Closed Bug 1901700 Opened 1 year ago Closed 1 year ago

Crash in [@ hwy::N_AVX3::LoadU]

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- disabled
firefox127 --- unaffected
firefox128 --- disabled
firefox129 --- fixed

People

(Reporter: aryx, Assigned: saschanaz)

References

(Regression)

Details

(4 keywords, Whiteboard: [sec-high if included in release or default "on" on any channel])

Crash Data

7 crashes from 5 installs of 128.0a1 and 129.0a1 on Windows. libjxl had been updated on June 7 in bug 1900670.

Kagami, please evaluate this bug.

Crash report: https://crash-stats.mozilla.org/report/index/18f5cb97-9cb2-4167-9944-1cb630240611

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  hwy::N_AVX3::LoadU(hwy::N_AVX3::Simd<float, 16, 0>, float const*)  third_party/jpeg-xl/lib/jxl/render_pipeline/stage_gaborish.cc:68
0  xul.dll  jxl::N_AVX3::GaborishStage::ProcessRow(std::vector<std::vector<float*, std::a...  third_party/jpeg-xl/lib/jxl/render_pipeline/stage_gaborish.cc:71
1  xul.dll  jxl::LowMemoryRenderPipeline::RenderRect(unsigned long long, std::vector<jxl:...  third_party/jpeg-xl/lib/jxl/render_pipeline/low_memory_render_pipeline.cc:725
2  xul.dll  jxl::LowMemoryRenderPipeline::ProcessBuffers(unsigned long long, unsigned lon...  third_party/jpeg-xl/lib/jxl/render_pipeline/low_memory_render_pipeline.cc:892
3  xul.dll  jxl::RenderPipeline::InputReady(unsigned long long, unsigned long long, std::...  third_party/jpeg-xl/lib/jxl/render_pipeline/render_pipeline.cc:121
3  xul.dll  jxl::RenderPipelineInput::Done()  third_party/jpeg-xl/lib/jxl/render_pipeline/render_pipeline.cc:135
4  xul.dll  jxl::FrameDecoder::ProcessACGroup(unsigned long long, jxl::BitReader**, unsig...  third_party/jpeg-xl/lib/jxl/dec_frame.cc:547
5  xul.dll  jxl::FrameDecoder::ProcessSections::<lambda_2>::operator()(unsigned long long...  third_party/jpeg-xl/lib/jxl/dec_frame.cc:700
5  xul.dll  jxl::ThreadPool::RunCallState<`lambda at /builds/worker/checkouts/gecko/third...  third_party/jpeg-xl/lib/jxl/base/data_parallel.h:94
6  xul.dll  jpegxl::ThreadParallelRunner::RunRange(jpegxl::ThreadParallelRunner*, unsigne...  third_party/jpeg-xl/lib/threads/thread_parallel_runner_internal.cc:145
Flags: needinfo?(krosylight)

Without a testcase I can't say much, but I can try updating highway and see if it helps.

Assignee: nobody → krosylight
Flags: needinfo?(krosylight)
See Also: → 1901750
See Also: → 1901751
Depends on: 1901754
Group: media-core-security → gfx-core-security

jpeg xl is nightly only and presumably one has to enable the jpegxl pref for this too, so S3.

Severity: -- → S3
Duplicate of this bug: 1901750
Duplicate of this bug: 1901751

I tagged this "csectype-wildptr", but given the crashing instruction it could be just a plain bounds issue. Do we test this code under ASAN?

Copying crash signatures from duplicate bugs.

Crash Signature: [@ hwy::N_AVX3::LoadU] → [@ hwy::N_AVX3::LoadU] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnPNS4_IXcl6IsSameIS6_fEEEE4typeELSA_0EEENS0_6Vec128IfLm4EEES5_PKf]

Copying crash signatures from duplicate bugs.

Crash Signature: [@ hwy::N_AVX3::LoadU] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnPNS4_IXcl6IsSameIS6_fEEEE4typeELSA_0EEENS0_6Vec128IfLm4EEES5_PKf] → [@ hwy::N_AVX3::LoadU] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnPNS4_IXcl6IsSameIS6_fEEEE4typeELSA_0EEENS0_6Vec128IfLm4EEES5_PKf] [@ _ZN3hwy6N_AVX3L5LoadUINS0_4SimdIfLm16ELi0EEETnP…

(In reply to Daniel Veditz [:dveditz] from comment #5)

Do we test this code under ASAN?

There are some jpegxl reftests, gtests, and webplatform tests. I'm not sure which suites we regularly run under asan.

Crash Signature: [@ hwy::N_AVX3::LoadU] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnPNS4_IXcl6IsSameIS6_fEEEE4typeELSA_0EEENS0_6Vec128IfLm4EEES5_PKf] [@ → [@ hwy::N_AVX3::LoadU] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnPNS4_IXcl6IsSameIS6_fEEEE4typeELSA_0EEENS0_6Vec128IfLm4EEES5_PKf] [@

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:saschanaz, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(krosylight)

Should this remain sec-high even if it's disabled by default and included only on nightly (non-nightly cannot enable this) ?

Flags: needinfo?(krosylight) → needinfo?(dveditz)

It's sec-high with a status of "disabled". If we downrate the security severity there is nothing that would trigger us to uprate it again if we change the build such that this feature makes it into release. This is not a common situation thus the bugbot comment, but I agree this is definitely not an "S2" bug as long as it's disabled.

Flags: needinfo?(dveditz)

Maybe you have a point; JXL is in a weird limbo. It exists, but doesn't seem like we plan to ship it. Is there a master JXL bug this could block?

Keywords: sec-highsec-moderate
Whiteboard: [sec-high if included in release or default "on" on any channel]

I don't see a sec bug there, but I don't have a permission to see one either. We can try pinging them if needed.

Looks like this is still happening after lib update, I'll ping the authors.

Duplicate of this bug: 1903932

Copying crash signatures from duplicate bugs.

Crash Signature: _ZN3hwy6N_AVX3L5LoadUINS0_4SimdIfLm16ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi64EEE4typeELPv0EEENS0_6Vec512IfEES5_PKf] → _ZN3hwy6N_AVX3L5LoadUINS0_4SimdIfLm16ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi64EEE4typeELPv0EEENS0_6Vec512IfEES5_PKf] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnP…

So Google pointed out it's fixed a few days ago but one shouldn't be affected by this with tagged releases. So far we have been sticking with the main branch, we should stop that. That's bug 1904318.

Crash Signature: [@ hwy::N_AVX3::LoadU] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnPNS4_IXcl6IsSameIS6_fEEEE4typeELSA_0EEENS0_6Vec128IfLm4EEES5_PKf] [@ _ZN3hwy6N_AVX3L5LoadUINS0_4SimdIfLm16ELi0EEET… → [@ hwy::N_AVX3::LoadU]
See Also: → 1904318

Wait why the signature change? Can't roll it back because it's not fully shown in comment #16 😬

Crash Signature: [@ hwy::N_AVX3::LoadU] → [@ hwy::N_AVX3::LoadU] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETnPNS_9EnableIfTIXeqmlsrT_13kPrivateLanesstNS5_1TELi16EEE4typeELPv0ETnPNS4_IXcl6IsSameIS6_fEEEE4typeELSA_0EEENS0_6Vec128IfLm4EEES5_PKf] [@ _ZN3hwy6N_NEONL5LoadUINS0_4SimdIfLm4ELi0EEETn…

It's gone after bug 1904318.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
status-firefox129: disabledfixed
status-firefox-esr128: --- → disabled
Target Milestone: --- → 129 Branch
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.