Closed Bug 1874773 Opened 1 year ago Closed 1 year ago

stack-use-after-scope [@ WaylandMessage::Write] at startup

Categories

(Core :: Widget: Gtk, defect)

defect

Tracking

RESOLVED FIXED
123 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- unaffected
firefox122 --- unaffected
firefox123 --- fixed

People

(Reporter: tsmith, Assigned: stransky)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-moderate)

Attachments

(1 file)

Found while fuzzing m-c 20240115-16becc119397 (--enable-address-sanitizer --enable-fuzzing)

This is triggered on launch when using an ASan build on Ubuntu 22.04.

==10742==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f3474cfd940 at pc 0x560e75b1a3e7 bp 0x7f3474cfd860 sp 0x7f3474cfd000
READ of size 8 at 0x7f3474cfd940 thread T2
    #0 0x560e75b1a3e6 in read_msghdr_control /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3174:5
    #1 0x560e75b1a3e6 in read_msghdr(void*, __sanitizer::__sanitizer_msghdr*, long) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3212:5
    #2 0x560e75b19257 in sendmsg /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3227:5
    #3 0x7f345ab9705d in WaylandMessage::Write(int) /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:245:17
    #4 0x7f345ab98349 in ProxiedConnection::TransferOrQueue(int, int, int, std::vector<std::unique_ptr<WaylandMessage, std::default_delete<WaylandMessage>>, std::allocator<std::unique_ptr<WaylandMessage, std::default_delete<WaylandMessage>>>>*) /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:388:19
    #5 0x7f345ab98b31 in ProxiedConnection::Process() /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:459:8
    #6 0x7f345ab9a54a in WaylandProxy::ProcessConnections() /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:653:25
    #7 0x7f345ab9a82b in WaylandProxy::Run() /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:669:58
    #8 0x7f345ab9abec in WaylandProxy::RunProxyThread(WaylandProxy*) /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:691:11
    #9 0x560e75b79b4a in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31
    #10 0x7f3477094ac2 in start_thread nptl/pthread_create.c:442:8
    #11 0x7f347712684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Address 0x7f3474cfd940 is located in stack of thread T2 at offset 160 in frame
    #0 0x7f345ab96caf in WaylandMessage::Write(int) /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:204

  This frame has 3 object(s):
    [32, 88) 'msg' (line 209)
    [128, 144) 'iov' (line 210)
    [160, 288) 'cmsgu' (line 228) <== Memory access at offset 160 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T2 created by T0 here:
    #0 0x560e75b632ed in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:237:3
    #1 0x7f345ab9b0e5 in WaylandProxy::RunThread() /builds/worker/checkouts/gecko/third_party/wayland-proxy/wayland-proxy.cpp:743:20
    #2 0x7f345f99e6f4 in XREMain::XRE_mainStartup(bool*) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4743:24
    #3 0x7f345f9af136 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5940:12
    #4 0x7f345f9b04a1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6009:21
    #5 0x560e75bbd182 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
    #6 0x560e75bbd182 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
    #7 0x7f3477029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: stack-use-after-scope /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3174:5 in read_msghdr_control
Shadow bytes around the buggy address:
  0x7f3474cfd680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f3474cfd700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f3474cfd780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f3474cfd800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f3474cfd880: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f2
=>0x7f3474cfd900: f2 f2 f2 f2 00 00 f2 f2[f8]f8 f8 f8 f8 f8 f8 f8
  0x7f3474cfd980: f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 00 00 00 00
  0x7f3474cfda00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f3474cfda80: 00 00 00 00 f1 f1 f1 f1 04 f2 00 f3 f3 f3 f3 f3
  0x7f3474cfdb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f3474cfdb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10742==ABORTING
Flags: needinfo?(stransky)
Assignee: nobody → stransky
Status: NEW → ASSIGNED

Affects nightly only.

Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/b3320921a0a6 [Wayland] Initialize cmsgu right after start r=emilio
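The ASan frame layout above (msg at line 209, iov at line 210, cmsgu declared later at line 228, and the read happening inside sendmsg at line 245) together with the fix title "Initialize cmsgu right after start" describe a common shape of stack-use-after-scope in descriptor-passing code: the control-message buffer is declared in an inner block, msghdr.msg_control keeps pointing at it after the block ends, and sendmsg() reads the dead object. The C program below is an added illustration, not the wayland-proxy source: send_fd_buggy is a hypothetical reconstruction of that scoping mistake (defined but never called), send_fd_fixed shows the lifetime fix, and a round trip over a socketpair checks that the fixed version really passes a descriptor.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Control-message buffer large enough for one file descriptor (SCM_RIGHTS). */
typedef union {
    struct cmsghdr hdr;                 /* forces correct alignment */
    char buf[CMSG_SPACE(sizeof(int))];
} cmsg_buf;

/* Fill in the SCM_RIGHTS control message that carries 'fd'. */
static void attach_fd(struct msghdr *msg, cmsg_buf *cmsgu, int fd) {
    memset(cmsgu, 0, sizeof *cmsgu);
    msg->msg_control = cmsgu->buf;
    msg->msg_controllen = sizeof cmsgu->buf;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
}

/* Buggy shape (hypothetical reconstruction, not the wayland-proxy code):
 * cmsgu lives only inside the 'if' block, but msg.msg_control still points
 * at it when sendmsg() runs. ASan reports stack-use-after-scope; a plain
 * build usually "works" only because the stack slot is not yet reused.
 * This function is intentionally never called. */
ssize_t send_fd_buggy(int sock, const char *data, size_t len, int fd) {
    struct msghdr msg;
    struct iovec iov = { (void *)data, len };
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (fd >= 0) {
        cmsg_buf cmsgu;                 /* lifetime ends at the '}' below */
        attach_fd(&msg, &cmsgu, fd);
    }
    return sendmsg(sock, &msg, 0);      /* msg_control is dangling here */
}

/* Fixed shape: cmsgu is declared and zeroed at the top of the function,
 * so it outlives the sendmsg() call that consumes it. */
ssize_t send_fd_fixed(int sock, const char *data, size_t len, int fd) {
    struct msghdr msg;
    struct iovec iov = { (void *)data, len };
    cmsg_buf cmsgu;
    memset(&msg, 0, sizeof msg);
    memset(&cmsgu, 0, sizeof cmsgu);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (fd >= 0)
        attach_fd(&msg, &cmsgu, fd);
    return sendmsg(sock, &msg, 0);
}

/* Receiver: returns the descriptor carried in the control message, or -1. */
int recv_fd(int sock, char *buf, size_t len) {
    struct msghdr msg;
    struct iovec iov = { buf, len };
    cmsg_buf cmsgu;
    memset(&msg, 0, sizeof msg);
    memset(&cmsgu, 0, sizeof cmsgu);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cmsgu.buf;
    msg.msg_controllen = sizeof cmsgu.buf;
    if (recvmsg(sock, &msg, 0) <= 0)
        return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    if (!cmsg || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof fd);
    return fd;
}

/* Round trip over a socketpair: pass a pipe's write end with send_fd_fixed,
 * write through the received descriptor, and read it back from the pipe.
 * Returns 1 when both the payload and the descriptor arrived intact. */
int demo_roundtrip(void) {
    int sv[2], pfd[2], ok = 0, rfd = -1;
    char msgbuf[8] = {0}, pipebuf[8] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (pipe(pfd) < 0) { close(sv[0]); close(sv[1]); return 0; }
    if (send_fd_fixed(sv[0], "hi", 2, pfd[1]) == 2 &&
        (rfd = recv_fd(sv[1], msgbuf, sizeof msgbuf)) >= 0 &&
        write(rfd, "ok", 2) == 2 &&
        read(pfd[0], pipebuf, 2) == 2)
        ok = memcmp(msgbuf, "hi", 2) == 0 && memcmp(pipebuf, "ok", 2) == 0;
    if (rfd >= 0) close(rfd);
    close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return ok;
}

int main(void) {
    printf("fd round trip %s\n", demo_roundtrip() ? "succeeded" : "failed");
    return 0;
}
```

Building this with -fsanitize=address and swapping send_fd_fixed for send_fd_buggy in demo_roundtrip yields a report of the same class as the one above: the cmsgu bytes are poisoned (shadow value f8) at the closing brace, and the sendmsg interceptor's read of msg_control trips on them. The fix is purely a lifetime change; the bytes written into cmsgu are identical in both variants.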
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release
