Closed Bug 1846528 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-buffer-overflow [@ std::_Atomic_storage<unsigned int,4>::load] with READ of size 4

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Windows
defect

Tracking


RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox116 --- unaffected
firefox117 --- fixed
firefox118 --- fixed

People

(Reporter: jkratzer, Assigned: tnikkel)

References

(Blocks 1 open bug, Regression)


Found while fuzzing mozilla-central rev bb8659c8d955 (built with: --enable-address-sanitizer --enable-fuzzing).

I don't currently have a working testcase for this issue.

AddressSanitizer: heap-buffer-overflow [@ std::_Atomic_storage<unsigned int,4>::load] with READ of size 4

    =================================================================
    ==3852==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x1297db4d8bd8 at pc 0x7ffc2cbcabce bp 0x00c57c9fe070 sp 0x00c57c9fe0b8
    READ of size 4 at 0x1297db4d8bd8 thread T0
        #0 0x7ffc2cbcabcd in std::_Atomic_storage<unsigned int,4>::load /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/atomic:1001
        #1 0x7ffc2cbcabcd in mozilla::detail::IntrinsicMemoryOps<unsigned int,2>::load /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:195
        #2 0x7ffc2cbcabcd in mozilla::Atomic<bool,2,void>::operator bool /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:496
        #3 0x7ffc2cbcabcd in Checker::IsWritable /xpcom/ds/PLDHashTable.h:111
        #4 0x7ffc2cbcabcd in Checker::StartWriteOp /xpcom/ds/PLDHashTable.h:140
        #5 0x7ffc2cbcabcd in AutoWriteOp::AutoWriteOp /xpcom/ds/PLDHashTable.cpp:40
        #6 0x7ffc2cbcabcd in PLDHashTable::Remove(void const *) /xpcom/ds/PLDHashTable.cpp:546
        #7 0x7ffc32ac9d86 in nsTHashtable<detail::VoidPtrHashKey>::RemoveEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:346
        #8 0x7ffc32ac9d86 in nsTHashtable<nsPtrHashKey<mozilla::dom::ImageBitmap> >::RemoveEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:825
        #9 0x7ffc32ac9d86 in nsTBaseHashSet<nsPtrHashKey<mozilla::dom::ImageBitmap> >::Remove /builds/worker/workspace/obj-build/dist/include/nsTHashSet.h:117
        #10 0x7ffc32ac9d86 in mozilla::dom::ImageBitmapShutdownObserver::Untrack /dom/canvas/ImageBitmap.cpp:126
        #11 0x7ffc32ac9d86 in mozilla::dom::ImageBitmap::~ImageBitmap(void) /dom/canvas/ImageBitmap.cpp:661
        #12 0x7ffc32b0812f in mozilla::dom::ImageBitmap::DeleteCycleCollectable /dom/canvas/ImageBitmap.cpp:49
        #13 0x7ffc32b0812f in mozilla::dom::ImageBitmap::cycleCollection::DeleteCycleCollectable(void *) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/ImageBitmap.h:85
        #14 0x7ffc2cb42a76 in SnowWhiteKiller::MaybeKillObject /xpcom/base/nsCycleCollector.cpp:2486
        #15 0x7ffc2cb42a76 in SnowWhiteKiller::~SnowWhiteKiller(void) /xpcom/base/nsCycleCollector.cpp:2473
        #16 0x7ffc2cb4134e in nsCycleCollector::FreeSnowWhite(bool) /xpcom/base/nsCycleCollector.cpp:2663
        #17 0x7ffc2cb4cc85 in nsCycleCollector::BeginCollection(enum mozilla::CCReason, enum ccIsManual, class nsICycleCollectorListener *) /xpcom/base/nsCycleCollector.cpp:3660
        #18 0x7ffc2cb4bc5f in nsCycleCollector::Collect(enum mozilla::CCReason, enum ccIsManual, class js::SliceBudget &, class nsICycleCollectorListener *, bool) /xpcom/base/nsCycleCollector.cpp:3484
        #19 0x7ffc2cb4b4d0 in nsCycleCollector::ShutdownCollect(void) /xpcom/base/nsCycleCollector.cpp:3418
        #20 0x7ffc2cb51aec in nsCycleCollector::Shutdown /xpcom/base/nsCycleCollector.cpp:3722
        #21 0x7ffc2cb51aec in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4046
        #22 0x7ffc2ce1fb10 in mozilla::ShutdownXPCOM(class nsIServiceManager *) /xpcom/build/XPCOMInit.cpp:673
        #23 0x7ffc3b7ca18f in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /toolkit/xre/nsEmbedFunctions.cpp:656
        #24 0x7ff61d422953 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57
        #25 0x7ff61d422953 in NS_internal_main(int, char **, char **) /browser/app/nsBrowserApp.cpp:375
        #26 0x7ff61d42169b in wmain /toolkit/xre/nsWindowsWMain.cpp:167
        #27 0x7ff61d503087 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
        #28 0x7ff61d503087 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
        #29 0x7ffc90654ddf  (C:\Windows\System32\KERNEL32.DLL+0x180014ddf)
        #30 0x7ffc91a1ec4a  (C:\Windows\SYSTEM32\ntdll.dll+0x18007ec4a)
    
    0x1297db4d8bd8 is located 760 bytes after 64-byte region [0x1297db4d88a0,0x1297db4d88e0)
    allocated by thread T0 here:
        #0 0x7ffc72d4f5d4 in realloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:135
        #1 0x7ffc7a30162d in moz_xrealloc /memory/mozalloc/mozalloc.cpp:72
        #2 0x7ffc2c0db001 in nsTArrayInfallibleAllocator::Realloc /builds/worker/workspace/obj-build/dist/include/nsTArray.h:259
        #3 0x7ffc2c0db001 in nsTArray_base<struct nsTArrayInfallibleAllocator, struct nsTArray_RelocateUsingMemutils>::EnsureCapacityImpl<struct nsTArrayInfallibleAllocator>(unsigned __int64, unsigned __int64) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:221
        #4 0x7ffc2f6d867f in nsTArray_base<nsTArrayInfallibleAllocator,nsTArray_RelocateUsingMemutils>::EnsureCapacity /builds/worker/workspace/obj-build/dist/include/nsTArray.h:443
        #5 0x7ffc2f6d867f in nsTArray_Impl<nsTString<char>,nsTArrayInfallibleAllocator>::AppendElementInternal /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2687
        #6 0x7ffc2f6d867f in nsTArray<nsTString<char> >::AppendElement /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2829
        #7 0x7ffc2f6d867f in gfxDWriteFontList::GetFontSubstitutes(void) /gfx/thebes/gfxDWriteFontList.cpp:1970
        #8 0x7ffc2f6d52b0 in gfxDWriteFontList::InitSharedFontListForPlatform(void) /gfx/thebes/gfxDWriteFontList.cpp:1603
        #9 0x7ffc2f79784a in gfxPlatformFontList::InitFontList(void) /gfx/thebes/gfxPlatformFontList.cpp:594
        #10 0x7ffc2f796a4a in gfxPlatformFontList::Initialize(class gfxPlatformFontList *) /gfx/thebes/gfxPlatformFontList.cpp:282
        #11 0x7ffc2f65e1c7 in gfxWindowsPlatform::CreatePlatformFontList(void) /gfx/thebes/gfxWindowsPlatform.cpp:658
        #12 0x7ffc2f635ef1 in gfxPlatform::Init(void) /gfx/thebes/gfxPlatform.cpp:979
        #13 0x7ffc2f637cfa in gfxPlatform::InitChild(class mozilla::gfx::ContentDeviceData const &) /gfx/thebes/gfxPlatform.cpp:479
        #14 0x7ffc3592e3f9 in mozilla::dom::ContentChild::InitGraphicsDeviceData /dom/ipc/ContentChild.cpp:1307
        #15 0x7ffc3592e3f9 in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(class mozilla::dom::XPCOMInitData &&, class mozilla::dom::ipc::StructuredCloneData const &, class mozilla::widget::FullLookAndFeel &&, class mozilla::dom::SystemFontList &&, class mozilla::Maybe<class mozilla::UniquePtr<void *, struct mozilla::detail::FileHandleDeleter>> &&, unsigned __int64 const &, class nsTArray<class mozilla::UniquePtr<void *, struct mozilla::detail::FileHandleDeleter>> &&, bool const &) /dom/ipc/ContentChild.cpp:682
        #16 0x7ffc35cbf715 in mozilla::dom::PContentChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:11881
        #17 0x7ffc2e4705df in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /ipc/glue/MessageChannel.cpp:1811
        #18 0x7ffc2e46de31 in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /ipc/glue/MessageChannel.cpp:1736
        #19 0x7ffc2e46eccd in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /ipc/glue/MessageChannel.cpp:1536
        #20 0x7ffc2e46f431 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /ipc/glue/MessageChannel.cpp:1634
        #21 0x7ffc2cd53e1e in mozilla::RunnableTask::Run(void) /xpcom/threads/TaskController.cpp:559
        #22 0x7ffc2cd35b41 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /xpcom/threads/TaskController.cpp:886
        #23 0x7ffc2cd31285 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /xpcom/threads/TaskController.cpp:709
        #24 0x7ffc2cd31ed4 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:495
        #25 0x7ffc2cd57761 in mozilla::TaskController::TaskController::<lambda_5>::operator() /xpcom/threads/TaskController.cpp:218
        #26 0x7ffc2cd57761 in mozilla::detail::RunnableFunction<`lambda at /xpcom/threads/TaskController.cpp:218:7'>::Run /xpcom/threads/nsThreadUtils.h:548
        #27 0x7ffc2cd8758e in nsThread::ProcessNextEvent(bool, bool *) /xpcom/threads/nsThread.cpp:1199
        #28 0x7ffc2cd97c21 in NS_ProcessNextEvent(class nsIThread *, bool) /xpcom/threads/nsThreadUtils.cpp:480
        #29 0x7ffc2e477e67 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /ipc/glue/MessagePump.cpp:85
        #30 0x7ffc2e394dd3 in MessageLoop::RunInternal /ipc/chromium/src/base/message_loop.cc:370
        #31 0x7ffc2e394dd3 in MessageLoop::RunHandler(void) /ipc/chromium/src/base/message_loop.cc:363
        #32 0x7ffc2e394b9a in MessageLoop::Run(void) /ipc/chromium/src/base/message_loop.cc:345
        #33 0x7ffc36b1e75c in nsBaseAppShell::Run(void) /widget/nsBaseAppShell.cpp:148
        #34 0x7ffc36d3ce57 in nsAppShell::Run(void) /widget/windows/nsAppShell.cpp:466
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/fetches/vs/VC/Tools/MSVC/14.29.30133/include/atomic:1001 in std::_Atomic_storage<unsigned int,4>::load
    Shadow bytes around the buggy address:
      0x1297db4d8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1297db4d8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1297db4d8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1297db4d8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1297db4d8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x1297db4d8b80: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
      0x1297db4d8c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1297db4d8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1297db4d8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1297db4d8d80: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      0x1297db4d8e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3852==ABORTING

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:confirm]
Group: core-security → gfx-core-security

Haven't confirmed, but this is likely a regression from bug 1839286.

Keywords: regression
Regressed by: 1839286
Keywords: pernosco-wanted

Set release status flags based on info from the regressing bug 1839286

Assignee: nobody → tnikkel

It's possible that bug 1845372 fixes this, so I'd be very interested to know if we still see this in a revision that contains that patch.

(In reply to Timothy Nikkel (:tnikkel) from comment #4)

It's possible that bug 1845372 fixes this, so I'd be very interested to know if we still see this in a revision that contains that patch.

Yeah, actually I can see how we might hit this situation before bug 1845372: we create another ImageBitmapShutdownObserver after shutdown has started. When we go to register it as an observer of shutdown we can't get the observer service, because GetObserverService checks gXPCOMShuttingDown, so that is a no-op. We are depending on the observer service to hold a ref to the ImageBitmapShutdownObserver; otherwise it will have no refs, but we hold a weak ptr to it, and we would access it via the stack in comment 0 here in this bug. So I am cautiously optimistic that bug 1845372 fixes this. I will request uplift on it now.

Severity: -- → S2
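The lifetime problem described in the reply above, reduced to a stand-alone model. This is an added example, not Firefox code: ObserverService, ShutdownObserver, TrackUnchecked, TrackChecked and UntrackSafe are hypothetical stand-ins for nsIObserverService, ImageBitmapShutdownObserver and its Track/Untrack methods, and std::weak_ptr stands in for the weak pointer the reply mentions. It shows that when the observer service refuses registration during shutdown, the newly created observer has no owner and the weak reference is left pointing at a destroyed object, and it shows the two checks that close that window: refusing to create the observer when it cannot be registered, and having Untrack bail out when the weak reference has expired.

```cpp
// Added example (not Firefox code): a minimal model of the lifetime bug described
// in the reply above. All names are hypothetical stand-ins for the Gecko classes.
#include <memory>
#include <set>
#include <utility>
#include <vector>

struct ShutdownObserver {
  std::set<int> tracked;  // ids of live "ImageBitmap" objects, like the nsTHashSet
};

// Stand-in for the XPCOM observer service. Once shutdown has begun, Get() returns
// nullptr (as GetObserverService() does when gXPCOMShuttingDown is set), so
// registration silently becomes a no-op.
struct ObserverService {
  bool shuttingDown = false;
  std::vector<std::shared_ptr<ShutdownObserver>> registered;  // the only strong refs

  ObserverService* Get() { return shuttingDown ? nullptr : this; }
  void AddObserver(std::shared_ptr<ShutdownObserver> o) {
    registered.push_back(std::move(o));
  }
};

// Process-wide weak reference to the observer ("we hold a weak ptr to it").
// Nothing here keeps the observer alive.
static std::weak_ptr<ShutdownObserver> gObserver;

// BEFORE: create-and-register without checking whether registration happened.
// If the service is already shutting down, the local shared_ptr is the only owner;
// it dies at the end of this function and gObserver is left expired.
void TrackUnchecked(ObserverService& svc, int id) {
  std::shared_ptr<ShutdownObserver> obs = gObserver.lock();
  if (!obs) {
    obs = std::make_shared<ShutdownObserver>();
    if (ObserverService* s = svc.Get()) {
      s->AddObserver(obs);  // skipped during shutdown: nobody owns obs afterwards
    }
    gObserver = obs;
  }
  obs->tracked.insert(id);
}

// The later Untrack call (ImageBitmap::~ImageBitmap in the stack in comment 0)
// then reaches an object nobody owns. With a raw non-owning pointer that is a
// read of freed memory; with std::weak_ptr it must be checked before use:
bool UntrackSafe(int id) {
  std::shared_ptr<ShutdownObserver> obs = gObserver.lock();
  if (!obs) return false;  // observer already gone: do not touch it
  return obs->tracked.erase(id) > 0;
}

// AFTER: refuse to create the observer when it cannot be registered, so the weak
// reference never points at an object with no owner.
bool TrackChecked(ObserverService& svc, int id) {
  std::shared_ptr<ShutdownObserver> obs = gObserver.lock();
  if (!obs) {
    ObserverService* s = svc.Get();
    if (!s) return false;  // shutdown already started: do not track at all
    obs = std::make_shared<ShutdownObserver>();
    s->AddObserver(obs);
    gObserver = obs;
  }
  obs->tracked.insert(id);
  return true;
}

bool ObserverAlive() { return !gObserver.expired(); }
void ResetObserver() { gObserver.reset(); }

// Scenario 1 (the bug): shutdown has started, TrackUnchecked still "succeeds",
// but the observer is destroyed immediately. Returns true if the weak reference
// is left dangling, i.e. the object Untrack would reach is already gone.
bool ScenarioUncheckedDuringShutdown() {
  ResetObserver();
  ObserverService svc;
  svc.shuttingDown = true;
  TrackUnchecked(svc, 42);
  return !ObserverAlive();
}

// Scenario 2 (hardened): tracking is refused during shutdown and Untrack is a no-op.
bool ScenarioCheckedDuringShutdown() {
  ResetObserver();
  ObserverService svc;
  svc.shuttingDown = true;
  bool tracked = TrackChecked(svc, 42);
  return !tracked && !ObserverAlive() && !UntrackSafe(42);
}

// Scenario 3 (normal lifetime): the service owns the observer, so the weak
// reference is valid and Untrack removes the id.
bool ScenarioNormalLifetime() {
  ResetObserver();
  ObserverService svc;
  bool tracked = TrackChecked(svc, 7);
  bool alive = ObserverAlive();
  bool removed = UntrackSafe(7);
  return tracked && alive && removed;
}
```

The model uses std::weak_ptr so that the dangling case can be observed (ObserverAlive() returns false) rather than executed; in the real report the non-owning access shows up as the heap-buffer-overflow in PLDHashTable's checker at the top of the stack in comment 0. Either check alone is enough to avoid that access: TrackChecked prevents the ownerless observer from existing, and UntrackSafe prevents it from being touched.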

ni to check if this is still reproducing after bug 1845372.

Flags: needinfo?(jkratzer)

Reached out to Jason on Matrix about this NI.

The fuzzers have only reported this once on 2023/07/31. I think we can safely close this. If it appears again I'll file a new issue.

Flags: needinfo?(jkratzer)
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Depends on: 1845372
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release