Closed Bug 1010090 Opened 10 years ago Closed 10 years ago

UAF [@ mozilla::WebGLFramebufferAttachable::NotifyFBsStatusChanged] after frame buffer is cycle-collected

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1028891
Tracking Flags:
Tracking Status
firefox32 --- affected
firefox33 + affected

People

(Reporter: jruderman, Assigned: wlitwinczyk)

References

Details

(4 keywords)

Crash Data

Attachments

(4 files)

testcase (requires extension for CC) (requires ASan)
609 bytes, text/html
Details
stack
22.83 KB, text/plain
Details
linux x64 FF build asan output
23.29 KB, text/plain
Details
framebuffer_crash_patch
997 bytes, patch
Details | Diff | Splinter Review 
0. Create a new profile
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Run an ASan build of Firefox
3. Load the testcase
Attached file stack 

    
    

    
  
Haven't managed to reproduce on non-asan build on linux (with fuzz addon), but stack the 
stack is hopefully obvious to whoever knows this code.

    
    

    
  
CC :jgilbert and :djg, not me, on new WebGL security bugs.
Group: gfx-core-security

    
    

    
  
Milan, can anyone take this?

          status-firefox32:
          --- → affected
Flags: needinfo?(milan)

    
    

    
  
Walter, see if you can set up ASAN build (https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer) and reproduce this?
Flags: needinfo?(milan) → needinfo?(wlitwinczyk)

    
    

    
  
Ok, here is what I've tried (I believe this is correct).

1.) Went to https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer and downloaded an optimized and a debug build (latest).

2.) Ran each separately with 'firefox -p foo --no-remote' and created a new profile when prompted.

3.) Downloaded the plugin from the URL above

4.) Clicked 'restart' after the plugin downloaded

5.) After firefox restarted I did "File -> Open File" and loaded the attached page

6.) Nothing happened, received no crashes or errors in the terminal window.

Hardware:

OS:
Ubuntu 14.04 64-bit
Linux walter-mac 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

RAM: 16 GiB

Processor: Intel(R) Core(TM) i7-4960HQ CPU @ 2.60GHz

Video Card: Geforce GT 750M Mac Edition

Can provide lshw output if desired.
Flags: needinfo?(wlitwinczyk)

    
    

    
  
Thanks.  Jesse, are you still seeing this problem?
Flags: needinfo?(jruderman)

    
    

    
  
WFM on trunk
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jruderman)
Resolution: --- → WORKSFORME

    
    

    
  
Oops. I *do* still see this on trunk.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

    
    

    
  
Graphics
--------

Device ID: 0x d26
GPU Accelerated Windows: 1/1 OpenGL (OMTC)
Vendor ID: 0x8086
WebGL Renderer: NVIDIA Corporation -- NVIDIA GeForce GT 750M OpenGL Engine
windowLayerManagerRemote: true
AzureCanvasBackend: quartz
AzureContentBackend: quartz
AzureFallbackCanvasBackend: none
AzureSkiaAccelerated: 0

    
    

    
  
(In reply to Jesse Ruderman from comment #9)
> Oops. I *do* still see this on trunk.

Is this with a locally built ASAN build or with the prebuilt ones like Walter was using?

    
    

    
  
I'm using a locally-built ASan build.
* Before today, I used:       LLVM 185949 + cherry-pick LLVM 191081
* Today, I have upgraded to:  LLVM 209703 + work around bug 982693

    
    

    
  
Walter, can you retry this and figure out with Jesse how to repro this?  Thanks.

          status-firefox33:
          --- → affected
Flags: needinfo?(wlitwinczyk)

    
    

    
  


  
(In reply to Jesse Ruderman from comment #12)
> I'm using a locally-built ASan build.
> * Before today, I used:       LLVM 185949 + cherry-pick LLVM 191081
> * Today, I have upgraded to:  LLVM 209703 + work around bug 982693

Using: Ubuntu 14.04 LTS AMD64

I do receive a crash, although I had to restart firefox twice before it happend. It now happens every time I run the page.

FF Git Rev: 403a66d9f6598ca308c10dc460e0305cd2b61dad
FF Hg Rev: 4876594bacaa

To reproduce:

1.) Create local ASAN build using these instructions https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer

2.) For LLVM make sure you checkout what Jesse had above, rev 209703 + the work round bug 982693

3.) Once built follow the steps in the first comment. It may work the first time. In that case close FF and restart it with the same profile and load the page. FF should then crash.

I have attached my crash output.
Flags: needinfo?(wlitwinczyk)

    
    

    
  
Thanks Walter, is graphics taking this bug?

    
    

    
  
Walter would love to! :)
Assignee: nobody → wlitwinczyk

    
    

    
  


  
Hi Jesse,

Would you mind applying this patch and seeing if you can reproduce the issue? It seems to have solved it on my end.

From what I could tell a framebuffer object was getting deleted and a WebGLFramebufferAttachable (WebGLRenderbuffer in this case) object still had a reference to the deleted framebuffer. So when notifyFBsStatusChanged() got called (in WebGLFramebufferAttachable) it tried to call a method on a deleted object.

This patch makes sure all attachables are detached upon a WebGLFramebuffer deletion.
Flags: needinfo?(jruderman)

    
    

    
  
This patch fixes the problem for me :) Tested on Mac.
Flags: needinfo?(jruderman)

    
    

    
  
Thanks for testing Jesse. I did just notice an error in the patch... I have mColorAttachments[0] instead of mColorAttachments[i], which worked fine in this case because there was only one renderbuffer being attached. Will fix.

    
    

    
  
There's no iterator-invalidation here, I hope?

    
    

    
  
I seem to have just spent the day looking at the same issue in bug 1028891. I believe the patch from Walter is incomplete.
Depends on: CVE-2014-1556

    
    

    
  
Critsmash triage: is there any update on this issue? This is an open sec-critical.
Flags: needinfo?(wlitwinczyk)

    
    

    
  
(In reply to Al Billings [:abillings] from comment #22)
> Critsmash triage: is there any update on this issue? This is an open
> sec-critical.

Hi Al,

This bug will be marked as Dup->Resolved once Dan's bug 1028891 has been committed.
Flags: needinfo?(wlitwinczyk)

    
  
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security, core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: