Bug 961517 - Heap-use-after-free in mozilla::gfx::(anonymous namespace)::PowCache::Pow
Status: RESOLVED DUPLICATE of bug 960178
Opened 12 years ago, closed 11 years ago
Categories: Core :: Graphics, defect
People: Reporter: inferno, Assigned: mstange
Details: Keywords: csectype-uaf, regression; Whiteboard: [asan]
Attachments: 2 files
==7860==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700030fa08 at pc 0x7faeea9828c3 bp 0x7fffde7fb430 sp 0x7fffde7fb428
READ of size 2 at 0x61700030fa08 thread T0
#0 0x7faeea9828c2 in mozilla::gfx::(anonymous namespace)::PowCache::Pow(unsigned short) gfx/2d/FilterNodeSoftware.cpp:84
#1 0x7faeea99a7f1 in mozilla::gfx::(anonymous namespace)::SpotLightSoftware::GetColor(unsigned int, mozilla::gfx::Point3DTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3121
#2 0x7faeea9a1298 in mozilla::TemporaryRef<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::SpotLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) gfx/2d/FilterNodeSoftware.cpp:3259
#3 0x7faeea99e410 in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::SpotLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3191
#4 0x7faeea7e2735 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:615
#5 0x7faeea7e712e in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:701
#6 0x7faeea831d83 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2856
#7 0x7faeea7e2735 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:615
#8 0x7faeea777797 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/FilterNodeSoftware.cpp:573
#9 0x7faeea776a78 in mozilla::gfx::DrawTargetCairo::DrawFilter(mozilla::gfx::FilterNode*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/DrawTargetCairo.cpp:567
#10 0x7faed569b15b in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<mozilla::RefPtr<mozilla::gfx::SourceSurface> >&) gfx/src/FilterSupport.cpp:1116
#11 0x7faee21def47 in nsSVGFilterInstance::Render(gfxContext*) layout/svg/nsSVGFilterInstance.cpp:503
#12 0x7faee21dd568 in nsSVGFilterFrame::PaintFilteredFrame(nsRenderingContext*, nsIFrame*, nsSVGFilterPaintCallback*, nsRect const*, nsIFrame*) layout/svg/nsSVGFilterFrame.cpp:456
#13 0x7faee22681de in nsSVGIntegrationUtils::PaintFramesWithEffects(nsRenderingContext*, nsIFrame*, nsRect const&, nsDisplayListBuilder*, mozilla::layers::LayerManager*) layout/svg/nsSVGIntegrationUtils.cpp:520
#14 0x7faee16c87e6 in nsDisplaySVGEffects::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) layout/base/nsDisplayList.cpp:4758
#15 0x7faee13c11cc in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) layout/base/FrameLayerBuilder.cpp:2182
#16 0x7faee13c0560 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:3475
#17 0x7faee13c3ffc in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3649
#18 0x7faed5ee7ebd in mozilla::layers::BasicThebesLayer::PaintBuffer(gfxContext*, nsIntRegion const&, nsIntRegion const&, nsIntRegion const&, bool, mozilla::layers::DrawRegionClip, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.h:114
#19 0x7faed5e9177e in mozilla::layers::BasicThebesLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.cpp:202
#20 0x7faed5e920a4 in non-virtual thunk to mozilla::layers::BasicThebesLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:220
#21 0x7faed5e74f21 in mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
#22 0x7faed5e753a4 in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:130
#23 0x7faed5e74f21 in mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
#24 0x7faed5e753a4 in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:130
#25 0x7faed5e7cba8 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:597
#26 0x7faed5e7c251 in mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:531
#27 0x7faee165ee51 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1231
#28 0x7faee165bf40 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:1076
#29 0x7faee1711ba5 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:2339
#30 0x7faee12b8b13 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:5857
#31 0x7faeddbba679 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/src/nsViewManager.cpp:420
#32 0x7faeddbbfb01 in nsViewManager::ProcessPendingUpdates(nsViewManager::UpdatingMode) view/src/nsViewManager.cpp:1053
#33 0x7faee13377bc in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1207
#34 0x7faee1357019 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:168
#35 0x7faee13566bf in mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp:160
#36 0x7faee1355bc6 in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) layout/base/nsRefreshDriver.cpp:185
#37 0x7faed05f5c15 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:551
#38 0x7faed05f71d6 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:635
#39 0x7faed05d7866 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:637
#40 0x7faecffe9e62 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
#41 0x7faed2809178 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
#42 0x7faed24ccb17 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:226
#43 0x7faed24cc76a in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:219
#44 0x7faed24cc645 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:193
#45 0x7faedb23c40f in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:157
#46 0x7faee57a4239 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:276
#47 0x7faee4fe2d05 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4023
#48 0x7faee4fe75aa in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4091
#49 0x7faee4fe9f74 in XRE_main toolkit/xre/nsAppRunner.cpp:4331
#50 0x44dc07 in do_main(int, char**, nsIFile*) browser/app/nsBrowserApp.cpp:280
#51 0x44abe5 in main browser/app/nsBrowserApp.cpp:648
#52 0x7faefa96776c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
#53 0x44a33c in _start
0x61700030fa08 is located 136 bytes inside of 720-byte region [0x61700030f980,0x61700030fc50)
freed by thread T0 here:
#0 0x433f05 in __interceptor_free _asan_rtl_
#1 0x7faeccd27ffe in
previously allocated by thread T0 here:
#0 0x434065 in malloc _asan_rtl_
#1 0x7faeccd2647f in
Shadow bytes around the buggy address:
0x0c2e80059ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e80059f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e80059f10: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c2e80059f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e80059f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e80059f40: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e80059f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e80059f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e80059f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e80059f80: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c2e80059f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==7860==ABORTING
Updated•12 years ago (Assignee)
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Comment 1•12 years ago (Reporter)
Another testcase with stack similar to bug 944579
>==10123==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6220000e9fc0 at pc 0x7fecfc229787 bp 0x7fffa7905cf0 sp 0x7fffa7905ce8
>READ of size 16 at 0x6220000e9fc0 thread T0
> #0 0x7fecfc229786 in mozilla::gfx::FilterProcessing::ApplyMorphologyHorizontal_SSE2(unsigned char*, int, unsigned char*, int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, mozilla::gfx::MorphologyOperator) gfx/2d/FilterProcessingSSE2.cpp:44
> #1 0x7fecfc27a6a4 in mozilla::gfx::FilterNodeMorphologySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterProcessing.cpp:63
> #2 0x7fecfc26f3df in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:605
> #3 0x7fecfc273466 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
Updated•12 years ago
Keywords: csectype-uaf, sec-critical
Whiteboard: [asan]
Comment 2•12 years ago
We should hold off on the rating until we understand this better. 2-bytes sounds more like an integer value than a pointer, and we're drawing stuff based on the value. Might leak some memory into an image, but is it otherwise exploitable?
Keywords: sec-critical
Comment 3•12 years ago
Is this fixed by the patch in bug 960178? Both are reads of size 2 in the PowCache, although this one is UAF and that one is OBR.
Comment 4•12 years ago (Assignee)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> 2-bytes sounds more like an integer value than a pointer,
It's a uint16_t from the mPowTable array. (It represents a value between 0.0 and 1.0 in 8-bit fixed point.)
> and we're drawing stuff
> based on the value. Might leak some memory into an image,
The resulting pixel values can be read by JS on the page by drawing a standalone SVG image (i.e. not one that's part of the page itself) that has such a filter into a canvas. So the leaked memory does not only end up on the screen but may also be reported back to the attacker.
> but is it
> otherwise exploitable?
Other than reading bits of memory I can't think of any attacks.
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Is this fixed by the patch in bug 960178?
Apparently yes. Otherwise I'd expect the assertions that patch added to fire, and I don't see any in these testcases.
Depends on: 960178
Flags: needinfo?(mstange)
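The read-back path comment 4 describes (a standalone SVG image with a lighting filter drawn into a canvas, pixels read by script) is what turns a 2-byte stale read inside a filter into something an attacker can observe rather than a render glitch. The following is an added example, not code from this bug, its attachments, or Gecko: a JavaScript harness that builds such an SVG, renders it into a canvas, and compares repeated renders of the same input. It contains no trigger for this bug (the page's testcases are attachments that are not reproduced here); the feSpotLight parameters are arbitrary, the function names (buildLightingFilterSvg, renderSvgToPixels, unstablePixels, checkFilterDeterminism) are mine, and it assumes a data: URL SVG image does not taint the canvas so getImageData is allowed. The check it encodes is the one a tester wants without ASan: identical renders that produce different pixels mean the output depends on memory contents, not on the input.

```javascript
// Added example (not from the bug report or from Gecko): render an SVG
// lighting filter into a canvas, read the pixels back, and compare repeated
// renders. Varying output on identical input is the symptom a stale or
// out-of-bounds read in a filter's lookup table produces.

// Build a standalone SVG document with a diffuse-lighting filter driven by a
// spot light. Element and attribute names are standard SVG filter primitives;
// the numeric light parameters are arbitrary (assumption: they are not the
// ones from the bug's testcases, which are not shown on the page).
function buildLightingFilterSvg(width, height) {
  return [
    `<svg xmlns="http://www.w3.org/2000/svg" width="${width}" height="${height}">`,
    '<filter id="f" x="0" y="0" width="100%" height="100%">',
    '<feDiffuseLighting in="SourceGraphic" surfaceScale="5" diffuseConstant="1" lighting-color="white">',
    '<feSpotLight x="10" y="10" z="40" pointsAtX="60" pointsAtY="60" pointsAtZ="0" specularExponent="8" limitingConeAngle="30"/>',
    '</feDiffuseLighting>',
    '</filter>',
    `<rect width="${width}" height="${height}" fill="#808080" filter="url(#f)"/>`,
    '</svg>',
  ].join('');
}

// Browser only: load the SVG as an <img>, draw it into a canvas, return RGBA bytes.
// A data: URL keeps the image same-origin so getImageData does not throw
// (assumption: nothing else has tainted the canvas).
function renderSvgToPixels(svg, width, height) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.onload = () => {
      const canvas = document.createElement('canvas');
      canvas.width = width;
      canvas.height = height;
      const ctx = canvas.getContext('2d');
      ctx.drawImage(img, 0, 0);
      resolve(ctx.getImageData(0, 0, width, height).data);
    };
    img.onerror = reject;
    img.src = 'data:image/svg+xml;charset=utf-8,' + encodeURIComponent(svg);
  });
}

// Pure comparison, runs anywhere: given several RGBA buffers from renders of the
// same input, return the pixel indices whose bytes differ between any two
// renders. Empty means deterministic; non-empty means the filter output depends
// on something other than its input, i.e. on memory contents.
function unstablePixels(renders) {
  if (renders.length < 2) return [];
  const stride = 4; // R, G, B, A per pixel
  const first = renders[0];
  const out = [];
  for (let p = 0; p * stride < first.length; p++) {
    let differs = false;
    for (let r = 1; r < renders.length && !differs; r++) {
      for (let c = 0; c < stride; c++) {
        if (renders[r][p * stride + c] !== first[p * stride + c]) {
          differs = true;
          break;
        }
      }
    }
    if (differs) out.push(p);
  }
  return out;
}

// Browser only: render the same filter `rounds` times and report varying pixels.
async function checkFilterDeterminism(width, height, rounds) {
  const svg = buildLightingFilterSvg(width, height);
  const renders = [];
  for (let i = 0; i < rounds; i++) {
    renders.push(await renderSvgToPixels(svg, width, height));
  }
  return unstablePixels(renders);
}

// Offline demo on constructed pixel buffers (two 2-pixel renders, second pixel
// differs by one byte in the third buffer), so the comparison runs without a DOM.
function demo() {
  const a = new Uint8ClampedArray([0, 0, 0, 255, 10, 20, 30, 255]);
  const b = new Uint8ClampedArray([0, 0, 0, 255, 11, 20, 30, 255]);
  return unstablePixels([a, a, b]); // [1]
}
```

In a browser, `checkFilterDeterminism(64, 64, 5).then(console.log)` prints `[]` on a healthy build; a non-empty list is the signal to take to an ASan build, which is the only way to tell a stale read from an out-of-bounds one. The comparison treats the alpha channel like any other byte, since a lighting filter writes all four channels.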
Updated•12 years ago (Assignee)
Attachment #8362273 - Attachment mime type: image/svg+xml → text/html
Comment 5•11 years ago
Resolving this as a duplicate of bug 960178 since it fixes the issue.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release