Closed Bug 1573048 Opened 4 years ago Closed 4 years ago

SIGILL at [@ CFRetain]

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 70+ verified
firefox69 --- wontfix
firefox70 + verified
firefox71 + verified

People

(Reporter: tsmith, Assigned: sotaro)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [post-critsmash-triage][adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r])

Attachments

(2 files)

testcase.html
1.32 KB, text/html
Details
Bug 1573048 - Add size check to WebGLContext::BufferData()
47 bytes, text/x-phabricator-request
lizzard
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr68+
abillings
: sec-approval+
Details | Review
Attached file testcase.html

Found with m-c 20190809-36c3240e5caf

==96804==ERROR: AddressSanitizer: ILL on unknown address 0x7fff51ca73f2 (pc 0x7fff51ca73f2 bp 0x7ffee437e030 sp 0x7ffee437e030 T0)
    #0 0x7fff51ca73f1 in CFRetain (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x73f1)
    #1 0x13ea09aa2 in IntelVertexArray::extractBuffers(GLDVertexArrayRec*, unsigned long long, unsigned long long) (/System/Library/Extensions/AppleIntelHD4000GraphicsGLDriver.bundle/Contents/MacOS/AppleIntelHD4000GraphicsGLDriver:x86_64+0x17aa2)
    #2 0x13ea099ae in glrUpdateVertexArrayBuffers (/System/Library/Extensions/AppleIntelHD4000GraphicsGLDriver.bundle/Contents/MacOS/AppleIntelHD4000GraphicsGLDriver:x86_64+0x179ae)
    #3 0x7fff6a79dab7 in gpusLoadCurrentVertexArray (/System/Library/PrivateFrameworks/GPUSupport.framework/Versions/A/Libraries/libGPUSupportMercury.dylib:x86_64+0x9ab7)
    #4 0x13eea0cab in Gen7::updateDispatch(GLDContextRec*, GLDRenderDispatch*, unsigned int*) (/System/Library/Extensions/AppleIntelHD4000GraphicsGLDriver.bundle/Contents/MacOS/AppleIntelHD4000GraphicsGLDriver:x86_64+0x4aecab)
    #5 0x13e9f90eb in gldUpdateDispatch (/System/Library/Extensions/AppleIntelHD4000GraphicsGLDriver.bundle/Contents/MacOS/AppleIntelHD4000GraphicsGLDriver:x86_64+0x70eb)
    #6 0x7fff5c343054 in gleDoDrawDispatchCoreGL3 (/System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine:x86_64+0x101054)
    #7 0x7fff5c2e7713 in glDrawArraysInstanced_STD_GL3Exec (/System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine:x86_64+0xa5713)
    #8 0x7fff5c2e6fbb in glDrawArrays_UnpackThread (/System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine:x86_64+0xa4fbb)
    #9 0x7fff5c33e800 in gleCmdProcessor (/System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine:x86_64+0xfc800)
    #10 0x10c295af0 in asan_dispatch_call_block_and_release (Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5faf0)
    #11 0x7fff79b8edb7 in _dispatch_client_callout (/usr/lib/system/libdispatch.dylib:x86_64+0x1db7)
    #12 0x7fff79ba21e0 in _dispatch_queue_barrier_sync_invoke_and_complete (/usr/lib/system/libdispatch.dylib:x86_64+0x151e0)
    #13 0x10c295fc9 in wrap_dispatch_sync_f (Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5ffc9)
    #14 0x7fff5c2c07e1 in glGenTextures_ExecThread (/System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine:x86_64+0x7e7e1)
    #15 0x110c06f9f in mozilla::gl::SharedSurface_IOSurface::SharedSurface_IOSurface(RefPtr<MacIOSurface> const&, mozilla::gl::GLContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, bool) (Nightly.app/Contents/MacOS/XUL:x86_64+0x34a4f9f)
    #16 0x110c08da3 in mozilla::gl::SurfaceFactory_IOSurface::CreateShared(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x34a6da3)
    #17 0x110c86303 in mozilla::gl::SurfaceFactory::NewTexClient(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x3524303)
    #18 0x110c3c91c in mozilla::gl::GLScreenBuffer::Resize(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x34da91c)
    #19 0x114b0fb13 in mozilla::WebGLContext::PresentScreenBuffer(mozilla::gl::GLScreenBuffer*) (Nightly.app/Contents/MacOS/XUL:x86_64+0x73adb13)
    #20 0x114b126af in mozilla::WebGLContextUserData::PreTransactionCallback(void*) (Nightly.app/Contents/MacOS/XUL:x86_64+0x73b06af)
    #21 0x110e17afc in mozilla::layers::ShareableCanvasRenderer::UpdateCompositableClient(mozilla::wr::RenderRoot) (Nightly.app/Contents/MacOS/XUL:x86_64+0x36b5afc)
