Launchpad has imported 13 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1694670.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2021-02-24T14:51:58+00:00 Aryx-bugmail wrote:

90 crashes with various Linux distributions in the last 6 weeks, some
have beta 0 as version (distros testing?).

Crash report: https://crash-stats.mozilla.org/report/index/2a7dee73-3a4d-490a-96fd-4af7f0210224

MOZ_CRASH Reason: ```OOB```

Top 10 frames of crashing thread:

```
0 libxul.so RustMozCrash mozglue/static/rust/wrappers.cpp:17
1 libxul.so mozglue_static::panic_hook mozglue/static/rust/lib.rs:89
2 libxul.so core::ops::function::Fn::call /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70
3 libxul.so std::panicking::rust_panic_with_hook library/std/src/panicking.rs:595
4 libxul.so std::panicking::begin_panic::{{closure}} /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:520
5 libxul.so std::sys_common::backtrace::__rust_end_short_backtrace /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:141
6 libxul.so std::panicking::begin_panic /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:519
7 libxul.so qcms_data_create_rgb_with_gamma gfx/qcms/src/c_bindings.rs:287
8 libxul.so gfxPlatformGtk::GetPlatformCMSOutputProfileData gfx/thebes/gfxPlatformGtk.cpp:483
9 libxul.so gfxPlatform::Init gfx/thebes/gfxPlatform.cpp:1005
```

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/0

------------------------------------------------------------------------
On 2021-02-24T14:55:19+00:00 Jmuizelaar wrote:

It doesn't seem like this should be a security bug as it is just a rust
panic on startup.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/1

------------------------------------------------------------------------
On 2021-02-24T15:37:38+00:00 Jmuizelaar wrote:

Created attachment 9205116
Bug 1694670 - Fix qcms_data_create_rgb_with_gamma.

This fixes a number of problems:
1. The check around get_rgb_colorants was inverted. This caused us to
   only continue if the colorants were wrong.
2. get_rgb_colorants can just return the Matrix instead of taking a
   reference to it.
3. The OOBs checks in write_u32 and write_u16 had their conditions
   inverted.
4. No tests

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/2

------------------------------------------------------------------------
On 2021-02-24T15:42:48+00:00 Jmuizelaar wrote:

We should just fix the reversed OOB checks here and do the other stuff
elsewhere.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/3

------------------------------------------------------------------------
On 2021-02-24T22:16:13+00:00 Dveditz wrote:

So these particular crashes may not be scary, but
`qcms_data_create_rgb_with_gamma` is a very large unsafe function so are
we sure there aren't potentially vulnerable crashes if we've reversed
the conditions?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/4

------------------------------------------------------------------------
On 2021-02-25T02:03:23+00:00 Jmuizelaar wrote:

`qcms_data_create_rgb_with_gamma` is only called on system local data
(i.e information from the user's window server). There shouldn't be any
way to exploit it. Further, the out of bounds checks were only added
recently, previously there was no check at all.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/5

------------------------------------------------------------------------
On 2021-02-25T02:03:52+00:00 Jmuizelaar wrote:

Created attachment 9205268
Bug 1694670. Fix the OOB check in write_u32/u16.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/6

------------------------------------------------------------------------
On 2021-02-25T13:21:29+00:00 Jmuizelaar wrote:

Comment on attachment 9205268
Bug 1694670. Fix the OOB check in write_u32/u16.

### Beta/Release Uplift Approval Request
* **User impact if declined**: This fixes a startup crash that happens
  when users have an invalid color profile on Linux
* **Is this code covered by automated tests?**: No
* **Has the fix been verified in Nightly?**: No
* **Needs manual test from QE?**: No
* **If yes, steps to reproduce**:
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**:
  This code path is very rare as evidenced by the low crash rate. This
  patch restores the behaviour to what it was prior to being regressed
  by bug 1684095
* **String changes made/needed**:

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/7

------------------------------------------------------------------------
On 2021-02-25T13:21:34+00:00 Pulsebot wrote:

Pushed by [email protected]:
https://hg.mozilla.org/integration/autoland/rev/95fc70920b71
Fix the OOB check in write_u32/u16. r=aosmond

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/8

------------------------------------------------------------------------
On 2021-02-25T17:52:51+00:00 Ryanvm wrote:

Comment on attachment 9205268
Bug 1694670. Fix the OOB check in write_u32/u16.

Approved for 87.0b3 so we can get feedback on this ASAP.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/9

------------------------------------------------------------------------
On 2021-02-25T17:53:43+00:00 Ryanvm wrote:

https://hg.mozilla.org/releases/mozilla-beta/rev/e24e2d039a0317d0d66bdb041df65792ae69f555

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/10

------------------------------------------------------------------------
On 2021-02-25T21:56:07+00:00 Csabou wrote:

https://hg.mozilla.org/mozilla-central/rev/95fc70920b71

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/11

------------------------------------------------------------------------
On 2021-02-26T01:44:32+00:00 Jmuizelaar wrote:

*** Bug 1694891 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1917191/comments/12


** Changed in: firefox
       Status: Unknown => Fix Released

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1917191

Title:
  firefox will not start after it crashed unexpectedly

Status in Mozilla Firefox:
  Fix Released
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  firefox crashed unexpectedly, and it will not start or restart.
  I am running the latest ubuntu-20.04.2 LTS, all updates applied.
  firefox 86.0+build3

  ---
  ProblemType: Bug
  AddonCompatCheckDisabled: False
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: johnfg 1725 F.... pulseaudio
   /dev/snd/controlC1: johnfg 1725 F.... pulseaudio
  BuildID: 20210222142601
  CasperMD5CheckResult: skip
  Channel: Unavailable
  CurrentDesktop: ubuntu:GNOME
  DefaultProfileExtensions: extensions.sqlite corrupt or missing
  DefaultProfileIncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
  DefaultProfileLocales: extensions.sqlite corrupt or missing
  DefaultProfilePrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:348
  DefaultProfilePrefSources: prefs.js
  DefaultProfileThemes: extensions.sqlite corrupt or missing
  DistroRelease: Ubuntu 20.04
  ForcedLayersAccel: False
  InstallationDate: Installed on 2020-02-22 (371 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  IpRoute:
   default via 192.168.1.1 dev wlp10s0 proto dhcp metric 600
   10.8.0.0/24 via 10.8.0.17 dev tun0
   10.8.0.17 dev tun0 proto kernel scope link src 10.8.0.18
   169.254.0.0/16 dev wlp10s0 scope link metric 1000
   192.168.1.0/24 dev wlp10s0 proto kernel scope link src 192.168.1.8 metric 600
  NonfreeKernelModules: openafs
  Package: firefox 86.0+build3-0ubuntu0.20.04.1
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 5.4.0-66.74-generic 5.4.86
  Profile0Extensions: extensions.sqlite corrupt or missing
  Profile0IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
  Profile0Locales: extensions.sqlite corrupt or missing
  Profile0PrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:348
  Profile0PrefSources: prefs.js
  Profile0Themes: extensions.sqlite corrupt or missing
  Profiles:
   Profile1 (Default) - LastVersion=80.0/20200818235255 (Out of date)
   Profile0 - LastVersion=86.0/20210222142601
  RunningIncompatibleAddons: False
  Tags: focal
  Uname: Linux 5.4.0-66-generic x86_64
  UpgradeStatus: Upgraded to focal on 2020-04-24 (309 days ago)
  UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 07/05/2011
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: V4.00L12
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: CF52-4
  dmi.board.vendor: Panasonic Corporation
  dmi.board.version: 1
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: Panasonic Corporation
  dmi.chassis.version: 001
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrV4.00L12:bd07/05/2011:svnPanasonicCorporation:pnCF-52SLGDD1M:pvr004:rvnPanasonicCorporation:rnCF52-4:rvr1:cvnPanasonicCorporation:ct10:cvr001:
  dmi.product.family: CF52-4
  dmi.product.name: CF-52SLGDD1M
  dmi.product.sku: CF-52SLGDD1M
  dmi.product.version: 004
  dmi.sys.vendor: Panasonic Corporation
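
The inverted bounds check named in the imported comments above (the write_u32/write_u16 item), as an added example: this is not the qcms source, and `write_u32_checked` and `inverted_guard_rejects` are hypothetical names. It contrasts a correct guard with an inverted one, which rejects every in-bounds write (consistent with the "OOB" panic in the crash report) and lets out-of-bounds offsets through.

```rust
// Added illustration; hypothetical names, not code from qcms or Firefox.

/// Correct guard: refuse the write when the 4-byte span does not fit.
/// The value is stored big-endian, as ICC profile fields are.
fn write_u32_checked(mem: &mut [u8], offset: usize, value: u32) -> Result<(), &'static str> {
    // checked_add stops wrap-around on huge offsets. Comparing `end` with
    // mem.len() also avoids computing `mem.len() - 4`, which underflows
    // when the buffer is shorter than four bytes.
    let end = offset.checked_add(4).ok_or("OOB")?;
    if end > mem.len() {
        return Err("OOB");
    }
    mem[offset..end].copy_from_slice(&value.to_be_bytes());
    Ok(())
}

/// Decision made by a guard whose condition is inverted: true means the
/// guard fires and the write is refused. No memory is touched here.
fn inverted_guard_rejects(len: usize, offset: usize) -> bool {
    match offset.checked_add(4) {
        // Bug: fires exactly when the write WOULD fit.
        Some(end) => end <= len,
        None => false,
    }
}

fn main() {
    let mut buf = [0u8; 8]; // constructed sample buffer
    println!("in-bounds, correct guard:  {:?}", write_u32_checked(&mut buf, 4, 0x0102_0304));
    println!("past end, correct guard:   {:?}", write_u32_checked(&mut buf, 5, 0));
    // The inverted guard refuses the valid offset and admits the bad one.
    // In safe Rust the later slice index would still panic; in unsafe code
    // using raw pointer writes nothing else would stop the write.
    println!("in-bounds, inverted guard fires: {}", inverted_guard_rejects(buf.len(), 4));
    println!("past end, inverted guard fires:  {}", inverted_guard_rejects(buf.len(), 5));
}
```
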

