Closed Bug 599068 Opened 14 years ago Closed 14 years ago

Fuzzed font crash in Apple's libTrueTypeScaler [@MapF26Dot6]

Categories

(Core :: Graphics, defect, P1)

1.9.2 Branch
x86
macOS
defect

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- needed
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: bsterne, Assigned: jfkthame)

References

Details

(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical (Apple)] )

Attachments

(3 files)

Attached file Testcase and supporting files (deleted) —
Marc Schoenefeld reported the following to security@m.o today. The crash on its face looks like a null-deref, but Marc thinks there are signs of heap corruption, so hiding for now. I can confirm the crash, but Crash Reporter had problems submitting the report both times I tried. ------ Hi, another crash on ffx 3.6.10/OSX 10.6 with signs of heap corruption, repeatedly trying to free the same modified object location. Crashwrangler reports exploitable=no, but afaics that just refers to the instruction the control flow finally dies, the attacker's heap magic would happen before this point. Cheers Marc Faulty glyph (id:92) outline detected - replacing with a space/null glyph - in memory font kind firefox-bin(64195,0xa033d500) malloc: *** error for object 0x18f5c04: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug firefox-bin(64195,0xa033d500) malloc: *** error for object 0x18f5c00: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Faulty glyph (id:92) outline detected - replacing with a space/null glyph - in memory font kind firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Faulty glyph (id:92) outline detected - replacing with a space/null glyph - in memory font kind firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Faulty glyph (id:92) outline detected - replacing with a space/null glyph - in memory font kind firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Faulty glyph (id:92) outline detected - replacing with a space/null glyph - in memory font kind firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282004: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug firefox-bin(64195,0xa033d500) malloc: *** error for object 0x2282000: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Crashed thread log = 0 libmozjs.dylib 0x00fd13c1 JS_CallTracer + 129 1 libmozjs.dylib 0x010539e8 js_GetScriptLineExtent + 2248 2 libmozjs.dylib 0x00fcc587 js_PutArgsObject + 1479 3 libmozjs.dylib 0x00ff2f35 js_GetterOnlyPropertyStub + 5029 4 libmozjs.dylib 0x00fd15ad JS_CallTracer + 621 5 libmozjs.dylib 0x01053943 js_GetScriptLineExtent + 2083 6 libmozjs.dylib 0x00fcc587 js_PutArgsObject + 1479 7 libmozjs.dylib 0x00ff2f35 js_GetterOnlyPropertyStub + 5029 8 libmozjs.dylib 0x00fd15ad JS_CallTracer + 621 9 libmozjs.dylib 0x00fcc52a js_PutArgsObject + 1386 10 libmozjs.dylib 0x00ff2f35 js_GetterOnlyPropertyStub + 5029 11 libmozjs.dylib 0x00fd15ad JS_CallTracer + 621 12 libmozjs.dylib 0x00ff2edf js_GetterOnlyPropertyStub + 4943 13 libmozjs.dylib 0x00fd15ad JS_CallTracer + 621 14 libmozjs.dylib 0x00ff2f21 js_GetterOnlyPropertyStub + 5009 15 libmozjs.dylib 0x00fd15ad JS_CallTracer + 621 <snip> 180 XUL 0x0001079b XRE_main + 15723 181 org.mozilla.firefox 0x00002cb8 start + 2168 182 org.mozilla.firefox 0x00002542 start + 258 183 org.mozilla.firefox 0x00002469 start + 41 log name is: ./crashlogs/mod_after_free_retry.crashlog.txt --- exception=EXC_BAD_ACCESS:signal=10:is_exploitable= no:instruction_disassembly=divl CONSTANT(%ecx):instruction_address=0x0000000000fd13c1:access_type=unknown:access_address=0x0000000000000008: Null dereference, probably not exploitable
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Kind of odd -- the malloc errors are in fonts but the crash is in tracer. Probably a font error, maybe writing on memory that just happens to be used by JS?
blocking1.9.2: ? → needed
Attachment #478013 - Attachment mime type: application/zip → application/java-archive
Comment 1 was based on the symptoms in comment 0 -- I have not been able to reproduce the crash myself. I've been trying to load it from the attachment, though. Maybe @font-face doesn't like jar: urls?
I do sometimes get weird visual effects, the page becomes essentially unreadable with vertical lines of varying heights and widths and right triangles always in the same orientation (acute angle on the left, right angle at the top right). Memory corruption? or just visual? I see it a lot more consistently when I load the testcase unzipped into a local directory, but I saw it once or twice when loaded from the bugzilla attachment.
