Closed Bug 1850180 Opened 11 months ago Closed 10 months ago

AddressSanitizer: heap-buffer-overflow [@ RefPtr<mozilla::gfx::SourceSurface>::operator bool] with READ of size 8

Categories

(Core :: Graphics, defect, P2)

Platform: x86_64 Linux
Tracking

RESOLVED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 118+ fixed
firefox117 --- wontfix
firefox118 + fixed
firefox119 + fixed

People

(Reporter: truber, Assigned: bobowen)

References

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [adv-main118+r][adv-esr115.3+r])

Attachments

(4 files)

The attached testcase crashes on mozilla-central revision 20230825-e5ba3b52ebac (build with --enable-fuzzing & moz2d target patch).

==924377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000b9728 at pc 0x7f7c6e4ef23e bp 0x7ffc66d5d270 sp 0x7ffc66d5d268
READ of size 8 at 0x6020000b9728 thread T0
    #0 0x7f7c6e4ef23d in RefPtr<mozilla::gfx::SourceSurface>::operator bool() const /obj/ff-asan-fuzzing/dist/include/mozilla/RefPtr.h:349:45
    #1 0x7f7c748d8647 in mozilla::gfx::DrawTargetSkia::PopLayer() /gfx/2d/DrawTargetSkia.cpp:2007:7
    #2 0x7f7c748b1b5f in mozilla::gfx::DrawTargetOffset::PopLayer() /gfx/2d/DrawTargetOffset.cpp:207:16
    #3 0x7f7c747bdb26 in mozilla::gfx::RecordedPopLayer::PlayEvent(mozilla::gfx::Translator*) const /gfx/2d/RecordedEventImpl.h:2895:7
    #4 0x7f7c747b1dbc in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0::operator()(mozilla::gfx::RecordedEvent*) const /gfx/2d/InlineTranslator.cpp:78:31
    #5 0x7f7c747b1b66 in std::_Function_handler<bool (mozilla::gfx::RecordedEvent*), mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>::_M_invoke(std::_Any_data const&, mozilla::gfx::RecordedEvent*&&) /home/truber/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:282:9
    #6 0x7f7c74801720 in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /home/truber/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
    #7 0x7f7c747a636f in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gfx/2d/RecordedEventImpl.h:4198:5
    #8 0x7f7c747a42bc in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /gfx/2d/InlineTranslator.cpp:68:20
    #9 0x7f7c7617b589 in mozilla::wr::Moz2DRenderCallback(mozilla::Range<unsigned char const>, mozilla::gfx::SurfaceFormat, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, unsigned short, mozilla::wr::Point2D<int, mozilla::wr::TileCoordinate> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, mozilla::Range<unsigned char>) /gfx/webrender_bindings/Moz2DImageRenderer.cpp:450:20
    #10 0x7f7c76178f9f in wr_moz2d_render_cb /gfx/webrender_bindings/Moz2DImageRenderer.cpp:535:10

For detailed crash information, see attachment.

To reproduce the issue:

  1. Build an ASan --enable-fuzzing build including gtests with https://phabricator.services.mozilla.com/D186833 and https://phabricator.services.mozilla.com/D186161 applied.
  2. Run FUZZER=Moz2D objdir/dist/bin/firefox test.bin
Attached file Testcase
Attached file crash.cpp

Decoded test.bin

Blocks: gfx-triage
Keywords: sec-high
See Also: → 1850072

Hey, Bob. Could you have a look at this one, please?

Flags: needinfo?(bobowencode)

This is in the webrender use of Moz2D recording, which I'm not as familiar with, but happy to take a look.
I guess we might see a similar problem in the canvas use, although we don't use DrawTargetSkia.

truber - can you give me access to: https://phabricator.services.mozilla.com/D186833

Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
Flags: needinfo?(bobowencode) → needinfo?(jschwartzentruber)

(In reply to Bob Owen (:bobowen) from comment #5)

> truber - can you give me access to: https://phabricator.services.mozilla.com/D186833

done

Flags: needinfo?(jschwartzentruber)

I'm having trouble building ASan on Windows, but I think I've spotted what's happening.
My guess is that we send too many PopLayers and we hit undefined behaviour here because the vector is empty.

In this case, from the Detailed Crash Information, it results in accessing memory before the vector's storage.

No longer blocks: gfx-triage
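The mechanism described in the comment above (a replayed PopLayer arriving when the layer vector is already empty, so the pop indexes storage before the vector's buffer) and the fix strategy (refuse the extra pop instead of touching the vector) in a reduced form. This is an added, constructed example and not Mozilla's code: the event types, `CheckedLayerStack`, `RecordingIsBalanced` and the two sample event streams are hypothetical stand-ins for DrawTargetSkia's layer stack and the Moz2D recording format, and the checked pop returns a status where the landed patch uses a release assertion.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical, reduced event stream: only push/pop matter for the
// imbalance shown in this bug; everything else is "Other".
enum class EventType : uint8_t { PushLayer = 1, PopLayer = 2, Other = 3 };

struct Layer {
  int id;
};

// Outcome of replaying one PopLayer event. UnbalancedPop is the case the
// unchecked original turned into a read before the vector's storage.
enum class ReplayStatus { Ok, UnbalancedPop };

class CheckedLayerStack {
 public:
  void PushLayer(int id) { mLayers.push_back(Layer{id}); }

  // Hardened pop: never index or pop an empty vector. The real fix promotes
  // a debug assertion to a release assertion (process abort); returning a
  // status instead lets the caller stop the replay and report it.
  ReplayStatus PopLayer() {
    if (mLayers.empty()) {
      return ReplayStatus::UnbalancedPop;
    }
    mLayers.pop_back();
    return ReplayStatus::Ok;
  }

  size_t Depth() const { return mLayers.size(); }

 private:
  std::vector<Layer> mLayers;
};

// Pre-replay validation for an untrusted recording: one pass tracking
// push/pop depth, reporting whether any PopLayer would underflow. Cheap
// enough to run before any drawing happens.
bool RecordingIsBalanced(const std::vector<EventType>& events) {
  size_t depth = 0;
  for (EventType e : events) {
    if (e == EventType::PushLayer) {
      ++depth;
    } else if (e == EventType::PopLayer) {
      if (depth == 0) return false;  // pop with nothing pushed
      --depth;
    }
  }
  return true;
}

// Replays the stream against a checked stack. Returns the index of the
// first event that failed, or events.size() if the whole stream replayed.
size_t ReplayEvents(const std::vector<EventType>& events,
                    CheckedLayerStack& stack) {
  for (size_t i = 0; i < events.size(); ++i) {
    switch (events[i]) {
      case EventType::PushLayer:
        stack.PushLayer(static_cast<int>(i));
        break;
      case EventType::PopLayer:
        if (stack.PopLayer() != ReplayStatus::Ok) {
          return i;  // stop at the first pop that would underflow
        }
        break;
      case EventType::Other:
        break;
    }
  }
  return events.size();
}

// Convenience wrapper: fresh stack per replay, result is the failure index.
size_t ReplayAndGetFailureIndex(const std::vector<EventType>& events) {
  CheckedLayerStack stack;
  return ReplayEvents(events, stack);
}

// Constructed sample streams (not decoded from the bug's test.bin).
std::vector<EventType> BalancedSample() {
  return {EventType::PushLayer, EventType::PushLayer, EventType::Other,
          EventType::PopLayer, EventType::PopLayer};
}

// Second PopLayer (index 2) has no matching push: the shape of this bug.
std::vector<EventType> MalformedSample() {
  return {EventType::PushLayer, EventType::PopLayer, EventType::PopLayer,
          EventType::PushLayer};
}
```

Two layers of defence are shown: `RecordingIsBalanced` rejects a malformed stream before replay starts, and `CheckedLayerStack::PopLayer` still refuses the underflow if an unvalidated stream reaches the replayer. Either one alone would have turned this out-of-bounds read into a clean failure.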

truber - hi, as I'm having issues with the build, are you able to confirm if this patch fixes the issue?

Flags: needinfo?(jschwartzentruber)

It does fix the issue!

*** You are running in headless mode.
Running Fuzzer tests...
INFO: Seed: 3521109205
INFO: Loaded 2 modules   (3891485 inline 8-bit counters): 17517 [0x7ff3fe738830, 0x7ff3fe73cc9d), 3873968 [0x7ff3f7071d18, 0x7ff3f74239c8),
INFO: Loaded 2 PC tables (3891485 PCs): 17517 [0x7ff3fe73cca0,0x7ff3fe781370), 3873968 [0x7ff3f74239c8,0x7ff3faf404c8),
./obj/ff-asan-fuzzing/dist/bin/firefox: Running 1 inputs 1 time(s) each.
Running: /home/truber/bugs/moz2d/1850180/test.bin
[GFX1-]: Replay failure: PathCreation PLAY
[GFX1-]: Replay failure: PathCreation PLAY
Executed /home/truber/bugs/moz2d/1850180/test.bin in 5 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
Finished running Fuzzer tests.
Flags: needinfo?(jschwartzentruber)
Attachment #9351613 - Attachment description: Bug 1850180: Handle too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel! → Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!

The severity field is not set for this bug.
:bhood, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(bhood)
Severity: -- → S2
Flags: needinfo?(bhood)
Priority: -- → P2

Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The issue is fairly obvious, but not obvious from the patch how you would trigger it. We currently believe this would require a compromised content process.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely, just changes debug assertions to release ones.
  • Is Android affected?: Unknown
Attachment #9351613 - Flags: sec-approval?

Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!

Approved to land and uplift

Attachment #9351613 - Flags: sec-approval? → sec-approval+
Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9c9b403a485c
Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
Attachment #9351613 - Flags: approval-mozilla-esr115?
Attachment #9351613 - Flags: approval-mozilla-beta?

Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!

Approved for landing on mozilla-beta before the merge, will be in the 118.0 release candidate, thanks.

Attachment #9351613 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!

Approved for ESR 115.3, thanks.

Attachment #9351613 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main118+r]
Whiteboard: [adv-main118+r] → [adv-main118+r][adv-esr115.3+r]
Group: core-security-release