Closed Bug 1608330 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free [@ mozilla::WebGLContext::FuncScope::~FuncScope]

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Unspecified
Windows
defect

Tracking

()

RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- unaffected
firefox74 --- fixed

People

(Reporter: truber, Assigned: jgilbert)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Crash Data

Attachments

(2 files)

See below heap use-after-free on Windows 10 on m-c build 20200109-40f3654a935a found while fuzzing. I'm reducing the testcase now.

I wasn't able to reproduce locally with NVidia hardware, but it reproduces reliably in EC2.

==1188==ERROR: AddressSanitizer: heap-use-after-free on address 0x12871b835170 at pc 0x7ffc237ca08f bp 0x00e2b8ff5ee0 sp 0x00e2b8ff5f28
WRITE of size 8 at 0x12871b835170 thread T0
    #0 0x7ffc237ca08e in mozilla::WebGLContext::FuncScope::~FuncScope \src\dom\canvas\WebGLContext.cpp:1799
    #1 0x7ffc237ede45 in mozilla::WebGLContext::PresentScreenBuffer \src\dom\canvas\WebGLContext.cpp:1052
    #2 0x7ffc237f7312 in mozilla::WebGLContext::Present \src\dom\canvas\WebGLContext.cpp:1087
    #3 0x7ffc1fbb6858 in mozilla::layers::ShareableCanvasRenderer::UpdateCompositableClient \src\gfx\layers\ShareableCanvasRenderer.cpp:202
    #4 0x7ffc1fd42863 in mozilla::layers::ClientCanvasLayer::RenderLayer \src\gfx\layers\client\ClientCanvasLayer.cpp:25
    #5 0x7ffc1fd6d838 in mozilla::layers::ClientContainerLayer::RenderLayer \src\gfx\layers\client\ClientContainerLayer.h:53
    #6 0x7ffc1fd4b34c in mozilla::layers::ClientLayerManager::EndTransactionInternal \src\gfx\layers\client\ClientLayerManager.cpp:352
    #7 0x7ffc1fd4cf11 in mozilla::layers::ClientLayerManager::EndTransaction \src\gfx\layers\client\ClientLayerManager.cpp:415
    #8 0x7ffc277e754c in nsDisplayList::PaintRoot \src\layout\painting\nsDisplayList.cpp:3291
    #9 0x7ffc26d9bbc1 in nsLayoutUtils::PaintFrame \src\layout\base\nsLayoutUtils.cpp:4132
    #10 0x7ffc26c4deb1 in mozilla::PresShell::Paint \src\layout\base\PresShell.cpp:6040
    #11 0x7ffc2634d751 in nsViewManager::ProcessPendingUpdatesPaint \src\view\nsViewManager.cpp:461
    #12 0x7ffc2634c505 in nsViewManager::ProcessPendingUpdatesForView \src\view\nsViewManager.cpp:396
    #13 0x7ffc26352e99 in nsViewManager::ProcessPendingUpdates \src\view\nsViewManager.cpp:1019
    #14 0x7ffc26b9d36c in nsRefreshDriver::Tick \src\layout\base\nsRefreshDriver.cpp:2177
    #15 0x7ffc26bb1dda in mozilla::RefreshDriverTimer::TickRefreshDrivers \src\layout\base\nsRefreshDriver.cpp:351
    #16 0x7ffc26bb17f9 in mozilla::RefreshDriverTimer::Tick \src\layout\base\nsRefreshDriver.cpp:368
    #17 0x7ffc26bb0466 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver \src\layout\base\nsRefreshDriver.cpp:740
    #18 0x7ffc26baf308 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync \src\layout\base\nsRefreshDriver.cpp:635
    #19 0x7ffc275e52df in mozilla::layout::VsyncChild::RecvNotify \src\layout\ipc\VsyncChild.cpp:65
    #20 0x7ffc1e54274a in mozilla::layout::PVsyncChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PVsyncChild.cpp:187
    #21 0x7ffc1e0e44ec in mozilla::ipc::PBackgroundChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PBackgroundChild.cpp:5876
    #22 0x7ffc1db56adb in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2212
    #23 0x7ffc1db525d9 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2134
    #24 0x7ffc1db54796 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1973
    #25 0x7ffc1db54e46 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2004
    #26 0x7ffc1c8ab5e8 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1248
    #27 0x7ffc1c8b7c18 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #28 0x7ffc1db5ec9f in mozilla::ipc::MessagePump::Run \src\ipc\glue\MessagePump.cpp:87
    #29 0x7ffc1daa07ce in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #30 0x7ffc1daa0565 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #31 0x7ffc2644701a in nsBaseAppShell::Run \src\widget\nsBaseAppShell.cpp:137
    #32 0x7ffc265e8a88 in nsAppShell::Run \src\widget\windows\nsAppShell.cpp:406
    #33 0x7ffc2a7ad6d8 in XRE_RunAppShell \src\toolkit\xre\nsEmbedFunctions.cpp:946
    #34 0x7ffc1daa07ce in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #35 0x7ffc1daa0565 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #36 0x7ffc2a7ac7a6 in XRE_InitChildProcess \src\toolkit\xre\nsEmbedFunctions.cpp:781
    #37 0x7ff68e932142 in NS_internal_main \src\browser\app\nsBrowserApp.cpp:303
    #38 0x7ff68e931501 in wmain \src\toolkit\xre\nsWindowsWMain.cpp:131
    #39 0x7ff68ea2cdb7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #40 0x7ffc714c7bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
    #41 0x7ffc7346cee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)

0x12871b835170 is located 240 bytes inside of 1256-byte region [0x12871b835080,0x12871b835568)
freed by thread T0 here:
    #0 0x7ffc41184ae4 in free Z:\task_1578324845\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:85
    #1 0x7ffc2382f1dc in mozilla::WebGL2Context::~WebGL2Context \src\dom\canvas\WebGLContext.cpp:178
    #2 0x7ffc23738110 in mozilla::HostWebGLContext::~HostWebGLContext \src\dom\canvas\HostWebGLContext.cpp:83
    #3 0x7ffc2377240f in mozilla::HostWebGLContext::~HostWebGLContext \src\dom\canvas\HostWebGLContext.cpp:79
    #4 0x7ffc2368ff3e in mozilla::webgl::NotLostData::~NotLostData \src\dom\canvas\ClientWebGLContext.cpp:33
    #5 0x7ffc2369347d in mozilla::ClientWebGLContext::OnContextLoss \src\dom\canvas\ClientWebGLContext.cpp:183
    #6 0x7ffc2373953b in mozilla::HostWebGLContext::OnContextLoss \src\dom\canvas\HostWebGLContext.cpp:89
    #7 0x7ffc237ee742 in mozilla::WebGLContext::PresentScreenBuffer \src\dom\canvas\WebGLContext.cpp
    #8 0x7ffc237f7312 in mozilla::WebGLContext::Present \src\dom\canvas\WebGLContext.cpp:1087
    #9 0x7ffc1fbb6858 in mozilla::layers::ShareableCanvasRenderer::UpdateCompositableClient \src\gfx\layers\ShareableCanvasRenderer.cpp:202
    #10 0x7ffc1fd42863 in mozilla::layers::ClientCanvasLayer::RenderLayer \src\gfx\layers\client\ClientCanvasLayer.cpp:25
    #11 0x7ffc1fd6d838 in mozilla::layers::ClientContainerLayer::RenderLayer \src\gfx\layers\client\ClientContainerLayer.h:53
    #12 0x7ffc1fd4b34c in mozilla::layers::ClientLayerManager::EndTransactionInternal \src\gfx\layers\client\ClientLayerManager.cpp:352
    #13 0x7ffc1fd4cf11 in mozilla::layers::ClientLayerManager::EndTransaction \src\gfx\layers\client\ClientLayerManager.cpp:415
    #14 0x7ffc277e754c in nsDisplayList::PaintRoot \src\layout\painting\nsDisplayList.cpp:3291
    #15 0x7ffc26d9bbc1 in nsLayoutUtils::PaintFrame \src\layout\base\nsLayoutUtils.cpp:4132
    #16 0x7ffc26c4deb1 in mozilla::PresShell::Paint \src\layout\base\PresShell.cpp:6040
    #17 0x7ffc2634d751 in nsViewManager::ProcessPendingUpdatesPaint \src\view\nsViewManager.cpp:461
    #18 0x7ffc2634c505 in nsViewManager::ProcessPendingUpdatesForView \src\view\nsViewManager.cpp:396

