If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Fuzzed font crash in Apple's libTrueTypeScaler [@MapF26Dot6]

RESOLVED FIXED

Status

()

Core
Graphics
P1
critical
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: bsterne, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {verified1.9.2})

1.9.2 Branch
x86
Mac OS X
verified1.9.2
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 needed, status1.9.2 .13-fixed, status1.9.1 .16-fixed)

Details

(Whiteboard: [sg:vector-critical (Apple)] )

Attachments

(3 attachments)

(Reporter)

Description

7 years ago
Created attachment 478013 [details]
Testcase and supporting files

Marc Schoenefeld reported the following to security@m.o today.  The crash on its face looks like a null-deref, but Marc thinks there are signs of heap corruption, so hiding for now.

I can confirm the crash, but Crash Reporter had problems submitting the report both times I tried.
------

Hi,

another crash on ffx 3.6.10/OSX 10.6 with signs of heap corruption, repeatedly trying to free the same modified object location. Crashwrangler reports exploitable=no, but afaics that just refers to the instruction the control flow finally dies, the attacker's heap magic would happen before this point.

Cheers
Marc



Faulty glyph (id:92) outline detected - replacing with a space/null
glyph - in memory font kind
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x18f5c04:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x18f5c00:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
Faulty glyph (id:92) outline detected - replacing with a space/null
glyph - in memory font kind
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
Faulty glyph (id:92) outline detected - replacing with a space/null
glyph - in memory font kind
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
Faulty glyph (id:92) outline detected - replacing with a space/null
glyph - in memory font kind
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
Faulty glyph (id:92) outline detected - replacing with a space/null
glyph - in memory font kind
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug
firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000:
incorrect checksum for freed object - object was probably modified after
being freed.
*** set a breakpoint in malloc_error_break to debug

Crashed thread log =

0   libmozjs.dylib                	0x00fd13c1 JS_CallTracer + 129
1   libmozjs.dylib                	0x010539e8 js_GetScriptLineExtent + 2248
2   libmozjs.dylib                	0x00fcc587 js_PutArgsObject + 1479
3   libmozjs.dylib                	0x00ff2f35 js_GetterOnlyPropertyStub
+ 5029
4   libmozjs.dylib                	0x00fd15ad JS_CallTracer + 621
5   libmozjs.dylib                	0x01053943 js_GetScriptLineExtent + 2083
6   libmozjs.dylib                	0x00fcc587 js_PutArgsObject + 1479
7   libmozjs.dylib                	0x00ff2f35 js_GetterOnlyPropertyStub
+ 5029
8   libmozjs.dylib                	0x00fd15ad JS_CallTracer + 621
9   libmozjs.dylib                	0x00fcc52a js_PutArgsObject + 1386
10  libmozjs.dylib                	0x00ff2f35 js_GetterOnlyPropertyStub
+ 5029
11  libmozjs.dylib                	0x00fd15ad JS_CallTracer + 621
12  libmozjs.dylib                	0x00ff2edf js_GetterOnlyPropertyStub
+ 4943
13  libmozjs.dylib                	0x00fd15ad JS_CallTracer + 621
14  libmozjs.dylib                	0x00ff2f21 js_GetterOnlyPropertyStub
+ 5009
15  libmozjs.dylib                	0x00fd15ad JS_CallTracer + 621

<snip>

180 XUL                           	0x0001079b XRE_main + 15723
181 org.mozilla.firefox           	0x00002cb8 start + 2168
182 org.mozilla.firefox           	0x00002542 start + 258
183 org.mozilla.firefox           	0x00002469 start + 41

log name is: ./crashlogs/mod_after_free_retry.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=10:is_exploitable=
no:instruction_disassembly=divl
CONSTANT(%ecx):instruction_address=0x0000000000fd13c1:access_type=unknown:access_address=0x0000000000000008:
Null dereference, probably not exploitable
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Kind of odd -- the malloc errors are in fonts but the crash is in tracer. Probably a font error, maybe writing on memory that just happens to be used by JS?
blocking1.9.2: ? → needed
status1.9.2: --- → wanted
Attachment #478013 - Attachment mime type: application/zip → application/java-archive
Comment 1 was based on the symptoms in comment 0 -- I have not been able to reproduce the crash myself. I've been trying to load it from the attachment, though. Maybe @font-face doesn't like jar: urls?
I do sometimes get weird visual effects, the page becomes essentially unreadable with vertical lines of varying heights and widths and right triangles always in the same orientation (acute angle on the left, right angle at the top right). Memory corruption? or just visual?

I see it a lot more consistently when I load the testcase unzipped into a local directory, but I saw it once or twice when loaded from the bugzilla attachment.

Updated

7 years ago
Assignee: nobody → jdaggett

Comment 4

7 years ago
I can't reproduce a crash on either the latest 10.6.4 build (10.6.4 10F569) or with the latest seed build (10.6.5 10H542).  Lots of "Faulty glyph (id:92) outline detected - replacing with a space/null glyph - in memory font kind" errors, wacky looking rendering but no crash.

