Closed Bug 1732373 Opened 3 years ago Closed 2 years ago

[macOS 12] UAF crash in [@ CGFontCopyTableTags ]

Categories

(Core :: Graphics: Text, defect, P2)

Unspecified
macOS
defect

Tracking


RESOLVED WORKSFORME

People

(Reporter: smichaud, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high)

Crash Data

bp-8a413372-e37f-4d78-8279-3cf070210922

    Crashing Thread (123), Name: Font Loader
    0  CoreGraphics  CGFontCopyTableTags   context
    1  CoreText  TBaseFont::HasTable(unsigned int) const   frame_pointer
    2  CoreText  TFont::SetOpticalSize(__CTFontDescriptor const*, CGFont*)   frame_pointer
    3  CoreText  TFont::FinishConstruction(__CTFontDescriptor const*, CGFont*)   frame_pointer
    4  CoreText  TFont::TFont(__CTFontDescriptor const*, double, CGAffineTransform const*, __CTFontDescriptor const*)   frame_pointer
    5  CoreText  TCFRef<CTFont*> TCFBase_NEW<CTFont, __CTFontDescriptor const*, double&, CGAffineTransform const*&, __CTFontDescriptor const*&>(__CTFontDescriptor const*, double&, CGAffineTransform const*&, __CTFontDescriptor const*&)   frame_pointer
    6  CoreText  CTFontCreateWithFontDescriptor   frame_pointer
    7  XUL  MacFontInfo::LoadFontFamilyData(nsTSubstring<char> const&)  gfx/thebes/gfxMacPlatformFontList.mm:1665  frame_pointer
    8  XUL  FontInfoData::Load()  gfx/thebes/gfxFontInfoLoader.cpp:33  frame_pointer
    9  XUL  MacFontInfo::Load()  gfx/thebes/gfxMacPlatformFontList.mm:1632  frame_pointer
    10  XUL  AsyncFontInfoLoader::Run()  gfx/thebes/gfxFontInfoLoader.cpp:106  frame_pointer
    11  XUL  nsThread::ProcessNextEvent(bool, bool*)  xpcom/threads/nsThread.cpp:1142  frame_pointer
    12  XUL  mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)  ipc/glue/MessagePump.cpp:300  frame_pointer
    13  XUL  MessageLoop::Run()  ipc/chromium/src/base/message_loop.cc:306  frame_pointer
    14  XUL  nsThread::ThreadFunc(void*)  xpcom/threads/nsThread.cpp:390  frame_pointer
    15  libnss3.dylib  _pt_root  nsprpub/pr/src/pthreads/ptthread.c:201  frame_pointer
    16  libsystem_pthread.dylib  _pthread_start   frame_pointer

These have started appearing in macOS 12 betas 6 (build 21A5506j) and 7 (build 21A5304g).

These are UAFs: Some of their addresses contain sequences of 0xe5 characters (what's used by jemalloc to poison freed memory). And in all reports, some of their registers (under Raw Data and Minidumps) also contain these sequences.
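The heuristic in the comment above (0xe5 runs in faulting addresses and register values point at a read from jemalloc-poisoned, already-freed memory) is easy to turn into a small triage check. The following is an added example written for this page, not Mozilla's, jemalloc's or Apple's code. It models the free-then-read on a constructed `font_record` struct and then runs the poison check over constructed sample register values; the 0xe5 byte is the value the comment cites, while the run-length threshold, the struct layout and the sample values are assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte jemalloc writes over freed allocations in poisoning builds, as the
 * report above notes (0xe5). The run-length threshold is an assumption made
 * for this example, not something the bug states. */
#define POISON_BYTE 0xe5u
#define POISON_RUN_THRESHOLD 4

/* Longest run of consecutive POISON_BYTE bytes inside a 64-bit value,
 * scanned from the least significant byte upward. */
int poison_run_length(uint64_t v) {
    int best = 0, cur = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t b = (uint8_t)(v >> (8 * i));
        if (b == POISON_BYTE) {
            cur++;
            if (cur > best) best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* A register or faulting address carrying a long 0xe5 run was almost
 * certainly loaded from memory that had already been freed. */
bool looks_like_freed_memory(uint64_t v) {
    return poison_run_length(v) >= POISON_RUN_THRESHOLD;
}

/* Stand-in for jemalloc's free-time poisoning: overwrite the block. */
static void poison_free(void *p, size_t n) {
    memset(p, POISON_BYTE, n);
}

/* Hypothetical object, constructed for this example: a font record holding a
 * pointer to its table-tag array, the kind of field a HasTable() walk reads. */
struct font_record {
    uint64_t table_tags_ptr;
    uint32_t table_count;
};

/* Model of the bug class: the record is released (poisoned), then a stale
 * reference reads its pointer field. The value that comes back is what a
 * caller like CGFontCopyTableTags would then try to dereference. */
uint64_t stale_table_pointer(void) {
    struct font_record rec = { .table_tags_ptr = 0x00007ff8a1b2c000ULL, .table_count = 12 };
    poison_free(&rec, sizeof rec);   /* "free": memory poisoned */
    return rec.table_tags_ptr;        /* use-after-free read */
}

/* Constructed sample register values (not taken from the crash report). */
const uint64_t sample_regs[] = {
    0x00007ff8a1b2c3d0ULL,   /* ordinary heap/code pointer */
    0xe5e5e5e5e5e5e5e5ULL,   /* entirely poisoned: field of a freed object */
    0x0000e5e5e5e5e5e5ULL,   /* 48-bit pointer-sized poison run */
    0x00000000000000e5ULL,   /* a single 0xe5 byte: coincidence, not evidence */
};
#define SAMPLE_REG_COUNT (sizeof sample_regs / sizeof sample_regs[0])

/* Triage pass: how many of the given registers look poisoned. */
int count_poisoned(const uint64_t *regs, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (looks_like_freed_memory(regs[i])) hits++;
    return hits;
}

int main(void) {
    uint64_t stale = stale_table_pointer();
    printf("stale pointer: 0x%016llx (poison run=%d)\n",
           (unsigned long long)stale, poison_run_length(stale));
    for (size_t i = 0; i < SAMPLE_REG_COUNT; i++)
        printf("0x%016llx -> %s\n", (unsigned long long)sample_regs[i],
               looks_like_freed_memory(sample_regs[i]) ? "poisoned" : "clean");
    printf("%d of %zu registers look poisoned\n",
           count_poisoned(sample_regs, SAMPLE_REG_COUNT), (size_t)SAMPLE_REG_COUNT);
    return 0;
}
```

The threshold matters: a lone 0xe5 byte appears in ordinary data often enough that it says nothing, whereas four or more consecutive poison bytes in a pointer-sized register are hard to explain any other way. When applying this to a real minidump, run it over the crashing thread's general-purpose registers and the faulting address, not just the instruction pointer.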

Blocks: monterey
Group: core-security → gfx-core-security
Blocks: gfx-triage

Steven, can you reproduce this?

Flags: needinfo?(smichaud)

No, I can't.

At some point I may try to use HookCase to dig further here -- by figuring out what kind(s) of objects are used after being freed, and examining their life cycles. But that's very time consuming, and there's no guarantee I'll find anything actionable.

Flags: needinfo?(smichaud)

(In reply to Steven Michaud [:smichaud] (Retired) from comment #2)

No, I can't.

Did you run into it locally? Or did you find the crash in crash stats?

Flags: needinfo?(smichaud)

Did you run into it locally? Or did you find the crash in crash stats?

I found it in crash stats.

I sometimes look through the Mac topcrashers for bugs others have missed, or which I find interesting. This one is interesting because it seems to be a continuation on macOS 12 of bug 1680458 (which is specific to macOS 11).

Flags: needinfo?(smichaud)
Crash Signature: [@ CGFontCopyTableTags ]

The severity field is not set for this bug.
:lsalzman, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)
Severity: -- → S3
Flags: needinfo?(lsalzman)
Flags: needinfo?(jmuizelaar)
Depends on: 1738391
No longer blocks: gfx-triage

We're sorting out ways to get some font information in crash reports. Once we have that sorted hopefully we'll have information to help diagnose the issue.

Blocks: gfx-triage
No longer depends on: 1738391
Depends on: 1744135
Assignee: nobody → jmathies
Flags: needinfo?(jmuizelaar)

Low volume, appears to happen only in late beta in 96 too, which is interesting. Waiting on newer crash reports. Also may have gotten fixed in MacOS. TBD.

No longer blocks: gfx-triage

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:jimm, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)

These crashes do seem to have disappeared as of macOS 12.1 (build 21C52):

They're rare, but I do see some 12.1/12.2/12.3 crashes more recently: 13 out of 641 in the last 3 months (2%). At that frequency there should have been about 6 crashes in your comment 8 search. That's a small number and it might be just chance we didn't see any, maybe we started doing something differently, or maybe enough more people have upgraded to 12.x that we're seeing it more. Overall we appear to be crashing this way less often in the last 4-6 weeks, with 302 crashes in the mostly-December month covered in comment 8 and only 185 in the past month.

I just reran my search from comment 8, from today back to six months prior. I see 6 crashes on macOS 12.1 and 5 crashes on macOS 12.2.1 that I didn't see earlier, but none on macOS 12.3. And even now I see a much larger number of crashes (237) on 12.0.1.

https://crash-stats.mozilla.org/search/?proto_signature=~CTFontCreateWithFontDescriptor&platform=Mac%20OS%20X&date=%3E%3D2021-09-29T03%3A14%3A00.000Z&date=%3C2022-03-29T03%3A14%3A00.000Z&_facets=signature&_facets=platform_version&_facets=proto_signature&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-platform_version

So I suspect Apple did make some changes in macOS 12.1, though they may not have actually fixed this bug. I doubt that Mozilla changes have made any difference here. These crashes are too low level, and are still happening (under a slightly different signature) on macOS 11 (see bug 1680458).

They're rare, but I do see some 12.1/12.2/12.3 crashes more recently: 13 out of 641 in the last 3 months (2%).

Your results are slightly different from mine. Did you do a different kind of search? If so, how was it different?

Currently waiting on confirmation.

Flags: needinfo?(jmathies)

Your results are slightly different from mine. Did you do a different kind of search? If so, how was it different?

I'm using the links in your comments. At most I've updated the date ranges using the supplied presets (6 months, 3 months, etc). I might be able to see some protected fields you can't (crashing URL, Comments, that kind of thing) but that should not affect which bugs are found unless they're one of the search terms (and they aren't in this case).

I just now clicked your link in comment 11 and it included this macOS 12.3.0 21E230 crash in Firefox 98.0.1. I can't explain different search results.

And if I limit my search to this bug's signature exactly, I don't get any crashes on macOS versions later than 12.0.1:

same

Assignee: jmathies → nobody
Priority: -- → P2

I don't think we have enough crash volume here to justify further investigation. I suggest we close this or at least mark it as stalled.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Group: gfx-core-security