Closed
Bug 1570612
Opened 5 years ago
Closed 1 year ago
Crash in [@ gdk_broadway_get_last_seen_time] with use-after-free
Categories
(Core :: Widget: Gtk, defect)
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-uaf, sec-moderate)
Crash Data
This bug is for crash report bp-93433b1e-7b1a-4d20-a038-faee50190729.
Top 10 frames of crashing thread:
0 libgdk-3.so.0.2404.4 gdk_broadway_get_last_seen_time
1 libffi.so.6.0.4 libffi.so.6.0.4@0x681d
2 libffi.so.6.0.4 libffi.so.6.0.4@0x61ee
3 libxul.so _fini
4 libgdk-3.so.0.2404.4 gdk_broadway_get_last_seen_time
5 libwayland-client.so.0.3.0 wl_array_copy
6 libgdk-3.so.0.2404.4 gdk_wayland_window_set_transient_for_exported
7 libwayland-client.so.0.3.0 wl_log_set_handler_client
8 libwayland-client.so.0.3.0 libwayland-client.so.0.3.0@0x5968
9 libwayland-client.so.0.3.0 wl_display_dispatch_queue_pending
This is a PHC report; manually symbolized PHC stacks:
Free stack:
#0 gdk_window_geometry_changed
#1 gdk_broadway_get_last_seen_time
#2 (missing symbols for module libffi.so.6.0.4)
#3 (missing symbols for module libffi.so.6.0.4)
#4 wl_log_set_handler_client
#5 ??? (unresolved symbol in libwayland-client.so.0.3.0)
#6 wl_display_dispatch_queue_pending
#7 gdk_wayland_display_query_registry
#8 gdk_display_get_event
#9 gdk_wayland_display_query_registry
#10 g_main_context_dispatch
#11 g_main_context_dispatch
#12 g_main_context_iteration
#13 nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool)
in file hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 259
#14 nsThread::ProcessNextEvent(bool, bool*)
in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 1120
#15 <name omitted>
in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 486
Alloc stack:
#0 <name omitted>
in file hg:hg.mozilla.org/mozilla-central:memory/build/malloc_decls.h:1416771db267f77fa6bd28b2eaa214a706427f55 line 38
#1 g_malloc
#2 g_slice_alloc
#3 g_slice_alloc0
#4 gdk_event_new
#5 gdk_broadway_get_last_seen_time
#6 gdk_broadway_get_last_seen_time
#7 (missing symbols for module libffi.so.6.0.4)
#8 (missing symbols for module libffi.so.6.0.4)
#9 wl_log_set_handler_client
#10 ??? (unresolved symbol in libwayland-client.so.0.3.0)
#11 wl_display_dispatch_queue_pending
#12 gdk_wayland_display_query_registry
#13 gdk_display_get_event
#14 gdk_wayland_display_query_registry
#15 g_main_context_dispatch
Judging from the stacks, this could be a bug in GDK, in particular in gdk_broadway_get_last_seen_time, where an event is used after it was freed in gdk_window_geometry_changed.
Updated•5 years ago
Component: Other → Widget: Gtk
Product: External Software Affecting Firefox → Core
Comment 1•5 years ago
I happen to have the same version of Ubuntu installed as the bug reporter, so I can symbolize some of the things that are ??? in the stack trace from comment 0. I hope it helps.
Free stack:
#0 gdk_window_geometry_changed (libgdk-3.so.0.2404.4 +0x4f798)
gdk_windowing_got_event ./debian/build/deb/gdk/../../../../gdk/gdkwindow.c:10101
#1 gdk_broadway_get_last_seen_time (libgdk-3.so.0.2404.4 +0x8bd0f)
gdk_wayland_tablet_flush_frame_event ./debian/build/deb/gdk/wayland/../../../../../gdk/wayland/gdkdevice-wayland.c:3507
#2 ffi_call_unix64 in ./build/../src/x86/unix64.S:79 (libffi.so.6.0.4 0x681e)
#3 ffi_call in ./build/../src/x86/ffi64.c:527 (libffi.so.6.0.4 0x61ef)
#4 wl_closure_invoke in ./build/../src/connection.c:1008 (wl_log_set_handler_client (libwayland-client.so.0.3.0 +0x912d))
#5 dispatch_event in ./build/../src/wayland-client.c:1427 (libwayland-client.so.0.3.0 +0x5969)
#6 dispatch_queue in ./build/../src/wayland-client.c:1574
wl_display_dispatch_queue_pending (libwayland-client.so.0.3.0 +0x6e34)
#7 gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x949a4)
#8 gdk_display_get_event (libgdk-3.so.0.2404.4 +0x34ad0)
#9 gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x946c2)
#10 g_main_context_dispatch (libglib-2.0.so.0.6000.4 +0x4e9ee)
#11 g_main_context_dispatch (libglib-2.0.so.0.6000.4 +0x4ec88)
#12 g_main_context_iteration (libglib-2.0.so.0.6000.4 +0x4ed1c)
#13 nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool)
in file hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 259
#14 nsThread::ProcessNextEvent(bool, bool*)
in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 1120
#15 <name omitted>
in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:1416771db267f77fa6bd28b2eaa214a706427f55 line 486
Alloc stack:
#0 <name omitted>
in file hg:hg.mozilla.org/mozilla-central:memory/build/malloc_decls.h:1416771db267f77fa6bd28b2eaa214a706427f55 line 38
#1 g_malloc (libglib-2.0.so.0.6000.4 +0x544e1)
#2 g_slice_alloc (libglib-2.0.so.0.6000.4 +0x6c583)
#3 g_slice_alloc0 (libglib-2.0.so.0.6000.4 +0x6cbb9)
#4 gdk_event_new (libgdk-3.so.0.2404.4 +0x39b60)
#5 gdk_broadway_get_last_seen_time (libgdk-3.so.0.2404.4 +0x8be22)
#6 gdk_broadway_get_last_seen_time (libgdk-3.so.0.2404.4 +0x8c09d)
#7 (missing symbols for module libffi.so.6.0.4)
#8 (missing symbols for module libffi.so.6.0.4)
#9 wl_log_set_handler_client (libwayland-client.so.0.3.0 +0x912d)
#10 dispatch_event in ./build/../src/wayland-client.c:1427 (libwayland-client.so.0.3.0 +0x5969)
#11 wl_display_dispatch_queue_pending (libwayland-client.so.0.3.0 +0x6e34)
#12 gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x949a4)
#13 gdk_display_get_event (libgdk-3.so.0.2404.4 +0x34ad0)
#14 gdk_wayland_display_query_registry (libgdk-3.so.0.2404.4 +0x946c2)
#15 g_main_context_dispatch (libglib-2.0.so.0.6000.4 +0x4e9ee)
Updated•5 years ago
Group: core-security → dom-core-security
Keywords: csectype-uaf, sec-moderate
Updated•2 years ago
Severity: critical → S2
Comment 2•1 year ago
We have not seen any reports for a year.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
Updated•1 year ago
Group: dom-core-security