AddressSanitizer: heap-buffer-overflow [@ RefPtr<mozilla::gfx::SourceSurface>::operator bool] with READ of size 8
Categories: Core :: Graphics, defect, P2
People: Reporter: truber, Assigned: bobowen
Keywords: crash, sec-high, testcase
Whiteboard: [adv-main118+r][adv-esr115.3+r]
Attachments (4 files)
- 12.31 KB, text/plain
- 37.74 KB, application/octet-stream
- 231.48 KB, text/plain
- Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel! (48 bytes, text/x-phabricator-request; flags: pascalc: approval-mozilla-beta+, pascalc: approval-mozilla-esr115+, tjr: sec-approval+)
The attached testcase crashes on mozilla-central revision 20230825-e5ba3b52ebac (build with --enable-fuzzing & moz2d target patch).
==924377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000b9728 at pc 0x7f7c6e4ef23e bp 0x7ffc66d5d270 sp 0x7ffc66d5d268
READ of size 8 at 0x6020000b9728 thread T0
#0 0x7f7c6e4ef23d in RefPtr<mozilla::gfx::SourceSurface>::operator bool() const /obj/ff-asan-fuzzing/dist/include/mozilla/RefPtr.h:349:45
#1 0x7f7c748d8647 in mozilla::gfx::DrawTargetSkia::PopLayer() /gfx/2d/DrawTargetSkia.cpp:2007:7
#2 0x7f7c748b1b5f in mozilla::gfx::DrawTargetOffset::PopLayer() /gfx/2d/DrawTargetOffset.cpp:207:16
#3 0x7f7c747bdb26 in mozilla::gfx::RecordedPopLayer::PlayEvent(mozilla::gfx::Translator*) const /gfx/2d/RecordedEventImpl.h:2895:7
#4 0x7f7c747b1dbc in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0::operator()(mozilla::gfx::RecordedEvent*) const /gfx/2d/InlineTranslator.cpp:78:31
#5 0x7f7c747b1b66 in std::_Function_handler<bool (mozilla::gfx::RecordedEvent*), mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>::_M_invoke(std::_Any_data const&, mozilla::gfx::RecordedEvent*&&) /home/truber/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:282:9
#6 0x7f7c74801720 in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /home/truber/.mozbuild/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14
#7 0x7f7c747a636f in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gfx/2d/RecordedEventImpl.h:4198:5
#8 0x7f7c747a42bc in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /gfx/2d/InlineTranslator.cpp:68:20
#9 0x7f7c7617b589 in mozilla::wr::Moz2DRenderCallback(mozilla::Range<unsigned char const>, mozilla::gfx::SurfaceFormat, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, unsigned short, mozilla::wr::Point2D<int, mozilla::wr::TileCoordinate> const*, mozilla::wr::Box2D<int, mozilla::wr::LayoutPixel> const*, mozilla::Range<unsigned char>) /gfx/webrender_bindings/Moz2DImageRenderer.cpp:450:20
#10 0x7f7c76178f9f in wr_moz2d_render_cb /gfx/webrender_bindings/Moz2DImageRenderer.cpp:535:10
For detailed crash information, see attachment.
To reproduce the issue:
- Build an ASan --enable-fuzzing build including gtests with https://phabricator.services.mozilla.com/D186833 and https://phabricator.services.mozilla.com/D186161 applied.
- Run FUZZER=Moz2D objdir/dist/bin/firefox test.bin
Comment 1•11 months ago (Reporter)
Comment 2•11 months ago (Reporter)
Comment 3•11 months ago (Reporter)
Decoded test.bin
Comment 4•11 months ago
Hey, Bob. Could you have a look at this one, please?
Comment 5•11 months ago (Assignee)
This is in the webrender use of Moz2D recording, which I'm not as familiar with, but happy to take a look.
I guess we might see a similar problem in the canvas use, although we don't use DrawTargetSkia.
truber - can you give me access to: https://phabricator.services.mozilla.com/D186833
Comment 6•11 months ago (Reporter)
(In reply to Bob Owen (:bobowen) from comment #5)
> truber - can you give me access to: https://phabricator.services.mozilla.com/D186833
done
Comment 7•11 months ago (Assignee)
I'm having trouble building ASan on Windows, but I think I've spotted what's happening.
My guess is that we send too many PopLayers and we hit undefined behaviour here because the vector is empty.
In this case, from the Detailed Crash Information, it results in accessing memory before the vector's storage.
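The unbalanced PopLayer that comment 7 describes, as an added example that is not Firefox code: a minimal model of the std::vector layer stack in DrawTargetSkia and of the recording replay loop, where a pop on an empty stack is rejected as a replay failure instead of reading before the vector's storage. Event names, struct fields and the ReplayResult type are assumptions for illustration.

```cpp
// Added example, not Firefox code: a minimal model of the std::vector layer
// stack in DrawTargetSkia and of the recording replay loop (names assumed).
#include <cstddef>
#include <vector>

enum class EventType { PushLayer, PopLayer, DrawSomething };
struct PushedLayer {
  float mOpacity;
};

class ModelDrawTarget {
 public:
  void PushLayer(float aOpacity) { mPushedLayers.push_back({aOpacity}); }

  // Checked pop: an extra PopLayer with nothing pushed would otherwise call
  // back() on an empty vector, i.e. read before its storage (comment 7).
  bool PopLayer() {
    if (mPushedLayers.empty()) return false;
    mPushedLayers.pop_back();
    return true;
  }

  size_t LayerDepth() const { return mPushedLayers.size(); }

 private:
  std::vector<PushedLayer> mPushedLayers;
};

struct ReplayResult {
  bool ok;          // false if an event could not be played
  size_t failedAt;  // index of the offending event (meaningful only if !ok)
  size_t leftOpen;  // layers still pushed when the stream ended
};

// Plays a recorded event stream in order, as the translator does, and
// reports an unbalanced PopLayer as a replay failure instead of crashing.
ReplayResult ReplayRecording(const std::vector<EventType>& aEvents) {
  ModelDrawTarget dt;
  for (size_t i = 0; i < aEvents.size(); ++i) {
    switch (aEvents[i]) {
      case EventType::PushLayer: dt.PushLayer(1.0f); break;
      case EventType::PopLayer:
        if (!dt.PopLayer()) return {false, i, dt.LayerDepth()};
        break;
      case EventType::DrawSomething: break;  // no layer-stack effect
    }
  }
  return {true, aEvents.size(), dt.LayerDepth()};
}
```

A stream whose pops outnumber its pushes is reported at the index of the first extra PopLayer; layers left open at the end of the stream are counted but not treated as an error.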
Comment 8•11 months ago (Assignee)
Comment 9•11 months ago (Assignee)
truber - hi, as I'm having issues with the build, are you able to confirm if this patch fixes the issue?
Comment 10•11 months ago (Reporter)
It does fix the issue!
*** You are running in headless mode.
Running Fuzzer tests...
INFO: Seed: 3521109205
INFO: Loaded 2 modules (3891485 inline 8-bit counters): 17517 [0x7ff3fe738830, 0x7ff3fe73cc9d), 3873968 [0x7ff3f7071d18, 0x7ff3f74239c8),
INFO: Loaded 2 PC tables (3891485 PCs): 17517 [0x7ff3fe73cca0,0x7ff3fe781370), 3873968 [0x7ff3f74239c8,0x7ff3faf404c8),
./obj/ff-asan-fuzzing/dist/bin/firefox: Running 1 inputs 1 time(s) each.
Running: /home/truber/bugs/moz2d/1850180/test.bin
[GFX1-]: Replay failure: PathCreation PLAY
[GFX1-]: Replay failure: PathCreation PLAY
Executed /home/truber/bugs/moz2d/1850180/test.bin in 5 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
Finished running Fuzzer tests.
Comment 11•11 months ago
The severity field is not set for this bug.
:bhood, could you have a look please?
For more information, please visit BugBot documentation.
Comment 12•11 months ago (Assignee)
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The issue is fairly obvious, but not obvious from the patch how you would trigger it. We currently believe this would require a compromised content process.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely, just changes debug assertions to release ones.
- Is Android affected?: Unknown
Comment 13•10 months ago
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Approved to land and uplift
Comment 14•10 months ago
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9c9b403a485c Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel
Comment 15•10 months ago
Comment 16•10 months ago
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Approved for landing on mozilla-beta before the merge, will be in the 118.0 release candidate, thanks.
Comment 17•10 months ago
uplift: https://hg.mozilla.org/releases/mozilla-beta/rev/cff24fc7040d
Comment 18•10 months ago
Comment on attachment 9351613 [details]
Bug 1850180: Release assert on too many PopLayers in DrawTargetSkia and DrawTargetCairo. r=jrmuizel!
Approved for ESR 115.3, thanks.
Comment 19•10 months ago
uplift: https://hg.mozilla.org/releases/mozilla-esr115/rev/915dfe9d5146