Closed Bug 1850072 Opened 11 months ago Closed 10 months ago

UndefinedBehaviorSanitizer:: load of value 120, which is not a valid value for type 'bool'

Categories

(Core :: Graphics, defect)


Tracking


RESOLVED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- fixed

People

(Reporter: tsmith, Assigned: bobowen)

References

Details

(Keywords: csectype-undefined, sec-other, testcase, Whiteboard: [fuzzblocker][adv-main119-])

Attachments

(3 files)

Attached file test.bin

The attached testcase crashes on mozilla-central revision 20230824-014c9a0ccc44 (build with --enable-fuzzing & moz2d target patch).

To reproduce the issue:

  1. Build an ASan --enable-fuzzing build including gtests with https://phabricator.services.mozilla.com/D186833 applied.
  2. Run FUZZER=Moz2D objdir/dist/bin/firefox test.bin

This is likely due to reading uninitialized memory.

Marking s-s to avoid highlighting current fuzzing work in this area. This issue is triggered within seconds of launching the fuzzer. Marking as fuzzblocker.

gfx/2d/RecordedEventImpl.h:1991:7: runtime error: load of value 120, which is not a valid value for type 'bool'
    #0 0x7f89a1da0736 in mozilla::gfx::RecordedDrawTargetCreation::RecordedDrawTargetCreation<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&) gfx/2d/RecordedEventImpl.h:1991:7
    #1 0x7f89a1d9d86d in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) gfx/2d/RecordedEventImpl.h:4198:5
    #2 0x7f89a1d9cc8c in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) gfx/2d/InlineTranslator.cpp:68:20
    #3 0x7f89a3773029 in mozilla::wr::Moz2DRenderCallback(mozilla::Range<unsigned char const>, mozilla::gfx::SurfaceFormat, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, unsigned short, mozilla::wr::Point2D<int, mozilla::wr::TileCoordinate> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, mozilla::Range<unsigned char>) gfx/webrender_bindings/Moz2DImageRenderer.cpp:450:20
    #4 0x7f89a3770a3f in wr_moz2d_render_cb gfx/webrender_bindings/Moz2DImageRenderer.cpp:535:10
    #5 0x7f899b86a00f in testMoz2DRenderCallback(unsigned char const*, unsigned long) gfx/tests/fuzz/TestMoz2D.cpp:91:3
    #6 0x55bd9227fadb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
    #7 0x55bd9227f428 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
    #8 0x55bd922806cd in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
    #9 0x55bd9228121d in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile>>&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
    #10 0x55bd92266aaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
    #11 0x7f89bae46a5d in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
    #12 0x7f89bacc2453 in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:4661:35
    #13 0x7f89bacd27bf in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5862:12
    #14 0x7f89bacd2fcc in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5930:21
    #15 0x7f89bad08596 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/Bootstrap.cpp:45:12
    #16 0x55bd91f4116d in do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:227:22
    #17 0x55bd91f3fdae in main browser/app/nsBrowserApp.cpp:445:16
    #18 0x7f89e38461c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7f89e3846284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #20 0x55bd91e694b3 in _start (obj/ff-asan-fuzzing/dist/bin/firefox+0xab4b3) (BuildId: 01ca9622f8ea90f8ce3754a5512a6047)

Attached file crash.cpp

Decoded test.bin call.

Blocks: gfx-triage

Bob, would you mind having a look here? Team thinks this is likely in your wheelhouse.

Flags: needinfo?(bobowencode)
See Also: → 1850180

(In reply to Bob Hood [:bhood] from comment #2)

Bob, would you mind having a look here? Team thinks this is likely in your wheelhouse.

Yes, I can look at this as well.

Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
Flags: needinfo?(bobowencode)

I can't reproduce this issue.
I've tested on a linux ASan build with the same revision as stated.
This is the output I get.
Can you still reproduce?

My guess is we just want to specialize for bool and restrict the allowed values.

*** You are running in headless mode.
Running Fuzzer tests...
INFO: Seed: 1559639114
INFO: Loaded 2 modules   (1574802 inline 8-bit counters): 11238 [0x7f7062da47c0, 0x7f7062da73a6), 1563564 [0x7f705f005108, 0x7f705f182cb4), 
INFO: Loaded 2 PC tables (1574802 PCs): 11238 [0x7f7062da73a8,0x7f7062dd3208), 1563564 [0x7f705f182cb8,0x7f706095e778), 
objdir-ff-asan/dist/bin/firefox: Running 1 inputs 1 time(s) each.
Running: bug1850072test.bin
[GFX1-]: Replay failure: DrawTarget Creation READ
[GFX1-]: Replay failure: DrawTarget Creation READ
Executed bug1850072test.bin in 1 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
Finished running Fuzzer tests.
Flags: needinfo?(twsmith)

Oh sorry, I forgot to include that this requires the build flag --enable-undefined-sanitizer.

The bug itself is likely an uninitialized bool.

Flags: needinfo?(twsmith)

Removing from triage. Bob is on the case! 🔍

No longer blocks: gfx-triage
Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8cc123060102
Initialize RecordedDrawTargetCreation::mHasExistingData. r=jrmuizel
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [fuzzblocker] → [fuzzblocker][adv-main119-]
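As an added illustration of the failure mode and of the two fixes discussed above (the landed initialization of mHasExistingData, and the suggestion to specialize bool reads and restrict allowed values), here is a minimal reader in the style of the MemReader used by InlineTranslator::TranslateRecording. It is not code from the Firefox tree; MemReader, ReadBool, RecordedCreation and Translate are hypothetical stand-ins, and the sample inputs are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical stand-in for the recording's MemReader: a bounded byte cursor.
struct MemReader {
  const char* mData;
  const char* mEnd;
  bool mOk = true;
  MemReader(const char* aBuf, size_t aLen) : mData(aBuf), mEnd(aBuf + aLen) {}
  size_t Remaining() const { return static_cast<size_t>(mEnd - mData); }
  // Generic read: copies sizeof(T) raw bytes, or marks the stream bad on short input.
  template <typename T> void ReadElement(T& aOut) {
    if (Remaining() < sizeof(T)) { mOk = false; return; }
    std::memcpy(&aOut, mData, sizeof(T));
    mData += sizeof(T);
  }
};

// Reading a bool through the generic path would memcpy whatever byte the
// (fuzzed) stream holds, e.g. 120 ('x'), into a bool, which is undefined
// behaviour. This bool-specific read accepts only 0 or 1.
void ReadBool(MemReader& aReader, bool& aOut) {
  uint8_t byte = 0;
  aReader.ReadElement(byte);
  if (!aReader.mOk) return;
  if (byte > 1) { aReader.mOk = false; return; }
  aOut = (byte == 1);
}

// Simplified stand-in for a recorded event with a bool member. The member is
// initialized in-class, so a read that fails part-way leaves a defined value
// rather than uninitialized stack memory.
struct RecordedCreation {
  int32_t mSize = 0;
  bool mHasExistingData = false;
  bool mValid = false;
  explicit RecordedCreation(MemReader& aReader) {
    aReader.ReadElement(mSize);
    ReadBool(aReader, mHasExistingData);
    mValid = aReader.mOk;  // any short or out-of-range read rejects the event
  }
};

// Returns 1 if the event parsed with existing data, 0 if parsed without it,
// and -1 if the replay must fail (the equivalent of "Replay failure ... READ").
int Translate(const char* aBuf, size_t aLen) {
  MemReader reader(aBuf, aLen);
  RecordedCreation ev(reader);
  if (!ev.mValid) return -1;
  return ev.mHasExistingData ? 1 : 0;
}
```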

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release