Use-after-free in GTK 3.24 _gdk_wayland_cursor_get_buffer

We are seeing a number of crashes in the function _gdk_wayland_cursor_get_buffer for Firefox users in the wild and these crashes look like use-after-free bugs. Some of these crashes seem to be completely internal to gdk/gtk and are just triggered by Firefox calling g_main_context_iteration, according to our crash reports (and "poison on free" mechanics): https://crash-stats.mozilla.org/report/index/b753399e-9754-4dca-b9e1-f5df90231121. Other crashes are triggered by gdk_window_set_cursor: https://crash-stats.mozilla.org/report/index/755d1ec8-fbe9-42f2-bdec-67cba0231121
All of them seem to be crashing on the same bad instruction with the poison pattern 0xe5e5e5e5e5e5e5e5 as the fault address: mov r13, qword [rdx + rax * 1].
The code seems to be coming from GTK 3.24 https://gitlab.gnome.org/GNOME/gtk/-/blob/gtk-3-24/gdk/wayland/gdkcursor-wayland.c?ref_type=heads#L236 where it fails to load images[image_index], because the images pointer is bad.
Is it possible that the if above should handle the case where image_count is equal to zero?
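To make the suspected missing check concrete, here is an added example that is not GTK's code: a simplified, hypothetical model (names demo_cursor, demo_get_image, demo_is_poison_address are assumptions) of a "clamp an out-of-range index to 0" lookup that also refuses to index an image array when image_count is zero, plus a small triage helper that recognises the 0xe5e5e5e5e5e5e5e5 poison-on-free pattern seen as the fault address in the crash reports.

```c
/* Added example, not GTK's code. Models the cursor-image lookup pattern
 * discussed in the report and the guard the report asks about. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct demo_image {
    unsigned width, height;
    unsigned hotspot_x, hotspot_y;
};

struct demo_cursor {
    struct demo_image **images;  /* array of image_count pointers (hypothetical layout) */
    unsigned image_count;
};

/* Look up an animation frame by index.
 * Out-of-range indices fall back to frame 0, which is only valid when the
 * cursor actually has at least one frame. With image_count == 0 the fallback
 * would read images[0] from an empty (or already freed) array, so that case
 * returns NULL before any indexing happens. */
const struct demo_image *
demo_get_image(const struct demo_cursor *cursor, unsigned image_index)
{
    if (cursor == NULL || cursor->images == NULL || cursor->image_count == 0)
        return NULL;  /* nothing to index: the zero-count guard */

    if (image_index >= cursor->image_count) {
        fprintf(stderr, "out of bounds cursor image [%u / %u], using frame 0\n",
                image_index, cursor->image_count - 1);
        image_index = 0;  /* safe here: image_count >= 1 */
    }
    return cursor->images[image_index];
}

/* Crash-triage helper: a fault address made entirely of 0xe5 bytes is the
 * poison value written over freed memory by Firefox's allocator ("poison on
 * free"), which is what makes these crashes look like use-after-free bugs. */
int demo_is_poison_address(uint64_t fault_address)
{
    for (int i = 0; i < 8; i++) {
        if (((fault_address >> (8 * i)) & 0xffu) != 0xe5u)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample data: one cursor with a single frame, one with none. */
    struct demo_image frame = { 32, 32, 4, 4 };
    struct demo_image *frames[] = { &frame };
    struct demo_cursor single = { frames, 1 };
    struct demo_cursor empty = { NULL, 0 };

    const struct demo_image *img = demo_get_image(&single, 7); /* clamps to 0 */
    printf("clamped lookup: %s\n", img ? "frame 0" : "NULL");
    printf("empty cursor lookup: %s\n", demo_get_image(&empty, 0) ? "frame" : "NULL");
    printf("0xe5e5e5e5e5e5e5e5 is poison: %d\n",
           demo_is_poison_address(0xe5e5e5e5e5e5e5e5ULL));
    return 0;
}
```

The zero-count branch is the only behavioural difference from a plain clamp; everything else is the same fallback-to-frame-0 logic, so a caller that already tolerates a NULL buffer (for example by skipping the cursor update) needs no other change.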
We also noticed that this whole code has been modified/replaced in GTK 4.12: https://gitlab.gnome.org/GNOME/gtk/-/blob/gtk-4-12/gdk/wayland/gdkcursor-wayland.c?ref_type=heads#L183-191.
We make no guarantees for this analysis and of course there could still be a bug in Firefox. But we're happy to provide access to our information in detail if you have someone sign up with bugzilla.mozilla.org and reply to our Mozilla security email address.