AddressSanitizer: heap-use-after-free [@ mozilla::WebGLContext::FuncScope::~FuncScope]
Categories: Core :: Graphics: CanvasWebGL, defect, P1
Tracking:
Tracking | Status
---|---
firefox-esr68 | unaffected
firefox72 | unaffected
firefox73 | unaffected
firefox74 | fixed
People: Reporter: truber, Assigned: jgilbert
References: Blocks 2 open bugs, Regression
Details: 5 keywords, Whiteboard: [post-critsmash-triage]
Crash Data
Attachments (2 files):
- 325 bytes, text/html (Details)
- 47 bytes, text/x-phabricator-request; tjr: sec-approval+ (Details | Review)
See the heap use-after-free below, hit on Windows 10 on m-c build 20200109-40f3654a935a while fuzzing. I'm reducing the testcase now.
I wasn't able to reproduce locally on NVIDIA hardware, but it reproduces reliably in EC2.
==1188==ERROR: AddressSanitizer: heap-use-after-free on address 0x12871b835170 at pc 0x7ffc237ca08f bp 0x00e2b8ff5ee0 sp 0x00e2b8ff5f28
WRITE of size 8 at 0x12871b835170 thread T0
#0 0x7ffc237ca08e in mozilla::WebGLContext::FuncScope::~FuncScope \src\dom\canvas\WebGLContext.cpp:1799
#1 0x7ffc237ede45 in mozilla::WebGLContext::PresentScreenBuffer \src\dom\canvas\WebGLContext.cpp:1052
#2 0x7ffc237f7312 in mozilla::WebGLContext::Present \src\dom\canvas\WebGLContext.cpp:1087
#3 0x7ffc1fbb6858 in mozilla::layers::ShareableCanvasRenderer::UpdateCompositableClient \src\gfx\layers\ShareableCanvasRenderer.cpp:202
#4 0x7ffc1fd42863 in mozilla::layers::ClientCanvasLayer::RenderLayer \src\gfx\layers\client\ClientCanvasLayer.cpp:25
#5 0x7ffc1fd6d838 in mozilla::layers::ClientContainerLayer::RenderLayer \src\gfx\layers\client\ClientContainerLayer.h:53
#6 0x7ffc1fd4b34c in mozilla::layers::ClientLayerManager::EndTransactionInternal \src\gfx\layers\client\ClientLayerManager.cpp:352
#7 0x7ffc1fd4cf11 in mozilla::layers::ClientLayerManager::EndTransaction \src\gfx\layers\client\ClientLayerManager.cpp:415
#8 0x7ffc277e754c in nsDisplayList::PaintRoot \src\layout\painting\nsDisplayList.cpp:3291
#9 0x7ffc26d9bbc1 in nsLayoutUtils::PaintFrame \src\layout\base\nsLayoutUtils.cpp:4132
#10 0x7ffc26c4deb1 in mozilla::PresShell::Paint \src\layout\base\PresShell.cpp:6040
#11 0x7ffc2634d751 in nsViewManager::ProcessPendingUpdatesPaint \src\view\nsViewManager.cpp:461
#12 0x7ffc2634c505 in nsViewManager::ProcessPendingUpdatesForView \src\view\nsViewManager.cpp:396
#13 0x7ffc26352e99 in nsViewManager::ProcessPendingUpdates \src\view\nsViewManager.cpp:1019
#14 0x7ffc26b9d36c in nsRefreshDriver::Tick \src\layout\base\nsRefreshDriver.cpp:2177
#15 0x7ffc26bb1dda in mozilla::RefreshDriverTimer::TickRefreshDrivers \src\layout\base\nsRefreshDriver.cpp:351
#16 0x7ffc26bb17f9 in mozilla::RefreshDriverTimer::Tick \src\layout\base\nsRefreshDriver.cpp:368
#17 0x7ffc26bb0466 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver \src\layout\base\nsRefreshDriver.cpp:740
#18 0x7ffc26baf308 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync \src\layout\base\nsRefreshDriver.cpp:635
#19 0x7ffc275e52df in mozilla::layout::VsyncChild::RecvNotify \src\layout\ipc\VsyncChild.cpp:65
#20 0x7ffc1e54274a in mozilla::layout::PVsyncChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PVsyncChild.cpp:187
#21 0x7ffc1e0e44ec in mozilla::ipc::PBackgroundChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PBackgroundChild.cpp:5876
#22 0x7ffc1db56adb in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2212
#23 0x7ffc1db525d9 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2134
#24 0x7ffc1db54796 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1973
#25 0x7ffc1db54e46 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2004
#26 0x7ffc1c8ab5e8 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1248
#27 0x7ffc1c8b7c18 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
#28 0x7ffc1db5ec9f in mozilla::ipc::MessagePump::Run \src\ipc\glue\MessagePump.cpp:87
#29 0x7ffc1daa07ce in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
#30 0x7ffc1daa0565 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
#31 0x7ffc2644701a in nsBaseAppShell::Run \src\widget\nsBaseAppShell.cpp:137
#32 0x7ffc265e8a88 in nsAppShell::Run \src\widget\windows\nsAppShell.cpp:406
#33 0x7ffc2a7ad6d8 in XRE_RunAppShell \src\toolkit\xre\nsEmbedFunctions.cpp:946
#34 0x7ffc1daa07ce in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
#35 0x7ffc1daa0565 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
#36 0x7ffc2a7ac7a6 in XRE_InitChildProcess \src\toolkit\xre\nsEmbedFunctions.cpp:781
#37 0x7ff68e932142 in NS_internal_main \src\browser\app\nsBrowserApp.cpp:303
#38 0x7ff68e931501 in wmain \src\toolkit\xre\nsWindowsWMain.cpp:131
#39 0x7ff68ea2cdb7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#40 0x7ffc714c7bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
#41 0x7ffc7346cee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)
0x12871b835170 is located 240 bytes inside of 1256-byte region [0x12871b835080,0x12871b835568)
freed by thread T0 here:
#0 0x7ffc41184ae4 in free Z:\task_1578324845\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:85
#1 0x7ffc2382f1dc in mozilla::WebGL2Context::~WebGL2Context \src\dom\canvas\WebGLContext.cpp:178
#2 0x7ffc23738110 in mozilla::HostWebGLContext::~HostWebGLContext \src\dom\canvas\HostWebGLContext.cpp:83
#3 0x7ffc2377240f in mozilla::HostWebGLContext::~HostWebGLContext \src\dom\canvas\HostWebGLContext.cpp:79
#4 0x7ffc2368ff3e in mozilla::webgl::NotLostData::~NotLostData \src\dom\canvas\ClientWebGLContext.cpp:33
#5 0x7ffc2369347d in mozilla::ClientWebGLContext::OnContextLoss \src\dom\canvas\ClientWebGLContext.cpp:183
#6 0x7ffc2373953b in mozilla::HostWebGLContext::OnContextLoss \src\dom\canvas\HostWebGLContext.cpp:89
#7 0x7ffc237ee742 in mozilla::WebGLContext::PresentScreenBuffer \src\dom\canvas\WebGLContext.cpp
#8 0x7ffc237f7312 in mozilla::WebGLContext::Present \src\dom\canvas\WebGLContext.cpp:1087
#9 0x7ffc1fbb6858 in mozilla::layers::ShareableCanvasRenderer::UpdateCompositableClient \src\gfx\layers\ShareableCanvasRenderer.cpp:202
#10 0x7ffc1fd42863 in mozilla::layers::ClientCanvasLayer::RenderLayer \src\gfx\layers\client\ClientCanvasLayer.cpp:25
#11 0x7ffc1fd6d838 in mozilla::layers::ClientContainerLayer::RenderLayer \src\gfx\layers\client\ClientContainerLayer.h:53
#12 0x7ffc1fd4b34c in mozilla::layers::ClientLayerManager::EndTransactionInternal \src\gfx\layers\client\ClientLayerManager.cpp:352
#13 0x7ffc1fd4cf11 in mozilla::layers::ClientLayerManager::EndTransaction \src\gfx\layers\client\ClientLayerManager.cpp:415
#14 0x7ffc277e754c in nsDisplayList::PaintRoot \src\layout\painting\nsDisplayList.cpp:3291
#15 0x7ffc26d9bbc1 in nsLayoutUtils::PaintFrame \src\layout\base\nsLayoutUtils.cpp:4132
#16 0x7ffc26c4deb1 in mozilla::PresShell::Paint \src\layout\base\PresShell.cpp:6040
#17 0x7ffc2634d751 in nsViewManager::ProcessPendingUpdatesPaint \src\view\nsViewManager.cpp:461
#18 0x7ffc2634c505 in nsViewManager::ProcessPendingUpdatesForView \src\view\nsViewManager.cpp:396
previously allocated by thread T0 here:
#0 0x7ffc41184bf4 in malloc Z:\task_1578324845\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:101
#1 0x7ffc590e16dd in moz_xmalloc \src\memory\mozalloc\mozalloc.cpp:52
#2 0x7ffc237ef58b in mozilla::WebGLContext::Create \src\dom\canvas\WebGLContext.cpp:636
#3 0x7ffc23695606 in mozilla::ClientWebGLContext::CreateHostContext \src\dom\canvas\ClientWebGLContext.cpp:681
#4 0x7ffc2369c504 in mozilla::ClientWebGLContext::SetDimensions \src\dom\canvas\ClientWebGLContext.cpp:671
#5 0x7ffc2368ea12 in mozilla::dom::CanvasRenderingContextHelper::UpdateContext \src\dom\canvas\CanvasRenderingContextHelper.cpp:221
#6 0x7ffc2368e248 in mozilla::dom::CanvasRenderingContextHelper::GetContext \src\dom\canvas\CanvasRenderingContextHelper.cpp:179
#7 0x7ffc241a627c in mozilla::dom::HTMLCanvasElement::GetContext \src\dom\html\HTMLCanvasElement.cpp:915
#8 0x7ffc2312aa90 in mozilla::dom::HTMLCanvasElement_Binding::getContext \src\obj-firefox\dom\bindings\HTMLCanvasElementBinding.cpp:294
#9 0x7ffc23560a22 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> \src\dom\bindings\BindingUtils.cpp:3151
#10 0x7ffc2aacd677 in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:544
#11 0x7ffc2aad093d in InternalCall \src\js\src\vm\Interpreter.cpp:608
#12 0x7ffc2aa966d7 in Interpret \src\js\src\vm\Interpreter.cpp:3041
#13 0x7ffc2aa9222a in js::RunScript \src\js\src\vm\Interpreter.cpp:424
#14 0x7ffc2aacdf3d in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:580
#15 0x7ffc2aad093d in InternalCall \src\js\src\vm\Interpreter.cpp:608
#16 0x7ffc2aad0b02 in js::Call \src\js\src\vm\Interpreter.cpp:625
#17 0x7ffc2ac9d4b2 in JS::Call \src\js\src\jsapi.cpp:2768
#18 0x7ffc22cff69c in mozilla::dom::EventHandlerNonNull::Call \src\obj-firefox\dom\bindings\EventHandlerBinding.cpp:267
SUMMARY: AddressSanitizer: heap-use-after-free \src\dom\canvas\WebGLContext.cpp:1799 in mozilla::WebGLContext::FuncScope::~FuncScope
Shadow bytes around the buggy address:
0x04a3fec869d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x04a3fec869e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x04a3fec869f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x04a3fec86a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x04a3fec86a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x04a3fec86a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x04a3fec86a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04a3fec86a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04a3fec86a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04a3fec86a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04a3fec86a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1188==ABORTING
Comment 1•5 years ago (Reporter)
Comment 2•5 years ago (Assignee)
Hah, reduced indeed!
Comment 3•5 years ago (Assignee)
UAF while unwinding up the call chain is generally less dangerous.
Comment 4•5 years ago (Assignee)
Calling Present directly skips the strong-ref we hold in Run<>, causing
this UAF when the context is lost mid-call.
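As an added illustration of the lifetime bug described in comment 4 (example code written for this page, not Firefox's own; the class names, the `mOwner` slot and the liveness registry are stand-ins): a ref-counted context whose `Present()` can trigger its own destruction through context loss, a `FuncScope` whose destructor writes back into the context, and a `Run<>`-style wrapper that pins the object with a strong reference for the whole call. The demo records the dangling write in a counter instead of actually touching freed memory, so it runs cleanly without ASan; in Firefox that write lands on the freed `WebGL2Context`, which is what the report above shows.

```cpp
#include <memory>
#include <set>

namespace demo {

// Liveness registry: lets the demo detect a write to a destroyed context
// without dereferencing freed memory (undefined behaviour). In Firefox the
// write really lands on freed memory, which is what ASan reported.
static std::set<const void*>& LiveContexts() {
  static std::set<const void*> live;
  return live;
}
static int gDanglingWrites = 0;

class Context;

// Stand-in for WebGLContext::FuncScope: notes the current function on
// the context, and clears that note when the scope exits.
class FuncScope {
 public:
  FuncScope(Context* ctx, const char* name);
  ~FuncScope();

 private:
  Context* mCtx;
};

class Context : public std::enable_shared_from_this<Context> {
 public:
  Context() { LiveContexts().insert(this); }
  ~Context() { LiveContexts().erase(this); }

  // The owning reference that the context-loss path drops (stand-in for
  // ClientWebGLContext::OnContextLoss releasing NotLostData).
  std::shared_ptr<Context>* mOwner = nullptr;
  const char* mFuncName = nullptr;
  bool mLoseContextDuringPresent = false;

  // Stand-in for WebGLContext::Present. If context loss fires during the
  // call, the owner drops its reference and *this may be destroyed before
  // the FuncScope destructor runs.
  void Present() {
    FuncScope scope(this, "Present");
    if (mLoseContextDuringPresent && mOwner) {
      mOwner->reset();
    }
  }

  // Stand-in for the Run<> wrapper from the fix: pin *this with a strong
  // reference for the whole call, so destruction is deferred until every
  // scope inside the call has unwound.
  template <typename Fn>
  void Run(Fn fn) {
    std::shared_ptr<Context> keepAlive = shared_from_this();
    fn(*this);
  }
};

FuncScope::FuncScope(Context* ctx, const char* name) : mCtx(ctx) {
  mCtx->mFuncName = name;
}

FuncScope::~FuncScope() {
  if (LiveContexts().count(mCtx) == 0) {
    ++gDanglingWrites;  // the heap-use-after-free write from the report
    return;
  }
  mCtx->mFuncName = nullptr;
}

// Present() called directly through a raw pointer, as the buggy
// ShareableCanvasRenderer path did. Returns the number of dangling writes.
int DanglingWritesDirectCall() {
  gDanglingWrites = 0;
  auto owner = std::make_shared<Context>();
  owner->mOwner = &owner;
  owner->mLoseContextDuringPresent = true;
  Context* raw = owner.get();
  raw->Present();
  return gDanglingWrites;  // 1
}

// Same scenario routed through Run<>, as the fix does. Returns 0.
int DanglingWritesViaRun() {
  gDanglingWrites = 0;
  auto owner = std::make_shared<Context>();
  owner->mOwner = &owner;
  owner->mLoseContextDuringPresent = true;
  Context* raw = owner.get();
  raw->Run([](Context& ctx) { ctx.Present(); });
  return gDanglingWrites;  // 0
}

}  // namespace demo
```

The point to take from the two functions is that the fix does not touch `Present()` or `FuncScope` at all: the only change is who holds the reference during the call. Any entry point that can re-enter a teardown path (context loss, IPC error handling, observer notification) needs the same pin, and a raw-pointer call from a rendering or compositor layer is exactly the kind of caller that skips it.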
Comment 5•5 years ago (Assignee)
Updated the commit message so as not to call out the UAF, even though this is a nightly-only bug. :P
Comment 6•5 years ago (Assignee)
I wasn't able to repro this locally with a debug+asan build. It probably needs opt+asan. Would you be able to confirm whether this patch addresses the issue?
Comment 7•5 years ago (Reporter)
Yes, the testcase no longer repros with the patch in an asan+opt build in EC2.
Comment 8•5 years ago (Assignee)
Comment on attachment 9121205 [details]
Bug 1608330 - Use Run<RPROC> instead of calling Present directly.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Very hard. I believe this ASAN trap is not generally dangerous here.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: none
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to regress.
Comment 9•5 years ago
Comment on attachment 9121205 [details]
Bug 1608330 - Use Run<RPROC> instead of calling Present directly.
Approved to land and request uplift.
Comment 10•5 years ago
https://hg.mozilla.org/integration/autoland/rev/75ddac3e4f787f72e2b737a65353329c1e0ce0ec
https://hg.mozilla.org/mozilla-central/rev/75ddac3e4f78