Closed
Bug 827150
Opened 11 years ago
Closed 11 years ago
Add Valgrind and ASan annotations to the pres arena
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: sec-want, Whiteboard: [adv-main21-])
Attachments
(1 file)
|
4.21 KB,
patch
|
decoder
:
review+
roc
:
review+
|
Details | Diff | Splinter Review |
Currently we don't detect read access of objects in the pres arena free lists, which allows bugs like bug 824641 and bug 824643 to go undetected unless you disable the arena with -DDEBUG_TRACEMALLOC_PRESARENA
|
Assignee | |
Comment 1•11 years ago
|
||
When putting an object on a free list mark it as "deallocated". When recycling such an object in Allocate mark it as "allocated but uninitialized" (do the same before deallocating the whole arena to avoid making it look like a double free when PLArena free up the memory).
|
|
Assignee | |
Comment 2•11 years ago
|
||
decoder, could you try the wip patch in your non-Linux ASan builds please? Fwiw, it seems to work for me on Linux64 using Clang 3.3 (trunk 169730).
|
||
Comment 3•11 years ago
|
||
Does this affect debug builds only, or also optimized builds?
|
|
Assignee | |
Comment 4•11 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #3) > Does this affect debug builds only, or also optimized builds? Both.
|
|
||
Comment 6•11 years ago
|
||
Here's an OSX debug build with the patch: https://tbpl.mozilla.org/?tree=Try&rev=1919a579d2f3 (Don't mind the red and busted, that's normal ;)) I also created Linux builds and they seem to work just fine. Thanks for writing this :)
|
|
Assignee | |
Comment 7•11 years ago
|
||
Comment on attachment 698469 [details] [diff] [review] fix I don't know what to do about the asan_interface.h header file issue... I think declaring the two ASan functions we need locally is acceptable for now.
Attachment #698469 -
Attachment description: wip → fix
Attachment #698469 -
Flags: review?(choller)
|
|
||
Comment 9•11 years ago
|
||
Comment on attachment 698469 [details] [diff] [review] fix Not sure about the header problem, but I think that the solution you picked here is reasonable for now and I guess it's unlikely that these signatures will rapidly change. I cannot review anything beyond that, because I'm not a developer for this code, but what I've seen looks ok to me :)
Attachment #698469 -
Flags: review?(choller) → review+
|
|
Assignee | |
Updated•11 years ago
|
Attachment #698469 -
Flags: review?(roc)
I think we should definitely have some fuzz around this before landing. It could save us a lot of money in bug bounties. In fact, I think we should mark this bug security-sensitive for now. Doing so.
Group: core-security
|
|
||
Comment 11•11 years ago
|
||
Jesse mentioned on IRC that all bugs uncovered by this should be equivalent to problems mitigated by frame poisoning. Is that correct/incorrect?
Comment on attachment 698469 [details] [diff] [review] fix Review of attachment 698469 [details] [diff] [review]: ----------------------------------------------------------------- Please do not land this until Jesse or someone else has had a chance to fuzz with it. I expect that many or most of the bugs we find with this will be mitigated by frame poisoning, but we shall see. ::: layout/base/nsPresArena.cpp @@ +302,5 @@ > PR_CallOnce(&ARENA_POISON_guard, ARENA_POISON_init); > } > > +#if defined(MOZ_ASAN) || defined(MOZ_VALGRIND) > + static PLDHashOperator UnPoisonFreeList(FreeList* aEntry, void*) Unpoison is a single word
Attachment #698469 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 13•11 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #11) > Jesse mentioned on IRC that all bugs uncovered by this should be equivalent > to problems mitigated by frame poisoning. Is that correct/incorrect? I don't know what he means by that. "Mitigated by frame poisoning" needs to be evaluated for each bug separately. This patch makes ASan/Valgrind catch all such errors, rather than relying on the mitigation which catches most but not all errors. For example, here's two bugs that would have been caught by this patch: bug 824641 and bug 824643.
|
||
Comment 14•11 years ago
|
||
I've applied this patch on the Mac Mini I use for ASan testing. But layout is a mess right now, so I expect to have trouble interpreting the results. The mess includes: * CSS transform bugs (bug 830192, bug 830299, and the likelihood of other regressions from bug 827577) * CSS columns bugs (bug 600100, bug 743364, and the likelihood of regressions and uncovered bugs from bug 588237)
|
|
Assignee | |
Comment 15•11 years ago
|
||
Thanks Jesse. I think roc's fix in bug 830192 will fix the recent transform + position:fixed crashes. I have a fix for some columns related crashes which I'll attach soon in bug 812893. So things should look better in a few days I hope.
|
|
Assignee | |
Comment 16•11 years ago
|
||
Jesse, did fuzzing this patch uncover any new bugs?
Flags: needinfo?(jruderman)
|
|
||
Comment 17•11 years ago
|
||
No. So far, it hasn't caused any new crash signatures to appear.
Flags: needinfo?(jruderman)
|
|
Assignee | |
Comment 18•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2f1089d6cd4
|
||
Comment 19•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b2f1089d6cd4
status-firefox21:
--- → fixed
Target Milestone: --- → mozilla21
|
|
Assignee | |
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Comment 20•11 years ago
|
||
This helped find bug 840480 \o/
|
||
Updated•11 years ago
|
Whiteboard: [adv-main21-]
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•