Does the testcase need to sit and run before the crash occurs?

I was running with Crashwrangler:

MOZ_CRASHREPORTER_DISABLE=1 CW_CURRENT_CASE=b599068 ./exc_handler "/Applications/Firefox.app/Contents/MacOS/firefox-bin" "file:///crashes/b599068/index_mod.html"

I also ran with libgmalloc, also with no crash or access fault:

DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib MALLOC_ALLOW_READS= MOZ_CRASHREPORTER_DISABLE=1 CW_CURRENT_CASE=b599068 ./exc_handler "/Applications/Firefox.app/Contents/MacOS/firefox-bin" "file:///crashes/b599068/index_mod.html"

If the reporter or someone else can reproduce the problem, please attach the output of a run with Crashwrangler and libgmalloc enabled.  Also, the exact steps and the system version (use 'sw_vers').
D'oh! didn't notice it was 10.6 in the initial description, I was using 10.5.8

Comment 6

7 years ago
(In reply to comment #5)
> D'oh! didn't notice it was 10.6 in the initial description, I was using 10.5.8

Yeah, we need to be clear about 10.5 or 10.6 on all these sorts of bugs, the underlying OS code is very different.

Updated

7 years ago
Whiteboard: [sg:vector-critical (Apple)]
Random crashes. Looks familiar.

https://bugzilla.mozilla.org/show_bug.cgi?id=594638 - OOO.crashlog.txt
Created attachment 479169 [details]
callstacks-cw

John, I can verify that it crashes on both MacOSX versions. In 10.6.5 you have to reload the document twice to make Firefox crash. The callstack is always different. Three CW callstacks are attached.


Some font information:

Tag: b'OS/2' Checksum: 0x4340c2d5 Offset:        312/0x00000138 Length: 86 
Tag: b'cmap' Checksum: 0x79e7b7c0 Offset:       1044/0x00000414 Length: 340 
Tag: b'gasp' Checksum: 0xffff0003 Offset:      14644/0x00003934 Length: 8 
Tag: b'glyf' Checksum: 0x269b08af Offset:       1840/0x00000730 Length: 11666 
Tag: b'head' Checksum: 0xcf28d95e Offset:        188/0x000000bc Length: 54 
Tag: b'hhea' Checksum: 0x1064081e Offset:        244/0x000000f4 Length: 36 
Tag: b'hmtx' Checksum: 0xaacd406b Offset:        400/0x00000190 Length: 642 
Tag: b'loca' Checksum: 0x70396610 Offset:       1384/0x00000568 Length: 454 
Tag: b'maxp' Checksum: 0x01f6014d Offset:        280/0x00000118 Length: 32 
Tag: b'name' Checksum: 0x98f8c784 Offset:      13508/0x000034c4 Length: 602 
Tag: b'post' Checksum: 0x03cb818d Offset:      14112/0x00003720 Length: 530

Updated

7 years ago
Severity: normal → critical
Priority: -- → P1

Comment 9

7 years ago
Created attachment 479327 [details]
callstack with libgmalloc

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

Reproduced with modified version of the testcase with 5-second refresh enabled.  

Running with libgmalloc on 10.6.5 10H542 crashes in libTrueTypeScaler code.

exception=EXC_BAD_ACCESS:signal=10:is_exploitable=yes:instruction_disassembly=movl	%eax,(%ebx):instruction_address=0x0000000094fc5956:access_type=write:access_address=0x00000000150dd000:

Command line used:

DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib MALLOC_ALLOW_READS= NO_EM_RESTART=1 MOZ_CRASHREPORTER_DISABLE=1 CW_CURRENT_CASE=b599068 ./exc_handler "/Applications/Firefox.app/Contents/MacOS/firefox-bin" -P default "file:///crashes/b599068/index-jd.html"

Comment 10

7 years ago
No crash on trunk with harfbuzz disabled.

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b7pre) Gecko/20100928 Firefox/4.0b7pre
10.6.5 10H542

Comment 11

7 years ago
(In reply to comment #10)
> No crash on trunk with harfbuzz disabled.

I don't think this needs to block on trunk.

Updated

7 years ago
Summary: Investigate potential double-free crash from fuzzed font → Fuzzed font crash in Apple's libTrueTypeScaler [@MapF26Dot6]
(Assignee)

Comment 12

7 years ago
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: 527276
blocking2.0: ? → final+
(Assignee)

Updated

7 years ago
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status1.9.2: wanted → .13-fixed
Resolution: --- → FIXED
Verified for 1.9.2. Crashed hard in 1.9.2.12 after a brief wait but working fine in Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101117 Namoroka/3.6.13pre. Rendering artifacts are all over 1.9.2.12 as well, which are not present in 1.9.2.13pre.
Keywords: verified1.9.2
OTS landed on 1.9.1 as well.
status1.9.1: --- → .16-fixed
Blocks: 594536
Group: core-security
Group: core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.