?
Attachment #9233354 - Flags: approval-mozilla-esr78?
Attachment #9233354 - Flags: approval-mozilla-esr78+
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][qa-triaged]

I was able to reproduce the issue on Firefox 92.0a1 (2021-07-24) under Windows 10 by following the STR from Comment 7.

The issue is fixed on Firefox 91.0b9 and Firefox 92.0a1 (2021-08-01) on the same machine. Couldn't verify the fix on 78.13.0esr as the fission pref is locked.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty? → sec-bounty+

Setting keyword based on affected process.

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(bobowencode)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]
Flags: needinfo?(bobowencode)
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main90+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main90+] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main91+]
Attached file advisory.txt (obsolete) —
Alias: CVE-2021-29980
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main91+] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main91+][adv-esr78.13+]
Attached file advisory.txt
Attachment #9235119 - Attachment is obsolete: true
Group: core-security-release