Assignee: nobody → jdaggett
I can't reproduce a crash on either the latest 10.6.4 build (10.6.4 10F569) or with the latest seed build (10.6.5 10H542). Lots of "Faulty glyph (id:92) outline detected - replacing with a space/null glyph - in memory font kind" errors, wacky looking rendering but no crash. Does the testcase need to sit and run before the crash occurs? I was running with Crashwrangler: MOZ_CRASHREPORTER_DISABLE=1 CW_CURRENT_CASE=b599068 ./exc_handler "/Applications/Firefox.app/Contents/MacOS/firefox-bin" "file:///crashes/b599068/index_mod.html" I also ran with libgmalloc, also with no crash or access fault: DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib MALLOC_ALLOW_READS= MOZ_CRASHREPORTER_DISABLE=1 CW_CURRENT_CASE=b599068 ./exc_handler "/Applications/Firefox.app/Contents/MacOS/firefox-bin" "file:///crashes/b599068/index_mod.html" If the reporter or someone else can reproduce the problem, please attach the output of a run with Crashwrangler and libgmalloc enabled. Also, the exact steps and the system version (use 'sw_vers').
D'oh! didn't notice it was 10.6 in the initial description, I was using 10.5.8
(In reply to comment #5) > D'oh! didn't notice it was 10.6 in the initial description, I was using 10.5.8 Yeah, we need to be clear about 10.5 or 10.6 on all these sorts of bugs, the underlying OS code is very different.
Whiteboard: [sg:vector-critical (Apple)]
Random crashes. Looks familiar. https://bugzilla.mozilla.org/show_bug.cgi?id=594638 - OOO.crashlog.txt
Attached file callstacks-cw (deleted) —
John, I can verify that it crashes on both MacOSX versions. In 10.6.5 you have to reload the document twice to make Firefox crash. The callstack is always different. Three CW callstacks are attached. Some font information: Tag: b'OS/2' Checksum: 0x4340c2d5 Offset: 312/0x00000138 Length: 86 Tag: b'cmap' Checksum: 0x79e7b7c0 Offset: 1044/0x00000414 Length: 340 Tag: b'gasp' Checksum: 0xffff0003 Offset: 14644/0x00003934 Length: 8 Tag: b'glyf' Checksum: 0x269b08af Offset: 1840/0x00000730 Length: 11666 Tag: b'head' Checksum: 0xcf28d95e Offset: 188/0x000000bc Length: 54 Tag: b'hhea' Checksum: 0x1064081e Offset: 244/0x000000f4 Length: 36 Tag: b'hmtx' Checksum: 0xaacd406b Offset: 400/0x00000190 Length: 642 Tag: b'loca' Checksum: 0x70396610 Offset: 1384/0x00000568 Length: 454 Tag: b'maxp' Checksum: 0x01f6014d Offset: 280/0x00000118 Length: 32 Tag: b'name' Checksum: 0x98f8c784 Offset: 13508/0x000034c4 Length: 602 Tag: b'post' Checksum: 0x03cb818d Offset: 14112/0x00003720 Length: 530
Severity: normal → critical
Priority: -- → P1
Attached file callstack with libgmalloc (deleted) —
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 Reproduced with modified version of the testcase with 5-second refresh enabled. Running with libgmalloc on 10.6.5 10H542 crashes in libTrueTypeScaler code. exception=EXC_BAD_ACCESS:signal=10:is_exploitable=yes:instruction_disassembly=movl %eax,(%ebx):instruction_address=0x0000000094fc5956:access_type=write:access_address=0x00000000150dd000: Command line used: DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib MALLOC_ALLOW_READS= NO_EM_RESTART=1 MOZ_CRASHREPORTER_DISABLE=1 CW_CURRENT_CASE=b599068 ./exc_handler "/Applications/Firefox.app/Contents/MacOS/firefox-bin" -P default "file:///crashes/b599068/index-jd.html"
No crash on trunk with harfbuzz disabled. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b7pre) Gecko/20100928 Firefox/4.0b7pre 10.6.5 10H542
(In reply to comment #10) > No crash on trunk with harfbuzz disabled. I don't think this needs to block on trunk.
Summary: Investigate potential double-free crash from fuzzed font → Fuzzed font crash in Apple's libTrueTypeScaler [@MapF26Dot6]
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
blocking2.0: ? → final+
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified for 1.9.2. Crashed hard in 1.9.2.12 after a brief wait but working fine in Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101117 Namoroka/3.6.13pre. Rendering artifacts are all over 1.9.2.12 as well, which are not present in 1.9.2.13pre.
Keywords: verified1.9.2
OTS landed on 1.9.1 as well.
Blocks: 594536
Attachment #495182 - Attachment description: Bug Bounty Nomination → Bug Bounty non-qual
Group: core-security
Group: core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: