Closed Bug 1436332 Opened 8 years ago Closed 7 years ago

ANGLE LoadToNative3To4 Memory Corruption

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Unspecified
Windows
defect

Tracking


RESOLVED DUPLICATE of bug 1458264
Tracking Status
firefox58 --- affected

People

(Reporter: omair, Assigned: jgilbert)

Details

(5 keywords)

Attachments

(1 file, 1 obsolete file)

Attached file LoadToNative3To4unsigned.html (obsolete) —
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180128191252

Steps to reproduce:

On Firefox 58.0.1 running the attached webgl file will result in a memory corruption. (The crash sometimes takes 5-7 minutes to reproduce)

Actual results:

5:228> r
rax=000000a7533fc9c8 rbx=000001d192a6b007 rcx=000001d1b81b9e72
rdx=000001d192a6b007 rsi=0000000000000001 rdi=0000000000000001
rip=00007ffdc234453d rsp=000000a7533fc9c0 rbp=0000000000000001
 r8=0000000000000001  r9=000001d192a6b007 r10=000001d1b81b9e72
r11=000001d1b81b9e72 r12=0000000000000004 r13=000001d1e295c8b0
r14=0000000000000001 r15=000000a7533fcbd8
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
libGLESv2!angle::LoadToNative3To4<unsigned char,255>+0x4d:
00007ffd`c234453d 8a43fe          mov     al,byte ptr [rbx-2] ds:000001d1`92a6b005=??

5:228> k
 # Child-SP          RetAddr           Call Site
00 000000a7`533fc9c0 00007ffd`c22f87bb libGLESv2!angle::LoadToNative3To4<unsigned char,255>+0x4d [z:\build\build\src\gfx\angle\src\image_util\loadimage.inl @ 84]
01 000000a7`533fc9d0 00007ffd`c22d81ac libGLESv2!rx::Image11::loadData+0x23f [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\image11.cpp @ 317]
02 000000a7`533fcad0 00007ffd`c22d9868 libGLESv2!rx::TextureD3D::setImageImpl+0x194 [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\textured3d.cpp @ 247]
03 000000a7`533fcb80 00007ffd`c23f3c6e libGLESv2!rx::TextureD3D_2D::setImage+0x21c [z:\build\build\src\gfx\angle\src\libangle\renderer\d3d\textured3d.cpp @ 795]
04 000000a7`533fcc40 00007ffd`c23cd41f libGLESv2!gl::Texture::setImage+0xf2 [z:\build\build\src\gfx\angle\src\libangle\texture.cpp @ 877]
05 000000a7`533fccf0 00007ffd`c2271181 libGLESv2!gl::Context::texImage2D+0xcb [z:\build\build\src\gfx\angle\src\libangle\context.cpp @ 3239]
06 000000a7`533fcd80 00007ffd`9a929a38 libGLESv2!gl::TexImage2D+0x135 [z:\build\build\src\gfx\angle\src\libglesv2\entry_points_gles_2_0_autogen.cpp @ 1963]
07 (Inline Function) --------`-------- xul!mozilla::gl::GLContext::raw_fTexImage2D+0x51 [z:\build\build\src\gfx\gl\glcontext.h @ 1645]
08 000000a7`533fce40 00007ffd`9af92a13 xul!mozilla::gl::GLContext::fTexImage2D+0x88 [z:\build\build\src\gfx\gl\glcontext.cpp @ 2864]
09 000000a7`533fcea0 00007ffd`9af5fcb4 xul!mozilla::DoTexImage+0xb7 [z:\build\build\src\dom\canvas\webgltextureupload.cpp @ 873]
0a 000000a7`533fcf20 00007ffd`9af5e67c xul!mozilla::WebGLContext::FakeBlackTexture::Create+0x1d0 [z:\build\build\src\dom\canvas\webglcontextdraw.cpp @ 986]
0b 000000a7`533fcfc0 00007ffd`9af5d923 xul!mozilla::WebGLContext::BindFakeBlack+0x70 [z:\build\build\src\dom\canvas\webglcontextdraw.cpp @ 220]
0c 000000a7`533fd010 00007ffd`9af614de xul!mozilla::ScopedResolveTexturesForDraw::ScopedResolveTexturesForDraw+0x17b [z:\build\build\src\dom\canvas\webglcontextdraw.cpp @ 152]
0d 000000a7`533fd0b0 00007ffd`9ad82e2c xul!mozilla::WebGLContext::DrawElementsInstanced+0xa2 [z:\build\build\src\dom\canvas\webglcontextdraw.cpp @ 686]
0e (Inline Function) --------`-------- xul!mozilla::WebGLContext::DrawElements+0x34 [z:\build\build\src\dom\canvas\webglcontext.h @ 1302]
0f 000000a7`533fd1c0 00007ffd`9adae3d8 xul!mozilla::WebGL2Context::DrawRangeElements+0x80 [z:\build\build\src\dom\canvas\webgl2context.h @ 323]
10 000000a7`533fd230 00007ffd`998edad1 xul!mozilla::dom::WebGL2RenderingContextBinding::drawRangeElements+0xf0 [z:\build\build\src\obj-firefox\dom\bindings\webgl2renderingcontextbinding.cpp @ 6083]
11 000000a7`533fd2a0 00007ffd`9984e149 xul!mozilla::dom::GenericBindingMethod+0x121 [z:\build\build\src\dom\bindings\bindingutils.cpp @ 3046]
12 (Inline Function) --------`-------- xul!js::CallJSNative+0x41 [z:\build\build\src\js\src\jscntxtinlines.h @ 291]
13 000000a7`533fd330 00007ffd`999bfcef xul!js::InternalCallOrConstruct+0x119 [z:\build\build\src\js\src\vm\interpreter.cpp @ 473]
14 000000a7`533fd400 00007ffd`9a1135fd xul!Interpret+0x4a5f [z:\build\build\src\js\src\vm\interpreter.cpp @ 3098]
15 000000a7`533fe2f0 00007ffd`99ad1399 xul!js::RunScript+0x3bd [z:\build\build\src\js\src\vm\interpreter.cpp @ 423]
16 000000a7`533fe440 00007ffd`99ad12df xul!js::ExecuteKernel+0xa1 [z:\build\build\src\js\src\vm\interpreter.cpp @ 709]
17 000000a7`533fe4d0 00007ffd`99a9fae8 xul!js::Execute+0x8b [z:\build\build\src\js\src\vm\interpreter.cpp @ 738]
18 000000a7`533fe530 00007ffd`99a9fa18 xul!ExecuteScript+0xa8 [z:\build\build\src\js\src\jsapi.cpp @ 4723]
19 000000a7`533fe5b0 00007ffd`99bb9d6c xul!nsJSUtils::ExecutionContext::CompileAndExec+0x60 [z:\build\build\src\dom\base\nsjsutils.cpp @ 268]
1a 000000a7`533fe5f0 00007ffd`99dc6888 xul!mozilla::dom::ScriptLoader::EvaluateScript+0x2c8 [z:\build\build\src\dom\script\scriptloader.cpp @ 2255]
1b 000000a7`533fec30 00007ffd`99dc799f xul!mozilla::dom::ScriptLoader::ProcessRequest+0x148 [z:\build\build\src\dom\script\scriptloader.cpp @ 1894]
1c 000000a7`533fecc0 00007ffd`99dc70b5 xul!mozilla::dom::ScriptLoader::ProcessScriptElement+0x54f [z:\build\build\src\dom\script\scriptloader.cpp @ 1595]
1d 000000a7`533ff260 00007ffd`99dc6e2b xul!mozilla::dom::ScriptElement::MaybeProcessScript+0x13d [z:\build\build\src\dom\script\scriptelement.cpp @ 147]
1e 000000a7`533ff2a0 00007ffd`99dc6d7e xul!nsIScriptElement::AttemptToExecute+0x17 [z:\build\build\src\obj-firefox\dist\include\nsiscriptelement.h @ 227]
1f 000000a7`533ff2d0 00007ffd`99c02639 xul!nsHtml5TreeOpExecutor::RunScript+0x66 [z:\build\build\src\parser\html\nshtml5treeopexecutor.cpp @ 744]
20 000000a7`533ff300 00007ffd`99f9b751 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x235 [z:\build\build\src\parser\html\nshtml5treeopexecutor.cpp @ 542]
21 000000a7`533ff3b0 00007ffd`9a42b3e8 xul!nsHtml5ExecutorFlusher::Run+0x19 [z:\build\build\src\parser\html\nshtml5streamparser.cpp @ 132]
22 000000a7`533ff3e0 00007ffd`998f4c51 xul!mozilla::SchedulerGroup::Runnable::Run+0x54 [z:\build\build\src\xpcom\threads\schedulergroup.cpp @ 401]
23 000000a7`533ff410 00007ffd`998f2e19 xul!nsThread::ProcessNextEvent+0x189 [z:\build\build\src\xpcom\threads\nsthread.cpp @ 1038]
24 (Inline Function) --------`-------- xul!NS_ProcessNextEvent+0x16 [z:\build\build\src\xpcom\threads\nsthreadutils.cpp @ 513]
25 000000a7`533ff5a0 00007ffd`9a61d788 xul!mozilla::ipc::MessagePump::Run+0x91 [z:\build\build\src\ipc\glue\messagepump.cpp @ 97]
26 000000a7`533ff5f0 00007ffd`99c81abb xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x70 [z:\build\build\src\ipc\glue\messagepump.cpp @ 302]
27 000000a7`533ff620 00007ffd`99c81a6a xul!MessageLoop::RunHandler+0x1b [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 320]
28 000000a7`533ff650 00007ffd`99e40824 xul!MessageLoop::Run+0x3e [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 300]
29 000000a7`533ff6a0 00007ffd`99e404e8 xul!nsBaseAppShell::Run+0x3c [z:\build\build\src\widget\nsbaseappshell.cpp @ 161]
2a 000000a7`533ff6d0 00007ffd`9bda35c3 xul!nsAppShell::Run+0x30 [z:\build\build\src\widget\windows\nsappshell.cpp @ 232]
2b 000000a7`533ff700 00007ffd`9a61d741 xul!XRE_RunAppShell+0x3b [z:\build\build\src\toolkit\xre\nsembedfunctions.cpp @ 877]
2c 000000a7`533ff730 00007ffd`99c81abb xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x29 [z:\build\build\src\ipc\glue\messagepump.cpp @ 278]
2d 000000a7`533ff760 00007ffd`99c81a6a xul!MessageLoop::RunHandler+0x1b [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 320]
2e 000000a7`533ff790 00007ffd`9bda33dc xul!MessageLoop::Run+0x3e [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 300]
2f 000000a7`533ff7e0 00007ff7`1dd3a9d3 xul!XRE_InitChildProcess+0x63c [z:\build\build\src\toolkit\xre\nsembedfunctions.cpp @ 707]
30 000000a7`533ffa10 00007ff7`1dd37325 firefox!content_process_main+0xa3 [z:\build\build\src\ipc\contentproc\plugin-container.cpp @ 64]
31 000000a7`533ffa50 00007ff7`1dd311d0 firefox!NS_internal_main+0x5cc5 [z:\build\build\src\browser\app\nsbrowserapp.cpp @ 283]
32 000000a7`533ffe50 00007ff7`1dd35c0d firefox!wmain+0x140 [z:\build\build\src\toolkit\xre\nswindowswmain.cpp @ 114]
33 (Inline Function) --------`-------- firefox!invoke_main+0x22 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
34 000000a7`533ffea0 00007ffd`f8641fe4 firefox!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]
35 000000a7`533ffee0 00007ffd`f966ef91 KERNEL32!BaseThreadInitThunk+0x14
36 000000a7`533fff10 00000000`00000000 ntdll!RtlUserThreadStart+0x21

5:228> lmv m Firefox
Browse full module list
start             end                 module name
00007ff7`1dd30000 00007ff7`1dd9f000   firefox    (private pdb symbols)  c:\symcache\ff_x64\firefox.pdb\E497A183EA55486F88ED92913972ED0C2\firefox.pdb
    Loaded symbol image file: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Image path: firefox.exe
    Image name: firefox.exe
    Browse all global symbols  functions  data
    Timestamp:        Mon Jan 29 01:48:44 2018 (5A6E3024)
    CheckSum:         00071D60
    ImageSize:        0006F000
    File version:     58.0.1.6602
    Product version:  58.0.1.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Corporation
    ProductName:      Firefox
    InternalName:     Firefox
    OriginalFilename: firefox.exe
    ProductVersion:   58.0.1
    FileVersion:      58.0.1
    FileDescription:  Firefox
    LegalCopyright:   ©Firefox and Mozilla Developers; available under the MPL 2 license.
    LegalTrademarks:  Firefox is a Trademark of The Mozilla Foundation.
    Comments:         Firefox is a Trademark of The Mozilla Foundation.
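The faulting frame above is a 3-channel-to-4-channel pixel expander (the `255` template argument is the value written into the fourth channel) reading one byte past the start of its source row. The page does not say which side of the size calculation was wrong, and the root cause was worked out in bug 1458264, so the example below is not ANGLE's code and does not reconstruct the fix. It is an added example of the invariant such a loader depends on: before the inner loop touches a caller-supplied buffer, the number of bytes the loop will read, computed from width, height and the source row pitch (which carries the UNPACK_ALIGNMENT padding), must be checked against the length of that buffer. The function names, the row-pitch model, and the 2x2 sample image are all constructed for this example.

```c
/* Added example, not ANGLE's or Firefox's code: a bounds-checked RGB8 -> RGBA8
 * expansion loader in the shape of a "3 to 4" loader with alpha filled to 255.
 * Function names, the row-pitch model and the sample data are assumptions made
 * for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes the loader will read for a width x height RGB8 image whose rows start
 * src_row_pitch bytes apart. The last row is only width*3 bytes long, so the
 * padding after it is not required to exist. Returns false on size_t overflow
 * or when rows would overlap (pitch smaller than a row). */
static bool rgb8_required_bytes(size_t width, size_t height,
                                size_t src_row_pitch, size_t *out)
{
    if (width == 0 || height == 0) { *out = 0; return true; }
    if (width > SIZE_MAX / 3) return false;
    size_t row_bytes = width * 3;
    if (src_row_pitch < row_bytes) return false;
    if (height - 1 > (SIZE_MAX - row_bytes) / src_row_pitch) return false;
    *out = (height - 1) * src_row_pitch + row_bytes;
    return true;
}

/* Expand padded RGB8 rows into tightly packed RGBA8 rows, alpha = 255.
 * Returns 0 on success, -1 if either buffer is too small for the geometry.
 * Every byte read lies in [src, src + src_len); every byte written lies in
 * [dst, dst + dst_len). */
int load_rgb8_to_rgba8(const uint8_t *src, size_t src_len, size_t src_row_pitch,
                       size_t width, size_t height,
                       uint8_t *dst, size_t dst_len)
{
    size_t need_src;
    if (!rgb8_required_bytes(width, height, src_row_pitch, &need_src)) return -1;
    if (need_src > src_len) return -1;   /* the check the inner loop relies on */
    if (width > SIZE_MAX / 4) return -1;
    if (width != 0 && height > SIZE_MAX / (width * 4)) return -1;
    if (width * height * 4 > dst_len) return -1;

    for (size_t y = 0; y < height; y++) {
        const uint8_t *s = src + y * src_row_pitch;
        uint8_t *d = dst + y * width * 4;
        for (size_t x = 0; x < width; x++) {
            d[4 * x + 0] = s[3 * x + 0];
            d[4 * x + 1] = s[3 * x + 1];
            d[4 * x + 2] = s[3 * x + 2];
            d[4 * x + 3] = 255;
        }
    }
    return 0;
}

/* Constructed sample: a 2x2 RGB8 image uploaded with UNPACK_ALIGNMENT 4, so
 * each 6-byte row is padded to an 8-byte pitch. Only 14 bytes are needed,
 * because the padding after the final row is never read. */
static const uint8_t kSampleRgb[14] = {
    1, 2, 3,  4, 5, 6,  0, 0,      /* row 0 + 2 bytes of alignment padding */
    7, 8, 9,  10, 11, 12           /* row 1, no trailing padding supplied  */
};
static const uint8_t kExpectedRgba[16] = {
    1, 2, 3, 255,  4, 5, 6, 255,
    7, 8, 9, 255,  10, 11, 12, 255
};

/* Returns 1 when the loader produces the expected RGBA bytes for the sample. */
int sample_expands_correctly(void)
{
    uint8_t out[16];
    if (load_rgb8_to_rgba8(kSampleRgb, sizeof kSampleRgb, 8, 2, 2,
                           out, sizeof out) != 0) return 0;
    return memcmp(out, kExpectedRgba, sizeof out) == 0;
}

/* Returns 1 when a source buffer one byte shorter than required is refused
 * instead of being read past its end. */
int short_source_is_rejected(void)
{
    uint8_t out[16];
    return load_rgb8_to_rgba8(kSampleRgb, sizeof kSampleRgb - 1, 8, 2, 2,
                              out, sizeof out) == -1;
}

/* Returns 1 when a row pitch smaller than one row (4 px * 3 B = 12 B > 8 B)
 * is refused; a loader that trusted the pitch here would read garbage. */
int overlapping_rows_rejected(void)
{
    uint8_t out[64];
    return load_rgb8_to_rgba8(kSampleRgb, sizeof kSampleRgb, 8, 4, 1,
                              out, sizeof out) == -1;
}

int main(void)
{
    printf("sample ok: %d, short source rejected: %d, bad pitch rejected: %d\n",
           sample_expands_correctly(), short_source_is_rejected(),
           overlapping_rows_rejected());
    return 0;
}
```

The size check is deliberately computed from the same three parameters the loop uses (width, height, row pitch); if the caller derives the required length from a different formula than the loop actually walks, the two drift apart and an off-by-a-few read of exactly the kind seen in the register dump above is the result.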
Tyson: please try this in an instrumented build so we can get a better idea what kind of error this is.
Flags: needinfo?(twsmith)
==96==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x11b286845e65 at pc 0x7ff99c1878f6 bp 0x0029f05f75f0 sp 0x0029f05f7638
READ of size 1 at 0x11b286845e65 thread T0

My build is a bit out of date so I didn't include the trace with old line numbers but it matches above.
Group: firefox-core-security → gfx-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Canvas: WebGL
Ever confirmed: true
Flags: needinfo?(twsmith) → in-testsuite?
OS: Unspecified → Windows
Product: Firefox → Core
Version: 58 Branch → unspecified
Jeff: what's being read here? is it going to take the out of bounds data and then write it out of bounds (completely wrong about buffer sizes) or is this strictly reading data and incorporating possible memory contents into images? Is it just an off-by-one or is this the first read of possibly many if it didn't crash?
Flags: needinfo?(jgilbert)
Assignee: nobody → jgilbert
Keywords: sec-high
Priority: -- → P1
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Jeff: what's being read here? is it going to take the out of bounds data and
> then write it out of bounds (completely wrong about buffer sizes) or is this
> strictly reading data and incorporating possible memory contents into
> images? Is it just an off-by-one or is this the first read of possibly many
> if it didn't crash?

It's likely to be an off-by-a-few at worst. We won't know until we dig into it.
Flags: needinfo?(jgilbert)
Flags: sec-bounty?
It's been a while since there has been an update to this. Can I get an update on this?
(In reply to Jeff Gilbert [:jgilbert] from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #3)
> > Jeff: what's being read here? is it going to take the out of bounds data and
> > then write it out of bounds (completely wrong about buffer sizes) or is this
> > strictly reading data and incorporating possible memory contents into
> > images? Is it just an off-by-one or is this the first read of possibly many
> > if it didn't crash?
>
> It's likely to be an off-by-a-few at worst. We won't know until we dig into
> it.

Why isn't anyone digging? This appears to be reproducible and sec-high. Am I missing something?
Flags: needinfo?(jgilbert)
No, it's on the list. This isn't the only sec bug, and I'm the only one on WebGL for the time being.
Flags: needinfo?(jgilbert)
Jeff: is it possible that the recently-fixed bug 1458264 is a duplicate of this one? dmajor: ^^^
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(jgilbert)
Flags: needinfo?(dmajor)
Flags: sec-bounty+ → sec-bounty?
Jeff would be a better authority than me, but this certainly looks similar to my eyes! Does the issue still reproduce on nightly 20180601100102 and later?
Flags: needinfo?(dmajor)
s/drawRangeElements/drawArrays/ fixes a validation error which prevents the bug from happening.
Attachment #8948971 - Attachment is obsolete: true
Flags: needinfo?(jgilbert)
Yep, these are the same. I'm duping this into that, since we investigated/fixed it there first. Thanks for the report!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(dveditz)
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(dveditz)

Removing employee no longer with company from CC list of private bugs.

Group: gfx-core-security