    #22 0x1112cdead in mozilla::layers::ClientCanvasLayer::RenderLayer() (Nightly.app/Contents/MacOS/XUL:x86_64+0x3b6bead)
    #23 0x11130e270 in mozilla::layers::ClientContainerLayer::RenderLayer() (Nightly.app/Contents/MacOS/XUL:x86_64+0x3bac270)
    #24 0x1112d710b in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) (Nightly.app/Contents/MacOS/XUL:x86_64+0x3b7510b)
    #25 0x1112d8a13 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) (Nightly.app/Contents/MacOS/XUL:x86_64+0x3b76a13)
    #26 0x11884c408 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) (Nightly.app/Contents/MacOS/XUL:x86_64+0xb0ea408)
    #27 0x117ec1b48 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) (Nightly.app/Contents/MacOS/XUL:x86_64+0xa75fb48)
    #28 0x117d9530c in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) (Nightly.app/Contents/MacOS/XUL:x86_64+0xa63330c)
    #29 0x1175c6cf9 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) (Nightly.app/Contents/MacOS/XUL:x86_64+0x9e64cf9)
    #30 0x1175c5e97 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) (Nightly.app/Contents/MacOS/XUL:x86_64+0x9e63e97)
    #31 0x1175caf01 in nsViewManager::ProcessPendingUpdates() (Nightly.app/Contents/MacOS/XUL:x86_64+0x9e68f01)
    #32 0x117cff35c in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) (Nightly.app/Contents/MacOS/XUL:x86_64+0xa59d35c)
    #33 0x117d0f6cb in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) (Nightly.app/Contents/MacOS/XUL:x86_64+0xa5ad6cb)
    #34 0x117d0eff4 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) (Nightly.app/Contents/MacOS/XUL:x86_64+0xa5acff4)
    #35 0x117d12a77 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) (Nightly.app/Contents/MacOS/XUL:x86_64+0xa5b0a77)
    #36 0x117d11c85 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0xa5afc85)
    #37 0x11867e21f in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0xaf1c21f)
    #38 0x10fa975a5 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x23355a5)
    #39 0x10f596f33 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x1e34f33)
    #40 0x10ed9d93d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x163b93d)
    #41 0x10ed98726 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x1636726)
    #42 0x10ed9ad98 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) (Nightly.app/Contents/MacOS/XUL:x86_64+0x1638d98)
    #43 0x10ed9b9cf in mozilla::ipc::MessageChannel::MessageTask::Run() (Nightly.app/Contents/MacOS/XUL:x86_64+0x16399cf)
    #44 0x10da7a9ca in nsThread::ProcessNextEvent(bool, bool*) (Nightly.app/Contents/MacOS/XUL:x86_64+0x3189ca)
    #45 0x10da8152d in NS_ProcessNextEvent(nsIThread*, bool) (Nightly.app/Contents/MacOS/XUL:x86_64+0x31f52d)
    #46 0x10eda7e97 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (Nightly.app/Contents/MacOS/XUL:x86_64+0x1645e97)
    #47 0x10ec8cfc2 in MessageLoop::Run() (Nightly.app/Contents/MacOS/XUL:x86_64+0x152afc2)
    #48 0x1176867ff in nsBaseAppShell::Run() (Nightly.app/Contents/MacOS/XUL:x86_64+0x9f247ff)
    #49 0x1177c7cdc in nsAppShell::Run() (Nightly.app/Contents/MacOS/XUL:x86_64+0xa065cdc)
    #50 0x11b853375 in XRE_RunAppShell() (Nightly.app/Contents/MacOS/XUL:x86_64+0xe0f1375)
    #51 0x10ec8cfc2 in MessageLoop::Run() (Nightly.app/Contents/MacOS/XUL:x86_64+0x152afc2)
    #52 0x11b852562 in XRE_InitChildProcess(int, char**, XREChildData const*) (Nightly.app/Contents/MacOS/XUL:x86_64+0xe0f0562)
    #53 0x10b878712 in main (Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100001712)
    #54 0x7fff79bc8014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)

==96804==Register values:
rax = 0x00007fff520760c3  rbx = 0x000062000003c080  rcx = 0x00006040001c8f50  rdx = 0xffffffffffffffff
rdi = 0x0000000000000000  rsi = 0x000061e0000c8480  rbp = 0x00007ffee437e030  rsp = 0x00007ffee437e030
 r8 = 0x000000013ea099a2   r9 = 0x0000000000000000  r10 = 0x000060c000167a40  r11 = 0x00007fff51ca7380
r12 = 0x000061d00025bce8  r13 = 0xffffffffffffffff  r14 = 0x000061e0000c84d0  r15 = 0x000061d00025c238
Flags: in-testsuite?
Priority: -- → P1

Looks sec-high but may be driver-specific.

