Closed Bug 1610652 Opened 5 years ago Closed 3 years ago

heap-use-after-free in [@ wgpu_server_delete]

Categories

(Core :: Graphics: WebGPU, defect, P3)

defect

Tracking

RESOLVED DUPLICATE of bug 1746538
Tracking Status
thunderbird_esr60 --- unaffected
thunderbird_esr68 --- unaffected
firefox-esr68 --- unaffected
firefox74 --- disabled
firefox76 --- disabled
firefox77 --- disabled
firefox78 --- disabled

People

(Reporter: tsmith, Assigned: kvark)

Details

(Keywords: csectype-uaf, oss-fuzz, sec-moderate)

Info

Found with: 20200120-e5860143f434
Fuzz Target: CompositorManagerParentIPC
Reliably Reproduces: No

This was found by oss-fuzz but is not reproducible. If nothing can be done without more information or a reproducible test case please feel free to close the issue. If a reliable test case is found it will be attached.

Callstack

==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000b5dc80 at pc 0x564552206fc7 bp 0x7ffec69dab20 sp 0x7ffec69da2e0
READ of size 848 at 0x618000b5dc80 thread T0
SCARINESS: 54 (multi-byte-read-heap-use-after-free)
    #0 0x564552206fc6 in memcpy
    #1 0x7fcceccd83ea in wgpu_server_delete gfx/wgpu/wgpu-remote/src/server.rs:20:13
    #2 0x7fcce6a8171f in mozilla::webgpu::WebGPUParent::RecvShutdown() dom/webgpu/ipc/WebGPUParent.cpp:85:3
    #3 0x7fcce3508e38 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PWebGPUParent.cpp:496:56
    #4 0x7fcce2dbb69f in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PCompositorManagerParent.cpp:197:32
    #5 0x7fcce0ff7a62 in void mozilla::ipc::FuzzProtocol<mozilla::layers::CompositorManagerParent>(mozilla::layers::CompositorManagerParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
    #6 0x7fcce0ff7358 in RunCompositorManagerParentIPCFuzzing(unsigned char const*, unsigned long) gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp:30:3
    #7 0x5645523da69f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #8 0x5645523da225 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)
    #9 0x5645523daeb8 in fuzzer::Fuzzer::MutateAndTestOne()
    #10 0x5645523db495 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&)
    #11 0x5645523c8927 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #12 0x7fcceb2b0363 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #13 0x7fcceb1f698a in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3755:35
    #14 0x7fcceb1feaed in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4725:12
    #15 0x7fcceb1ff473 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4821:21
    #16 0x56455229ac34 in do_main(int, char**, char**)
    #17 0x56455229a48b in main
    #18 0x7fccfef7a82f in __libc_start_main
    #19 0x5645521f0028 in _start

0x618000b5dc80 is located 0 bytes inside of 848-byte region [0x618000b5dc80,0x618000b5dfd0)
freed by thread T0 here:
    #0 0x564552267ccd in free
    #1 0x7fcceccd83fb in wgpu_server_delete gfx/wgpu/wgpu-remote/src/server.rs:20:45
    #2 0x7fcce6a8171f in mozilla::webgpu::WebGPUParent::RecvShutdown() dom/webgpu/ipc/WebGPUParent.cpp:85:3
    #3 0x7fcce3508e38 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PWebGPUParent.cpp:496:56
    #4 0x7fcce2dbb69f in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PCompositorManagerParent.cpp:197:32
    #5 0x7fcce0ff7a62 in void mozilla::ipc::FuzzProtocol<mozilla::layers::CompositorManagerParent>(mozilla::layers::CompositorManagerParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
    #6 0x7fcce0ff7358 in RunCompositorManagerParentIPCFuzzing(unsigned char const*, unsigned long) gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp:30:3
    #7 0x5645523da69f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #8 0x5645523da225 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)
    #9 0x5645523daeb8 in fuzzer::Fuzzer::MutateAndTestOne()
    #10 0x5645523db495 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&)
    #11 0x5645523c8927 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #12 0x7fcceb2b0363 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #13 0x7fcceb1f698a in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3755:35
    #14 0x7fcceb1feaed in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4725:12
    #15 0x7fcceb1ff473 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4821:21
    #16 0x56455229ac34 in do_main(int, char**, char**)
    #17 0x56455229a48b in main
    #18 0x7fccfef7a82f in __libc_start_main

previously allocated by thread T0 here:
    #0 0x564552267f4d in malloc
    #1 0x7fcceccd7f21 in alloc::alloc::exchange_malloc::h4ed529a7aa347ab4 /rustc/73528e339aae0f17a15ffa49a8ac608f50c6cf14/src/liballoc/alloc.rs:206:18
    #2 0x7fcceccd8305 in alloc::boxed::Box$LT$T$GT$::new::hd0b07b429dc8439a /rustc/73528e339aae0f17a15ffa49a8ac608f50c6cf14/src/liballoc/boxed.rs:121:8
    #3 0x7fcceccd8305 in wgpu_server_new gfx/wgpu/wgpu-remote/src/server.rs:14:18
    #4 0x7fcce6a80fb9 in mozilla::webgpu::WebGPUParent::WebGPUParent() dom/webgpu/ipc/WebGPUParent.cpp:12:41
    #5 0x7fcce4606b32 in mozilla::layers::ContentCompositorBridgeParent::AllocPWebGPUParent() gfx/layers/ipc/ContentCompositorBridgeParent.cpp:278:38
    #6 0x7fcce2dabb7d in mozilla::layers::PCompositorBridgeParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PCompositorBridgeParent.cpp:1219:86
    #7 0x7fcce2dbb69f in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PCompositorManagerParent.cpp:197:32
    #8 0x7fcce0ff7a62 in void mozilla::ipc::FuzzProtocol<mozilla::layers::CompositorManagerParent>(mozilla::layers::CompositorManagerParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
    #9 0x7fcce0ff7358 in RunCompositorManagerParentIPCFuzzing(unsigned char const*, unsigned long) gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp:30:3
    #10 0x5645523da69f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #11 0x5645523da225 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)
    #12 0x5645523daeb8 in fuzzer::Fuzzer::MutateAndTestOne()
    #13 0x5645523db495 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&)
    #14 0x5645523c8927 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #15 0x7fcceb2b0363 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #16 0x7fcceb1f698a in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3755:35
    #17 0x7fcceb1feaed in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4725:12
    #18 0x7fcceb1ff473 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4821:21
    #19 0x56455229ac34 in do_main(int, char**, char**)
    #20 0x56455229a48b in main
    #21 0x7fccfef7a82f in __libc_start_main
Assignee: nobody → dmalyshau
Status: NEW → ASSIGNED
Priority: -- → P3

Stack kind of looks like a shutdown race, so maybe sec-moderate?

Keywords: sec-moderate
Blocks: webgpu-mvp
Severity: normal → S3

I believe I fixed this as part of bug 1746538. The problem was likely that the fuzzer sent the Shutdown message twice. Now that it relies upon ActorDestroy, the content process won't have the option to call that twice and trigger the use after free.

It also prevents similar bugs where Shutdown was sent and another message that accessed mContext was sent after. ActorDestroy can only be called once, and no messages can come after it has been called.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security
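The lifetime problem described in the comments above (a Shutdown message handler that frees mContext every time it is received, versus a one-shot ActorDestroy teardown), modelled as an added C++ example. This is constructed code, not Firefox, IPDL or wgpu source; FakeGlobal, fakeServerDelete, UnguardedParent and GuardedParent are stand-ins that record a second delete or a post-delete access instead of actually corrupting the heap.

```cpp
// Constructed model of the bug class behind this report: an IPC message that
// tears down a heap object can arrive more than once from the other process.
#include <vector>

// Stand-in for the Rust-side context (a Box in wgpu_server_new).
struct FakeGlobal { int liveObjects = 0; bool alive = true; };

// Audit counters: what ASan would have reported as double-free / UAF.
struct Audit { int doubleFrees = 0; int useAfterFree = 0; };

// Stand-in for wgpu_server_delete: records a repeat delete instead of freeing twice.
static void fakeServerDelete(FakeGlobal* g, Audit& audit) {
    if (!g->alive) { audit.doubleFrees++; return; }
    g->alive = false;  // simulates the free()
}
// Stand-in for any later message that dereferences the context.
static void fakeServerUse(FakeGlobal* g, Audit& audit) {
    if (!g->alive) { audit.useAfterFree++; return; }
    g->liveObjects++;
}

enum class Msg { CreateBuffer, Shutdown, ActorDestroy };

// Vulnerable shape: RecvShutdown deletes on every receipt and leaves mContext dangling.
struct UnguardedParent {
    FakeGlobal* mContext;
    explicit UnguardedParent(FakeGlobal* g) : mContext(g) {}
    void handle(Msg m, Audit& a) {
        if (m == Msg::Shutdown) fakeServerDelete(mContext, a);
        else if (m == Msg::CreateBuffer) fakeServerUse(mContext, a);
    }
};

// Hardened shape: teardown happens only in ActorDestroy (invoked once by the
// IPC layer), the pointer is nulled, and every other handler checks it first.
// Shutdown from the peer is no longer a lifetime operation at all.
struct GuardedParent {
    FakeGlobal* mContext;
    explicit GuardedParent(FakeGlobal* g) : mContext(g) {}
    void handle(Msg m, Audit& a) {
        if (m == Msg::ActorDestroy) {
            if (mContext) { fakeServerDelete(mContext, a); mContext = nullptr; }
        } else if (m == Msg::CreateBuffer && mContext) {
            fakeServerUse(mContext, a);
        }
    }
};

// Drives one parent model through a message sequence and returns the audit.
template <class Parent> Audit run(const std::vector<Msg>& seq) {
    FakeGlobal g; Audit a; Parent p(&g);
    for (Msg m : seq) p.handle(m, a);
    return a;
}
```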