Open Bug 1819488 Opened 2 years ago Updated 2 years ago

Assertion failure: gShmemMapped >= mMappedSize (Can't unmap more than mapped), at /builds/worker/checkouts/gecko/ipc/glue/SharedMemory.cpp:70

Categories

(Core :: IPC, defect, P3)


Tracking Status
firefox111 --- affected
firefox112 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20230131-351f3b41f9fb (--enable-debug --enable-fuzzing)

The attached test case only reproduces the issue on 32 bit builds. Marking as s-s to be safe.

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --cpu x86 -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: gShmemMapped >= mMappedSize (Can't unmap more than mapped), at /builds/worker/checkouts/gecko/ipc/glue/SharedMemory.cpp:70

#0 0xe589fcb0 in mozilla::ipc::SharedMemory::Unmapped() /builds/worker/checkouts/gecko/ipc/glue/SharedMemory.cpp:70:3
#1 0xe57b7cd1 in ~SharedMemory /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemory.h:36:5
#2 0xe57b7cd1 in ~SharedMemoryBasic /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemoryBasic_chromium.h:79:32
#3 0xe57b7cd1 in mozilla::ipc::SharedMemoryBasic::~SharedMemoryBasic() /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemoryBasic_chromium.h:79:32
#4 0xe5e90cb5 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemory.h:78:3
#5 0xe5e90cb5 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#6 0xe5e90cb5 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#7 0xe5e90cb5 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#8 0xe5e90cb5 in mozilla::gfx::SourceSurfaceSharedDataWrapper::~SourceSurfaceSharedDataWrapper() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/SourceSurfaceSharedData.h:35:7
#9 0xe5e90e62 in mozilla::gfx::SourceSurfaceSharedDataWrapper::~SourceSurfaceSharedDataWrapper() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/SourceSurfaceSharedData.h:35:7
#10 0xe5ceff5d in mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::Release() const /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadSafeWeakPtr.h:179:7
#11 0xe637cc72 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#12 0xe637cc72 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#13 0xe637cc72 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#14 0xe637cc72 in ~RenderSharedSurfaceTextureHost /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderSharedSurfaceTextureHost.cpp:25:1
#15 0xe637cc72 in mozilla::wr::RenderSharedSurfaceTextureHost::~RenderSharedSurfaceTextureHost() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderSharedSurfaceTextureHost.cpp:23:67
#16 0xe6388f6e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/webrender/RenderTextureHost.h:42:3
#17 0xe6388f6e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#18 0xe6388f6e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#19 0xe6388f6e in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#20 0xe6388f6e in destroy<RefPtr<mozilla::wr::RenderTextureHost> > /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:140:28
#21 0xe6388f6e in destroy<RefPtr<mozilla::wr::RenderTextureHost> > /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:487:8
#22 0xe6388f6e in std::__cxx11::_List_base<RefPtr<mozilla::wr::RenderTextureHost>, std::allocator<RefPtr<mozilla::wr::RenderTextureHost>>>::_M_clear() /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/list.tcc:76:4
#23 0xe6385186 in clear /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_list.h:1406:9
#24 0xe6385186 in mozilla::wr::RenderThread::DeferredRenderTextureHostDestroy() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:903:27
#25 0xe638e2e2 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#26 0xe638e2e2 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#27 0xe638e2e2 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#28 0xe4be7812 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#29 0xe4bee012 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#30 0xe587bd49 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#31 0xe5798fcc in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#32 0xe5798eda in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#33 0xe5798eda in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#34 0xe4be2c8a in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#35 0xf6ff9a30 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#36 0xf798eb90  (/lib/i386-linux-gnu/libc.so.6+0x86b90) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
#37 0xf7a2b64b  (/lib/i386-linux-gnu/libc.so.6+0x12364b) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
Flags: in-testsuite?
Group: gfx-core-security

gShmemMapped is only used by memory reporting, so this shouldn't be exploitable. (It will break tests, though.)

Group: gfx-core-security
Component: Graphics: WebRender → IPC

It's unfortunately a somewhat known issue that the counters for SharedMemory are a bit messed up right now, so I'm not too surprised that we have some situation like this where we try to unmap more memory than we had previously mapped. At some point we should probably clean up this code and make sure that the about:memory shared memory reporter is working correctly going forward, but for now this is S3 unless it becomes a fuzz blocker.

Severity: -- → S3
Priority: -- → P3
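As an added illustration of the accounting problem the comment above describes (a hypothetical model, not Gecko's SharedMemory code), the loose bookkeeping that can drive the counter below zero is shown beside a variant in which each object only subtracts bytes it actually added; RecordSizeOnly() is an assumed way for the per-object size and the global counter to drift apart:

```cpp
#include <cstddef>
// Stand-in for gShmemMapped, the process-wide counter the thread says only feeds memory reporting.
static size_t gShmemMapped = 0;

// Loose bookkeeping, a hypothetical model of the failure mode discussed above: the
// per-object size can be recorded without the global counter being bumped, so the
// later Unmapped() tries to subtract more than was ever added.
class SharedMemoryLoose {
 public:
  void Map(size_t aSize) { mMappedSize = aSize; gShmemMapped += aSize; }
  void RecordSizeOnly(size_t aSize) { mMappedSize = aSize; }  // hypothetical drift
  bool Unmapped() {
    if (gShmemMapped < mMappedSize) return false;  // SharedMemory.cpp:70 would assert here
    gShmemMapped -= mMappedSize;
    mMappedSize = 0;
    return true;
  }
 private:
  size_t mMappedSize = 0;
};

// Hardened bookkeeping: subtract only what this object actually added.
class SharedMemoryStrict {
 public:
  void Map(size_t aSize) { mMappedSize = aSize; mCounted = true; gShmemMapped += aSize; }
  void RecordSizeOnly(size_t aSize) { mMappedSize = aSize; }
  bool Unmapped() {
    if (mCounted) gShmemMapped -= mMappedSize;  // cannot underflow: we added exactly this
    mMappedSize = 0;
    mCounted = false;
    return true;
  }
 private:
  size_t mMappedSize = 0;
  bool mCounted = false;
};

struct Outcome { size_t counter; bool consistent; };

// Same sequence for both variants: one real 4 KiB mapping, one object whose 8 KiB
// size was recorded without a mapping, then both are torn down.
template <class Shmem> Outcome Run() {
  gShmemMapped = 0;
  Shmem a, b;
  a.Map(4096);
  b.RecordSizeOnly(8192);
  bool ok = b.Unmapped();  // loose variant: 4096 < 8192, reported as inconsistent
  ok = a.Unmapped() && ok;
  return {gShmemMapped, ok};
}
```

Run<SharedMemoryLoose>() reports the inconsistency the assertion catches in debug builds, while Run<SharedMemoryStrict>() tears both objects down with the counter back at zero.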