Closed Bug 1862777 Opened 2 years ago Closed 2 years ago

Poison crash in [@ mozilla::fontlist::FontList::ShmBlock::Memory] on Android

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
122 Branch
Tracking Flags:
Tracking Status
firefox-esr115 121+ fixed
firefox120 --- wontfix
firefox121 + fixed
firefox122 + fixed

People

(Reporter: mccr8, Assigned: jfkthame)

References

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [adv-main121+r][adv-esr115.6+r])

Crash Data

Attachments

(3 files, 2 obsolete files)

Bug 1862777 - Lock the list in UpdateShmBlocks. r=#gfx-reviewers
48 bytes, text/x-phabricator-request
tjr
: sec-approval+
Details | Review
Bug 1862777 - Lock the list in UpdateShmBlocks. r=#gfx-reviewers
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review
Bug 1862777 - Lock the list in UpdateShmBlocks. r=#gfx-reviewers
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-esr115+
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/4b03eeef-a0ba-4542-ad8c-250160231028

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  mozilla::UniquePtr<base::SharedMemory, mozilla::DefaultDelete<base::SharedMemory> >::get const  mfbt/UniquePtr.h:286
0  libxul.so  mozilla::UniquePtr<base::SharedMemory, mozilla::DefaultDelete<base::SharedMemory> >::operator-> const  mfbt/UniquePtr.h:281
0  libxul.so  mozilla::fontlist::FontList::ShmBlock::Memory const  gfx/thebes/SharedFontList-impl.h:312
0  libxul.so  mozilla::fontlist::Pointer::ToPtr const  gfx/thebes/SharedFontList.cpp:97
0  libxul.so  mozilla::fontlist::Pointer::ToArray<char const> const  gfx/thebes/SharedFontList.h:88
0  libxul.so  mozilla::fontlist::String::BeginReading const  gfx/thebes/SharedFontList.h:133
0  libxul.so  mozilla::fontlist::FontList::FindFamily const  gfx/thebes/SharedFontList.cpp:1144
0  libxul.so  mozilla::BinarySearchIf<mozilla::fontlist::Family*, mozilla::fontlist::FontList::FindFamily  mfbt/BinarySearch.h:80
1  libxul.so  mozilla::fontlist::FontList::FindFamily  gfx/thebes/SharedFontList.cpp:1160
2  libxul.so  gfxPlatformFontList::FindAndAddFamiliesLocked  gfx/thebes/gfxPlatformFontList.cpp:1536

These crashes are mostly on Android, though I did see a couple of on MacOS (bp-c5ac2da1-b0ee-4f31-baff-3b57d0231019, bp-12aa1791-8630-4620-956c-9f0670231018), but they were both on extremely old versions of MacOS so maybe they can be disregarded. I don't know if that's a sign that the Android crashes are also from very old versions of Android...

Maybe jfkflame has some ideas, font list related.

Severity: -- → S2
Flags: needinfo?(jfkthame)
See Also: → 1848890

Jonathan, this looks similar to bug 1848890. mBlocks could be reallocated when appended to by UpdateShmBlocks(). This is called by the constructor (ie not relevant), and ToPtr(). ToPtr() takes the lock when called off main thread - but is there anything stopping it being called concurrently by the main thread and a dom worker?

Yeah, that looks like a potential problem. (I guess when this was originally written, we didn't have font usage happening from DOM workers; the only non-main-thread caller would've been stylo, and the main thread is paused during stylo traversal.)

If I'm thinking straight here, we can address this by taking the lock within UpdateShmBlocks() (which is only called in the main-thread case), and that way we can still avoid the cost on the main-thread "happy path".

Flags: needinfo?(jfkthame)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED

Comment on attachment 9364950 [details]
Bug 1862777 - Lock the list in UpdateShmBlocks. r=#gfx-reviewers

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not readily. The patch adds locking, which implies a possible race issue, but it's unclear how to reliably reproduce it, and the most likely result is a safe crash (though that probably can't be guaranteed)
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: should backport trivially
  • How likely is this patch to cause regressions; how much testing does it need?: minimal risk, just adds a missing lock
  • Is Android affected?: Yes
Attachment #9364950 - Flags: sec-approval?

Comment on attachment 9364950 [details]
Bug 1862777 - Lock the list in UpdateShmBlocks. r=#gfx-reviewers

Approved to land and uplift

Attachment #9364950 - Flags: sec-approval? → sec-approval+
Attachment #9365022 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Risk associated with taking this patch: minimal
  • String changes made/needed: none
  • Is Android affected?: yes
  • Steps to reproduce for manual QE testing: n/a
  • Explanation of risk level: just adds a lock to existing code
  • Needs manual QE test: no
  • User impact if declined: possible UAF/poisoned-value crashes
  • Fix verified in Nightly: no
  • Code covered by automated testing: yes
Attachment #9365025 - Flags: approval-mozilla-esr115?

Uplift Approval Request

  • Is Android affected?: yes
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: minimal
  • String changes made/needed: none
  • Fix verified in Nightly: no
  • User impact if declined: possible UAF/poisoned-value crash
  • Code covered by automated testing: yes
  • Needs manual QE test: no
  • Explanation of risk level: just adds a lock in existing code
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c3dfc3bdc689 Lock the list in UpdateShmBlocks. r=gfx-reviewers,lsalzman

Backed out in https://hg.mozilla.org/integration/autoland/rev/f7d3d45e1f4616c30fecfdf172da1341435cbb8b for thread-safety-analysis warnings:

/builds/worker/checkouts/gecko/gfx/thebes/SharedFontList.cpp:877:17: error: recursive mutex 'PlatformFontList(#undefined).mLock' is not held on every path through here [-Werror,-Wthread-safety-analysis]
/builds/worker/checkouts/gecko/gfx/thebes/SharedFontList.cpp:887:46: error: releasing recursive mutex 'PlatformFontList(#undefined).mLock' that was not held [-Werror,-Wthread-safety-analysis]

I'll add the necessary annotations, as we're deliberately not taking the lock on all codepaths here.

Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bcdbc1e5d9a7 Lock the list in UpdateShmBlocks. r=gfx-reviewers,lsalzman
Attachment #9365022 - Attachment is obsolete: true
Attachment #9365022 - Flags: approval-mozilla-beta?
Attachment #9365025 - Attachment is obsolete: true
Attachment #9365025 - Flags: approval-mozilla-esr115?
Attachment #9365079 - Flags: approval-mozilla-beta?
Attachment #9365080 - Flags: approval-mozilla-esr115?

https://hg.mozilla.org/mozilla-central/rev/bcdbc1e5d9a7

Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox120: --- → wontfix
status-firefox121: --- → affected
status-firefox122: --- → fixed
status-firefox-esr115: --- → affected
tracking-firefox121: --- → +
tracking-firefox122: --- → +
tracking-firefox-esr115: --- → 121+
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch

Comment on attachment 9365079 [details]
Bug 1862777 - Lock the list in UpdateShmBlocks. r=#gfx-reviewers

Approved for 120.0b3

Attachment #9365079 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Uplift Approval Request

  • Fix verified in Nightly: no
  • User impact if declined: possible UAF/poisoned-value crashes
  • Code covered by automated testing: yes
  • Needs manual QE test: no
  • Explanation of risk level: just adds a lock to existing code
  • Is Android affected?: yes
  • Steps to reproduce for manual QE testing: n/a
  • String changes made/needed: none
  • Risk associated with taking this patch: minimal

Comment on attachment 9365080 [details]
Bug 1862777 - Lock the list in UpdateShmBlocks. r=#gfx-reviewers

Approved for 115.6esr.

Attachment #9365080 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Uplift Approval Request

  • Is Android affected?: yes
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: minimal
  • String changes made/needed: none
  • User impact if declined: possible UAF/poisoned-value crashes
  • Fix verified in Nightly: no
  • Code covered by automated testing: yes
  • Needs manual QE test: no
  • Explanation of risk level: just adds a lock to existing code
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [adv-main121+r]
Whiteboard: [adv-main121+r] → [adv-main121+r][adv-esr115.6+r]

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: