Closed
Bug 1420698
Opened 7 years ago
Closed 6 years ago
Heap Buffer Overflow in VertexBuffer11 (ANGLE)
Categories: Core :: Graphics: CanvasWebGL, defect
Tracking: RESOLVED FIXED, target milestone mozilla59
People: Reporter: omair, Assigned: jgilbert
Details: Keywords: csectype-bounds, sec-high
Attachments: 2 files, 1 obsolete file
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:
Tested on Firefox Nightly 59.0a1 (2017-11-25) (64-bit)
A heap overflow was found in Angle.

Actual results:
5:248> r
rax=000002bedd1c0000 rbx=000000d1681fba58 rcx=fffffffff4d69141
rdx=ffffffffff61b140 rsi=000002bedc7e2000 rdi=000002bedd1c6ec0
rip=00007ff95051c3c7 rsp=000000d1681fb758 rbp=000000d1681fb860
r8=0000000000000000 r9=000002bedd1c0000 r10=000002bedc7db140
r11=000002bed9b93000 r12=000002bed9ba1800 r13=000002bedad88e80
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287
VCRUNTIME140!memcpy+0x57:
00007ff9`5051c3c7 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
5:248> k
 # Child-SP RetAddr Call Site
00 000000d1`681fb758 00007ff9`1ecb3ba6 VCRUNTIME140!memcpy+0x57 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 137]
01 000000d1`681fb760 00007ff9`1ec717b8 libGLESv2!rx::VertexBuffer11::storeVertexAttributes+0x18a [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\vertexbuffer11.cpp @ 137]
02 000000d1`681fb8f0 00007ff9`1ec72fa8 libGLESv2!rx::StreamingVertexBufferInterface::storeDynamicAttribute+0x208 [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\vertexbuffer.cpp @ 178]
03 000000d1`681fbad0 00007ff9`1ec72bad libGLESv2!rx::VertexDataManager::storeDynamicAttrib+0x1bc [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\vertexdatamanager.cpp @ 533]
04 000000d1`681fbb70 00007ff9`1ecb3712 libGLESv2!rx::VertexDataManager::storeDynamicAttribs+0x3ed [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\vertexdatamanager.cpp @ 425]
05 000000d1`681fbf60 00007ff9`1ec9e0a2 libGLESv2!rx::VertexArray11::updateDirtyAndDynamicAttribs+0x3e6 [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\vertexarray11.cpp @ 248]
06 000000d1`681fc300 00007ff9`1ec91791 libGLESv2!rx::StateManager11::applyVertexBuffer+0x96 [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\statemanager11.cpp @ 2501]
07 000000d1`681fc410 00007ff9`1ec7e561 libGLESv2!rx::Renderer11::drawElements+0x251 [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\renderer11.cpp @ 1669]
08 000000d1`681fc510 00007ff9`1ebfef29 libGLESv2!rx::Context11::drawElements+0x9d [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\context11.cpp @ 184]
09 (Inline Function) --------`-------- libGLESv2!gl::Context::drawElements+0x30 [z:\build\build\src\gfx\angle\src\libangle\context.cpp @ 1814]
0a 000000d1`681fc570 00007ff9`05a659c2 libGLESv2!gl::DrawElements+0xe1 [z:\build\build\src\gfx\angle\src\libglesv2\entry_points_gles_2_0_autogen.cpp @ 767]
0b (Inline Function) --------`-------- xul!mozilla::gl::GLContext::raw_fDrawElements+0x1a [z:\build\build\src\gfx\gl\glcontext.h @ 1100]
0c 000000d1`681fc5d0 00007ff9`060c5da8 xul!mozilla::gl::GLContext::fDrawElements+0x26 [z:\build\build\src\gfx\gl\glcontext.h @ 1114]
0d 000000d1`681fc600 00007ff9`05f0e23a xul!mozilla::WebGLContext::DrawElements+0x194 [z:\build\build\src\dom\canvas\webglcontextdraw.cpp @ 748]
0e 000000d1`681fc700 00007ff9`04c8a235 xul!mozilla::dom::WebGLRenderingContextBinding::drawElements+0xb6 [z:\build\build\src\obj-firefox\dom\bindings\webglrenderingcontextbinding.cpp @ 16256]
0f 000000d1`681fc750 00007ff9`0499c9ae xul!mozilla::dom::GenericBindingMethod+0x121 [z:\build\build\src\dom\bindings\bindingutils.cpp @ 3046]
10 (Inline Function) --------`-------- xul!js::CallJSNative+0xcf [z:\build\build\src\js\src\jscntxtinlines.h @ 291]
11 000000d1`681fc7e0 00007ff9`04c669fd xul!js::InternalCallOrConstruct+0x1ae [z:\build\build\src\js\src\vm\interpreter.cpp @ 473]
12 000000d1`681fc8b0 00007ff9`05260f08 xul!Interpret+0x5fd [z:\build\build\src\js\src\vm\interpreter.cpp @ 3098]
13 000000d1`681fd660 00007ff9`048f7952 xul!js::RunScript+0x418 [z:\build\build\src\js\src\vm\interpreter.cpp @ 423]
14 000000d1`681fd7b0 00007ff9`048f7891 xul!js::ExecuteKernel+0xa2 [z:\build\build\src\js\src\vm\interpreter.cpp @ 709]
15 000000d1`681fd840 00007ff9`048f7728 xul!js::Execute+0x91 [z:\build\build\src\js\src\vm\interpreter.cpp @ 738]
16 000000d1`681fd8a0 00007ff9`048f7658 xul!ExecuteScript+0xa8 [z:\build\build\src\js\src\jsapi.cpp @ 4721]
17 000000d1`681fd920 00007ff9`04b2c40e xul!nsJSUtils::ExecutionContext::CompileAndExec+0x60 [z:\build\build\src\dom\base\nsjsutils.cpp @ 266]
18 000000d1`681fd960 00007ff9`04e14bc5 xul!mozilla::dom::ScriptLoader::EvaluateScript+0x6f6 [z:\build\build\src\dom\script\scriptloader.cpp @ 2273]
19 000000d1`681fdff0 00007ff9`04edb0fd xul!mozilla::dom::ScriptLoader::ProcessRequest+0x14d [z:\build\build\src\dom\script\scriptloader.cpp @ 1914]
1a 000000d1`681fe070 00007ff9`04eda259 xul!mozilla::dom::ScriptLoader::ProcessScriptElement+0xa61 [z:\build\build\src\dom\script\scriptloader.cpp @ 1615]
1b 000000d1`681fe610 00007ff9`04ed9fbb xul!mozilla::dom::ScriptElement::MaybeProcessScript+0x151 [z:\build\build\src\dom\script\scriptelement.cpp @ 147]
1c 000000d1`681fe650 00007ff9`04ed9f0f xul!nsIScriptElement::AttemptToExecute+0x17 [z:\build\build\src\obj-firefox\dist\include\nsiscriptelement.h @ 227]
1d 000000d1`681fe680 00007ff9`04a1a287 xul!nsHtml5TreeOpExecutor::RunScript+0x6b [z:\build\build\src\parser\html\nshtml5treeopexecutor.cpp @ 739]
1e 000000d1`681fe6b0 00007ff9`050d60f1 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x22b [z:\build\build\src\parser\html\nshtml5treeopexecutor.cpp @ 542]
1f 000000d1`681fe760 00007ff9`0551283f xul!nsHtml5ExecutorFlusher::Run+0x19 [z:\build\build\src\parser\html\nshtml5streamparser.cpp @ 132]
20 000000d1`681fe790 00007ff9`04933343 xul!mozilla::SchedulerGroup::Runnable::Run+0x5f [z:\build\build\src\xpcom\threads\schedulergroup.cpp @ 397]
21 000000d1`681fe7f0 00007ff9`04c031f5 xul!nsThread::ProcessNextEvent+0x493 [z:\build\build\src\xpcom\threads\nsthread.cpp @ 1034]
22 (Inline Function) --------`-------- xul!NS_ProcessNextEvent+0x16 [z:\build\build\src\xpcom\threads\nsthreadutils.cpp @ 508]
23 000000d1`681fee70 00007ff9`05718b24 xul!mozilla::ipc::MessagePump::Run+0x91 [z:\build\build\src\ipc\glue\messagepump.cpp @ 97]
24 000000d1`681feec0 00007ff9`04e5be2f xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x70 [z:\build\build\src\ipc\glue\messagepump.cpp @ 302]
25 000000d1`681feef0 00007ff9`04e5bdde xul!MessageLoop::RunHandler+0x1b [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 320]
26 000000d1`681fef20 00007ff9`04f3a0fc xul!MessageLoop::Run+0x3e [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 300]
27 000000d1`681fef70 00007ff9`04f39dc0 xul!nsBaseAppShell::Run+0x3c [z:\build\build\src\widget\nsbaseappshell.cpp @ 159]
28 000000d1`681fefa0 00007ff9`070ac4bb xul!nsAppShell::Run+0x30 [z:\build\build\src\widget\windows\nsappshell.cpp @ 230]
29 000000d1`681fefd0 00007ff9`05718add xul!XRE_RunAppShell+0x3b [z:\build\build\src\toolkit\xre\nsembedfunctions.cpp @ 865]
2a 000000d1`681ff000 00007ff9`04e5be2f xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x29 [z:\build\build\src\ipc\glue\messagepump.cpp @ 278]
2b 000000d1`681ff030 00007ff9`04e5bdde xul!MessageLoop::RunHandler+0x1b [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 320]
2c 000000d1`681ff060 00007ff9`070ac2d4 xul!MessageLoop::Run+0x3e [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 300]
2d 000000d1`681ff0b0 00007ff6`0a20a893 xul!XRE_InitChildProcess+0x63c [z:\build\build\src\toolkit\xre\nsembedfunctions.cpp @ 695]
2e 000000d1`681ff2e0 00007ff6`0a207294 firefox!content_process_main+0xa3 [z:\build\build\src\ipc\contentproc\plugin-container.cpp @ 64]
2f 000000d1`681ff320 00007ff6`0a2011d0 firefox!NS_internal_main+0x5c34 [z:\build\build\src\browser\app\nsbrowserapp.cpp @ 283]
30 000000d1`681ff720 00007ff6`0a205b7d firefox!wmain+0x140 [z:\build\build\src\toolkit\xre\nswindowswmain.cpp @ 114]
31 (Inline Function) --------`-------- firefox!invoke_main+0x22 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
32 000000d1`681ff770 00007ff9`5e781fe4 firefox!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]
33 000000d1`681ff7b0 00007ff9`6130ef91 KERNEL32!BaseThreadInitThunk+0x14
34 000000d1`681ff7e0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
Comment 1•7 years ago
Only reproduces on Win64 builds for me. Goes back more than 2 years (having trouble running some of those older builds, so I can't get a precise regression range).
Group: firefox-core-security → gfx-core-security
Has Regression Range: --- → no
status-firefox57:
--- → affected
status-firefox58:
--- → affected
status-firefox59:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox58:
--- → ?
tracking-firefox59:
--- → ?
tracking-firefox-esr52:
--- → ?
Component: Untriaged → Canvas: WebGL
Flags: needinfo?(jgilbert)
Product: Firefox → Core
Updated•7 years ago
Keywords: csectype-bounds, sec-high
Updated•7 years ago
Assignee: nobody → jgilbert
Comment 4•7 years ago
I can't reproduce on Nightly 59 64-bit on Intel P530. Which driver does this reproduce under?
Flags: needinfo?(omair)
Comment 5•7 years ago
Actually a regression might be in the way.
(In reply to Jeff Gilbert [:jgilbert] from comment #4)
> I can't reproduce on Nightly 59 64-bit on Intel P530.
> Which driver does this reproduce under?

Nightly on Windows uses Angle, so will that have any effect?
Flags: needinfo?(omair)
Comment 7•6 years ago
I believe this was fixed by bug 1425369. Please retest on latest Nightly.
Flags: needinfo?(omair)
Yes, doesn't crash on the latest nightly.
Flags: needinfo?(omair)
Updated•6 years ago
Flags: sec-bounty?
Updated•6 years ago
Comment 9•6 years ago
Comment 10•6 years ago
Attachment #8938560 - Attachment is obsolete: true
Updated•6 years ago
Comment 11•6 years ago
57.0.2 and esr52.5.0 are unaffected.
Comment 12•6 years ago
Technically 58b12 is unaffected (at least for me), since it doesn't crash. It does however trigger ANGLE's DEVICE_LOST mechanism in 58, which prevents any further use of ANGLE in the process. We should fix this elsewhere. Bug 1425369 fixes this, since it pipes everything through the instanced calls. RyanVM, can you please retest on Beta58?
Flags: needinfo?(ryanvm)
Comment 13•6 years ago
For clarity, the bug is when we're using the index buffer to grab a high-u32 index, with vert attrib array buffer usage of DYNAMIC_DRAW (STATIC_DRAW works fine), with instancing enabled on that attrib.
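The condition in comment 13 (a draw that pulls a high u32 index out of the index buffer for a DYNAMIC_DRAW attribute with instancing enabled, ending in the memcpy at the top of the reported stack) is a sizing-and-bounds problem in the copy into the streaming buffer. The following is an added, hypothetical C model written for this page; it is not ANGLE's VertexBuffer11::storeVertexAttributes or any other project code, and the names Attrib, StreamBuf, store_attrib, naive_byte_count, demo_high_index and the constructed buffers and index data are assumptions. It shows the 32-bit wraparound a naive element count suffers for a maximal index, and a checked copy that derives the element count from the right quantity (instance count for an instanced attribute, max index + 1 otherwise) and verifies the range against both the source and the destination before any memcpy runs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model (an assumption for this page, not ANGLE's code) of
 * copying one vertex attribute's elements into a streaming buffer before a
 * draw. The element count must come from the right quantity, be computed
 * without 32-bit wraparound, and be checked against source and destination.
 */

typedef struct {
    const uint8_t *data;  /* source array-buffer contents */
    size_t size;          /* bytes available in the source */
    size_t offset;        /* byte offset of element 0 */
    size_t stride;        /* bytes between elements; 0 = tightly packed */
    size_t elem_size;     /* bytes copied per element */
    uint32_t divisor;     /* 0 = per vertex; >0 = per instance (instancing) */
} Attrib;

typedef struct {
    uint8_t *data;        /* destination streaming buffer */
    size_t capacity;
} StreamBuf;

typedef enum { STORE_OK, STORE_OVERFLOW, STORE_SRC_OOB, STORE_DST_OOB } StoreResult;

/* Constructed index buffer: the "high u32 index" case from comment 13. */
static const uint32_t demo_indices[3] = { 0, 1, 0xFFFFFFFFu };

/* Highest index the draw will dereference, as read from an index buffer. */
uint32_t max_index(const uint32_t *idx, size_t n) {
    uint32_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (idx[i] > m) m = idx[i];
    return m;
}

/* Naive 32-bit sizing: for max_idx = 0xFFFFFFFF the +1 wraps to 0, so any
   bounds check derived from this value is meaningless. */
uint32_t naive_byte_count(uint32_t max_idx, uint32_t stride) {
    return (max_idx + 1u) * stride;
}

/* Elements the copy must cover: ceil(instances / divisor) for an instanced
   attribute, max_idx + 1 for a per-vertex one. 64-bit arithmetic, no wrap. */
uint64_t element_count(const Attrib *a, uint32_t max_idx, uint32_t instances) {
    if (a->divisor == 0)
        return (uint64_t)max_idx + 1;
    return ((uint64_t)instances + a->divisor - 1) / a->divisor;
}

/* Copies only after proving the whole range fits in source and destination. */
StoreResult store_attrib(const Attrib *a, StreamBuf *dst, uint32_t max_idx,
                         uint32_t instances, size_t *bytes_written) {
    *bytes_written = 0;
    uint64_t count = element_count(a, max_idx, instances);
    if (count == 0 || a->elem_size == 0)
        return STORE_OK;
    uint64_t stride = a->stride ? a->stride : a->elem_size;

    /* Source span = offset + (count - 1) * stride + elem_size, overflow-checked. */
    if (count - 1 > UINT64_MAX / stride)
        return STORE_OVERFLOW;
    uint64_t span = (count - 1) * stride;
    if (a->offset > UINT64_MAX - a->elem_size ||
        span > UINT64_MAX - a->offset - a->elem_size)
        return STORE_OVERFLOW;
    uint64_t src_end = span + a->offset + a->elem_size;
    if (src_end > a->size)
        return STORE_SRC_OOB;

    /* Destination span: elements are packed tightly in the streaming buffer. */
    if (count > UINT64_MAX / a->elem_size)
        return STORE_OVERFLOW;
    uint64_t dst_end = count * a->elem_size;
    if (dst_end > dst->capacity)
        return STORE_DST_OOB;

    for (uint64_t i = 0; i < count; i++)
        memcpy(dst->data + i * a->elem_size,
               a->data + a->offset + i * stride, a->elem_size);
    *bytes_written = (size_t)dst_end;
    return STORE_OK;
}

/* Constructed scenario: 4 elements of 16 bytes in the source, the index buffer
   above, 4 instances. divisor 0 is the per-vertex case, divisor 1 the
   instanced case. bytes_written may be NULL. */
StoreResult demo_high_index(uint32_t divisor, size_t *bytes_written) {
    static const uint8_t src[64] = { 0 };
    static uint8_t dstbuf[64];
    size_t local = 0;
    if (!bytes_written) bytes_written = &local;
    Attrib a = { src, sizeof src, 0, 16, 16, divisor };
    StreamBuf dst = { dstbuf, sizeof dstbuf };
    return store_attrib(&a, &dst, max_index(demo_indices, 3), 4, bytes_written);
}

int main(void) {
    size_t n = 0;
    printf("naive 32-bit byte count for index 0xFFFFFFFF, stride 16: %u\n",
           naive_byte_count(0xFFFFFFFFu, 16));
    StoreResult r = demo_high_index(0, &n);
    printf("per-vertex attrib, high index: result %d (2 = source out of bounds)\n", r);
    r = demo_high_index(1, &n);
    printf("instanced attrib, 4 instances: result %d, %zu bytes copied\n", r, n);
    return 0;
}
```

The per-vertex case is rejected before the loop because the 2^32-element range cannot fit a 64-byte source, whereas the instanced case copies exactly the four instances' worth of data; the naive count for the same index is 0, which is why arithmetic width, not just a comparison, is part of the fix.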
Comment 14•6 years ago
Confirmed that current Beta no longer crashes for me.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(ryanvm)
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment 15•6 years ago
Jeff: having trouble reconciling comment 11 (57.0.2 not affected) with comment 12 (fixed by bug 1425369, wontfixed for 57). Was there maybe a regression from an ANGLE update in there? Then again, RyanVM says he can reproduce it going back years (comment 1)
Flags: needinfo?(jgilbert)
Comment 16•6 years ago
I couldn't reproduce on esr52. If ryanvm can, I can check again.
Flags: needinfo?(jgilbert) → needinfo?(ryanvm)
Updated•6 years ago
Flags: sec-bounty? → sec-bounty+
Updated•6 years ago
Group: gfx-core-security → core-security-release
Comment 17•6 years ago
I can't reproduce on ESR52. I did confirm again that bug 1425369 fixed this on both trunk and beta for me (reliably crashing before landing, no crashing afterwards). I was still able to reproduce the crash with an arbitrary trunk build from October 2016 as well, so I don't know why ESR52 is somehow unaffected here when trunk code of the same rough age was.
Flags: needinfo?(ryanvm)
Updated•6 years ago
Group: core-security-release