Closed Bug 1881076 Opened 11 months ago Closed 10 months ago

Crash [@ operator]

Categories: Core :: Graphics: Canvas2D, defect

Tracking: RESOLVED FIXED, 126 Branch

Tracking Status
firefox-esr115 --- unaffected
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 + fixed
firefox126 + fixed

People: Reporter: jkratzer, Assigned: lsalzman

References: Blocks 1 open bug, Regression

Details: 5 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main125+r]

Attachments (3 files)

Testcase found while fuzzing mozilla-central rev ad2add2f3c60 (built with: --enable-address-sanitizer --enable-fuzzing).

I've erred on the side of caution and marked this as security sensitive simply based on the read address.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ad2add2f3c60 --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla --repeat 10 --relaunch 1 --no-harness ./firefox/firefox <bugid>
[@ operator]

    =================================================================
    ==1178768==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3f01ee2c54 (pc 0x7f3f23033286 bp 0x7ffebb44a1f0 sp 0x7ffebb44a1a0 T0)
    ==1178768==The signal is caused by a READ memory access.
        #0 0x7f3f23033286 in operator() /gfx/skia/skia/src/opts/SkBitmapProcState_opts.h:71:25
        #1 0x7f3f23033286 in operator() /gfx/skia/skia/src/opts/SkBitmapProcState_opts.h:82:40
        #2 0x7f3f23033286 in hsw::S32_alpha_D32_filter_DX(SkBitmapProcState const&, unsigned int const*, int, unsigned int*) /gfx/skia/skia/src/opts/SkBitmapProcState_opts.h:163:13
        #3 0x7f3f23384454 in BitmapProcShaderContext::shadeSpan(int, int, unsigned int*, int) /gfx/skia/skia/src/shaders/SkBitmapProcShader.cpp:58:13
        #4 0x7f3f22f1a7f8 in SkARGB32_Shader_Blitter::blitMask(SkMask const&, SkIRect const&) /gfx/skia/skia/src/core/SkBlitter_ARGB32.cpp:1335:29
        #5 0x7f3f237042cb in SkDraw::paintMasks(SkZip<SkGlyph const*, SkPoint>, SkPaint const&) const /gfx/skia/skia/src/core/SkDraw_text.cpp:118:30
        #6 0x7f3f2374b556 in SkGlyphRunListPainterCPU::drawForBitmapDevice(SkCanvas*, SkGlyphRunListPainterCPU::BitmapDevicePainter const*, sktext::GlyphRunList const&, SkPaint const&, SkMatrix const&) /gfx/skia/skia/src/core/SkGlyphRunPainter.cpp:276:27
        #7 0x7f3f23169633 in SkBitmapDevice::onDrawGlyphRunList(SkCanvas*, sktext::GlyphRunList const&, SkPaint const&, SkPaint const&) /gfx/skia/skia/src/core/SkBitmapDevice.cpp:526:5
        #8 0x7f3f23561d63 in SkCanvas::onDrawGlyphRunList(sktext::GlyphRunList const&, SkPaint const&) /gfx/skia/skia/src/core/SkCanvas.cpp:2380:28
        #9 0x7f3f23561a7f in SkCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) /gfx/skia/skia/src/core/SkCanvas.cpp:2370:11
        #10 0x7f3f235636bb in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) /gfx/skia/skia/src/core/SkCanvas.cpp:2529:15
        #11 0x7f3f177f9518 in drawTextBlob /gfx/skia/skia/include/core/SkCanvas.h:1894:15
        #12 0x7f3f177f9518 in mozilla::gfx::DrawTargetSkia::DrawGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const*, mozilla::gfx::DrawOptions const&) /gfx/2d/DrawTargetSkia.cpp:1305:14
        #13 0x7f3f183b5484 in FlushStroke /gfx/thebes/gfxFont.cpp:1952:20
        #14 0x7f3f183b5484 in GlyphBufferAzure::DrawStroke(gfxContext::AzureState const&, mozilla::gfx::GlyphBuffer&) /gfx/thebes/gfxFont.cpp:1943:9
        #15 0x7f3f183b4bfa in GlyphBufferAzure::FlushGlyphs() /gfx/thebes/gfxFont.cpp:1924:7
        #16 0x7f3f183332fe in ~GlyphBufferAzure /gfx/thebes/gfxFont.cpp:1804:7
        #17 0x7f3f183332fe in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) /gfx/thebes/gfxFont.cpp:2598:3
        #18 0x7f3f18476870 in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, gfxTextRun::PropertyProvider const*, gfxTextRun::Range, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) const /gfx/thebes/gfxTextRun.cpp:435:10
        #19 0x7f3f184796af in gfxTextRun::Draw(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>, gfxTextRun::DrawParams const&) const /gfx/thebes/gfxTextRun.cpp:689:5
        #20 0x7f3f1ba4eb6b in mozilla::dom::CanvasBidiProcessor::DrawText(int) /dom/canvas/CanvasRenderingContext2D.cpp:4560:15
        #21 0x7f3f20ee619b in nsBidiPresUtils::ProcessSimpleRun(char16_t const*, unsigned long, mozilla::intl::BidiEmbeddingLevel, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*) /layout/base/nsBidiPresUtils.cpp:2388:16
        #22 0x7f3f20ee5913 in nsBidiPresUtils::ProcessText(char16_t const*, unsigned long, mozilla::intl::BidiEmbeddingLevel, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*, mozilla::intl::Bidi&) /layout/base/nsBidiPresUtils.cpp:2166:5
        #23 0x7f3f1b8f0f74 in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:4917:12
        #24 0x7f3f1b8f2141 in mozilla::dom::CanvasRenderingContext2D::StrokeText(nsTSubstring<char16_t> const&, double, double, mozilla::dom::Optional<double> const&, mozilla::ErrorResult&) /dom/canvas/CanvasRenderingContext2D.cpp:4242:47
        #25 0x7f3f1a2b9480 in mozilla::dom::CanvasRenderingContext2D_Binding::strokeText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./CanvasRenderingContext2DBinding.cpp:7533:24
        #26 0x7f3f1b695124 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3258:13
        #27 0x7f3f25918a15 in CallJSNative /js/src/vm/Interpreter.cpp:480:13
        #28 0x7f3f25918a15 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:574:12
        #29 0x7f3f2593de15 in InternalCall /js/src/vm/Interpreter.cpp:641:10
        #30 0x7f3f2593de15 in CallFromStack /js/src/vm/Interpreter.cpp:646:10
        #31 0x7f3f2593de15 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3061:16
        #32 0x7f3f25917797 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:394:10
        #33 0x7f3f25917797 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:452:13
        #34 0x7f3f25918b7e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:606:13
        #35 0x7f3f2591ab06 in InternalCall /js/src/vm/Interpreter.cpp:641:10
        #36 0x7f3f2591ab06 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #37 0x7f3f25f0bbc3 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1585:10
        #38 0x7f3f25a7c64f in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:151:8
        #39 0x7f3f25dec3ef in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2127:12
        #40 0x7f3f25dec3ef in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2190:12
        #41 0x7f3f25918a15 in CallJSNative /js/src/vm/Interpreter.cpp:480:13
        #42 0x7f3f25918a15 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:574:12
        #43 0x7f3f2591ab06 in InternalCall /js/src/vm/Interpreter.cpp:641:10
        #44 0x7f3f2591ab06 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:673:8
        #45 0x7f3f25ad8ddb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #46 0x7f3f19e941f5 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8
        #47 0x7f3f14d91eaa in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #48 0x7f3f14d91eaa in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #49 0x7f3f14d91eaa in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:210:18
        #50 0x7f3f14d6894e in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:712:17
        #51 0x7f3f1b6bde29 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:241:7
        #52 0x7f3f1b6bde29 in mozilla::dom::CallbackObject::CallSetup::~CallSetup() /dom/bindings/CallbackObject.cpp:394:11
        #53 0x7f3f1f78c5f7 in ReceiveMessage /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MessageManagerBinding.h:655:3
        #54 0x7f3f1f78c5f7 in mozilla::dom::JSActor::CallReceiveMessage(JSContext*, mozilla::dom::JSActorMessageMeta const&, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /dom/ipc/jsactor/JSActor.cpp:288:22
        #55 0x7f3f1f78d024 in mozilla::dom::JSActor::ReceiveMessage(JSContext*, mozilla::dom::JSActorMessageMeta const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/ipc/jsactor/JSActor.cpp:304:3
        #56 0x7f3f1f7952e0 in mozilla::dom::JSActorManager::ReceiveRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&) /dom/ipc/jsactor/JSActorManager.cpp:220:14
        #57 0x7f3f1f29cb52 in mozilla::dom::WindowGlobalChild::RecvRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ClonedMessageData> const&, mozilla::Maybe<mozilla::dom::ClonedMessageData> const&) /dom/ipc/WindowGlobalChild.cpp:553:3
        #58 0x7f3f1f743aa2 in mozilla::dom::PWindowGlobalChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWindowGlobalChild.cpp:1712:85
        #59 0x7f3f1f4cbdba in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8276:32
        #60 0x7f3f16cccd05 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1813:25
        #61 0x7f3f16cc870b in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1732:9
        #62 0x7f3f16cc9ab9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #63 0x7f3f16ccb033 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #64 0x7f3f14fe056a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:578:16
        #65 0x7f3f14fc63eb in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:905:26
        #66 0x7f3f14fc2fc8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:728:15
        #67 0x7f3f14fc36c9 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:514:36
        #68 0x7f3f14fe8661 in operator() /xpcom/threads/TaskController.cpp:232:37
        #69 0x7f3f14fe8661 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #70 0x7f3f150105df in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #71 0x7f3f1501e31a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #72 0x7f3f16cd630e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #73 0x7f3f16af52ea in RunInternal /ipc/chromium/src/base/message_loop.cc:370:10
        #74 0x7f3f16af52ea in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #75 0x7f3f16af52ea in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #76 0x7f3f204c74c9 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #77 0x7f3f206d3b12 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:470:33
        #78 0x7f3f254c68ae in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #79 0x7f3f16af52ea in RunInternal /ipc/chromium/src/base/message_loop.cc:370:10
        #80 0x7f3f16af52ea in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #81 0x7f3f16af52ea in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #82 0x7f3f254c5e53 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #83 0x55edc64b853c in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #84 0x55edc64b853c in main /browser/app/nsBrowserApp.cpp:375:18
        #85 0x7f3f3d9d9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #86 0x7f3f3d9d9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #87 0x55edc63dc848 in _start (/home/jkratzer/builds/m-c-20240220094730-fuzzing-asan-opt/firefox+0xdc848) (BuildId: adcf29930d20af1b1c487ab52484075cec03f444)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /gfx/skia/skia/src/opts/SkBitmapProcState_opts.h:71:25 in operator()
    ==1178768==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240220212334-bf0897ec442e.
The bug appears to have been introduced in the following build range:

Start: f92c77fccb76549171ecc809818a26b1eb883b43 (20240211090343)
End: 13676fc9b0cd8461cb9863d3a2d1b9a696a9c0f5 (20240211152551)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f92c77fccb76549171ecc809818a26b1eb883b43&tochange=13676fc9b0cd8461cb9863d3a2d1b9a696a9c0f5

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Group: core-security → gfx-core-security

Setting Regressed by field after analyzing regression range found by bugmon in comment #2.

Regressed by: 1879743

The regression range doesn't seem all that likely for this Skia crash, but of the three the stylo change at least involves drawing things somehow. Probably just moved things around such that this testcase started working rather than actually regressed it.

Flags: needinfo?(emilio)

Set release status flags based on info from the regressing bug 1879743

Attachment #9381036 - Attachment mime type: application/octet-stream → text/html
Flags: needinfo?(emilio)

Yeah there are no custom properties on that patch, I think bugmon must have hallucinated.

Flags: needinfo?(jkratzer)

Lee, anything we can do here? Also, can you put a Severity on this when you get a chance?

Flags: needinfo?(lsalzman)
Flags: needinfo?(jkratzer)
Keywords: pernosco-wanted

(In reply to Emilio Cobos Álvarez (:emilio) from comment #6)

> Yeah there are no custom properties on that patch, I think bugmon must have hallucinated.

Looks like the testcase isn't too reliable. I've made some minor tweaks and ran the bisection again locally. Could this be a regression from bug 1880523?

Start: dbe553dd13b79a3c4821f203f3adca31fe71cc56 (20240215210102)
End: 02d5bc9805676f9a22f3cef50c86ddc38e7534d9 (20240215204446)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dbe553dd13b79a3c4821f203f3adca31fe71cc56&tochange=02d5bc9805676f9a22f3cef50c86ddc38e7534d9

A pernosco session for this bug can be found here.

I had a look at the pernosco trace. The invalid address 0x7f5202e12c20 is computed from offsetting the base pixmap pointer 0x7f5202e11000 by a rather small amount (7200 bytes). The memory comes from a read-only shmem mapped in CanvasChild::RecvSnapshotShmem. The shmem size is 180224 bytes. The mapping happens here, the code looks straightforward and it succeeds.

At the moment of the crash the base address 0x7f5202e11000 is invalid but the same address is valid just after the shmem is mapped. Unmapping happens here.

So it looks like somewhere under CanvasRenderingContext2D::ClearTarget we are letting go of a shmem which unmaps it, but there is still a DataSourceSurface wrapped around that shmem that is used later in CanvasRenderingContext2D::StrokeText.

I'm away until Monday. I can continue then or someone else can pick it up from the pernosco links in the meantime.

It seems like the symptoms are different, but for what it's worth, bug 1879651 is also concerned with mishandling of a shmem from a SnapshotShmem IPDL message. In that case, the Shmem was still alive, but its contents had been mapped read-only, and we were trying to write to them.

In the test case, it seems like the assignment to canvas.width is responsible for freeing the shmem. Then the subsequent call to strokeText is still using that memory.

We create a SkImage pointing to the freed buffer here.

In the test case, assigning to canvas.width causes the shmem holding the canvas's old pixels to be freed, while pattern is still pointing to them. At this point in the call to context.strokeText, pat->mSurface.mRawPtr->mDataSourceSurface.mRawPtr->mRawData is pointing at the freed bytes.

I'm not sure I'm keeping all the characters in this story straight, but here's what I believe is going on:

First, for the call to canvas.toBlob, SourceSurfaceCanvasRecording::EnsureDataSurfaceOnMainThread calls CanvasChild::GetDataSurface and stashes the result in its mDataSourceSurface field. CanvasChild::GetDataSurface returns a surface whose pixels are owned by the shmem held by CanvasChild::mTextureInfo, but the returned surface does not hold a refcounted pointer to that shmem.

Then, in response to the assignment to canvas.width, CanvasRenderingContext2D::ResetBitmap causes that CanvasChild::mTextureInfo entry to be removed, leaving the SourceSurfaceCanvasRecording with a dangling mDataSourceSurface.

Finally, the call to context.strokeText retrieves that SourceSurfaceCanvasRecording from pattern.

It seems to me that if CanvasChild::GetDataSurface wants to borrow the contents of one of its shmems, it had better return a DataSourceSurface that holds a reference-counted pointer to that shmem, or perhaps to the TextureClient that owns its id? I don't understand the purposes of these types well enough to say.

This needs to change:

> CanvasChild::GetDataSurface returns a surface whose pixels are owned by the shmem held by CanvasChild::mTextureInfo, but the returned surface does not hold a refcounted pointer to that shmem.

Assignee: nobody → jimb

The type returned by CanvasChild::GetDataSurface must own (or share ownership of) its bytes, so maybe this needs a new SourceSurfaceData internal type that holds a ref to the shmem.

BTW: this does need to be security-sensitive, as pattern is pointing to memory freed when the shmem is dropped.

> maybe this needs a new SourceSurfaceData internal type that holds a ref to the shmem.

DataSourceSurface has many subclasses, some of which seem promising.

  • At present, CanvasChild::GetDataSurface returns a SourceSurfaceRawData. It seems that SourceSurfaceRawData can take a deallocation callback with a closure. However, its SizeOfExcludingThis method suggests that the presence of a deallocation callback implies that it owns the data exclusively. So this subclass may not be appropriate when it is pointing into a shared buffer.

  • It seems like SourceSurfaceSharedData is custom-built for the case of pointing into a shared shmem. But then I wonder why the path in GetDataSurface that uses the entry from mTextureInfo wasn't already using that.

Severity: -- → S2
Flags: needinfo?(lsalzman)
Assignee: jimb → lsalzman
Status: NEW → ASSIGNED
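The ownership problem described in the comments above, as an added illustration in C++ that is not Gecko's own code: the names SnapshotShmem, BorrowedDataSurface, OwningDataSurface and CanvasChildModel are hypothetical stand-ins for the real shmem, SourceSurfaceRawData and CanvasChild types, and a weak_ptr stands in for the non-owning raw pointer so the dangling state is detected rather than dereferenced.

```cpp
// Simplified model of the Canvas2D snapshot-shmem ownership bug (bug 1881076).
// Added illustration, not Gecko code; all type and function names are
// hypothetical stand-ins for CanvasChild / SourceSurfaceRawData / ResetBitmap.
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>
#include <vector>

// Stand-in for the read-only shared memory mapping backing a canvas snapshot.
struct SnapshotShmem {
    std::vector<uint8_t> pixels;
    explicit SnapshotShmem(size_t size) : pixels(size, 0) {}
};

// Buggy shape: the surface keeps a pointer to the pixels but no reference to
// the shmem. A weak_ptr models that borrowed pointer so the example can detect
// "shmem gone" instead of reading unmapped memory as the real crash did.
class BorrowedDataSurface {
public:
    explicit BorrowedDataSurface(const std::shared_ptr<SnapshotShmem>& shmem)
        : mShmem(shmem) {}
    // Returns the pixel value, or -1 if the backing shmem has been released
    // or the offset is out of range.
    int ReadPixel(size_t offset) const {
        std::shared_ptr<SnapshotShmem> alive = mShmem.lock();
        if (!alive || offset >= alive->pixels.size()) return -1;
        return alive->pixels[offset];
    }
private:
    std::weak_ptr<SnapshotShmem> mShmem;  // non-owning: can dangle
};

// Fixed shape ("Ref snapshot shmem"): the surface shares ownership, so the
// mapping cannot be torn down while a consumer such as a pattern still uses it.
class OwningDataSurface {
public:
    explicit OwningDataSurface(std::shared_ptr<SnapshotShmem> shmem)
        : mShmem(std::move(shmem)) {}
    int ReadPixel(size_t offset) const {
        if (offset >= mShmem->pixels.size()) return -1;
        return mShmem->pixels[offset];
    }
private:
    std::shared_ptr<SnapshotShmem> mShmem;  // strong ref keeps the shmem alive
};

// Stand-in for CanvasChild: owns snapshot shmems keyed by texture id and hands
// out data surfaces over them.
class CanvasChildModel {
public:
    void RecvSnapshotShmem(int textureId, size_t size) {
        auto shmem = std::make_shared<SnapshotShmem>(size);
        std::memset(shmem->pixels.data(), 0xAB, size);  // constructed pixel data
        mTextureInfo[textureId] = shmem;
    }
    BorrowedDataSurface GetDataSurfaceBorrowed(int textureId) {
        return BorrowedDataSurface(mTextureInfo.at(textureId));
    }
    OwningDataSurface GetDataSurfaceOwning(int textureId) {
        return OwningDataSurface(mTextureInfo.at(textureId));
    }
    // Models the effect of assigning canvas.width: the texture entry is
    // dropped, and the shmem goes away unless someone else still holds it.
    void ResetBitmap(int textureId) { mTextureInfo.erase(textureId); }
private:
    std::map<int, std::shared_ptr<SnapshotShmem>> mTextureInfo;
};

// Replays the testcase sequence (snapshot for toBlob -> canvas.width reset ->
// strokeText reading the pattern) with the borrowing surface. Size and offset
// are the values quoted from the pernosco trace in this bug.
int ReplayTestcaseBorrowed() {
    CanvasChildModel child;
    child.RecvSnapshotShmem(1, 180224);
    BorrowedDataSurface pattern = child.GetDataSurfaceBorrowed(1);
    child.ResetBitmap(1);             // shmem released while pattern still refers to it
    return pattern.ReadPixel(7200);   // -1: the read would have been a use-after-free
}

// Same sequence with the owning surface: the pattern keeps the shmem alive.
int ReplayTestcaseOwning() {
    CanvasChildModel child;
    child.RecvSnapshotShmem(1, 180224);
    OwningDataSurface pattern = child.GetDataSurfaceOwning(1);
    child.ResetBitmap(1);
    return pattern.ReadPixel(7200);   // 0xAB: pixels still mapped
}
```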

Comment on attachment 9390326 [details]
Bug 1881076 - Ref snapshot shmem (125). r?aosmond

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: This is just a read of a use-after-free with shared memory.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: 123+
  • If not all supported branches, which bug introduced the flaw?: Bug 1829026
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9390326 - Flags: sec-approval?
OS: Linux → Unspecified
Regressed by: 1829026
No longer regressed by: 1879743
Hardware: x86_64 → Unspecified
Flags: needinfo?(dveditz)

I assume the needinfo for me is about the pending sec-approval. We don't do sec-approvals during the "release candidate" phase of each cycle unless they are stop-ship issues. See the key dates on the release calendars: https://whattrainisitnow.com/release/?version=beta

> Beta 9 | Go to build | Last beta uplifts (sec-approval request deadline) | April 5

I don't know why they take all these dates off the just-shipped release. Makes it hard to figure this out retrospectively, but I think it was March 8 for the Fx124 cycle. sec-approvals should open up soon (pwn2own chaos might delay it).

Flags: needinfo?(dveditz) → needinfo?(tom)

This will end up stalling work in several other bugs around the area for several weeks, and I would like to be able to finally start landing some of the other important bug fixes that need to be layered on top of this. There are other engineers who are blocked on this as well.

Alternatively, I can choose to complicate landing the sec bug here slightly, by landing my other non-sec work first that conflicts with this patch. That means we will be forced to take up divergent versions of the patches to deal with the merge conflicts that would be created. But that seems like what we might have to do if the delay is really going to be that long. Maybe that is really the lesser evil here.

Comment on attachment 9390326 [details]
Bug 1881076 - Ref snapshot shmem (125). r?aosmond

sec-approvals were paused for a few days after merge, thanks for the patience. Approved to land and uplift; since this is shared memory related, could it be used as a sandbox escape?

Flags: needinfo?(tom)
Attachment #9390326 - Flags: sec-approval? → sec-approval+

The shmem is read-only and used in read-only contexts. I couldn't really imagine how you would craft an escape.

Attachment #9390326 - Attachment description: Bug 1881076 - Ref snapshot shmem. r?aosmond → Bug 1881076 - Ref snapshot shmem (125). r?aosmond

Comment on attachment 9390326 [details]
Bug 1881076 - Ref snapshot shmem (125). r?aosmond

Beta/Release Uplift Approval Request

  • User impact if declined: Potential read-only use-after-free of a shmem when using Canvas2D.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9390326 - Attachment description: Bug 1881076 - Ref snapshot shmem (125). r?aosmond → Bug 1881076 - Ref snapshot shmem. r?aosmond
Attachment #9390326 - Flags: approval-mozilla-beta?
Attachment #9392650 - Flags: approval-mozilla-beta?
Backout by smolnar@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5d6efea5e0bb Backed out changeset 968097672e64 for causing assertion failures @ gfx/layers/ipc/CanvasChild.cpp CLOSED TREE

Backed out for asserting in gfx/layers/ipc/CanvasChild.cpp:
https://hg.mozilla.org/integration/autoland/rev/5d6efea5e0bbc9c3cb2231d09450c2c7dd045122

Push with failures / Failure log -> Assertion failure: !mDataSurfaceShmemAvailable, at /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp

[task 2024-03-22T05:25:15.872Z] 05:25:15     INFO - TEST-START | toolkit/components/pdfjs/test/browser_pdfjs_filters.js
[task 2024-03-22T05:25:15.890Z] 05:25:15     INFO - GECKO(9908) | [Child 10019: Main Thread]: I/DocShellAndDOMWindowLeak ++DOCSHELL 7f706cb80000 == 2 [pid = 10019] [id = 4]
[task 2024-03-22T05:25:15.891Z] 05:25:15     INFO - GECKO(9908) | [Child 10019: Main Thread]: I/DocShellAndDOMWindowLeak ++DOMWINDOW == 4 (7f706c227020) [pid = 10019] [serial = 12] [outer = 0]
[task 2024-03-22T05:25:15.892Z] 05:25:15     INFO - GECKO(9908) | [Child 10019: Main Thread]: I/DocShellAndDOMWindowLeak ++DOMWINDOW == 5 (7f706cb80800) [pid = 10019] [serial = 13] [outer = 7f706c227020]
[task 2024-03-22T05:25:15.972Z] 05:25:15     INFO - GECKO(9908) | [Child 10019: Main Thread]: I/DocShellAndDOMWindowLeak ++DOMWINDOW == 6 (7f706cb7a000) [pid = 10019] [serial = 14] [outer = 7f706c227020]
[task 2024-03-22T05:25:16.393Z] 05:25:16     INFO - GECKO(9908) | [Child 10344: Main Thread]: I/DocShellAndDOMWindowLeak ++DOCSHELL 7f7158b60400 == 1 [pid = 10344] [id = 0]
[task 2024-03-22T05:25:16.395Z] 05:25:16     INFO - GECKO(9908) | [Child 10344: Main Thread]: I/DocShellAndDOMWindowLeak ++DOMWINDOW == 1 (7f7176ec1020) [pid = 10344] [serial = 1] [outer = 0]
[task 2024-03-22T05:25:16.395Z] 05:25:16     INFO - GECKO(9908) | [Child 10344: Main Thread]: I/DocShellAndDOMWindowLeak ++DOMWINDOW == 2 (7f7158b63400) [pid = 10344] [serial = 2] [outer = 7f7176ec1020]
[task 2024-03-22T05:25:16.502Z] 05:25:16     INFO - GECKO(9908) | [Child 10344: Main Thread]: I/DocShellAndDOMWindowLeak ++DOMWINDOW == 3 (7f7158b66800) [pid = 10344] [serial = 3] [outer = 7f7176ec1020]
[task 2024-03-22T05:25:16.522Z] 05:25:16     INFO - GECKO(9908) | [Child 10344, Main Thread] WARNING: '!ClientIsValidCreationURL(mClientInfo.PrincipalInfo(), aArgs.url())', file /builds/worker/checkouts/gecko/dom/clients/manager/ClientSource.cpp:65
[task 2024-03-22T05:25:16.523Z] 05:25:16     INFO - GECKO(9908) | [Child 10344, Main Thread] WARNING: Listener is not retargetable: file /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:3089
[task 2024-03-22T05:25:16.524Z] 05:25:16     INFO - GECKO(9908) | [Child 10344, Main Thread] WARNING: Failed to retarget HTML data delivery to the parser thread.: file /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:1215
[task 2024-03-22T05:25:17.223Z] 05:25:17     INFO - GECKO(9908) | [Child 9989: Main Thread]: I/DocShellAndDOMWindowLeak --DOMWINDOW == 11 (7fa1df73c980) [pid = 9989] [serial = 5] [outer = 0] [url = moz-extension://a382660d-ebf8-4278-8eb2-12a850b9c0fe/_generated_background_page.html]
[task 2024-03-22T05:25:17.476Z] 05:25:17     INFO - GECKO(9908) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpkdbeoppd.mozrunner/runtests_leaks_tab_pid10452.log
[task 2024-03-22T05:25:17.565Z] 05:25:17     INFO - GECKO(9908) | [Child 10452, Main Thread] WARNING: could not set real-time limit in CubebUtils::InitLibrary: file /builds/worker/checkouts/gecko/dom/media/CubebUtils.cpp:693
[task 2024-03-22T05:25:17.841Z] 05:25:17     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: Failed to create EGLContext with khr_rbab_attribs: file /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:723
[task 2024-03-22T05:25:17.842Z] 05:25:17     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: Failed to create EGLContext with khr_robustness_attribs: file /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:735
[task 2024-03-22T05:25:17.842Z] 05:25:17     INFO - GECKO(9908) | Initializing context 7efdfb790eb0 surface 0 on display 7efe237c5100
[task 2024-03-22T05:25:17.849Z] 05:25:17     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: robust_buffer_access_behavior marked as unsupported: file /builds/worker/checkouts/gecko/gfx/gl/GLContextFeatures.cpp:638
[task 2024-03-22T05:25:17.850Z] 05:25:17     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: Robustness supported, strategy is not LOSE_CONTEXT_ON_RESET!: file /builds/worker/checkouts/gecko/gfx/gl/GLContext.cpp:980
[task 2024-03-22T05:25:17.850Z] 05:25:17     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: robustness marked as unsupported: file /builds/worker/checkouts/gecko/gfx/gl/GLContextFeatures.cpp:638
[task 2024-03-22T05:25:17.917Z] 05:25:17     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: Failed to make an ideal SurfaceFactory.: file /builds/worker/checkouts/gecko/dom/canvas/WebGLContext.cpp:1067
[task 2024-03-22T05:25:18.320Z] 05:25:18     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: FuncScope not on stack!: file /builds/worker/checkouts/gecko/dom/canvas/WebGLContext.cpp:1898
[task 2024-03-22T05:25:18.321Z] 05:25:18     INFO - GECKO(9908) | [Parent 9908, CanvasRenderer] WARNING: FuncScope not on stack!: file /builds/worker/checkouts/gecko/dom/canvas/WebGLContext.cpp:1898
[task 2024-03-22T05:25:18.405Z] 05:25:18     INFO - GECKO(9908) | Assertion failure: !mDataSurfaceShmemAvailable, at /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp:597
[task 2024-03-22T05:25:18.444Z] 05:25:18     INFO -  Initializing stack-fixing for the first stack frame, this may take a while...
[task 2024-03-22T05:26:01.191Z] 05:26:01     INFO - GECKO(9908) | #01: mozilla::layers::CanvasChild::ReturnDataSurfaceShmem(already_AddRefed<mozilla::ipc::SharedMemoryBasic>) [gfx/layers/ipc/CanvasChild.cpp:597]
[task 2024-03-22T05:26:01.194Z] 05:26:01     INFO - GECKO(9908) | #02: mozilla::layers::CanvasDataShmemHolder::Destroy() [gfx/layers/ipc/CanvasChild.cpp:255]
[task 2024-03-22T05:26:01.196Z] 05:26:01     INFO - GECKO(9908) | #03: mozilla::gfx::SourceSurfaceRawData::~SourceSurfaceRawData() [gfx/2d/SourceSurfaceRawData.h:61]
[task 2024-03-22T05:26:01.197Z] 05:26:01     INFO - GECKO(9908) | #04: mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::Release() const [mfbt/ThreadSafeWeakPtr.h:0]
[task 2024-03-22T05:26:01.203Z] 05:26:01     INFO - GECKO(9908) | #05: mozilla::layers::SourceSurfaceCanvasRecording::~SourceSurfaceCanvasRecording() [gfx/layers/ipc/CanvasChild.cpp:118]
[task 2024-03-22T05:26:01.203Z] 05:26:01     INFO - GECKO(9908) | #06: mozilla::layers::SourceSurfaceCanvasRecording::~SourceSurfaceCanvasRecording() [gfx/layers/ipc/CanvasChild.cpp:102]
[task 2024-03-22T05:26:01.204Z] 05:26:01     INFO - GECKO(9908) | #07: mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::Release() const [mfbt/ThreadSafeWeakPtr.h:0]
[task 2024-03-22T05:26:01.206Z] 05:26:01     INFO - GECKO(9908) | #08: mozilla::layers::RecordedTextureData::BorrowDrawTarget() [gfx/layers/client/TextureRecorded.cpp:130]
[task 2024-03-22T05:26:01.207Z] 05:26:01     INFO - GECKO(9908) | #09: mozilla::layers::TextureClient::BorrowDrawTarget() [gfx/layers/client/TextureClient.cpp:992]
[task 2024-03-22T05:26:01.207Z] 05:26:01     INFO - GECKO(9908) | #10: mozilla::layers::TextureClient::Lock(mozilla::layers::OpenMode) [gfx/layers/client/TextureClient.cpp:784]
[task 2024-03-22T05:26:01.208Z] 05:26:01     INFO - GECKO(9908) | #11: mozilla::layers::PersistentBufferProviderAccelerated::BorrowDrawTarget(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) [gfx/layers/PersistentBufferProvider.cpp:191]
[task 2024-03-22T05:26:01.209Z] 05:26:01     INFO - GECKO(9908) | #12: mozilla::dom::CanvasRenderingContext2D::BorrowTarget(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool) [dom/canvas/CanvasRenderingContext2D.cpp:1415]
[task 2024-03-22T05:26:01.220Z] 05:26:01     INFO - GECKO(9908) | #13: mozilla::dom::CanvasRenderingContext2D::EnsureTarget(mozilla::ErrorResult&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, bool) [dom/canvas/CanvasRenderingContext2D.cpp:0]
[task 2024-03-22T05:26:01.220Z] 05:26:01     INFO - GECKO(9908) | #14: mozilla::dom::CanvasRenderingContext2D::UpdateWebRenderCanvasData(mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderCanvasData*) [dom/canvas/CanvasRenderingContext2D.cpp:6348]
[task 2024-03-22T05:26:01.220Z] 05:26:01     INFO - GECKO(9908) | #15: nsDisplayCanvas::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) [layout/generic/nsHTMLCanvasFrame.cpp:150]
[task 2024-03-22T05:26:01.220Z] 05:26:01     INFO - GECKO(9908) | #16: mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) [gfx/layers/wr/WebRenderCommandBuilder.cpp:1867]
[task 2024-03-22T05:26:01.220Z] 05:26:01     INFO - GECKO(9908) | #17: mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) [gfx/layers/wr/WebRenderCommandBuilder.cpp:0]
[task 2024-03-22T05:26:01.224Z] 05:26:01     INFO - GECKO(9908) | #18: mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) [layout/painting/nsDisplayList.cpp:5213]
[task 2024-03-22T05:26:01.225Z] 05:26:01     INFO - GECKO(9908) | #19: mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) [gfx/layers/wr/WebRenderCommandBuilder.cpp:1867]
[task 2024-03-22T05:26:01.232Z] 05:26:01     INFO - GECKO(9908) | #20: mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) [gfx/layers/wr/WebRenderCommandBuilder.cpp:0]
[task 2024-03-22T05:26:01.235Z] 05:26:01     INFO - GECKO(9908) | #21: mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) [gfx/layers/wr/WebRenderCommandBuilder.cpp:1785]
[task 2024-03-22T05:26:01.237Z] 05:26:01     INFO - GECKO(9908) | #22: mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) [gfx/layers/wr/WebRenderLayerManager.cpp:368]
[task 2024-03-22T05:26:01.238Z] 05:26:01     INFO - GECKO(9908) | #23: mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) [layout/painting/nsDisplayList.cpp:2274]
[task 2024-03-22T05:26:01.244Z] 05:26:01     INFO - GECKO(9908) | #24: nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) [layout/base/nsLayoutUtils.cpp:3316]
[task 2024-03-22T05:26:01.245Z] 05:26:01     INFO - GECKO(9908) | #25: mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) [layout/base/PresShell.cpp:6500]
[task 2024-03-22T05:26:01.248Z] 05:26:01     INFO - GECKO(9908) | #26: nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) [view/nsViewManager.cpp:409]
[task 2024-03-22T05:26:01.252Z] 05:26:01     INFO - GECKO(9908) | #27: nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) [view/nsViewManager.cpp:344]
[task 2024-03-22T05:26:01.253Z] 05:26:01     INFO - GECKO(9908) | #28: nsViewManager::ProcessPendingUpdates() [view/nsViewManager.cpp:917]
[task 2024-03-22T05:26:01.254Z] 05:26:01     INFO - GECKO(9908) | #29: nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) [layout/base/nsRefreshDriver.cpp:2821]
[task 2024-03-22T05:26:01.255Z] 05:26:01     INFO - GECKO(9908) | #30: mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [layout/base/nsRefreshDriver.cpp:345]
[task 2024-03-22T05:26:01.256Z] 05:26:01     INFO - GECKO(9908) | #31: mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [layout/base/nsRefreshDriver.cpp:363]
[task 2024-03-22T05:26:01.257Z] 05:26:01     INFO - GECKO(9908) | #32: mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [layout/base/nsRefreshDriver.cpp:952]
[task 2024-03-22T05:26:01.258Z] 05:26:01     INFO - GECKO(9908) | #33: mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [layout/base/nsRefreshDriver.cpp:863]
[task 2024-03-22T05:26:01.261Z] 05:26:01     INFO - GECKO(9908) | #34: mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() [layout/base/nsRefreshDriver.cpp:593]
[task 2024-03-22T05:26:01.261Z] 05:26:01     INFO - GECKO(9908) | #35: mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) [dom/ipc/VsyncMainChild.cpp:67]
[task 2024-03-22T05:26:01.262Z] 05:26:01     INFO - GECKO(9908) | #36: mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) [s3:gecko-generated-sources:f9ff542c6e5e2edb4b81610938f318481db54d58dc29d4953f317310cfcba6ae4b47f755eba281552e1bad3625793bd462aa70401898494444a085de30b5a58e/ipc/ipdl/PVsyncChild.cpp::0]
[task 2024-03-22T05:26:01.268Z] 05:26:01     INFO - GECKO(9908) | #37: mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) [s3:gecko-generated-sources:0dc8bf5e3bea75eaeb1725cb4eeeefe54ad7f3584d36f5535b045639506d3f1ffcb7edad2e2b4866396bb8aa42fc8a9fcbae6f7788d7d0c7c4cdea2837946935/ipc/ipdl/PBackgroundChild.cpp::5559]
[task 2024-03-22T05:26:01.275Z] 05:26:01     INFO - GECKO(9908) | #38: mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) [ipc/glue/MessageChannel.cpp:1818]
[task 2024-03-22T05:26:01.275Z] 05:26:01     INFO - GECKO(9908) | #39: mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) [ipc/glue/MessageChannel.cpp:0]
[task 2024-03-22T05:26:01.276Z] 05:26:01     INFO - GECKO(9908) | #40: mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) [ipc/glue/MessageChannel.cpp:1530]
[task 2024-03-22T05:26:01.276Z] 05:26:01     INFO - GECKO(9908) | #41: mozilla::ipc::MessageChannel::MessageTask::Run() [ipc/glue/MessageChannel.cpp:1637]
[task 2024-03-22T05:26:01.277Z] 05:26:01     INFO - GECKO(9908) | #42: mozilla::RunnableTask::Run() [xpcom/threads/TaskController.cpp:579]
[task 2024-03-22T05:26:01.277Z] 05:26:01     INFO - GECKO(9908) | #43: mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [xpcom/threads/TaskController.cpp:905]
[task 2024-03-22T05:26:01.278Z] 05:26:01     INFO - GECKO(9908) | #44: mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [xpcom/threads/TaskController.cpp:0]
[task 2024-03-22T05:26:01.278Z] 05:26:01     INFO - GECKO(9908) | #45: mozilla::TaskController::ProcessPendingMTTask(bool) [xpcom/threads/TaskController.cpp:514]
[task 2024-03-22T05:26:01.279Z] 05:26:01     INFO - GECKO(9908) | #46: mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() [xpcom/threads/nsThreadUtils.h:549]
[task 2024-03-22T05:26:01.279Z] 05:26:01     INFO - GECKO(9908) | #47: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1203]
[task 2024-03-22T05:26:01.280Z] 05:26:01     INFO - GECKO(9908) | #48: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/threads/nsThreadUtils.cpp:480]
[task 2024-03-22T05:26:01.285Z] 05:26:01     INFO - GECKO(9908) | #49: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:0]
[task 2024-03-22T05:26:01.285Z] 05:26:01     INFO - GECKO(9908) | #50: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:346]
[task 2024-03-22T05:26:01.286Z] 05:26:01     INFO - GECKO(9908) | #51: nsBaseAppShell::Run() [widget/nsBaseAppShell.cpp:150]
[task 2024-03-22T05:26:01.286Z] 05:26:01     INFO - GECKO(9908) | #52: nsAppShell::Run() [widget/gtk/nsAppShell.cpp:470]
[task 2024-03-22T05:26:01.286Z] 05:26:01     INFO - GECKO(9908) | #53: XRE_RunAppShell() [toolkit/xre/nsEmbedFunctions.cpp:712]
[task 2024-03-22T05:26:01.287Z] 05:26:01     INFO - GECKO(9908) | #54: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:235]
[task 2024-03-22T05:26:01.287Z] 05:26:01     INFO - GECKO(9908) | #55: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:346]
[task 2024-03-22T05:26:01.288Z] 05:26:01     INFO - GECKO(9908) | #56: XRE_InitChildProcess(int, char**, XREChildData const*) [toolkit/xre/nsEmbedFunctions.cpp:651]
[task 2024-03-22T05:26:01.539Z] 05:26:01     INFO - GECKO(9908) | #57: main [browser/app/nsBrowserApp.cpp:375]
[task 2024-03-22T05:26:01.546Z] 05:26:01     INFO - GECKO(9908) | #58: __libc_start_main [/lib/x86_64-linux-gnu/libc.so.6 + 0x21b97]
[task 2024-03-22T05:26:01.554Z] 05:26:01     INFO - GECKO(9908) | #59: ??? [/builds/worker/workspace/build/application/firefox/firefox-bin + 0x3dfc9]
[task 2024-03-22T05:26:01.554Z] 05:26:01     INFO - GECKO(9908) | #60: ??? (???:???)
Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)

Testcase crashes using the initial build (mozilla-central 20240220094730-ad2add2f3c60) but not with tip (mozilla-central 20240322093041-5d6efea5e0bb).

Unable to bisect testcase (End build crashes!):

Start: ad2add2f3c608b924436c34684c1a775130e74ce (20240220094730)
End: 5d6efea5e0bbc9c3cb2231d09450c2c7dd045122 (20240322093041)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch

Does the Beta patch need revising to address the reasons it was backed out from autoland or is it not impacted?

Flags: needinfo?(lsalzman)
Attachment #9392650 - Flags: approval-mozilla-beta?

It was a merge conflict due to patches that landed before sec approval was granted, which I subsequently fixed.

However, the bad news is more patches landed to beta meanwhile, so neither of these patches apply cleanly to beta anymore. The one that went into nightly should apply with some fuzz, I think.

But I am also fine with just wontfixing 125 if you are. I am not entirely sure this is very exploitable due to the read only nature of the memory use?

Flags: needinfo?(lsalzman)

Comment on attachment 9390326 [details]
Bug 1881076 - Ref snapshot shmem (125). r?aosmond

Better safe than sorry I think. Approved for 125.0b4.

Attachment #9390326 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9390326 - Attachment description: Bug 1881076 - Ref snapshot shmem. r?aosmond → Bug 1881076 - Ref snapshot shmem (125). r?aosmond
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main125+r]
Group: core-security-release