Closed Bug 1414725 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free (Web Content) in std::__detail::_Hash_code_base<...>::::_M_hash_code<...>

Categories

(Core :: Canvas: WebGL, defect)

58 Branch
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 1417312
Tracking Status
firefox57 - unaffected
firefox58 --- fixed
firefox59 --- fixed

People

(Reporter: bc, Unassigned)

References

(Blocks 1 open bug, )

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [gfx-noted])

Attachments

(1 file)

Attached file Linux Debug Asan Log
[Tracking Requested - why for this release]: I think this is a recent regression.

1. http://www.bild.de/regional/hamburg/hamburg-regional/home-16344102.bild.html

2. 
==22106==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020002de778 at pc 0x7fbe09d83d97 bp 0x7ffc39495250 sp 0x7ffc39495248
READ of size 8 at 0x6020002de778 thread T0 (Web Content)
    #0 0x7fbe09d83d96 in std::__detail::_Hash_code_base<mozilla::detail::CacheMapUntypedEntry const*, mozilla::detail::CacheMapUntypedEntry const*, std::__detail::_Identity, std::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, false>::_M_hash_code(mozilla::detail::CacheMapUntypedEntry const* const&) const /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/hashtable_policy.h:1175:24
    #1 0x7fbe09d83c8c in std::_Hashtable<mozilla::detail::CacheMapUntypedEntry const*, mozilla::detail::CacheMapUntypedEntry const*, std::allocator<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Identity, std::equal_to<mozilla::detail::CacheMapUntypedEntry const*>, std::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, true, true> >::find(mozilla::detail::CacheMapUntypedEntry const* const&) /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/hashtable.h:1302:34
    #2 0x7fbe09cf9a85 in mozilla::CacheMapInvalidator::InvalidateCaches() const /builds/worker/workspace/build/src/dom/canvas/CacheMap.cpp:17:9
    #3 0x7fbe09da5741 in mozilla::WebGLBuffer::Delete() /builds/worker/workspace/build/src/dom/canvas/WebGLBuffer.cpp:64:23
    #4 0x7fbe09d98bea in mozilla::WebGLRefCountedObject<mozilla::WebGLBuffer>::DeleteOnce() /builds/worker/workspace/build/src/dom/canvas/WebGLObjectModel.h:185:42
    #5 0x7fbe09daaef0 in void mozilla::ClearLinkedList<mozilla::WebGLBuffer>(mozilla::LinkedList<mozilla::WebGLBuffer>&) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:204:25

Beta/57, Nightly/58 debug asan

This is pretty recent but is now very very common with hundreds of urls reproducing. I was able to reproduce with a saved version though it may still depend
ni jgilbert to have a look since this seems to involve WebGL
Flags: needinfo?(jgilbert)
Group: core-security → gfx-core-security
Whiteboard: [gfx-noted]
Duplicate of this bug: 1414038
This is a bug in `CacheMapInvalidator::InvalidateCaches` [1]. It's invalidating an entry (which erases it from the map, or a map, it's pretty convoluted) and then reusing a ref to it (not a copy) in an assert.

>        const auto& entry = *(mCacheEntries.begin());
>        entry->Invalidate();                                          // removes the entry, now the above ref is bad
>        MOZ_ASSERT(mCacheEntries.find(entry) == mCacheEntries.end()); // uses the bad ref

`Invalidate` [2] itself asserts it was removed, we should probably just remove the assertion in `InvalidateCaches`, but whoever understands this what's going on here should make that call.

Also AFAICT this is only in debug builds, so maybe not sec-high?

[1] http://searchfox.org/mozilla-central/rev/c99d035f00dd894feff38e4ad28a73fb679c63a6/dom/canvas/CacheMap.cpp#12-19
[2] http://searchfox.org/mozilla-central/rev/c99d035f00dd894feff38e4ad28a73fb679c63a6/dom/canvas/CacheMap.h#76-78
Non-sec issue.
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jgilbert)
Resolution: --- → DUPLICATE
Duplicate of bug: 1417312
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.