Closed Bug 1974596 Opened 11 months ago Closed 8 months ago

UAF Crash in [@ gdk_x11_app_launch_context_get_type]

Categories

(Core :: Graphics, defect, P3)

Product:
Core
Component:
Graphics
Platform:
Other
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
142 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 141+ fixed
firefox141 --- fixed
firefox142 --- fixed

People

(Reporter: release-mgmt-account-bot, Assigned: nical)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/c2af800e-22ac-4055-8b85-3f1aa0250628

Reason: SIGSEGV / SI_KERNEL

Top 10 frames of crashing thread:

0  libgdk-3.so.0  gdk_x11_app_launch_context_get_type  
1  libX11.so.6  handle_response  /build/libx11-aL6a2q/libx11-1.8.7/src/xcb_io.c:397
2  libX11.so.6  _XReply  /build/libx11-aL6a2q/libx11-1.8.7/src/xcb_io.c:747
3  libnvidia-glsi.so.570.133.07  _nv000glsi  
4  libnvidia-glsi.so.570.133.07  _nv000glsi  
5  libnvidia-eglcore.so.570.133.07  NvGlEglApiInit  
6  libnvidia-eglcore.so.570.133.07  _glDeterministicTPCModeDistParams  
7  libnvidia-eglcore.so.570.133.07  _glDeterministicTPCModeDistParams  
8  libnvidia-eglcore.so.570.133.07  NvGlEglGetFunctions  
9  libnvidia-eglcore.so.570.133.07  NvGlEglGetFunctions

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2025-04-22
  • Process type: Parent
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No
  • Is use after free crash: Yes - 3 out of 6 crashes happened on or near an allocator poison value
Group: core-security → gfx-core-security
Component: General → Graphics
Blocks: gfx-driver-bug
Severity: -- → S3
Priority: -- → P3

I see two main types of crashes with this signature, and both have been around a while.

75% of crashes with this signature are like the one in comment 0

  • crash on address 0xe5e5e5e5e5e5ef3d—always, which is a little unusual. many UAF-type signatures vary a bit in the offset. This could mean it's always the same kind of freed object being used to get at the same member, even though there's some variation in the webrendery parts of the stack above
  • crash reason is SIGSEGV / SI_KERNEL
  • always webrender in the stack
  • always one or more libnvidia libraries in the stack
  • URLs are mostly movies (youtube, twitch, porn, ...)

Let's focus on the clear UAF in this bug.

There's another set of crashes where the thread gets killed by the OS. Ignore those for this bug—it's something different

  • crash reason is SIGABRT / SI_TKILL
  • crash address is always 0x000003e800xxxxxx, but I don't see anything like this in the captured registers
  • no webrender, appear to be processing events under nsAppShell::ProcessNextNativeEvent(bool)

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:bhood, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(bhood)

I suspect this might be fixed by bug #1973975

See Also: → 1973975
Flags: needinfo?(bhood)

Waiting to see if any crashes show up in 141.

The patch we think fixed it will actually be in 142, so we'll need to wait for that to see if this is resolved.

status-firefox141: --- → wontfix
status-firefox-esr115: --- → affected
status-firefox-esr128: --- → affected
status-firefox-esr140: --- → affected
Summary: Crash in [@ gdk_x11_app_launch_context_get_type] → UAF Crash in [@ gdk_x11_app_launch_context_get_type]

Waiting on Fx142 to ship.

I think the only crash we see on 142.0rc1 is a red herring https://crash-stats.mozilla.org/report/index/e66bb486-b73f-4a2e-a540-818470250816 - it may be the old NVEGL issue as that distribution version is pretty old (2023).

We will leave this open for another week, and evaluate closing it if the crash volume remains low/flat lined.

(In reply to Glenn Watson [:gw]|PTO until Sept 15 from comment #5)

The patch we think fixed it will actually be in 142, so we'll need to wait for that to see if this is resolved.

We believe this has been fixed. No crashes since August 16th, and 142 went to release on the 19th.

Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Assignee: nobody → nical.bugzilla
Group: gfx-core-security → core-security-release
status-firefox141: wontfixfixed
status-firefox142: affectedfixed
status-firefox-esr115: affectedwontfix
status-firefox-esr128: affectedwontfix
status-firefox-esr140: affectedfixed
Depends on: 1973975
See Also: 1973975
Target Milestone: --- → 142 Branch

(In reply to Glenn Watson [:gw] from comment #5)

The patch we think fixed it will actually be in 142, so we'll need to wait for that to see if this is resolved.

In comment 3 you thought it was fixed by bug 1973975 which got uplifted to 141 and 140.1 a couple of weeks before you made comment %. Does that mean you think a different bug fixed this?

Flags: needinfo?(mozilla)

I wasn't aware that patch had been uplifted, so I don't have a good explanation for why it's dropped to ~zero.

Flags: needinfo?(mozilla)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.