Closed Bug 961517 Opened 6 years ago Closed 6 years ago

Heap-use-after-free in mozilla::gfx::(anonymous namespace)::PowCache::Pow

Categories

(Core :: Graphics, defect)

x86_64
All
defect
Not set


RESOLVED DUPLICATE of bug 960178

People

(Reporter: inferno, Assigned: mstange)

References

Details

(Keywords: csectype-uaf, regression, Whiteboard: [asan])

Attachments

(2 files)

Attached image Testcase
==7860==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700030fa08 at pc 0x7faeea9828c3 bp 0x7fffde7fb430 sp 0x7fffde7fb428
READ of size 2 at 0x61700030fa08 thread T0
    #0 0x7faeea9828c2 in mozilla::gfx::(anonymous namespace)::PowCache::Pow(unsigned short) gfx/2d/FilterNodeSoftware.cpp:84
    #1 0x7faeea99a7f1 in mozilla::gfx::(anonymous namespace)::SpotLightSoftware::GetColor(unsigned int, mozilla::gfx::Point3DTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3121
    #2 0x7faeea9a1298 in mozilla::TemporaryRef<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::SpotLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) gfx/2d/FilterNodeSoftware.cpp:3259
    #3 0x7faeea99e410 in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::SpotLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3191
    #4 0x7faeea7e2735 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:615
    #5 0x7faeea7e712e in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:701
    #6 0x7faeea831d83 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2856
    #7 0x7faeea7e2735 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:615
    #8 0x7faeea777797 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/FilterNodeSoftware.cpp:573
    #9 0x7faeea776a78 in mozilla::gfx::DrawTargetCairo::DrawFilter(mozilla::gfx::FilterNode*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/DrawTargetCairo.cpp:567
    #10 0x7faed569b15b in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<mozilla::RefPtr<mozilla::gfx::SourceSurface> >&) gfx/src/FilterSupport.cpp:1116
    #11 0x7faee21def47 in nsSVGFilterInstance::Render(gfxContext*) layout/svg/nsSVGFilterInstance.cpp:503
    #12 0x7faee21dd568 in nsSVGFilterFrame::PaintFilteredFrame(nsRenderingContext*, nsIFrame*, nsSVGFilterPaintCallback*, nsRect const*, nsIFrame*) layout/svg/nsSVGFilterFrame.cpp:456
    #13 0x7faee22681de in nsSVGIntegrationUtils::PaintFramesWithEffects(nsRenderingContext*, nsIFrame*, nsRect const&, nsDisplayListBuilder*, mozilla::layers::LayerManager*) layout/svg/nsSVGIntegrationUtils.cpp:520
    #14 0x7faee16c87e6 in nsDisplaySVGEffects::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) layout/base/nsDisplayList.cpp:4758
    #15 0x7faee13c11cc in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) layout/base/FrameLayerBuilder.cpp:2182
    #16 0x7faee13c0560 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:3475
    #17 0x7faee13c3ffc in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3649
    #18 0x7faed5ee7ebd in mozilla::layers::BasicThebesLayer::PaintBuffer(gfxContext*, nsIntRegion const&, nsIntRegion const&, nsIntRegion const&, bool, mozilla::layers::DrawRegionClip, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.h:114
    #19 0x7faed5e9177e in mozilla::layers::BasicThebesLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.cpp:202
    #20 0x7faed5e920a4 in non-virtual thunk to mozilla::layers::BasicThebesLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:220
    #21 0x7faed5e74f21 in mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
    #22 0x7faed5e753a4 in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:130
    #23 0x7faed5e74f21 in mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
    #24 0x7faed5e753a4 in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:130
    #25 0x7faed5e7cba8 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:597
    #26 0x7faed5e7c251 in mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:531
    #27 0x7faee165ee51 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1231
    #28 0x7faee165bf40 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:1076
    #29 0x7faee1711ba5 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:2339
    #30 0x7faee12b8b13 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:5857
    #31 0x7faeddbba679 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/src/nsViewManager.cpp:420
    #32 0x7faeddbbfb01 in nsViewManager::ProcessPendingUpdates(nsViewManager::UpdatingMode) view/src/nsViewManager.cpp:1053
    #33 0x7faee13377bc in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1207
    #34 0x7faee1357019 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:168
    #35 0x7faee13566bf in mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp:160
    #36 0x7faee1355bc6 in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) layout/base/nsRefreshDriver.cpp:185
    #37 0x7faed05f5c15 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:551
    #38 0x7faed05f71d6 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:635
    #39 0x7faed05d7866 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:637
    #40 0x7faecffe9e62 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #41 0x7faed2809178 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
    #42 0x7faed24ccb17 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:226
    #43 0x7faed24cc76a in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:219
    #44 0x7faed24cc645 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:193
    #45 0x7faedb23c40f in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:157
    #46 0x7faee57a4239 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:276
    #47 0x7faee4fe2d05 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4023
    #48 0x7faee4fe75aa in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4091
    #49 0x7faee4fe9f74 in XRE_main toolkit/xre/nsAppRunner.cpp:4331
    #50 0x44dc07 in do_main(int, char**, nsIFile*) browser/app/nsBrowserApp.cpp:280
    #51 0x44abe5 in main browser/app/nsBrowserApp.cpp:648
    #52 0x7faefa96776c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #53 0x44a33c in _start
0x61700030fa08 is located 136 bytes inside of 720-byte region [0x61700030f980,0x61700030fc50)
freed by thread T0 here:
    #0 0x433f05 in __interceptor_free _asan_rtl_
    #1 0x7faeccd27ffe in
previously allocated by thread T0 here:
    #0 0x434065 in malloc _asan_rtl_
    #1 0x7faeccd2647f in
Shadow bytes around the buggy address:
  0x0c2e80059ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e80059f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e80059f10: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c2e80059f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e80059f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e80059f40: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80059f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80059f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80059f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80059f80: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2e80059f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==7860==ABORTING
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Attached file Testcase 2
Another testcase with stack similar to bug 944579
>==10123==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6220000e9fc0 at pc 0x7fecfc229787 bp 0x7fffa7905cf0 sp 0x7fffa7905ce8
>READ of size 16 at 0x6220000e9fc0 thread T0
>    #0 0x7fecfc229786 in mozilla::gfx::FilterProcessing::ApplyMorphologyHorizontal_SSE2(unsigned char*, int, unsigned char*, int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, mozilla::gfx::MorphologyOperator) gfx/2d/FilterProcessingSSE2.cpp:44
>    #1 0x7fecfc27a6a4 in mozilla::gfx::FilterNodeMorphologySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterProcessing.cpp:63
>    #2 0x7fecfc26f3df in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:605
>    #3 0x7fecfc273466 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
Whiteboard: [asan]
We should hold off on the rating until we understand this better. 2 bytes sounds more like an integer value than a pointer, and we're drawing stuff based on the value. Might leak some memory into an image, but is it otherwise exploitable?
Keywords: sec-critical
Is this fixed by the patch in bug 960178? Both are reads of size 2 in the PowCache, although this one is UAF and that one is OBR.
Blocks: 924102
Flags: needinfo?(mstange)
Keywords: regression
(In reply to Daniel Veditz [:dveditz] from comment #2)
> 2 bytes sounds more like an integer value than a pointer,

It's a uint16_t from the mPowTable array. (It represents a value between 0.0 and 1.0 in 8 bit fixed point.)

> and we're drawing stuff
> based on the value. Might leak some memory into an image,

The resulting pixel values can be read by JS on the page by drawing a standalone SVG image (i.e. not one that's part of the page itself) that has such a filter into a canvas. So the leaked memory not only ends up on the screen but may also be reported back to the attacker.

> but is it
> otherwise exploitable?

Other than reading bits of memory I can't think of any attacks.

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Is this fixed by the patch in bug 960178?

Apparently yes. Otherwise I'd expect the assertions that patch added to fire, and I don't see any in these testcases.
Depends on: 960178
Flags: needinfo?(mstange)
Attachment #8362273 - Attachment mime type: image/svg+xml → text/html
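The table described in comment 4 (2-byte entries representing 0.0 to 1.0 in fixed point, indexed by a base value and folded into a lit pixel) is sketched below as an added example. This is not Firefox's PowCache and not code from this bug: the 8.8 precision, the 257-entry table, the integer-only exponent and the function names are assumptions chosen to keep it self-contained. What it illustrates is why a bad read of one entry discloses memory rather than corrupting control flow, and the bounds check that an out-of-bounds read of the kind comment 3 mentions would need.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, not Firefox's: 8 fractional bits, so 1.0 is 256, which does
   not fit in a byte. The table therefore holds 2-byte entries even though each
   one represents a value in [0.0, 1.0]. */
#define FIXED_BITS 8
#define FIXED_ONE (1u << FIXED_BITS)
#define POW_CACHE_SIZE (FIXED_ONE + 1)   /* bases 0.0 .. 1.0 inclusive */

typedef struct {
    uint16_t table[POW_CACHE_SIZE];
    unsigned exponent;
} pow_cache;

/* Fill the table with pow(i / 256.0, exponent) in 8.8 fixed point.
   Integer exponents only (repeated multiplication), so no libm is needed. */
void pow_cache_init(pow_cache *c, unsigned exponent) {
    c->exponent = exponent;
    for (uint32_t i = 0; i < POW_CACHE_SIZE; i++) {
        double base = (double)i / FIXED_ONE;
        double v = 1.0;
        for (unsigned k = 0; k < exponent; k++) v *= base;
        c->table[i] = (uint16_t)(v * FIXED_ONE + 0.5);
    }
}

/* Bounds-checked lookup: a base above 1.0 is clamped to the last entry
   instead of indexing past the end of the table. Returns 1 if clamped. */
int pow_cache_lookup(const pow_cache *c, uint32_t base, uint16_t *out) {
    int clamped = 0;
    if (base > FIXED_ONE) { base = FIXED_ONE; clamped = 1; }
    *out = c->table[base];
    return clamped;
}

/* Fold the cached value into one colour channel of a lit pixel. The 2-byte
   entry only ever scales a colour, so a stale or out-of-range read shows up
   as a wrong pixel value (memory disclosure), not as a corrupted pointer. */
uint8_t light_channel(uint16_t pow_value, uint8_t colour) {
    uint32_t v = ((uint32_t)pow_value * colour) >> FIXED_BITS;
    return v > 255 ? 255 : (uint8_t)v;
}

int main(void) {
    pow_cache c;
    uint16_t v;
    pow_cache_init(&c, 2);               /* pow(x, 2) */
    for (uint32_t base = 0; base <= 320; base += 64) {
        int clamped = pow_cache_lookup(&c, base, &v);
        printf("base %3u/256 -> %3u/256 (pixel %3u)%s\n", base, v,
               light_channel(v, 200), clamped ? "  [clamped]" : "");
    }
    return 0;
}
```

Whether the entry is read from a freed table (this bug) or from past its end (bug 960178), the value that reaches the attacker is whatever 16-bit word happened to be at that address, scaled into a channel of a pixel that canvas readback can then return to script.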
Resolving this as a duplicate of bug 960178 since it fixes the issue.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 960178
Group: core-security → core-security-release
Group: core-security-release