Closed Bug 1487020 Opened 7 years ago Closed 7 years ago

AddressSanitizer: heap-use-after-free [@ nsDisplayRemote::CreateWebRenderCommands] with READ of size 8

Categories

(Core :: Graphics: WebRender, defect, P2)

Product:
Core
Component:
Graphics: WebRender
Platform:
x86_64
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- disabled
firefox63 --- disabled
firefox64 --- fixed

People

(Reporter: decoder, Assigned: mikokm)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

Detailed Crash Information
11.06 KB, text/plain
Details
Bug 1487020 - Do not reuse nsDisplayRemote if RenderFrameParent has been destroyed
46 bytes, text/x-phabricator-request
mattwoodrow
: review+
Details | Review
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 63.0a1-20180827100129-https://hg.mozilla.org/mozilla-central/rev/768eef11f5ff119fc3b63221e326db16986900cb. For detailed crash information, see attachment.
Flags: sec-bounty?
Group: core-security → gfx-core-security
Jeff, can you please help triage this?
Flags: needinfo?(jmuizelaar)
We're not shipping this so it's probably not bounty eligible unless it's triggered without flipping the webrender pref.
Component: Graphics → Graphics: WebRender
Flags: needinfo?(jmuizelaar)
So it looks like we're trying to use the RenderFrameParent after it's gone away.
Matt do you know what mechanism nsDisplayRemote uses to make sure it's RenderFrameParent is still alive?
Flags: needinfo?(matt.woodrow)
There is a known issue with nsDisplayRemote not getting invalidated when the RenderFrameParent is deleted, Miko is looking into fixing it in bug 1413546. However, that should only affect configurations with RDL enabled, which should not be true for the parent process, and we should never have nsDisplayRemote in the content process (until Fission is done). Does this crash require any pref changes?
Flags: needinfo?(matt.woodrow)
We have an email address for the original reporter, so if you want me to reach out and ask for any specific prefs, that would be possible if you let me know which ones that would be.
Priority: -- → P2
Assignee: nobody → mikokm
changing fx63 status to "disabled" because we have this turned off in release builds and don't plan to enable it for at least another two cycles afaik.
status-firefox63: affecteddisabled
status-firefox-esr60: --- → unaffected
Keywords: csectype-uaf, sec-high
Fwiw, I reached out to the original reporter, asking if any of the "gfx.webrender" prefs were in a non-default state, but I haven't received a response yet. I will update the bug, once I have it.
The original reporter told me that they have modified the pref "gfx.webrender.all" and set it to "true". No other gfx.webrender prefs where changed, I can ask for other prefs if you need them, just let me know which. Matt, does that help you here?
Flags: needinfo?(matt.woodrow)
I guess it would need layout.display-list.retain.chrome to be true for this to happen.
Flags: needinfo?(matt.woodrow)
(In reply to Matt Woodrow (:mattwoodrow) from comment #12) > I guess it would need layout.display-list.retain.chrome to be true for this > to happen. This is not needed, just enabling WebRender crashes the same test that caused backout of bug 1413546. This test is not run by default with WR enabled.
Status: NEW → ASSIGNED
Comment on attachment 9006079 [details] Bug 1487020 - Do not reuse nsDisplayRemote if RenderFrameParent has been destroyed Matt Woodrow (:mattwoodrow) has approved the revision.
Attachment #9006079 - Flags: review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/99bfc4e1be4d https://hg.mozilla.org/mozilla-central/rev/99bfc4e1be4d
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox64: --- → disabled
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
(In reply to Miko Mynttinen [:miko] from comment #13) > This is not needed, just enabling WebRender crashes the same test that > caused backout of bug 1413546. This test is not run by default with WR > enabled. Does that mean we already knew about this crash? Or that we disabled it for WebRender for other reasons and that it _could_ have caught this bug if we had remembered to re-enable it?
Flags: needinfo?(mikokm)
(In reply to Daniel Veditz [:dveditz] from comment #17) > (In reply to Miko Mynttinen [:miko] from comment #13) > > This is not needed, just enabling WebRender crashes the same test that > > caused backout of bug 1413546. This test is not run by default with WR > > enabled. > > Does that mean we already knew about this crash? Or that we disabled it for > WebRender for other reasons and that it _could_ have caught this bug if we > had remembered to re-enable it? The root cause of this problem was RenderFrameParent being used through a dangling pointer in nsDisplayRemote display item. This crash was blocking bug 1413546 from landing, and it was triggered by one Windows specific Firefox UI functional test, that does not seem to run by default on WebRender CI.
Flags: needinfo?(mikokm)
And to further clarify: the crash was not WebRender specific, it was also triggered by enabling parent process retained display lists.
status-firefox62: --- → disabled
status-firefox64: disabledfixed
Target Milestone: mozilla63 → mozilla64
WebRender was prefed-off for a reason -- it's a huge and incomplete project that needs testing over several cycles. It is not eligible for a bounty at this time.
Flags: sec-bounty? → sec-bounty-
Depends on: 1496839
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: