Launchpad has imported 13 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1694670.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2021-02-24T14:51:58+00:00 Aryx-bugmail wrote:

90 crashes with various Linux distributions in the last 6 weeks, some have beta 0 as version (distros testing?).

Crash report: https://crash-stats.mozilla.org/report/index/2a7dee73-3a4d-490a-96fd-4af7f0210224

MOZ_CRASH Reason: ```OOB```

Top 10 frames of crashing thread:

```
0 libxul.so RustMozCrash mozglue/static/rust/wrappers.cpp:17
1 libxul.so mozglue_static::panic_hook mozglue/static/rust/lib.rs:89
2 libxul.so core::ops::function::Fn::call /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70
3 libxul.so std::panicking::rust_panic_with_hook library/std/src/panicking.rs:595
4 libxul.so std::panicking::begin_panic::{{closure}} /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:520
5 libxul.so std::sys_common::backtrace::__rust_end_short_backtrace /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:141
6 libxul.so std::panicking::begin_panic /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:519
7 libxul.so qcms_data_create_rgb_with_gamma gfx/qcms/src/c_bindings.rs:287
8 libxul.so gfxPlatformGtk::GetPlatformCMSOutputProfileData gfx/thebes/gfxPlatformGtk.cpp:483
9 libxul.so gfxPlatform::Init gfx/thebes/gfxPlatform.cpp:1005
```

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/0

------------------------------------------------------------------------
On 2021-02-24T14:55:19+00:00 Jmuizelaar wrote:

It doesn't seem like this should be a security bug as it is just a rust panic on startup.
Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/1

------------------------------------------------------------------------
On 2021-02-24T15:37:38+00:00 Jmuizelaar wrote:

Created attachment 9205116
Bug 1694670 - Fix qcms_data_create_rgb_with_gamma.

This fixes a number of problems:
1. The check around get_rgb_colorants was inverted. This caused us to only continue if the colorants were wrong.
2. get_rgb_colorants can just return the Matrix instead of taking a reference to it.
3. The OOB checks in write_u32 and write_u16 had their conditions inverted.
4. No tests

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/2

------------------------------------------------------------------------
On 2021-02-24T15:42:48+00:00 Jmuizelaar wrote:

We should just fix the reversed OOB checks here and do the other stuff elsewhere.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/3

------------------------------------------------------------------------
On 2021-02-24T22:16:13+00:00 Dveditz wrote:

So these particular crashes may not be scary, but `qcms_data_create_rgb_with_gamma` is a very large unsafe function so are we sure there aren't potentially vulnerable crashes if we've reversed the conditions?

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/4

------------------------------------------------------------------------
On 2021-02-25T02:03:23+00:00 Jmuizelaar wrote:

`qcms_data_create_rgb_with_gamma` is only called on system local data (i.e. information from the user's window server). There shouldn't be any way to exploit it. Further, the out of bounds checks were only added recently; previously there was no check at all.
Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/5

------------------------------------------------------------------------
On 2021-02-25T02:03:52+00:00 Jmuizelaar wrote:

Created attachment 9205268
Bug 1694670. Fix the OOB check in write_u32/u16.

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/6

------------------------------------------------------------------------
On 2021-02-25T13:21:29+00:00 Jmuizelaar wrote:

Comment on attachment 9205268
Bug 1694670. Fix the OOB check in write_u32/u16.

### Beta/Release Uplift Approval Request

* **User impact if declined**: This fixes a startup crash that happens when users have an invalid color profile on Linux
* **Is this code covered by automated tests?**: No
* **Has the fix been verified in Nightly?**: No
* **Needs manual test from QE?**: No
* **If yes, steps to reproduce**:
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: This code path is very rare as evidenced by the low crash rate. This patch restores the behaviour to what it was prior to being regressed by bug 1684095
* **String changes made/needed**:

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/7

------------------------------------------------------------------------
On 2021-02-25T13:21:34+00:00 Pulsebot wrote:

Pushed by jmuizel...@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/95fc70920b71
Fix the OOB check in write_u32/u16. r=aosmond

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/8

------------------------------------------------------------------------
On 2021-02-25T17:52:51+00:00 Ryanvm wrote:

Comment on attachment 9205268
Bug 1694670. Fix the OOB check in write_u32/u16.

Approved for 87.0b3 so we can get feedback on this ASAP.
Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/9

------------------------------------------------------------------------
On 2021-02-25T17:53:43+00:00 Ryanvm wrote:

https://hg.mozilla.org/releases/mozilla-beta/rev/e24e2d039a0317d0d66bdb041df65792ae69f555

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/10

------------------------------------------------------------------------
On 2021-02-25T21:56:07+00:00 Csabou wrote:

https://hg.mozilla.org/mozilla-central/rev/95fc70920b71

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/11

------------------------------------------------------------------------
On 2021-02-26T01:44:32+00:00 Jmuizelaar wrote:

*** Bug 1694891 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/12

** Changed in: firefox
       Status: Unknown => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917191

Title:
  firefox will not start after it crashed unexpectedly

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1917191/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
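The inverted OOB checks in write_u32/write_u16 described in comments 2 and 5 above, shown as an added example that is not qcms's or Mozilla's own code (the function names, the Result-returning signatures and the 132-byte header layout are assumptions): the inverted condition rejects every in-bounds write, which is why a locally supplied profile panicked with "OOB" at startup, while the corrected form fails closed on short buffers and overflowing offsets instead of indexing past the buffer.

```rust
// Added illustration, not qcms's or Mozilla's own code: a bounds-checked
// big-endian write into an ICC profile byte buffer, with an inverted check
// of the kind this bug describes beside a corrected one. Function names,
// the Result return type and the buffer layout are assumptions.

/// Inverted check (the bug pattern): the condition is true exactly when the
/// write fits, so every valid write is rejected as "OOB", while a genuinely
/// out-of-bounds offset would pass the check and reach the slice index.
pub fn write_u32_inverted(mem: &mut [u8], offset: usize, value: u32) -> Result<(), &'static str> {
    if offset + 4 <= mem.len() {
        return Err("OOB");
    }
    mem[offset..offset + 4].copy_from_slice(&value.to_be_bytes());
    Ok(())
}

/// Corrected check: compute the end with checked arithmetic and let the
/// slice lookup decide, so short buffers and overflowing offsets both fail
/// cleanly rather than panicking or underflowing `mem.len() - 4`.
pub fn write_u32(mem: &mut [u8], offset: usize, value: u32) -> Result<(), &'static str> {
    write_bytes(mem, offset, &value.to_be_bytes())
}

pub fn write_u16(mem: &mut [u8], offset: usize, value: u16) -> Result<(), &'static str> {
    write_bytes(mem, offset, &value.to_be_bytes())
}

fn write_bytes(mem: &mut [u8], offset: usize, src: &[u8]) -> Result<(), &'static str> {
    let end = offset.checked_add(src.len()).ok_or("OOB")?;
    let dst = mem.get_mut(offset..end).ok_or("OOB")?;
    dst.copy_from_slice(src);
    Ok(())
}

/// Builds the first fields of a constructed 132-byte profile image (the
/// 128-byte ICC header plus the 4-byte tag count at offset 128) with the
/// corrected writers. Returns the buffer or the first write that did not fit.
pub fn build_header(tag_count: u32) -> Result<Vec<u8>, &'static str> {
    let mut mem = vec![0u8; 132];
    let size = mem.len() as u32;
    write_u32(&mut mem, 0, size)?;          // profile size
    write_u16(&mut mem, 8, 0x0400)?;        // version 4.0 (constructed value)
    write_u32(&mut mem, 36, 0x6163_7370)?;  // 'acsp' signature
    write_u32(&mut mem, 128, tag_count)?;   // tag count
    Ok(mem)
}
```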