Closed
Bug 1414725
Opened 7 years ago
Closed 7 years ago
AddressSanitizer: heap-use-after-free (Web Content) in std::__detail::_Hash_code_base<...>::::_M_hash_code<...>
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
RESOLVED DUPLICATE of bug 1417312

Release | Tracking | Status
---|---|---
firefox57 | - | unaffected
firefox58 | --- | fixed
firefox59 | --- | fixed
People
(Reporter: bc, Unassigned)
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [gfx-noted])
Attachments (1 file): 94.48 KB, text/plain
[Tracking Requested - why for this release]: I think this is a recent regression.

1. http://www.bild.de/regional/hamburg/hamburg-regional/home-16344102.bild.html

2.
==22106==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020002de778 at pc 0x7fbe09d83d97 bp 0x7ffc39495250 sp 0x7ffc39495248
READ of size 8 at 0x6020002de778 thread T0 (Web Content)
    #0 0x7fbe09d83d96 in std::__detail::_Hash_code_base<mozilla::detail::CacheMapUntypedEntry const*, mozilla::detail::CacheMapUntypedEntry const*, std::__detail::_Identity, std::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, false>::_M_hash_code(mozilla::detail::CacheMapUntypedEntry const* const&) const /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/hashtable_policy.h:1175:24
    #1 0x7fbe09d83c8c in std::_Hashtable<mozilla::detail::CacheMapUntypedEntry const*, mozilla::detail::CacheMapUntypedEntry const*, std::allocator<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Identity, std::equal_to<mozilla::detail::CacheMapUntypedEntry const*>, std::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, true, true> >::find(mozilla::detail::CacheMapUntypedEntry const* const&) /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/hashtable.h:1302:34
    #2 0x7fbe09cf9a85 in mozilla::CacheMapInvalidator::InvalidateCaches() const /builds/worker/workspace/build/src/dom/canvas/CacheMap.cpp:17:9
    #3 0x7fbe09da5741 in mozilla::WebGLBuffer::Delete() /builds/worker/workspace/build/src/dom/canvas/WebGLBuffer.cpp:64:23
    #4 0x7fbe09d98bea in mozilla::WebGLRefCountedObject<mozilla::WebGLBuffer>::DeleteOnce() /builds/worker/workspace/build/src/dom/canvas/WebGLObjectModel.h:185:42
    #5 0x7fbe09daaef0 in void mozilla::ClearLinkedList<mozilla::WebGLBuffer>(mozilla::LinkedList<mozilla::WebGLBuffer>&) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:204:25

Beta/57, Nightly/58 debug asan

This is pretty recent but is now very very common with hundreds of urls reproducing. I was able to reproduce with a saved version though it may still depend
Comment 1•7 years ago
ni jgilbert to have a look since this seems to involve WebGL
Flags: needinfo?(jgilbert)
Updated•7 years ago
Group: core-security → gfx-core-security
Updated•7 years ago
Whiteboard: [gfx-noted]
Updated•7 years ago
Keywords: csectype-uaf, sec-high
Comment 3•7 years ago
This is a bug in `CacheMapInvalidator::InvalidateCaches` [1]. It's invalidating an entry (which erases it from the map, or a map, it's pretty convoluted) and then reusing a ref to it (not a copy) in an assert.

> const auto& entry = *(mCacheEntries.begin());
> entry->Invalidate(); // removes the entry, now the above ref is bad
> MOZ_ASSERT(mCacheEntries.find(entry) == mCacheEntries.end()); // uses the bad ref

`Invalidate` [2] itself asserts it was removed, we should probably just remove the assertion in `InvalidateCaches`, but whoever understands what's going on here should make that call. Also AFAICT this is only in debug builds, so maybe not sec-high?

[1] http://searchfox.org/mozilla-central/rev/c99d035f00dd894feff38e4ad28a73fb679c63a6/dom/canvas/CacheMap.cpp#12-19
[2] http://searchfox.org/mozilla-central/rev/c99d035f00dd894feff38e4ad28a73fb679c63a6/dom/canvas/CacheMap.h#76-78
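The dangling-reference pattern comment 3 describes, reduced to a stand-alone C++ example. This is added illustration, not Gecko's code: `CacheEntry`, `CacheInvalidator` and `RunInvalidation` are hypothetical stand-ins for `CacheMapUntypedEntry` and `CacheMapInvalidator`, keeping only the shape that matters, an invalidator that owns an `unordered_set` of entry pointers and an `Invalidate()` that erases the entry from that set. The buggy loop is kept for contrast and never executed; the hardened loop copies the pointer out of the set node before erasing, so the post-condition assertion can stay.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <unordered_set>
#include <vector>

// Hypothetical stand-ins for Gecko's CacheMapUntypedEntry / CacheMapInvalidator.
struct CacheInvalidator;

struct CacheEntry {
    CacheInvalidator* mOwner;
    mutable bool mValid = true;
    explicit CacheEntry(CacheInvalidator* owner);
    // Like the page's Invalidate(): mark the entry stale and unregister it from
    // the owner. Erasing from an unordered_set frees the node holding the pointer.
    void Invalidate() const;
};

struct CacheInvalidator {
    // mutable so that InvalidateCaches() can be const, as in the ASan trace.
    mutable std::unordered_set<const CacheEntry*> mCacheEntries;

    // The pattern quoted in comment 3. `entry` is a reference to the pointer
    // stored inside the set's node; Invalidate() erases (frees) that node, so
    // find(entry) hashes 8 bytes of freed memory: the READ in frame #0.
    // Kept for contrast only and never called, since it is undefined behaviour.
    void InvalidateCachesBuggy() const {
        while (!mCacheEntries.empty()) {
            const auto& entry = *(mCacheEntries.begin());
            entry->Invalidate();
            assert(mCacheEntries.find(entry) == mCacheEntries.end());  // UAF read
        }
    }

    // Hardened form: copy the pointer value out of the node before erasing.
    // find() then hashes the local copy, so the assertion is safe to keep.
    void InvalidateCaches() const {
        while (!mCacheEntries.empty()) {
            const CacheEntry* entry = *mCacheEntries.begin();
            entry->Invalidate();
            assert(mCacheEntries.find(entry) == mCacheEntries.end());
        }
    }
};

CacheEntry::CacheEntry(CacheInvalidator* owner) : mOwner(owner) {
    mOwner->mCacheEntries.insert(this);
}

void CacheEntry::Invalidate() const {
    mValid = false;
    // The CacheEntry object itself stays alive; only the set node is freed.
    const std::size_t erased = mOwner->mCacheEntries.erase(this);
    assert(erased == 1);  // mirrors the removal check the page's Invalidate() has
    (void)erased;
}

// Driver: register `count` entries, run the safe invalidation, and report
// whether the set ended up empty and every entry was marked stale.
bool RunInvalidation(std::size_t count) {
    CacheInvalidator inv;
    std::vector<std::unique_ptr<CacheEntry>> entries;
    for (std::size_t i = 0; i < count; ++i) {
        entries.push_back(std::make_unique<CacheEntry>(&inv));
    }
    inv.InvalidateCaches();
    bool ok = inv.mCacheEntries.empty();
    for (const auto& e : entries) {
        ok = ok && !e->mValid;
    }
    return ok;
}

int main() {
    std::printf("safe invalidation of 5 entries: %s\n",
                RunInvalidation(5) ? "ok" : "FAILED");
    return 0;
}
```

The key point for review is which allocation is freed: `Invalidate()` does not delete the entry object, it erases the set node, and a `const auto&` bound to `*begin()` is a reference into that node. Under ASan the buggy loop reports the same `_M_hash_code` READ as the trace above because hashing a pointer key reads the pointer value stored in the freed node. Either fix works: copy the key before erasing, as here, or drop the redundant assertion as comment 3 suggests, since `Invalidate()` already asserts the removal.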
Comment 4•7 years ago
Too late for 57.
Comment 5•7 years ago
Non-sec issue.
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Flags: needinfo?(jgilbert)
Resolution: --- → DUPLICATE
Updated•6 years ago
Group: gfx-core-security