1010090 - UAF [@ mozilla::WebGLFramebufferAttachable::NotifyFBsStatusChanged] after frame buffer is cycle-collected

Status: RESOLVED DUPLICATE of bug 1028891

(Core :: Graphics: CanvasWebGL, defect)

Description

[Jesse Ruderman]

Attachment: testcase (requires extension for CC) (requires ASan)

0. Create a new profile
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Run an ASan build of Firefox
3. Load the testcase

Comment 1

[Jesse Ruderman]

Attachment: stack

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

Haven't managed to reproduce on non-asan build on linux (with fuzz addon), but stack the 
stack is hopefully obvious to whoever knows this code.

Comment 3

[Benoit Jacob [:bjacob] (mostly away)]

CC :jgilbert and :djg, not me, on new WebGL security bugs.

Comment 4

[Al Billings [:abillings - ex-MoCo]]

Milan, can anyone take this?

Comment 5

[Milan Sreckovic [:milan] (needinfo for best results)]

Walter, see if you can set up ASAN build (https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer) and reproduce this?

Comment 6

[Walter Litwinczyk [:walter]]

Ok, here is what I've tried (I believe this is correct).

1.) Went to https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer and downloaded an optimized and a debug build (latest).

2.) Ran each separately with 'firefox -p foo --no-remote' and created a new profile when prompted.

3.) Downloaded the plugin from the URL above

4.) Clicked 'restart' after the plugin downloaded

5.) After firefox restarted I did "File -> Open File" and loaded the attached page

6.) Nothing happened, received no crashes or errors in the terminal window.

Hardware:

OS:
Ubuntu 14.04 64-bit
Linux walter-mac 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

RAM: 16 GiB

Processor: Intel(R) Core(TM) i7-4960HQ CPU @ 2.60GHz

Video Card: Geforce GT 750M Mac Edition

Can provide lshw output if desired.

Comment 7

[Milan Sreckovic [:milan] (needinfo for best results)]

Thanks.  Jesse, are you still seeing this problem?

Comment 8

[Jesse Ruderman]

WFM on trunk

Comment 9

[Jesse Ruderman]

Oops. I *do* still see this on trunk.

Comment 10

[Jesse Ruderman]

Graphics
--------

Device ID: 0x d26
GPU Accelerated Windows: 1/1 OpenGL (OMTC)
Vendor ID: 0x8086
WebGL Renderer: NVIDIA Corporation -- NVIDIA GeForce GT 750M OpenGL Engine
windowLayerManagerRemote: true
AzureCanvasBackend: quartz
AzureContentBackend: quartz
AzureFallbackCanvasBackend: none
AzureSkiaAccelerated: 0

Comment 11

[Milan Sreckovic [:milan] (needinfo for best results)]

(In reply to Jesse Ruderman from comment #9)
> Oops. I *do* still see this on trunk.

Is this with a locally built ASAN build or with the prebuilt ones like Walter was using?

Comment 12

[Jesse Ruderman]

I'm using a locally-built ASan build.
* Before today, I used:       LLVM 185949 + cherry-pick LLVM 191081
* Today, I have upgraded to:  LLVM 209703 + work around bug 982693

Comment 13

[Andrew McCreight [:mccr8]]

Walter, can you retry this and figure out with Jesse how to repro this?  Thanks.

Comment 14

[Walter Litwinczyk [:walter]]

Attachment: linux x64 FF build asan output

(In reply to Jesse Ruderman from comment #12)
> I'm using a locally-built ASan build.
> * Before today, I used:       LLVM 185949 + cherry-pick LLVM 191081
> * Today, I have upgraded to:  LLVM 209703 + work around bug 982693

Using: Ubuntu 14.04 LTS AMD64

I do receive a crash, although I had to restart firefox twice before it happend. It now happens every time I run the page.

FF Git Rev: 403a66d9f6598ca308c10dc460e0305cd2b61dad
FF Hg Rev: 4876594bacaa

To reproduce:

1.) Create local ASAN build using these instructions https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer

2.) For LLVM make sure you checkout what Jesse had above, rev 209703 + the work round bug 982693

3.) Once built follow the steps in the first comment. It may work the first time. In that case close FF and restart it with the same profile and load the page. FF should then crash.

I have attached my crash output.

Comment 15

[David Bolter [:davidb] (NeedInfo me for attention)]

Thanks Walter, is graphics taking this bug?

Comment 16

[Milan Sreckovic [:milan] (needinfo for best results)]

Walter would love to! :)

Comment 17

[Walter Litwinczyk [:walter]]

Attachment: framebuffer_crash_patch

Hi Jesse,

Would you mind applying this patch and seeing if you can reproduce the issue? It seems to have solved it on my end.

From what I could tell a framebuffer object was getting deleted and a WebGLFramebufferAttachable (WebGLRenderbuffer in this case) object still had a reference to the deleted framebuffer. So when notifyFBsStatusChanged() got called (in WebGLFramebufferAttachable) it tried to call a method on a deleted object.

This patch makes sure all attachables are detached upon a WebGLFramebuffer deletion.

Comment 18

[Jesse Ruderman]

This patch fixes the problem for me :) Tested on Mac.

Comment 19

[Walter Litwinczyk [:walter]]

Thanks for testing Jesse. I did just notice an error in the patch... I have mColorAttachments[0] instead of mColorAttachments[i], which worked fine in this case because there was only one renderbuffer being attached. Will fix.

Comment 20

[Jesse Ruderman]

There's no iterator-invalidation here, I hope?

Comment 21

[u480271]

I seem to have just spent the day looking at the same issue in bug 1028891. I believe the patch from Walter is incomplete.

Comment 22

[Al Billings [:abillings - ex-MoCo]]

Critsmash triage: is there any update on this issue? This is an open sec-critical.

Comment 23

[Walter Litwinczyk [:walter]]

(In reply to Al Billings [:abillings] from comment #22)
> Critsmash triage: is there any update on this issue? This is an open
> sec-critical.

Hi Al,

This bug will be marked as Dup->Resolved once Dan's bug 1028891 has been committed.