previously allocated by thread T0 here:
    #0 0x7ffc41184bf4 in malloc Z:\task_1578324845\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:101
    #1 0x7ffc590e16dd in moz_xmalloc \src\memory\mozalloc\mozalloc.cpp:52
    #2 0x7ffc237ef58b in mozilla::WebGLContext::Create \src\dom\canvas\WebGLContext.cpp:636
    #3 0x7ffc23695606 in mozilla::ClientWebGLContext::CreateHostContext \src\dom\canvas\ClientWebGLContext.cpp:681
    #4 0x7ffc2369c504 in mozilla::ClientWebGLContext::SetDimensions \src\dom\canvas\ClientWebGLContext.cpp:671
    #5 0x7ffc2368ea12 in mozilla::dom::CanvasRenderingContextHelper::UpdateContext \src\dom\canvas\CanvasRenderingContextHelper.cpp:221
    #6 0x7ffc2368e248 in mozilla::dom::CanvasRenderingContextHelper::GetContext \src\dom\canvas\CanvasRenderingContextHelper.cpp:179
    #7 0x7ffc241a627c in mozilla::dom::HTMLCanvasElement::GetContext \src\dom\html\HTMLCanvasElement.cpp:915
    #8 0x7ffc2312aa90 in mozilla::dom::HTMLCanvasElement_Binding::getContext \src\obj-firefox\dom\bindings\HTMLCanvasElementBinding.cpp:294
    #9 0x7ffc23560a22 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> \src\dom\bindings\BindingUtils.cpp:3151
    #10 0x7ffc2aacd677 in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:544
    #11 0x7ffc2aad093d in InternalCall \src\js\src\vm\Interpreter.cpp:608
    #12 0x7ffc2aa966d7 in Interpret \src\js\src\vm\Interpreter.cpp:3041
    #13 0x7ffc2aa9222a in js::RunScript \src\js\src\vm\Interpreter.cpp:424
    #14 0x7ffc2aacdf3d in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:580
    #15 0x7ffc2aad093d in InternalCall \src\js\src\vm\Interpreter.cpp:608
    #16 0x7ffc2aad0b02 in js::Call \src\js\src\vm\Interpreter.cpp:625
    #17 0x7ffc2ac9d4b2 in JS::Call \src\js\src\jsapi.cpp:2768
    #18 0x7ffc22cff69c in mozilla::dom::EventHandlerNonNull::Call \src\obj-firefox\dom\bindings\EventHandlerBinding.cpp:267

SUMMARY: AddressSanitizer: heap-use-after-free \src\dom\canvas\WebGLContext.cpp:1799 in mozilla::WebGLContext::FuncScope::~FuncScope
Shadow bytes around the buggy address:
  0x04a3fec869d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04a3fec869e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04a3fec869f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04a3fec86a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04a3fec86a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x04a3fec86a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x04a3fec86a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04a3fec86a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04a3fec86a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04a3fec86a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04a3fec86a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1188==ABORTING
Assignee: nobody → jgilbert
Priority: -- → P1
Attached file reduced.html
Keywords: testcase

Hah, reduced indeed!

Group: core-security

UAF while unwinding up the call chain is generally less dangerous.

Severity: normal → minor
Has Regression Range: --- → yes

Calling Present directly skips the strong-ref we hold in Run<>, causing
this UAF when the context is lost mid-call.

Updated the commit message so as not to call out the UAF, even though this is a nightly-only bug. :P

I wasn't able to repro this locally with a debug+asan build. It probably needs opt+asan. Would you be able to confirm whether this patch addresses the issue?

Flags: needinfo?(jschwartzentruber)
Keywords: sec-high

Yes, the testcase no longer repros with the patch in an asan+opt build in EC2.

Flags: needinfo?(jschwartzentruber)

Comment on attachment 9121205 [details]
Bug 1608330 - Use Run<RPROC> instead of calling Present directly.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Very hard. I believe this ASAN trap is not generally dangerous here.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: none
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely to regress.
Attachment #9121205 - Flags: sec-approval?

Comment on attachment 9121205 [details]
Bug 1608330 - Use Run<RPROC> instead of calling Present directly.

Approved to land and request uplift.

Attachment #9121205 - Flags: sec-approval? → sec-approval+
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.