Graphite 2 crash [@graphite2::Silf::readClassMap]

VERIFIED FIXED in Firefox 15

Status

()

Core
Graphics
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: posidron, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {crash, sec-high, testcase})

Trunk
mozilla15
x86_64
Mac OS X
crash, sec-high, testcase
Points:
---

Firefox Tracking Flags

(firefox15 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [asan][sg:high][advisory-tracking+])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 622274 [details]
testcase
(Reporter)

Comment 1

5 years ago
Created attachment 622275 [details]
callstack

Comment 2

5 years ago
now fixed in repo. Thanks. BTW I would class all the bugs found so far as impossible to exploit for security purposes. Most have been off by 1 type errors.
(Reporter)

Comment 3

5 years ago
Off-by-N does not classify bugs which are impossible to exploit.
(In reply to martin_hosken from comment #2)
> now fixed in repo. 

Whose repo? Upstream? mozilla-central? What steps stand between now and this bug being fixed in a mozilla-central release, and who should be assigned to do it?

Looks like there's only 8 lines between the alloc and bad read. Is the bad read only in the loop checking the invariants being off, but everywhere else gets the math right? Or is it trusting the data and somewhere else does, too? Somewhere between there is the difference between exploitable and not, so I guess we wait to see the patch before we can classify things for sure.
Keywords: sec-high
Whiteboard: [asan][sec-critical] → [asan][sg:high]
(Assignee)

Comment 5

5 years ago
He means it's fixed in the upstream graphite repository. I'll take care of getting the patch into mozilla-central within a few days, unless someone else jumps in first.
Jonathan, friendly ping :)
(Assignee)

Comment 7

5 years ago
Created attachment 625139 [details] [diff] [review]
patch, update graphite2 to upstream rev 978:c418207451a7

This is to pick up the most recent fuzzbug-fixes from upstream, specifically this issue and bug 753623.

Tryserver build at https://tbpl.mozilla.org/?tree=Try&rev=4a8f82ece1ed confirms that it still builds happily.
Assignee: nobody → jfkthame
Attachment #625139 - Flags: review?(jdaggett)

Updated

5 years ago
Attachment #625139 - Flags: review?(jdaggett) → review+
(Assignee)

Comment 8

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/de36859eb332
Target Milestone: --- → mozilla15
https://hg.mozilla.org/mozilla-central/rev/de36859eb332
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox15: --- → fixed
Resolution: --- → FIXED
status-firefox-esr10: --- → unaffected
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
Whiteboard: [asan][sg:high] → [asan][sg:high][advisory-tracking+]
Group: core-security
You need to log in before you can comment on or make changes to this bug.