AddressSanitizer: heap-buffer-overflow [@ RefPtr<mozilla::gfx::SourceSurface>::operator bool] with READ of size 8
Categories: Core :: Graphics, defect, P2
People: Reporter: truber, Assigned: bobowen
Keywords: crash, sec-high, testcase
Whiteboard: [adv-main118+r][adv-esr115.3+r]
Attachments (4 files)
- 12.31 KB, text/plain
- 37.74 KB, application/octet-stream
- 231.48 KB, text/plain
- Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel! (48 bytes, text/x-phabricator-request); flags: pascalc: approval-mozilla-beta+, pascalc: approval-mozilla-esr115+, tjr: sec-approval+
The attached testcase crashes on mozilla-central revision 20230825-e5ba3b52ebac (build with --enable-fuzzing & moz2d target patch).
==924377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000b9728 at pc 0x7f7c6e4ef23e bp 0x7ffc66d5d270 sp 0x7ffc66d5d268
READ of size 8 at 0x6020000b9728 thread T0
#0 0x7f7c6e4ef23d in RefPtr<mozilla::gfx::SourceSurface>::operator bool() const /obj/ff-asan-fuzzing/dist/include/mozilla/RefPtr.h:349:45
#1 0x7f7c748d8647 in mozilla::gfx::DrawTargetSkia::PopLayer() /gfx/2d/DrawTargetSkia.cpp:2007:7
#2 0x7f7c748b1b5f in mozilla::gfx::DrawTargetOffset::PopLayer() /gfx/2d/DrawTargetOffset.cpp:207:16
#3 0x7f7c747bdb26 in mozilla::gfx::RecordedPopLayer::PlayEvent(mozilla::gfx::Translator*) const /gfx/2d/RecordedEventImpl.h:2895:7
#4 0x7f7c747b1dbc in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0::operator()(mozilla::gfx::RecordedEvent*) const /gfx/2d/InlineTranslator.cpp:78:31
#5 0x7f7c747b1b66 in std::_Function_handler<bool (mozilla::gfx::RecordedEvent*), mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>::_M_invoke(std::_Any_data const&, mozilla::gfx::RecordedEvent*&&) /home/truber/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:282:9
#6 0x7f7c74801720 in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /home/truber/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#7 0x7f7c747a636f in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gfx/2d/RecordedEventImpl.h:4198:5
#8 0x7f7c747a42bc in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /gfx/2d/InlineTranslator.cpp:68:20
#9 0x7f7c7617b589 in mozilla::wr::Moz2DRenderCallback(mozilla::Range<unsigned char const>, mozilla::gfx::SurfaceFormat, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, unsigned short, mozilla::wr::Point2D<int, mozilla::wr::TileCoordinate> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, mozilla::Range<unsigned char>) /gfx/webrender_bindings/Moz2DImageRenderer.cpp:450:20
#10 0x7f7c76178f9f in wr_moz2d_render_cb /gfx/webrender_bindings/Moz2DImageRenderer.cpp:535:10
For detailed crash information, see attachment.
To reproduce the issue:
- Build an ASan --enable-fuzzing build including gtests with https://phabricator.services.mozilla.com/D186833 and https://phabricator.services.mozilla.com/D186161 applied.
- Run FUZZER=Moz2D objdir/dist/bin/firefox test.bin
Comment 1•2 years ago (Reporter)
Comment 2•2 years ago (Reporter)
Comment 3•2 years ago (Reporter)
Decoded test.bin
Comment 4•2 years ago
Hey, Bob. Could you have a look at this one, please?
Comment 5•2 years ago (Assignee)
This is in the webrender use of Moz2D recording, which I'm not as familiar with, but happy to take a look.
I guess we might see a similar problem in the canvas use, although we don't use DrawTargetSkia.
truber - can you give me access to: https://phabricator.services.mozilla.com/D186833
Comment 6•2 years ago (Reporter)
(In reply to Bob Owen (:bobowen) from comment #5)
truber - can you give me access to: https://phabricator.services.mozilla.com/D186833
done
Comment 7•2 years ago (Assignee)
I'm having trouble building ASan on Windows, but I think I've spotted what's happening.
My guess is that we send too many PopLayers and we hit undefined behaviour here because the vector is empty.
In this case, from the Detailed Crash Information, it results in accessing memory before the vector's storage.
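The failure mode described in this comment (a PopLayer replayed with nothing left on the layer stack) is a checkable invariant of the recording. As an added example, not Firefox code, here is a hypothetical replayer in the same push/pop style, using a constructed one-byte event encoding, that validates the stack before popping and fails the replay instead of calling back() on an empty vector:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed one-byte-per-event encoding for this example; it stands in
// for the Moz2D RecordedEvent stream and is not that format.
enum EventType : uint8_t { PUSH_LAYER = 1, POP_LAYER = 2, OTHER = 3 };
enum class ReplayResult { Ok, UnbalancedPop, UnclosedLayers, UnknownEvent };

// Hypothetical draw target mirroring the DrawTargetSkia push/pop pattern:
// each PopLayer consumes the most recent PushLayer.
class LayerDrawTarget {
 public:
  void PushLayer(bool opaque) { mPushedLayers.push_back(opaque); }
  // A pop with nothing pushed is a malformed recording. back() on an empty
  // std::vector is undefined behaviour and reads before the vector's
  // storage (the ASan heap-buffer-overflow above), so check first and
  // report the failure to the caller instead.
  bool PopLayer() {
    if (mPushedLayers.empty()) return false;
    mPushedLayers.pop_back();  // the real target composites the layer here
    return true;
  }

  size_t Depth() const { return mPushedLayers.size(); }

 private:
  std::vector<bool> mPushedLayers;  // stand-in for the PushedLayer records
};

// Replays `events`, stopping at the first bad one so later events never run
// against a corrupted layer stack. `failedAt` receives the index of the
// offending event, or events.size() once the whole stream has been consumed.
ReplayResult ReplayRecording(const std::vector<uint8_t>& events,
                             size_t* failedAt) {
  LayerDrawTarget dt;
  for (size_t i = 0; i < events.size(); ++i) {
    if (failedAt) *failedAt = i;
    switch (events[i]) {
      case PUSH_LAYER: dt.PushLayer(true); break;
      case POP_LAYER:
        if (!dt.PopLayer()) return ReplayResult::UnbalancedPop;
        break;
      case OTHER: break;  // unrelated drawing event, no layer effect
      default: return ReplayResult::UnknownEvent;
    }
  }
  if (failedAt) *failedAt = events.size();
  return dt.Depth() == 0 ? ReplayResult::Ok : ReplayResult::UnclosedLayers;
}
```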
Comment 8•2 years ago (Assignee)
Comment 9•2 years ago (Assignee)
truber - hi, as I'm having issues with the build, are you able to confirm if this patch fixes the issue?
Comment 10•2 years ago (Reporter)
It does fix the issue!
*** You are running in headless mode.
Running Fuzzer tests...
INFO: Seed: 3521109205
INFO: Loaded 2 modules (3891485 inline 8-bit counters): 17517 [0x7ff3fe738830, 0x7ff3fe73cc9d), 3873968 [0x7ff3f7071d18, 0x7ff3f74239c8),
INFO: Loaded 2 PC tables (3891485 PCs): 17517 [0x7ff3fe73cca0,0x7ff3fe781370), 3873968 [0x7ff3f74239c8,0x7ff3faf404c8),
./obj/ff-asan-fuzzing/dist/bin/firefox: Running 1 inputs 1 time(s) each.
Running: /home/truber/bugs/moz2d/1850180/test.bin
[GFX1-]: Replay failure: PathCreation PLAY
[GFX1-]: Replay failure: PathCreation PLAY
Executed /home/truber/bugs/moz2d/1850180/test.bin in 5 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
Finished running Fuzzer tests.
Comment 11•2 years ago
The severity field is not set for this bug.
:bhood, could you have a look please?
For more information, please visit BugBot documentation.
Comment 12•2 years ago (Assignee)
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The issue is fairly obvious, but not obvious from the patch how you would trigger it. We currently believe this would require a compromised content process.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely, just changes debug assertions to release ones.
- Is Android affected?: Unknown
Comment 13•2 years ago
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Approved to land and uplift
Comment 14•2 years ago
Comment 15•2 years ago
Comment 16•2 years ago
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Approved for landing on mozilla-beta before the merge, will be in the 118.0 release candidate, thanks.
Comment 17•2 years ago (uplift)
Comment 18•2 years ago
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Approved for ESR 115.3, thanks.
Comment 19•2 years ago (uplift)