access-violation on unknown address in mozilla::gfx::RecordedPathCreation
Categories: Core :: Graphics, defect
People: Reporter: bo13oy, Unassigned
Keywords: crash, reporter-external, testcase-wanted
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Tested Version: Windows 10 Pro 21H2 x64, 32G memory, Firefox 102.0 (64-bit) (win64-fuzzing-asan-opt).
There is no way to reproduce the vulnerability and I temporarily cannot provide PoC samples. I feel that this is a race condition vulnerability; the conditions for triggering it are demanding. The crash report is as follows:
=================================================================
==55068==ERROR: AddressSanitizer: access-violation on unknown address 0x050dd79fc0b8 (pc 0x7ffecacf934c bp 0x00df6edfb970 sp 0x00df6edfb560 T41)
==55068==The signal is caused by a READ memory access.
#0 0x7ffecacf934b in mozilla::gfx::DrawTargetD2D1::CreatePathBuilder /builds/worker/checkouts/gecko/gfx/2d/DrawTargetD2D1.cpp:1185
#1 0x7ffecad96656 in mozilla::gfx::RecordedPathCreation::PlayEvent /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2976
#2 0x7ffecb389d54 in std::_Func_impl_no_alloc<`lambda at /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:249:9',bool,mozilla::gfx::RecordedEvent *>::_Do_call+0x1b4 (D:\fuzzer\firefox_asan\client\browsers\firefox\xul.dll+0x1830c9d54)
#3 0x7ffecaeec8c2 in mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::EventRingBuffer> /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:4053
#4 0x7ffecb33a69a in mozilla::layers::CanvasTranslator::TranslateRecording /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:247
#5 0x7ffecb33a02a in mozilla::layers::CanvasTranslator::StartTranslation /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:170
#6 0x7ffec8cd276a in mozilla::detail::RunnableMethodImpl<nsMemoryReporterManager ,nsresult (nsMemoryReporterManager::)(),1,mozilla::RunnableKind::Standard>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200
#7 0x7ffec8e7d996 in mozilla::TaskQueue::Runner::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259
#8 0x7ffec8eb4863 in nsThreadPool::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:310
#9 0x7ffec8ea26f6 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1174
#10 0x7ffec8eb086c in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
#11 0x7ffeca4705ee in mozilla::ipc::MessagePumpForNonMainThreads::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
#12 0x7ffeca38e175 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373
#13 0x7ffeca38df45 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355
#14 0x7ffec8e9958f in nsThread::ThreadFunc /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:378
#15 0x7fff014696ad in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
#16 0x7fff01441a3b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
#17 0x7fff36d21bb1 in configthreadlocale+0x91 (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
#18 0x7fff01849d93 in __asan::AsanThread::ThreadStart /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
#19 0x7fff381f7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#20 0x7fff07d36cb7 in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:572
#21 0x7fff395c2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: access-violation /builds/worker/checkouts/gecko/gfx/2d/DrawTargetD2D1.cpp:1185 in mozilla::gfx::DrawTargetD2D1::CreatePathBuilder
Thread T41 created by T4 here:
#0 0x7fff0184af32 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
#1 0x7fff36d21896 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x180021896)
#2 0x7fff0144186d in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
#3 0x7fff0146a46a in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
#4 0x7fff0146ac03 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
#5 0x7fff01460aff in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
#6 0x7ffec8e9c4a1 in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:604
#7 0x7ffec8eadd18 in nsThreadManager::NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:533
#8 0x7ffec8eb9ccc in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161
#9 0x7ffec8eb314f in nsThreadPool::PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:123
#10 0x7ffec8eb5e39 in nsThreadPool::Dispatch /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:362
#11 0x7ffec8e6a97a in mozilla::SharedThreadPool::Dispatch /builds/worker/workspace/obj-build/dist/include/mozilla/SharedThreadPool.h:72
#12 0x7ffec8e7b0ec in mozilla::TaskQueue::DispatchLocked /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:122
#13 0x7ffecb339df8 in mozilla::layers::CanvasTranslator::RecvResumeTranslation /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:162
#14 0x7ffecb3388dd in mozilla::layers::CanvasTranslator::RecvInitTranslator /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:153
#15 0x7ffecb0f9f7d in mozilla::layers::PCanvasParent::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasParent.cpp:189
#16 0x7ffeca4665e2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1781
#17 0x7ffeca463b66 in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1706
#18 0x7ffeca464c4d in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1506
#19 0x7ffeca4653c6 in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1604
#20 0x7ffec8e7d996 in mozilla::TaskQueue::Runner::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259
#21 0x7ffec8eb4863 in nsThreadPool::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:310
#22 0x7ffec8ea26f6 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1174
#23 0x7ffec8eb086c in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
#24 0x7ffeca4705ee in mozilla::ipc::MessagePumpForNonMainThreads::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
#25 0x7ffeca38e175 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373
#26 0x7ffeca38df45 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355
#27 0x7ffec8e9958f in nsThread::ThreadFunc /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:378
#28 0x7fff014696ad in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
#29 0x7fff01441a3b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
#30 0x7fff36d21bb1 in configthreadlocale+0x91 (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
#31 0x7fff01849d93 in __asan::AsanThread::ThreadStart /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
#32 0x7fff381f7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#33 0x7fff07d36cb7 in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:572
#34 0x7fff395c2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
Thread T4 created by T0 here:
#0 0x7fff0184af32 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
#1 0x7fff36d21896 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x180021896)
#2 0x7fff0144186d in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
#3 0x7fff0146a46a in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
#4 0x7fff0146ac03 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
#5 0x7fff01460aff in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
#6 0x7ffec8e9c4a1 in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:604
#7 0x7ffec8eadd18 in nsThreadManager::NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:533
#8 0x7ffec8eb9ccc in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161
#9 0x7ffec8eb314f in nsThreadPool::PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:123
#10 0x7ffec8eb5e39 in nsThreadPool::Dispatch /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:362
#11 0x7ffec8ea8147 in BackgroundEventTarget::Dispatch /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:161
#12 0x7ffec8ebbc15 in NS_DispatchBackgroundTask /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:504
#13 0x7ffed2421f17 in mozilla::crashreporter::LSPAnnotate /builds/worker/checkouts/gecko/widget/windows/LSPAnnotator.cpp:131
#14 0x7ffed24725d3 in nsAppShell::Init /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:502
#15 0x7ffed23a2d1f in nsWidgetWindowsModuleCtor /builds/worker/checkouts/gecko/widget/windows/nsWidgetFactory.cpp:49
#16 0x7ffec8dfabb3 in mozilla::xpcom::CreateInstanceImpl /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9842
#17 0x7ffec8e46078 in nsComponentManagerImpl::GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1283
#18 0x7ffec8e452f8 in nsComponentManagerImpl::GetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1337
#19 0x7ffec8e4f10e in nsGetServiceByCID::operator() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:217
#20 0x7ffec8c68ed3 in nsCOMPtr_base::assign_from_gs_cid /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:64
#21 0x7ffed6820d49 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:832
#22 0x7ffeca38e175 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373
#23 0x7ffeca38df45 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355
#24 0x7ffed68201be in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:734
#25 0x7ff7aa552578 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:338
#26 0x7ff7aa5517bf in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
#27 0x7ff7aa647eb7 in __scrt_common_main_seh d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#28 0x7fff381f7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#29 0x7fff395c2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
==55068==ABORTING
=================================================================
==10052==ERROR: AddressSanitizer: access-violation on unknown address 0x04099995280a (pc 0x7fff01840282 bp 0x0098773fb190 sp 0x0098773fb0b0 T41)
==10052==The signal is caused by a READ memory access.
#0 0x7fff01840281 in __asan_region_is_poisoned /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_poisoning.cpp:191
#1 0x7fff01839ac5 in __asan_wrap_memset /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:799
#2 0x7fff3957a1ae in RtlCreateTimer+0x45e (C:\Windows\SYSTEM32\ntdll.dll+0x18000a1ae)
#3 0x7fff3959bf5d in RtlAllocateHeap+0x15bd (C:\Windows\SYSTEM32\ntdll.dll+0x18002bf5d)
#4 0x7fff3959b3c6 in RtlAllocateHeap+0xa26 (C:\Windows\SYSTEM32\ntdll.dll+0x18002b3c6)
#5 0x7fff377f9d3f in malloc+0x6f (C:\Windows\System32\msvcrt.dll+0x110119d3f)
#6 0x7fff3342965e in D2D1MakeRotateMatrix+0x141e (C:\Windows\SYSTEM32\d2d1.dll+0x1800d965e)
#7 0x7fff33429c19 in D2D1MakeRotateMatrix+0x19d9 (C:\Windows\SYSTEM32\d2d1.dll+0x1800d9c19)
#8 0x7fff333ab773 (C:\Windows\SYSTEM32\d2d1.dll+0x18005b773)
#9 0x7fff333ab4f9 (C:\Windows\SYSTEM32\d2d1.dll+0x18005b4f9)
#10 0x7ffecadbc98c in mozilla::gfx::PathBuilderD2D::MoveTo /builds/worker/checkouts/gecko/gfx/2d/PathD2D.cpp:101
#11 0x7ffecaed69a0 in mozilla::gfx::PathOps::StreamToSink /builds/worker/checkouts/gecko/gfx/2d/PathRecording.cpp:31
#12 0x7ffecad9669e in mozilla::gfx::RecordedPathCreation::PlayEvent /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2977
#13 0x7ffecb389d54 in std::_Func_impl_no_alloc<`lambda at /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:249:9',bool,mozilla::gfx::RecordedEvent *>::_Do_call+0x1b4 (D:\fuzzer\firefox_asan\client\browsers\firefox\xul.dll+0x1830c9d54)
#14 0x7ffecaeec8c2 in mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::EventRingBuffer> /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:4053
#15 0x7ffecb33a69a in mozilla::layers::CanvasTranslator::TranslateRecording /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:247
#16 0x7ffecb33a02a in mozilla::layers::CanvasTranslator::StartTranslation /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:170
#17 0x7ffec8cd276a in mozilla::detail::RunnableMethodImpl<nsMemoryReporterManager ,nsresult (nsMemoryReporterManager::)(),1,mozilla::RunnableKind::Standard>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200
#18 0x7ffec8e7d996 in mozilla::TaskQueue::Runner::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259
#19 0x7ffec8eb4863 in nsThreadPool::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:310
#20 0x7ffec8ea26f6 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1174
#21 0x7ffec8eb086c in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
#22 0x7ffeca4705ee in mozilla::ipc::MessagePumpForNonMainThreads::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
#23 0x7ffeca38e175 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373
#24 0x7ffeca38df45 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355
#25 0x7ffec8e9958f in nsThread::ThreadFunc /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:378
#26 0x7fff014696ad in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
#27 0x7fff01441a3b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
#28 0x7fff36d21bb1 in configthreadlocale+0x91 (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
#29 0x7fff01849d93 in __asan::AsanThread::ThreadStart /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
#30 0x7fff381f7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#31 0x7fff07d36cb7 in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:572
#32 0x7fff395c2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: access-violation /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_poisoning.cpp:191 in __asan_region_is_poisoned
Thread T41 created by T4 here:
#0 0x7fff0184af32 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
#1 0x7fff36d21896 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x180021896)
#2 0x7fff0144186d in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
#3 0x7fff0146a46a in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
#4 0x7fff0146ac03 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
#5 0x7fff01460aff in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
#6 0x7ffec8e9c4a1 in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:604
#7 0x7ffec8eadd18 in nsThreadManager::NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:533
#8 0x7ffec8eb9ccc in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161
#9 0x7ffec8eb314f in nsThreadPool::PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:123
#10 0x7ffec8eb5e39 in nsThreadPool::Dispatch /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:362
#11 0x7ffec8e6a97a in mozilla::SharedThreadPool::Dispatch /builds/worker/workspace/obj-build/dist/include/mozilla/SharedThreadPool.h:72
#12 0x7ffec8e7b0ec in mozilla::TaskQueue::DispatchLocked /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:122
#13 0x7ffecb339df8 in mozilla::layers::CanvasTranslator::RecvResumeTranslation /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:162
#14 0x7ffecb3388dd in mozilla::layers::CanvasTranslator::RecvInitTranslator /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:153
#15 0x7ffecb0f9f7d in mozilla::layers::PCanvasParent::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasParent.cpp:189
#16 0x7ffeca4665e2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1781
#17 0x7ffeca463b66 in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1706
#18 0x7ffeca464c4d in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1506
#19 0x7ffeca4653c6 in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1604
#20 0x7ffec8e7d996 in mozilla::TaskQueue::Runner::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259
#21 0x7ffec8eb4863 in nsThreadPool::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:310
#22 0x7ffec8ea26f6 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1174
#23 0x7ffec8eb086c in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
#24 0x7ffeca4705ee in mozilla::ipc::MessagePumpForNonMainThreads::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
#25 0x7ffeca38e175 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373
#26 0x7ffeca38df45 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355
#27 0x7ffec8e9958f in nsThread::ThreadFunc /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:378
#28 0x7fff014696ad in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
#29 0x7fff01441a3b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
#30 0x7fff36d21bb1 in configthreadlocale+0x91 (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
#31 0x7fff01849d93 in __asan::AsanThread::ThreadStart /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
#32 0x7fff381f7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#33 0x7fff07d36cb7 in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:572
#34 0x7fff395c2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
Thread T4 created by T0 here:
#0 0x7fff0184af32 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
#1 0x7fff36d21896 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x180021896)
#2 0x7fff0144186d in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
#3 0x7fff0146a46a in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
#4 0x7fff0146ac03 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
#5 0x7fff01460aff in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
#6 0x7ffec8e9c4a1 in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:604
#7 0x7ffec8eadd18 in nsThreadManager::NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:533
#8 0x7ffec8eb9ccc in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161
#9 0x7ffec8eb314f in nsThreadPool::PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:123
#10 0x7ffec8eb5e39 in nsThreadPool::Dispatch /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:362
#11 0x7ffec8ea8147 in BackgroundEventTarget::Dispatch /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:161
#12 0x7ffec8ebbc15 in NS_DispatchBackgroundTask /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:504
#13 0x7ffed2421f17 in mozilla::crashreporter::LSPAnnotate /builds/worker/checkouts/gecko/widget/windows/LSPAnnotator.cpp:131
#14 0x7ffed24725d3 in nsAppShell::Init /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:502
#15 0x7ffed23a2d1f in nsWidgetWindowsModuleCtor /builds/worker/checkouts/gecko/widget/windows/nsWidgetFactory.cpp:49
#16 0x7ffec8dfabb3 in mozilla::xpcom::CreateInstanceImpl /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9842
#17 0x7ffec8e46078 in nsComponentManagerImpl::GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1283
#18 0x7ffec8e452f8 in nsComponentManagerImpl::GetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1337
#19 0x7ffec8e4f10e in nsGetServiceByCID::operator() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:217
#20 0x7ffec8c68ed3 in nsCOMPtr_base::assign_from_gs_cid /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:64
#21 0x7ffed6820d49 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:832
#22 0x7ffeca38e175 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373
#23 0x7ffeca38df45 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355
#24 0x7ffed68201be in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:734
#25 0x7ff7aa552578 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:338
#26 0x7ff7aa5517bf in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
#27 0x7ff7aa647eb7 in __scrt_common_main_seh d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#28 0x7fff381f7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#29 0x7fff395c2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
==10052==ABORTING
This vuln is discovered by bo13oy of Cyber Kunlun Lab.
Thanks.
Because I have multiple fuzzing instances on one machine, I feel the vulnerability is caused by not handling OOM correctly.
Comment 2•3 years ago
The second crash looks like a problem in ASAN itself.
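As an added example (my own triage script, not code from the report, from Mozilla, or from the reporter's fuzzer), the following parses ASan reports like the two above and records what the comment above points out: in the second report frame #0 is inside the ASan runtime itself (asan_poisoning.cpp), while the first Gecko frame on both stacks lies on the same RecordedPathCreation::PlayEvent / CanvasTranslator::TranslateRecording path. The embedded input is a shortened excerpt of the two reports; the bucketing rules (sanitizer / gecko / module) are my assumption, not part of ASan.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shortened excerpts of the two AddressSanitizer reports in this bug: the values are the reports' own.
REPORT_1 = r"""
==55068==ERROR: AddressSanitizer: access-violation on unknown address 0x050dd79fc0b8 (pc 0x7ffecacf934c bp 0x00df6edfb970 sp 0x00df6edfb560 T41)
==55068==The signal is caused by a READ memory access.
    #0 0x7ffecacf934b in mozilla::gfx::DrawTargetD2D1::CreatePathBuilder /builds/worker/checkouts/gecko/gfx/2d/DrawTargetD2D1.cpp:1185
    #1 0x7ffecad96656 in mozilla::gfx::RecordedPathCreation::PlayEvent /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2976
    #2 0x7ffecb389d54 in std::_Func_impl_no_alloc<`lambda at /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:249:9',bool,mozilla::gfx::RecordedEvent *>::_Do_call+0x1b4 (D:\fuzzer\firefox_asan\client\browsers\firefox\xul.dll+0x1830c9d54)
    #4 0x7ffecb33a69a in mozilla::layers::CanvasTranslator::TranslateRecording /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:247
"""
REPORT_2 = r"""
==10052==ERROR: AddressSanitizer: access-violation on unknown address 0x04099995280a (pc 0x7fff01840282 bp 0x0098773fb190 sp 0x0098773fb0b0 T41)
==10052==The signal is caused by a READ memory access.
    #0 0x7fff01840281 in __asan_region_is_poisoned /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_poisoning.cpp:191
    #1 0x7fff01839ac5 in __asan_wrap_memset /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:799
    #3 0x7fff3959bf5d in RtlAllocateHeap+0x15bd (C:\Windows\SYSTEM32\ntdll.dll+0x18002bf5d)
    #8 0x7fff333ab773 (C:\Windows\SYSTEM32\d2d1.dll+0x18005b773)
    #10 0x7ffecadbc98c in mozilla::gfx::PathBuilderD2D::MoveTo /builds/worker/checkouts/gecko/gfx/2d/PathD2D.cpp:101
    #12 0x7ffecad9669e in mozilla::gfx::RecordedPathCreation::PlayEvent /builds/worker/checkouts/gecko/gfx/2d/RecordedEventImpl.h:2977
    #15 0x7ffecb33a69a in mozilla::layers::CanvasTranslator::TranslateRecording /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasTranslator.cpp:247
SUMMARY: AddressSanitizer: access-violation /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_poisoning.cpp:191 in __asan_region_is_poisoned
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address "
                       r"(0x[0-9a-f]+).*\b(T\d+)\)\s*$")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (READ|WRITE) memory access\.")
# "#N 0xADDR in FUNC LOCATION" or "#N 0xADDR (module+offset)". FUNC may contain
# spaces (template arguments), so LOCATION is the last whitespace-separated token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(.*)\s+)?(\S+)\s*$")
SANITIZER_PATHS = ("compiler-rt/lib/asan", "sanitizer_common")

@dataclass
class Frame:
    index: int
    function: Optional[str]  # None for unsymbolised frames such as d2d1.dll+offset
    location: str
    def bucket(self) -> str:
        """Coarse origin: ASan runtime, Gecko source, or an opaque module (DLL+offset)."""
        if any(p in self.location for p in SANITIZER_PATHS):
            return "sanitizer"
        if "/gecko/" in self.location:
            return "gecko"
        return "module"

    def source(self) -> str:  # path relative to the Gecko checkout, e.g. gfx/2d/PathD2D.cpp:101
        return self.location.split("/gecko/", 1)[-1]

def parse_report(text: str) -> dict:
    """Header facts, the crashing thread's frames, and two triage facts derived from them."""
    info = {"frames": []}
    for line in text.splitlines():
        if line.startswith(("SUMMARY:", "Thread T")):  # creator-thread stacks follow; skip them
            break
        if m := HEADER_RE.match(line):
            info.update(pid=int(m[1]), kind=m[2], address=m[3], thread=m[4])
        elif m := ACCESS_RE.match(line):
            info["access"] = m[1]
        elif m := FRAME_RE.match(line):
            info["frames"].append(Frame(int(m[1]), m[2], m[3]))
    frames = info["frames"]
    gecko = [f for f in frames if f.bucket() == "gecko"]
    # Faulting inside ASan's own runtime (second report) points at the sanitizer or the host allocator.
    info["crashed_in_sanitizer"] = bool(frames) and frames[0].bucket() == "sanitizer"
    info["first_gecko_frame"] = gecko[0] if gecko else None
    return info

def shared_gecko_functions(a: str, b: str) -> set:
    """Gecko functions on both crashing stacks: the code path the two reports have in common."""
    stacks = [{f.function for f in parse_report(r)["frames"] if f.bucket() == "gecko"} for r in (a, b)]
    return stacks[0] & stacks[1]

if __name__ == "__main__":
    for t in (parse_report(REPORT_1), parse_report(REPORT_2)):
        print(t["pid"], t["kind"], t["access"], t["thread"], "in sanitizer:", t["crashed_in_sanitizer"],
              "first Gecko frame:", t["first_gecko_frame"].source())
    print("shared Gecko frames:", sorted(shared_gecko_functions(REPORT_1, REPORT_2)))
```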
I'm not quite sure how the ASan detection works either; isn't this place supposed to detect that the reallocated memory is contaminated and crash?
Comment 4•3 years ago
Are you using a public fuzzer or a private fuzzer when you are seeing this crash (and others)?
Comment 6•3 years ago
(In reply to bo13oy from comment #5)
a private fuzzer
Have you by any chance tried creating a Grizzly adapter for your fuzzer and running it via Grizzly? There has been a lot of work done to make sure that test cases that trigger crashes are identified and saved. It also has a replay feature to help verify test cases and a test case reducer feature.
All of the details and examples are on the wiki. If you have any questions #fuzzing on matrix (chat.mozilla.org) is a good place to start.
I use it (Grizzly adapter), but I have tried many times and have not been able to reproduce the vulnerability.
Comment 8•3 years ago
(In reply to bo13oy from comment #7)
I use it (Grizzly adapter), but I have tried many times and have not been able to reproduce the vulnerability.
Oh that's great!
You could try running Grizzly with -c 3 --relaunch 3 when fuzzing. This will collect the last 3 test cases and relaunch the browser every 3 iterations. That way you know you have the test case that triggered the issue.
Once you get a result you could try running Grizzly replay with --repeat 25. Hopefully that helps find a semi reliable test case. If you are able to get something I'd be happy to try reducing.
This all assumes that the test cases that are generated by your fuzzer are deterministic and the crash happens periodically. I hope that helps :)
Comment 10•3 years ago
The severity field is not set for this bug.
:bhood, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 12•3 years ago
(In reply to Bob Hood from comment #11)
Bob, remote D2D bug?
Quite possibly, although it's not clear that this wouldn't/couldn't have been triggered with DrawTargetD2D1 being used for canvas acceleration in the content process.
I guess it's even possible that there is some problem in d2d1.dll itself here.
It would be interesting to see if it reproduces with the following prefs set to false in about:config (requires browser restart): gfx.canvas.remote and security.sandbox.content.win32k-disable.
Aside from that I think I need a test case to reproduce this to work out what might be going on.
Comment 13•3 years ago
There is no way to reproduce the vulnerability and I cannot provide a sample for testing.
Comment 14•3 years ago
Dan, Bob - not sure what you want to do here without a way to reproduce.
I don't see any similar crashes on crash-stats.
Comment 15•3 years ago
We could let it simmer a while and see if anybody else duplicates it. When the nag bot subsequently complains about a lack of activity, we could probably consider that a checkered flag to retire it. Just a thought.
Comment 16•3 years ago
Doesn't seem like there's enough here to figure anything out, unfortunately.