Keywords: sec-high

This was found on a macmini6,2 (late 2012) running MacOS version 10.13.5

Sotaro - do you have any suggestions for this bug?

Flags: needinfo?(sotaro.ikeda.g)

When I tried the testcase.html on macOS 10.14.6 on nightly, the crash happened.

It seems that "gl1.bufferData(gl.ELEMENT_ARRAY_BUFFER, 2147483647, gl.STATIC_DRAW)" triggers oom and it was not handled correctly on macOS.
When the buffer size was 1200000000, it did not cause a tab crash. But when the buffer size was 1300000000, it caused a tab crash.

During the testcase.html, it also triggers the following warning in WebGLContext::DoFakeVertexAttrib0().
https://searchfox.org/mozilla-central/source/dom/canvas/WebGLContextDraw.cpp#975

:tsmith, can you check if the patch addresses the problem?

Flags: needinfo?(twsmith)
Assignee: nobody → sotaro.ikeda.g

(In reply to Sotaro Ikeda [:sotaro] from comment #9)

:tsmith, can you check if the patch addresses the problem?

The patch did the job. The issue is not reproducible with the build from try.

Flags: needinfo?(twsmith)

Comment on attachment 9090301 [details]
Bug 1573048 - Add size check to WebGLContext::BufferData()

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It might be possible.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all branches that support WebGL
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It is easy to create a patch. The patch is simple enough.
  • How likely is this patch to cause regressions; how much testing does it need?: It is not likely to cause a regression. The patch just added a size limit. It passed the testcase in this bug.
Attachment #9090301 - Flags: sec-approval?

sec-approval+ for mozilla-central. We'll want beta and ESR68 patches as well.

status-firefox69: --- → wontfix
status-firefox71: --- → affected
status-firefox-esr60: --- → wontfix
status-firefox-esr68: --- → affected
tracking-firefox70: --- → +
tracking-firefox71: --- → +
tracking-firefox-esr68: --- → 71+
Attachment #9090301 - Flags: sec-approval? → sec-approval+

https://hg.mozilla.org/mozilla-central/rev/2f09b27b60f3

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

Please nominate this for Beta and ESR68 approval when you get a chance.

Flags: needinfo?(sotaro.ikeda.g)

Comment on attachment 9090301 [details]
Bug 1573048 - Add size check to WebGLContext::BufferData()

Beta/Release Uplift Approval Request

  • User impact if declined: Content process could cause a crash with a content like testcase.html.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It just add size limit.
  • String changes made/needed: None

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Content process crash that seems likely to be triggered easily.
  • User impact if declined: Content process could cause a crash with a content like testcase.html.
  • Fix Landed on Version: 71
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It just add size limit.
  • String or UUID changes made by this patch: None
Flags: needinfo?(sotaro.ikeda.g)
Attachment #9090301 - Flags: approval-mozilla-esr68?
Attachment #9090301 - Flags: approval-mozilla-beta?

Comment on attachment 9090301 [details]
Bug 1573048 - Add size check to WebGLContext::BufferData()

Fix for sec-high issue, let's uplift for beta 11.

Attachment #9090301 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
QA Whiteboard: [qa-triaged]

I have managed to reproduce this issue using Firefox 70.0a1 (BuildId:20190811215021) on macOS 10.13.6

This issue is verified fixed using Firefox 71.0a1 (BuildId:20191001041624) and Firefox 70.0b11 (BuildId:20190930132843) on macOS 10.13.6

Pending esr uplift.

status-firefox70: fixedverified
status-firefox71: fixedverified
Flags: needinfo?(emil.ghitta)

Comment on attachment 9090301 [details]
Bug 1573048 - Add size check to WebGLContext::BufferData()

Fixes a webgl sec-high, approved for 68.2esr.

Attachment #9090301 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+

This issue is verified fixed using Firefox 68.2.0esr (provided in comment 21) on macOS 10.13.6.

Status: RESOLVED → VERIFIED
status-firefox-esr68: fixedverified
Flags: qe-verify+
Flags: needinfo?(emil.ghitta)
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main70+][adv-main70-rollup]
Whiteboard: [post-critsmash-triage][adv-main70+][adv-main70-rollup] → [post-critsmash-triage][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup]
Whiteboard: [post-critsmash-triage][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup] → [post-critsmash-triage][adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.