Graphite 2 use-after-free crash

VERIFIED FIXED in Firefox 14

Status

Core
Graphics
--
critical
VERIFIED FIXED
5 years ago
9 months ago

People

(Reporter: posidron, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla15
x86_64
Mac OS X
crash, csectype-uaf, sec-high, testcase
Points:
---

Firefox Tracking Flags

(firefox13+ affected, firefox14+ fixed, firefox15 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [asan][sg:high][advisory-tracking+])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 621710 [details]
testcase

The testcase is reproducible with an ASAN-enabled build. If necessary, reload the testcase a few times.

If you do not have an ASAN-enabled build yet, follow the instructions described here: https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
(Reporter)

Comment 1

5 years ago
Created attachment 621711 [details]
callstack

Comment 2

5 years ago
Fixed in repo. Keep 'em coming :)
(Assignee)

Comment 3

5 years ago
Created attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository
Attachment #621912 - Flags: review?(jdaggett)

Updated

5 years ago
Attachment #621912 - Flags: review?(jdaggett) → review+
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/8789a1dc555d
Target Milestone: --- → mozilla15
Keywords: sec-high
Whiteboard: [asan][sec-critical] → [asan][sg:high]

Comment 5

5 years ago
https://hg.mozilla.org/mozilla-central/rev/8789a1dc555d
Assignee: nobody → jfkthame
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox15: --- → fixed
Resolution: --- → FIXED

Comment 6

5 years ago
Is the ESR10 branch affected by this sg:high?
(Assignee)

Comment 7

5 years ago
No; the graphite lib isn't present there.
Verified fixed in my May 10 post-fix ASAN build on OS X.
Status: RESOLVED → VERIFIED
If we have graphite2 in Firefox 13 we need to uplift this patch.
status-firefox-esr10: --- → unaffected
status-firefox13: --- → affected
status-firefox14: --- → affected
tracking-firefox13: --- → +
tracking-firefox14: --- → +
(Assignee)

Comment 10

5 years ago
Comment on attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository

[Approval Request Comment]
Bug caused by (feature/regressing bug #): graphite font-shaping library

User impact if declined: users who enable graphite may be vulnerable to a crash caused by a malicious/buggy font

Testing completed (on m-c, etc.): see comment #8

Risk to taking this patch (and alternatives if risky): minimal risk, just adds a missing bounds check

String or UUID changes made by this patch: none

Nominating this for aurora (14) on the basis of comment #9.

The patch here doesn't apply to beta (13), because we took a complete graphite refresh for mozilla-14 in bug 746975.

IMO, the security concern here is relatively minor, given that graphite is preffed off by default and only likely to be enabled by a small minority of users with a specific interest in trying it (primarily for "exotic" writing systems). I see no point in trying to backport just this specific patch to the mozilla-13 version; if we're sufficiently concerned about it, we should backport the complete graphite update (but personally I don't think it is important to do so for a preffed-off feature).
Attachment #621912 - Flags: approval-mozilla-aurora?
Comment on attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository

[Triage Comment]
Approving for Aurora 14 given the sg:high rating.
Attachment #621912 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 12

5 years ago
Transplanted to aurora:
https://hg.mozilla.org/releases/mozilla-aurora/rev/9e96c2d39ced
(Assignee)

Updated

5 years ago
status-firefox14: affected → fixed
Whiteboard: [asan][sg:high] → [asan][sg:high][advisory-tracking+]
Group: core-security
Keywords: csectype-uaf