Closed Bug 1540772 Opened 5 years ago Closed 5 years ago

heap-use-after-free in [@ mozilla::layers::CompositorBridgeParent::GetCompositorBridgeParentFromWindowId]

Categories

(Core :: Graphics: WebRender, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1540709
Tracking Status
firefox68 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-uaf)

Attachments

(1 file)

Attached file full_asan.txt

The fuzzers have only reported this once so far and the crash seems to be unreproducible.

Fuzzing with m-c 20190331-70a50fe09a18

==29773==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200085ecd0 at pc 0x7fd06710ac24 bp 0x7fcff60ceff0 sp 0x7fcff60cefe8
READ of size 4 at 0x60200085ecd0 thread T383 (WRScene~lder#86)
    #0 0x7fd06710ac23 in Length /src/obj-firefox/dist/include/nsTArray.h:347:43
    #1 0x7fd06710ac23 in GetWebRenderAPI /src/obj-firefox/dist/include/mozilla/layers/WebRenderBridgeParent.h:86
    #2 0x7fd06710ac23 in mozilla::layers::CompositorBridgeParent::GetCompositorBridgeParentFromWindowId(mozilla::wr::WrWindowId const&) /src/gfx/layers/ipc/CompositorBridgeParent.cpp:1196
    #3 0x7fd0675d57b8 in wr_finished_scene_build /src/gfx/webrender_bindings/RenderThread.cpp:912:57
    #4 0x7fd0746a6616 in _$LT$webrender_bindings..bindings..APZCallbacks$u20$as$u20$webrender..renderer..SceneBuilderHooks$GT$::post_scene_swap::h7f05197ff671266e /src/gfx/webrender_bindings/src/bindings.rs:925:17
    #5 0x7fd074733724 in webrender::scene_builder::SceneBuilder::forward_built_transaction::h7f98075f234b7fe6 /src/gfx/wr/webrender/src/scene_builder.rs:590:12
    #6 0x7fd074733724 in webrender::scene_builder::SceneBuilder::run::h0f88834cf4207e82 /src/gfx/wr/webrender/src/scene_builder.rs:326
    #7 0x7fd07472cecb in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::hfad3139c2eb2d0ee /src/gfx/wr/webrender/src/renderer.rs:2262:12
    #8 0x7fd07472cecb in std::sys_common::backtrace::__rust_begin_short_backtrace::h00068b4d13a549f7 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/sys_common/backtrace.rs:136
    #9 0x7fd07472cd9e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h53655fede0cdb969 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/thread/mod.rs:477:16
    #10 0x7fd07472cd9e in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h5d5fcbec240d1ca4 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panic.rs:319
    #11 0x7fd07472cd9e in std::panicking::try::do_call::h3a5a40e5992cca92 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:310
    #12 0x7fd07472cd9e in __rust_maybe_catch_panic /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libpanic_abort/lib.rs:39
    #13 0x7fd07472cd9e in std::panicking::try::h136ada5942373c4a /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:289
    #14 0x7fd07472cd9e in std::panic::catch_unwind::h7d55f228ee2091c7 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panic.rs:398
    #15 0x7fd07472cd9e in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h3974181256ed3307 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/thread/mod.rs:476
    #16 0x7fd07472cd9e in _$LT$F$u20$as$u20$alloc..boxed..FnBox$LT$A$GT$$GT$::call_box::hd5705f9a8cbf33b5 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/liballoc/boxed.rs:673
    #17 0x7fd074cf4c74 in _$LT$alloc..boxed..Box$LT$$LP$dyn$u20$alloc..boxed..FnBox$LT$A$C$$u20$Output$u3d$R$GT$$u20$$u2b$$u20$$u27$a$RP$$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::hece536cf07b94f8d /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/liballoc/boxed.rs:683:8
    #18 0x7fd074cf4c74 in std::sys_common::thread::start_thread::h9605a7df0f911844 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/sys_common/thread.rs:24
    #19 0x7fd074cf4c74 in std::sys::unix::thread::Thread::new::thread_start::hca8e72c41fa9d291 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/sys/unix/thread.rs:90
    #20 0x7fd0888256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #21 0x7fd0878a241c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x60200085ecd0 is located 0 bytes inside of 16-byte region [0x60200085ecd0,0x60200085ece0)
freed by thread T47 (Compositor) here:
    #0 0x5630b46869e2 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fd0635b2ca0 in Free /src/obj-firefox/dist/include/nsTArray.h:197:34
    #2 0x7fd0635b2ca0 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned long, unsigned long) /src/obj-firefox/dist/include/nsTArray-inl.h:236
    #3 0x7fd066cec8a7 in Compact /src/obj-firefox/dist/include/nsTArray.h:2130:20
    #4 0x7fd066cec8a7 in Clear /src/obj-firefox/dist/include/nsTArray.h:1764
    #5 0x7fd066cec8a7 in mozilla::layers::WebRenderBridgeParent::ClearResources() /src/gfx/layers/wr/WebRenderBridgeParent.cpp:2289
    #6 0x7fd066cea9f4 in Destroy /src/gfx/layers/wr/WebRenderBridgeParent.cpp:397:3
    #7 0x7fd066cea9f4 in mozilla::layers::WebRenderBridgeParent::HandleShutdown() /src/gfx/layers/wr/WebRenderBridgeParent.cpp:384
    #8 0x7fd065808518 in mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PWebRenderBridgeParent.cpp:829:20
    #9 0x7fd064de7457 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:136:28
    #10 0x7fd064b32ff9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2151:21
    #11 0x7fd064b2ed3a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2078:9
    #12 0x7fd064b30f77 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1937:3
    #13 0x7fd064b31d07 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1968:13
    #14 0x7fd064a145ef in RunTask /src/ipc/chromium/src/base/message_loop.cc:442:9
    #15 0x7fd064a145ef in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /src/ipc/chromium/src/base/message_loop.cc:450
    #16 0x7fd064a15aeb in MessageLoop::DoWork() /src/ipc/chromium/src/base/message_loop.cc:523:13
    #17 0x7fd064a18554 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #18 0x7fd064a12a1e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7fd064a12a1e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #20 0x7fd064a12a1e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #21 0x7fd064a5c957 in base::Thread::ThreadMain() /src/ipc/chromium/src/base/thread.cc:192:16
    #22 0x7fd064a2aa98 in ThreadFunc(void*) /src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #23 0x7fd0888256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Could this also be related to bug 1538572?

Priority: -- → P3
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security