Closed Bug 1490396 Opened 6 years ago Closed 6 years ago

[libFuzzer] Heap-buffer-overflow [@ ReadSize | Moz2DRenderCallback]

Categories

(Core :: Graphics: WebRender, defect, P1)

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: truber, Assigned: mattwoodrow)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

The following call to wr_moz2d_render_cb causes an input buffer over-read in m-c rev 423bdf7a802b0d302244492b423609187de39f56.

const uint8_t blob_buffer[] = {
  0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x2C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  0xFF, 0xFF, 0xFF};
uint8_t output_buffer[1973790];
wr_moz2d_render_cb(
  mozilla::wr::ByteSlice { .buffer = blob_buffer, .len = 19 },
  187, 187,
  2147483669, // mozilla::wr::ImageFormat::?
  nullptr, nullptr, nullptr,
  mozilla::wr::MutByteSlice { .buffer = output_buffer, .len = 1973790 });


==21189==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000306d8f at pc 0x7f0801fa8fe6 bp 0x7ffc0d759050 sp 0x7ffc0d759048
READ of size 8 at 0x603000306d8f thread T0
    #0 0x7f0801fa8fe5 in ReadSize /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:380:7
    #1 0x7f0801fa8fe5 in mozilla::wr::Moz2DRenderCallback(mozilla::Range<unsigned char const>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat, unsigned short const*, mozilla::wr::TypedPoint2D<unsigned short, mozilla::wr::Tiles> const*, mozilla::wr::TypedRect<unsigned int, mozilla::wr::DevicePixel> const*, mozilla::Range<unsigned char>) /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:414
    #2 0x7f0801fa3d2c in wr_moz2d_render_cb /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:473:10
    #3 0x7f080e51772b in testMoz2DRenderCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/gfx/tests/fuzzing/moz2d/TestMoz2D.cpp:89:3
    #4 0x561c28fcb864 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #5 0x561c28fc88f8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #6 0x561c28fcd041 in fuzzer::Fuzzer::MutateAndTestOne() /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #7 0x561c28fcf045 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #8 0x561c28faf108 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #9 0x7f080cfa0301 in mozilla::FuzzerRunner::Run(int*, char***) /home/truber/src/m/u/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #10 0x7f080ceb22b5 in XREMain::XRE_mainStartup(bool*) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:3997:35
    #11 0x7f080cec6513 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:4956:12
    #12 0x7f080cec808e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5063:21
    #13 0x561c28f0f6fc in do_main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:233:22
    #14 0x561c28f0f6fc in main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:315
    #15 0x7f0824a7782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x561c28e0f038 in _start (/home/truber/src/m/u/obj/ff-asan-release/dist/bin/firefox+0x37038)

0x603000306d8f is located 1 bytes to the left of 19-byte region [0x603000306d90,0x603000306da3)
allocated by thread T0 here:
    #0 0x561c28ed32a8 in __interceptor_malloc (/home/truber/src/m/u/obj/ff-asan-release/dist/bin/firefox+0xfb2a8)
    #1 0x561c28f1081d in moz_xmalloc /home/truber/src/m/u/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f080e517674 in operator new[] /home/truber/src/m/u/obj/ff-asan-release/dist/include/mozilla/mozalloc.h:151:12
    #3 0x7f080e517674 in testMoz2DRenderCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/gfx/tests/fuzzing/moz2d/TestMoz2D.cpp:85
    #4 0x561c28fcb864 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #5 0x561c28fc88f8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #6 0x561c28fcd041 in fuzzer::Fuzzer::MutateAndTestOne() /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #7 0x561c28fcf045 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #8 0x561c28faf108 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #9 0x7f080cfa0301 in mozilla::FuzzerRunner::Run(int*, char***) /home/truber/src/m/u/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #10 0x7f080ceb22b5 in XREMain::XRE_mainStartup(bool*) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:3997:35
    #11 0x7f080cec6513 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:4956:12
    #12 0x7f080cec808e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5063:21
    #13 0x561c28f0f6fc in do_main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:233:22
    #14 0x561c28f0f6fc in main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:315
    #15 0x7f0824a7782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:380:7 in ReadSize
Shadow bytes around the buggy address:
  0x0c0680058d60: fa fa fa fa fa fa fa fa fa fa 00 00 00 05 fa fa
  0x0c0680058d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680058d80: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c0680058d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680058da0: fa fa fa fa fa fa 00 00 00 05 fa fa fd fd fd fd
=>0x0c0680058db0: fa[fa]00 00 03 fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680058dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680058dd0: fa fa fa fa fa fa fd fd fd fd fa fa fa fa fa fa
  0x0c0680058de0: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c0680058df0: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
  0x0c0680058e00: fd fd fd fa fa fa 00 00 00 05 fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21189==ABORTING
Priority: -- → P1
Not clear if this affects the actual shipping code, but I'll mark it sec-high to be safe.
Keywords: sec-high
MozReview-Commit-ID: ElIkCKdeGgv
Assignee: nobody → matt.woodrow
Comment on attachment 9010164 [details]
Bug 1490396 - Don't let indexOffset overflow when sanity checking it. r?jrmuizel

Jeff Muizelaar [:jrmuizel] has approved the revision.
Attachment #9010164 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/d81fa4aed4e2
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release