Closed Bug 1663466 (CVE-2020-26971) Opened 7 months ago Closed 5 months ago

Heap Overflow in WebGL PixelByPixel

Categories

(Core :: Canvas: WebGL, defect, P1)

80 Branch
defect

Tracking

RESOLVED FIXED
85 Branch
Tracking Status
firefox-esr78 84+ fixed
firefox83 --- wontfix
firefox84 + fixed
firefox85 + fixed

People

(Reporter: omair, Assigned: jgilbert)

References

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [sec-survey][adv-main84+][adv-esr78.6+])

Attachments

(4 files, 2 obsolete files)

Attached file poc-vcrunitme.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

The crash happens at VCRUNTIME140!memcpy+0xa2, which is called by libGLESv2!rx::`anonymous namespace'::StretchedBlitNearest_PixelByPixel.
In the function StretchedBlitNearest_PixelByPixel, the destination address for the memory write is calculated by:
uint8_t *destPixel = destData + writeRow * destRowPitch + writeColumn * destPixelStride + writeOffset;
From the above instruction, writeRow and writeColumn can be controlled by user input:
gl1.blitFramebuffer( 453, 17, 457, 21, 8400, 160, 8404, 164, gl1.STENCIL_BUFFER_BIT, gl1.NEAREST );
In the same function, the source address for the memory read is calculated by:
const uint8_t *sourcePixel = sourceData + readRow * sourceRowPitch + readColumn * srcPixelStride + readOffset;
The sourcePixel value can also be controlled by the user inputs readRow and readColumn.
The actual syntax of blitFramebuffer is:
void gl.blitFramebuffer(srcX0, srcY0, srcX1, srcY1, dstX0, dstY0, dstX1, dstY1, mask, filter);

User-controlled values affecting the source and destination addresses:
• writeRow = destY0
• writeColumn = destX0
• readRow = srcY0
• readColumn = srcX0
Additionally, the value of destRowPitch can also be modified through the WebGL function below:
gl1.renderbufferStorage( gl1.RENDERBUFFER, gl1.DEPTH_STENCIL, 4, 4 );
Here the 3rd and 4th parameters are the width and height, which are used in the calculation of destRowPitch.
From the values provided in the above-mentioned blitFramebuffer call, the source and destination addresses can be modified as follows:
Register values at crash:
rax=00000150f9a04343 rbx=00000150f9a04343 rcx=0000000000000000
rdx=00000150fb671717 rsi=0000004d6d7fcfe8 rdi=0000004d6d7fd060
rip=00007ffe72bb1392 rsp=0000004d6d7fcb18 rbp=00000000000020d0
r8=0000000000000001 r9=00007ffe72bb0000 r10=00000150fb671717
r11=00000150f9a04343 r12=00000150fb671003 r13=00000000000000a0
r14=00000000000020d4 r15=0000004d6d7fd050
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
VCRUNTIME140!memcpy+0xa2:
00007ffe72bb1392 8808 mov byte ptr [rax],cl ds:00000150f9a04343=??

From the above register values, rax and rbx contain the destination address (destPixel), which is modifiable by the user. rdx and r10 contain the source address (sourcePixel), also modifiable by the user. Registers rbp, r13 and r14 contain the values of dstX0, dstY0 and dstX1 from the blitFramebuffer call.

Actual results:

00 0000004d6d7fcb18 00007ffe58a31b93 VCRUNTIME140!memcpy+0xa2 [d:\agent_work\2\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 255]
01 (Inline Function) ---------------- libGLESv2!rx::`anonymous namespace'::StretchedBlitNearest_PixelByPixel+0x145 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 124]
02 0000004d6d7fcb20 00007ffe58a31eaa libGLESv2!rx::`anonymous namespace'::StretchedBlitNearest+0x2f3 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 158]
03 0000004d6d7fcc10 00007ffe58a315c9 libGLESv2!rx::Blit11::copyAndConvertImpl+0x25a [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 1271]
04 0000004d6d7fcd30 00007ffe58a31063 libGLESv2!rx::Blit11::copyAndConvert+0x199 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 1308]
05 0000004d6d7fce40 00007ffe58a55a41 libGLESv2!rx::Blit11::copyDepthStencilImpl+0x193 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 1211]
06 0000004d6d7fcf20 00007ffe58a40069 libGLESv2!rx::Renderer11::blitRenderbufferRect+0xb51 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp @ 0]
07 0000004d6d7fd160 00007ffe58a0207f libGLESv2!rx::Framebuffer11::blitImpl+0x3e9 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Framebuffer11.cpp @ 366]
08 0000004d6d7fd250 00007ffe589621c3 libGLESv2!rx::FramebufferD3D::blit+0x6f [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/FramebufferD3D.cpp @ 286]
09 0000004d6d7fd2d0 00007ffe5893ea22 libGLESv2!gl::Framebuffer::blit+0x53 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Framebuffer.cpp @ 1551]
0a 0000004d6d7fd320 00007ffe58afe9d9 libGLESv2!gl::Context::blitFramebuffer+0x162 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp @ 3640]
0b 0000004d6d7fd3d0 00007ffe1fe471d7 libGLESv2!gl::BlitFramebuffer+0xb9 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_3_0_autogen.cpp @ 169]
0c 0000004d6d7fd480 00007ffe20ca1828 xul!mozilla::gl::GLContext::raw_fBlitFramebuffer+0x97 [/builds/worker/workspace/obj-build/dist/include/GLContext.h @ 2491]
0d (Inline Function) ---------------- xul!mozilla::gl::GLContext::fBlitFramebuffer+0x46 [/builds/worker/checkouts/gecko/gfx/gl/GLContext.h @ 2477]
0e 0000004d6d7fd530 00007ffe20c753dc xul!mozilla::WebGLFramebuffer::BlitFramebuffer+0x978 [/builds/worker/checkouts/gecko/dom/canvas/WebGLFramebuffer.cpp @ 1516]
0f 0000004d6d7fd6a0 00007ffe20c432fe xul!mozilla::WebGL2Context::BlitFramebuffer+0x22c [/builds/worker/checkouts/gecko/dom/canvas/WebGL2ContextFramebuffers.cpp @ 65]
10 0000004d6d7fd760 00007ffe20c43024 xul!mozilla::ClientWebGLContext::Run<void (mozilla::HostWebGLContext::*)(int, int, int, int, int, int, int, int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlitFramebuffer,int &,int &,int &,int &,int &,int &,int &,int &,unsigned int &,unsigned int &>+0x28e [/builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp @ 313]
11 0000004d6d7fd860 00007ffe20866833 xul!mozilla::ClientWebGLContext::BlitFramebuffer+0x94 [/builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp @ 3433]
12 0000004d6d7fd8e0 00007ffe1ec91711 xul!mozilla::dom::WebGL2RenderingContext_Binding::blitFramebuffer+0x213 [/builds/worker/workspace/obj-build/dom/bindings/WebGL2RenderingContextBinding.cpp @ 1489]
13 0000004d6d7fd9d0 00007ffe1eb68917 xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0x101 [/builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp @ 3225]
14 (Inline Function) ---------------- xul!CallJSNative+0x9e [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 485]
15 0000004d6d7fda90 00007ffe2264fffd xul!js::InternalCallOrConstruct+0x177 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 577]
16 (Inline Function) ---------------- xul!InternalCall+0x95 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 640]
17 (Inline Function) ---------------- xul!js::CallFromStack+0x95 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 644]
18 0000004d6d7fdba0 00007ffe226684d0 xul!Interpret+0x1add [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 0]
19 (Inline Function) ---------------- xul!js::RunScript+0x1e3 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 457]
1a 0000004d6d7fe0f0 00007ffe22668665 xul!js::ExecuteKernel+0x2b0 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 832]
1b 0000004d6d7fe1b0 00007ffe227102e7 xul!js::Execute+0x85 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 864]
1c 0000004d6d7fe210 00007ffe1ee035f8 xul!ExecuteScript+0x107 [/builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp @ 403]
1d 0000004d6d7fe2b0 00007ffe1ee03575 xul!JS_ExecuteScript+0x48 [/builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp @ 429]
1e 0000004d6d7fe300 00007ffe215240ec xul!nsJSUtils::ExecutionContext::ExecScript+0x25 [/builds/worker/checkouts/gecko/dom/base/nsJSUtils.cpp @ 337]

Group: firefox-core-security → gfx-core-security
Component: Untriaged → Canvas: WebGL
Product: Firefox → Core

Jeff, could you please take a look? Thanks.

Flags: needinfo?(jgilbert)

How quickly should this crash? It's been running for at least a minute on a copy of 80release with no crash. Is there additional configuration to incur the crash?

Flags: needinfo?(jgilbert) → needinfo?(omair)

This crashes within 10 seconds at max on multiple machines I have tested (Windows 10 and Firefox 80.0.1).
No additional configuration changes are required. Just that ANGLE should be in use.

Flags: needinfo?(omair)

The testcase reproduces for me on Windows 10 using mozilla-central rev 8948d4a41f23.

Attached file prefs.js
Attachment #9174900 - Attachment mime type: application/x-javascript → text/plain
Status: UNCONFIRMED → NEW
Ever confirmed: true

Interesting, it definitely isn't crashing quickly for me. (no crash at all yet)
Can I get an about:support from both of you?

Flags: needinfo?(omair)

It's working for me on:

GPU #1
Active	Yes
Description	Radeon RX Vega
Vendor ID	0x1002
Device ID	0x687f
Driver Version	26.20.15019.19000
Driver Date	2-28-2020
Drivers	aticfx64 aticfx64 aticfx64 amdxc64 aticfx32 aticfx32 aticfx32 amdxc32 atiumd64 atidxx64 atidxx64 atiumdag atidxx32 atidxx32 atiumdva atiumd6a
Subsys ID	6b761002
RAM	8176
Flags: needinfo?(jkratzer)

Also ok on

GPU #1
Active	Yes
Description	AMD Radeon(TM) Graphics
Vendor ID	0x1002
Device ID	0x1636
Driver Version	26.20.14048.2
Driver Date	4-22-2020
Drivers	aticfx64 aticfx64 aticfx64 amdxc64 aticfx32 aticfx32 aticfx32 amdxc32 atiumd64 atidxx64 atidxx64 atiumdag atidxx32 atidxx32 atiumdva atiumd6a
Subsys ID	17ef1043
RAM	512

Also ok on

GPU #1
Active	Yes
Description	Intel(R) UHD Graphics 630
Vendor ID	0x8086
Device ID	0x3e9b
Driver Version	26.20.100.7263
Driver Date	9-25-2019
Drivers	igdumdim64 igd10iumd64 igd10iumd64 igd12umd64 igdumdim32 igd10iumd32 igd10iumd32 igd12umd32
Subsys ID	087c1028
RAM	0

Removed irrelevant info. :jgilbert, have you tested using an ASAN build?

Application Basics
------------------
Name: Firefox
Version: 82.0a1
Build ID: 20200910093613
Distribution ID:
Update Channel: default
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
OS: Windows_NT 10.0 18363
Launcher Process: Enabled
Multiprocess Windows: 1/1 Enabled by default
Remote Processes: 6
Enterprise Policies: Inactive
Google Location Service Key: Missing
Google Safebrowsing Key: Missing
Mozilla Location Service Key: Missing
Safe Mode: false

Remote Processes
----------------

Type: Web Content
Count: 1 / 4

Type: Privileged About
Count: 1

Type: Extension
Count: 1

Type: Preallocated
Count: 1

Type: GPU
Count: 1

Type: Socket
Count: 1

Graphics
--------
Features
Compositing: Basic
Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled; smooth pinch-zoom enabled
WebGL 1 Driver WSI Info: EGL_VENDOR: Google Inc. (adapter LUID: 0000000000004ef6) EGL_VERSION: 1.4 (ANGLE 2.1.0.6c72b64f910d) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_ANDROID_blob_cache EGL_ANDROID_recordable EGL_ANGLE_image_d3d11_texture EGL_ANGLE_create_context_backwards_compatible EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_ANGLE_explicit_context EGL_ANGLE_feature_control IsWebglOutOfProcessEnabled: 0
WebGL 1 Driver Renderer: Google Inc. -- ANGLE (Microsoft Basic Render Driver Direct3D11 vs_5_0 ps_5_0)
WebGL 1 Driver Version: OpenGL ES 2.0.0 (ANGLE 2.1.0.6c72b64f910d)
WebGL 1 Driver Extensions: GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_explicit_context GL_ANGLE_explicit_context_gles1 GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_memory_size GL_ANGLE_multi_draw GL_ANGLE_multiview_multisample GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_provoking_vertex GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_lose_context GL_CHROMIUM_sync_query GL_EXT_blend_func_extended GL_EXT_blend_minmax GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_float_blend GL_EXT_frag_depth GL_EXT_instanced_arrays GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_bptc GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_parallel_shader_compile GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_depth24 GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_3D GL_OES_texture_border_clamp GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float 
GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object OES_compressed_EAC_R11_signed_texture OES_compressed_EAC_R11_unsigned_texture OES_compressed_EAC_RG11_signed_texture OES_compressed_EAC_RG11_unsigned_texture OES_compressed_ETC2_RGB8_texture OES_compressed_ETC2_RGBA8_texture OES_compressed_ETC2_punchthroughA_RGBA8_texture OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture OES_compressed_ETC2_sRGB8_alpha8_texture OES_compressed_ETC2_sRGB8_texture
WebGL 1 Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_float_blend EXT_frag_depth EXT_shader_texture_lod EXT_sRGB EXT_texture_compression_bptc EXT_texture_filter_anisotropic MOZ_debug OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context
WebGL 2 Driver WSI Info: -
WebGL 2 Driver Renderer: WebGL creation failed: * Refused to create WebGL2 context because of blacklist entry: FEATURE_FAILURE_VM_VENDOR
WebGL 2 Driver Version: -
WebGL 2 Driver Extensions: -
WebGL 2 Extensions: -
Direct2D: Blocked for your graphics card because of unresolved driver issues.
Uses Tiling (Content): true
Off Main Thread Painting Enabled: true
Off Main Thread Painting Worker Count: 3
Target Frame Rate: 64
DirectWrite: true (10.0.18362.1082)
GPU #1
Active: Yes
Description: VirtualBox Graphics Adapter (WDDM)
Vendor ID: 0x80ee
Device ID: 0xbeef
Driver Version: 6.0.24.0
Driver Date: 7-9-2020
Drivers: VBoxDispD3D
Subsys ID: 040515ad
RAM: 0
GPU #2
Active: No
RAM: 0
Diagnostics
AzureCanvasBackend: skia
AzureCanvasBackend (UI Process): skia
AzureContentBackend: skia
AzureContentBackend (UI Process): skia
AzureFallbackCanvasBackend (UI Process): none
Display0: 3756x2026@64Hz
DisplayCount: 1
GPUProcessPid: 6896
GPUProcess: Terminate GPU Process
Device Reset: Trigger Device Reset
ClearType Parameters: Gamma: 1.8 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 50
Decision Log
HW_COMPOSITING:
available by default
D3D11_COMPOSITING:
available by default
Blocklisted; failure code BLOCKLIST_FEATURE_FAILURE_VM_VENDOR
DIRECT2D:
unavailable by default: Direct2D requires Direct3D 11 compositing
D3D11_HW_ANGLE:
unavailable by default: D3D11 compositing is disabled
disabled by env: D3D11 compositing is disabled
GPU_PROCESS:
available by default
WEBRENDER:
opt-in by default: WebRender is an opt-in feature
unavailable-no-angle by runtime: ANGLE is disabled
WEBRENDER_QUALIFIED:
available by default
blocklisted by env: No qualified hardware
WEBRENDER_COMPOSITOR:
available by default
blocklisted by env: Blocklisted by gfxInfo
unavailable by runtime: No DirectComposition usage
WEBRENDER_ANGLE:
opt-in by default: WebRender ANGLE is an opt-in feature
WEBRENDER_DCOMP_PRESENT:
opt-in by default: WebRender DirectComposition is an opt-in feature
OMTP:
available by default
WEBGPU:
disabled by default: Disabled by default

Media
-----
Audio Backend: wasapi
Max Channels: 2
Preferred Sample Rate: 44100
Roundtrip latency (standard deviation): 57.68ms (3.66)
Output Devices
Name: Group
Speakers (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Headphones (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Input Devices
Name: Group
Internal AUX Jack (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Microphone (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Media Capabilities
Enumerate database
Flags: needinfo?(jkratzer)

I have not tried ASAN builds.

My guess is that, even though it's crashing in ANGLE and not the driver, it's a difference in driver vendor/gpu that causes ANGLE to only take this affected codepath on certain systems/configurations.

It crashes for me on

GPU #1
Active Yes
Description NVIDIA GeForce GTX 1060 6GB
Vendor ID 0x10de
Device ID 0x1c03
Driver Version 27.21.14.5182
Driver Date 7-19-2020
Drivers C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumdx.dll,C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumdx.dll,C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumdx.dll,C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumdx.dll C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumd.dll,C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumd.dll,C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumd.dll,C:\Windows\System32\DriverStore\FileRepository\nv_dispui.inf_amd64_44810405883ed093\nvldumd.dll
Subsys ID 37161458
RAM 6144

And this as well

GPU #1
Active Yes
Description Intel(R) HD Graphics 4600
Vendor ID 0x8086
Device ID 0x0412
Driver Version 20.19.15.4835
Driver Date 10-16-2017
Drivers igdumdim64 igd10iumd64 igd10iumd64 igd12umd64 igdumdim32 igd10iumd32 igd10iumd32 igd12umd32
Subsys ID 00000000
RAM 0

Flags: needinfo?(omair)
Flags: sec-bounty?

I can't reproduce either, on a standard Release build (82.0) or ASAN Nightly. vcruntime140.dll is the one in \Windows\System32 and is version 14.26.28720.3 on my up-to-date version of Windows 10. Graphics is "NVIDIA Quadro M2000"

ASAN Nightly doesn't crash for me either.
But this still works on FF 82 on Windows 10 with vcruntime140.dll being version 14.27.29016.0 for me.

I also updated my nvidia drivers, still the same crash.

GPU #1
Active Yes
Description NVIDIA GeForce GTX 1060 6GB
Vendor ID 0x10de
Device ID 0x1c03
Driver Version 27.21.14.5671
Driver Date 9-30-2020

I am planning to disclose this bug on Dec 10th. Let me know if I can do it earlier, i.e. if you don't intend to fix this.

Assignee: nobody → jgilbert
Severity: -- → S3
Priority: -- → P1

Reformatted:

00 0000004d6d7fcb18 00007ffe58a31b93 VCRUNTIME140!memcpy+0xa2 [d:\agent_work\2\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 255]
01 (Inline Function) ---------------- libGLESv2!rx::`anonymous namespace'::StretchedBlitNearest_PixelByPixel+0x145 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 124]
02 0000004d6d7fcb20 00007ffe58a31eaa libGLESv2!rx::`anonymous namespace'::StretchedBlitNearest+0x2f3 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 158]
03 0000004d6d7fcc10 00007ffe58a315c9 libGLESv2!rx::Blit11::copyAndConvertImpl+0x25a [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 1271]
04 0000004d6d7fcd30 00007ffe58a31063 libGLESv2!rx::Blit11::copyAndConvert+0x199 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 1308]
05 0000004d6d7fce40 00007ffe58a55a41 libGLESv2!rx::Blit11::copyDepthStencilImpl+0x193 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @ 1211]
06 0000004d6d7fcf20 00007ffe58a40069 libGLESv2!rx::Renderer11::blitRenderbufferRect+0xb51 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp @ 0]
07 0000004d6d7fd160 00007ffe58a0207f libGLESv2!rx::Framebuffer11::blitImpl+0x3e9 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Framebuffer11.cpp @ 366]
08 0000004d6d7fd250 00007ffe589621c3 libGLESv2!rx::FramebufferD3D::blit+0x6f [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/FramebufferD3D.cpp @ 286]
09 0000004d6d7fd2d0 00007ffe5893ea22 libGLESv2!gl::Framebuffer::blit+0x53 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Framebuffer.cpp @ 1551]
0a 0000004d6d7fd320 00007ffe58afe9d9 libGLESv2!gl::Context::blitFramebuffer+0x162 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp @ 3640]
0b 0000004d6d7fd3d0 00007ffe1fe471d7 libGLESv2!gl::BlitFramebuffer+0xb9 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_3_0_autogen.cpp @ 169]
0c 0000004d6d7fd480 00007ffe20ca1828 xul!mozilla::gl::GLContext::raw_fBlitFramebuffer+0x97 [/builds/worker/workspace/obj-build/dist/include/GLContext.h @ 2491]
0d (Inline Function) ---------------- xul!mozilla::gl::GLContext::fBlitFramebuffer+0x46 [/builds/worker/checkouts/gecko/gfx/gl/GLContext.h @ 2477]
0e 0000004d6d7fd530 00007ffe20c753dc xul!mozilla::WebGLFramebuffer::BlitFramebuffer+0x978 [/builds/worker/checkouts/gecko/dom/canvas/WebGLFramebuffer.cpp @ 1516]
0f 0000004d6d7fd6a0 00007ffe20c432fe xul!mozilla::WebGL2Context::BlitFramebuffer+0x22c [/builds/worker/checkouts/gecko/dom/canvas/WebGL2ContextFramebuffers.cpp @ 65]
10 0000004d6d7fd760 00007ffe20c43024 xul!mozilla::ClientWebGLContext::Run<void (mozilla::HostWebGLContext::*)(int, int, int, int, int, int, int, int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlitFramebuffer,int &,int &,int &,int &,int &,int &,int &,int &,unsigned int &,unsigned int &>+0x28e [/builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp @ 313]
11 0000004d6d7fd860 00007ffe20866833 xul!mozilla::ClientWebGLContext::BlitFramebuffer+0x94 [/builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp @ 3433]
12 0000004d6d7fd8e0 00007ffe1ec91711 xul!mozilla::dom::WebGL2RenderingContext_Binding::blitFramebuffer+0x213 [/builds/worker/workspace/obj-build/dom/bindings/WebGL2RenderingContextBinding.cpp @ 1489]
13 0000004d6d7fd9d0 00007ffe1eb68917 xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0x101 [/builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp @ 3225]
14 (Inline Function) ---------------- xul!CallJSNative+0x9e [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 485]
15 0000004d6d7fda90 00007ffe2264fffd xul!js::InternalCallOrConstruct+0x177 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 577]
16 (Inline Function) ---------------- xul!InternalCall+0x95 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 640]
17 (Inline Function) ---------------- xul!js::CallFromStack+0x95 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 644]
18 0000004d6d7fdba0 00007ffe226684d0 xul!Interpret+0x1add [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 0]
19 (Inline Function) ---------------- xul!js::RunScript+0x1e3 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 457]
1a 0000004d6d7fe0f0 00007ffe22668665 xul!js::ExecuteKernel+0x2b0 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 832]
1b 0000004d6d7fe1b0 00007ffe227102e7 xul!js::Execute+0x85 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 864]
1c 0000004d6d7fe210 00007ffe1ee035f8 xul!ExecuteScript+0x107 [/builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp @ 403]
1d 0000004d6d7fe2b0 00007ffe1ee03575 xul!JS_ExecuteScript+0x48 [/builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp @ 429]
1e 0000004d6d7fe300 00007ffe215240ec xul!nsJSUtils::ExecutionContext::ExecScript+0x25 [/builds/worker/checkouts/gecko/dom/base/nsJSUtils.cpp @ 337]

The core of this is:

  • blit of STENCIL_BUFFER_BIT
  • from a 4x4 rect "at" (453, 17) "within" a 4x4 DEPTH_STENCIL format RB attached only to STENCIL_ATTACHMENT
  • to a 4x4 rect "at" (8400, 160) "within" the 1024x1024 (depth:true) stencil:true antialias:false backbuffer

I'm surprised we're even letting this fully-out-of-bounds blit get all the way to the driver!

This might be as easy as turning off no-error mode so that ANGLE validates better.

I have a patch to do this properly in our own code, but it's pretty complicated to drop on e.g. ESR or Release without testing on Nightly/Beta.

I can probably land that as a "behavior improvement" without being a sec-bug, and we can uplift it if it works out well there.

(In reply to Omair from comment #17)

I am planning to disclose this bug on Dec 10th. Let me know if I can do it earlier, i.e. if you don't intend to fix this.

Can we embargo until Firefox 84's release on Dec 15?

Flags: needinfo?(omair)
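The clipping that jgilbert says is missing here, written as an added example (not ANGLE's or Gecko's code): it clips a blitFramebuffer source and destination rect to their attachments' sizes before any copy, so the report's 4x4 source rect at (453, 17) in a 4x4 renderbuffer and 4x4 destination rect at (8400, 160) in the 1024x1024 backbuffer are both recognised as entirely out of bounds and the blit is skipped instead of reaching StretchedBlitNearest_PixelByPixel. The Rect/Extent/ClipResult types, the rounding in mapRect and the bufferSize argument of pixelInBounds (which checks the page's destPixel offset against the allocation) are assumptions of this example.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <utility>

// Integer rectangle in the blitFramebuffer convention: two corners, (x0, y0)
// and (x1, y1). After normalisation x0/y0 are inclusive and x1/y1 exclusive.
struct Rect {
    int64_t x0, y0, x1, y1;
    int64_t width() const { return x1 - x0; }
    int64_t height() const { return y1 - y0; }
    bool empty() const { return width() <= 0 || height() <= 0; }
    bool operator==(const Rect& o) const {
        return x0 == o.x0 && y0 == o.y0 && x1 == o.x1 && y1 == o.y1;
    }
};

// Size in pixels of a framebuffer attachment (renderbuffer or backbuffer).
struct Extent {
    int64_t width, height;
};

struct ClipResult {
    bool valid;  // false: nothing left to copy, the blit must be skipped
    Rect src, dst;
};

// blitFramebuffer allows flipped rects (x0 > x1). Normalise so the arithmetic
// below can assume x0 <= x1 and y0 <= y1. A real implementation must remember
// the flip and reverse the copy direction; this example drops it.
Rect normalized(Rect r) {
    if (r.x0 > r.x1) std::swap(r.x0, r.x1);
    if (r.y0 > r.y1) std::swap(r.y0, r.y1);
    return r;
}

// Intersect a normalised rect with [0, width) x [0, height).
Rect intersect(Rect r, Extent e) {
    Rect out;
    out.x0 = std::max<int64_t>(r.x0, 0);
    out.y0 = std::max<int64_t>(r.y0, 0);
    out.x1 = std::min<int64_t>(r.x1, e.width);
    out.y1 = std::min<int64_t>(r.y1, e.height);
    return out;
}

// Map the sub-rectangle `sub` of `from` onto the corresponding region of `to`,
// i.e. apply the blit's scale factor. Start edges round down and end edges
// round up, so a non-empty `sub` always maps to a non-empty region.
Rect mapRect(Rect sub, Rect from, Rect to) {
    double sx = static_cast<double>(to.width()) / static_cast<double>(from.width());
    double sy = static_cast<double>(to.height()) / static_cast<double>(from.height());
    Rect out;
    out.x0 = static_cast<int64_t>(std::floor(to.x0 + (sub.x0 - from.x0) * sx));
    out.y0 = static_cast<int64_t>(std::floor(to.y0 + (sub.y0 - from.y0) * sy));
    out.x1 = static_cast<int64_t>(std::ceil(to.x0 + (sub.x1 - from.x0) * sx));
    out.y1 = static_cast<int64_t>(std::ceil(to.y0 + (sub.y1 - from.y0) * sy));
    return out;
}

// Clip a blit to the bounds of both attachments before it reaches the backend.
// The destination is clipped first and the source shrunk by the same fraction,
// then the source is clipped and the destination shrunk to match.
ClipResult clipBlit(Rect src, Extent srcExtent, Rect dst, Extent dstExtent) {
    ClipResult none{false, Rect{0, 0, 0, 0}, Rect{0, 0, 0, 0}};
    src = normalized(src);
    dst = normalized(dst);
    if (src.empty() || dst.empty()) return none;

    Rect dstClipped = intersect(dst, dstExtent);
    if (dstClipped.empty()) return none;  // e.g. (8400,160)-(8404,164) in 1024x1024
    Rect srcClipped = mapRect(dstClipped, dst, src);

    Rect srcFinal = intersect(srcClipped, srcExtent);
    if (srcFinal.empty()) return none;    // e.g. (453,17)-(457,21) in 4x4
    Rect dstFinal = intersect(mapRect(srcFinal, srcClipped, dstClipped), dstExtent);
    if (dstFinal.empty()) return none;
    return ClipResult{true, srcFinal, dstFinal};
}

// Defence in depth at the level of the page's destPixel expression: check the
// computed byte offset against the allocation before touching memory.
// bufferSize is an assumption of this example (the mapped resource's size).
bool pixelInBounds(int64_t row, int64_t col, int64_t rowPitch,
                   int64_t pixelStride, int64_t pixelSize, int64_t bufferSize) {
    if (row < 0 || col < 0) return false;
    int64_t offset = row * rowPitch + col * pixelStride;
    return offset + pixelSize <= bufferSize;
}
```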

(In reply to Jason Kratzer [:jkratzer] from comment #10)

Removed irrelevant info. :jgilbert, have you tested using an ASAN build?

Application Basics
------------------
Name: Firefox
Version: 82.0a1
Build ID: 20200910093613
Distribution ID:
Update Channel: default
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
OS: Windows_NT 10.0 18363
Launcher Process: Enabled
Multiprocess Windows: 1/1 Enabled by default
Remote Processes: 6
Enterprise Policies: Inactive
Google Location Service Key: Missing
Google Safebrowsing Key: Missing
Mozilla Location Service Key: Missing
Safe Mode: false

Remote Processes
----------------

Type: Web Content
Count: 1 / 4

Type: Privileged About
Count: 1

Type: Extension
Count: 1

Type: Preallocated
Count: 1

Type: GPU
Count: 1

Type: Socket
Count: 1

Graphics
--------
Features
Compositing: Basic
Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled; smooth pinch-zoom enabled
WebGL 1 Driver WSI Info: EGL_VENDOR: Google Inc. (adapter LUID: 0000000000004ef6) EGL_VERSION: 1.4 (ANGLE 2.1.0.6c72b64f910d) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_ANDROID_blob_cache EGL_ANDROID_recordable EGL_ANGLE_image_d3d11_texture EGL_ANGLE_create_context_backwards_compatible EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_ANGLE_explicit_context EGL_ANGLE_feature_control IsWebglOutOfProcessEnabled: 0
WebGL 1 Driver Renderer: Google Inc. -- ANGLE (Microsoft Basic Render Driver Direct3D11 vs_5_0 ps_5_0)
WebGL 1 Driver Version: OpenGL ES 2.0.0 (ANGLE 2.1.0.6c72b64f910d)
WebGL 1 Driver Extensions: GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_explicit_context GL_ANGLE_explicit_context_gles1 GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_memory_size GL_ANGLE_multi_draw GL_ANGLE_multiview_multisample GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_provoking_vertex GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_lose_context GL_CHROMIUM_sync_query GL_EXT_blend_func_extended GL_EXT_blend_minmax GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_float_blend GL_EXT_frag_depth GL_EXT_instanced_arrays GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_bptc GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_parallel_shader_compile GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_depth24 GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_3D GL_OES_texture_border_clamp GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float 
GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object OES_compressed_EAC_R11_signed_texture OES_compressed_EAC_R11_unsigned_texture OES_compressed_EAC_RG11_signed_texture OES_compressed_EAC_RG11_unsigned_texture OES_compressed_ETC2_RGB8_texture OES_compressed_ETC2_RGBA8_texture OES_compressed_ETC2_punchthroughA_RGBA8_texture OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture OES_compressed_ETC2_sRGB8_alpha8_texture OES_compressed_ETC2_sRGB8_texture
WebGL 1 Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_float_blend EXT_frag_depth EXT_shader_texture_lod EXT_sRGB EXT_texture_compression_bptc EXT_texture_filter_anisotropic MOZ_debug OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context
WebGL 2 Driver WSI Info: -
WebGL 2 Driver Renderer: WebGL creation failed: * Refused to create WebGL2 context because of blacklist entry: FEATURE_FAILURE_VM_VENDOR
WebGL 2 Driver Version: -
WebGL 2 Driver Extensions: -
WebGL 2 Extensions: -
Direct2D: Blocked for your graphics card because of unresolved driver issues.
Uses Tiling (Content): true
Off Main Thread Painting Enabled: true
Off Main Thread Painting Worker Count: 3
Target Frame Rate: 64
DirectWrite: true (10.0.18362.1082)
GPU #1
Active: Yes
Description: VirtualBox Graphics Adapter (WDDM)
Vendor ID: 0x80ee
Device ID: 0xbeef
Driver Version: 6.0.24.0
Driver Date: 7-9-2020
Drivers: VBoxDispD3D
Subsys ID: 040515ad
RAM: 0
GPU #2
Active: No
RAM: 0
Diagnostics
AzureCanvasBackend: skia
AzureCanvasBackend (UI Process): skia
AzureContentBackend: skia
AzureContentBackend (UI Process): skia
AzureFallbackCanvasBackend (UI Process): none
CMSOutputProfile:
Display0: 3756x2026@64Hz
DisplayCount: 1
GPUProcessPid: 6896
GPUProcess: Terminate GPU Process
Device Reset: Trigger Device Reset
ClearType Parameters: Gamma: 1.8 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 50
Decision Log
HW_COMPOSITING:
available by default
D3D11_COMPOSITING:
available by default
Blocklisted; failure code BLOCKLIST_FEATURE_FAILURE_VM_VENDOR
DIRECT2D:
unavailable by default: Direct2D requires Direct3D 11 compositing
D3D11_HW_ANGLE:
unavailable by default: D3D11 compositing is disabled
disabled by env: D3D11 compositing is disabled
GPU_PROCESS:
available by default
WEBRENDER:
opt-in by default: WebRender is an opt-in feature
unavailable-no-angle by runtime: ANGLE is disabled
WEBRENDER_QUALIFIED:
available by default
blocklisted by env: No qualified hardware
WEBRENDER_COMPOSITOR:
available by default
blocklisted by env: Blocklisted by gfxInfo
unavailable by runtime: No DirectComposition usage
WEBRENDER_ANGLE:
opt-in by default: WebRender ANGLE is an opt-in feature
WEBRENDER_DCOMP_PRESENT:
opt-in by default: WebRender DirectComposition is an opt-in feature
OMTP:
available by default
WEBGPU:
disabled by default: Disabled by default

Media
-----
Audio Backend: wasapi
Max Channels: 2
Preferred Sample Rate: 44100
Roundtrip latency (standard deviation): 57.68ms (3.66)
Output Devices
Name: Group
Speakers (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Headphones (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Input Devices
Name: Group
Internal AUX Jack (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Microphone (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034\4&22a99211&0&0001
Media Capabilities
Enumerate database

Wait did this actually repro for you? This says webgl2 is not available.

Flags: needinfo?(jkratzer)

:jgilbert, yes - it did. I have noticed however, that under my Windows 10 VM, WebGL2 can't be detected unless I set webgl2.force-enabled == true.

Flags: needinfo?(jkratzer)

(In reply to Jason Kratzer [:jkratzer] from comment #23)

:jgilbert, yes - it did. I have noticed however, that under my Windows 10 VM, WebGL2 can't be detected unless I set webgl2.force-enabled == true.

I need the about:support from the exact instance of the browser that reproduces the crash. (about:support is not consistent for a given machine) Can you test again for me?

Flags: needinfo?(jkratzer)

Some drivers have trouble with this.

(In reply to Jeff Gilbert [:jgilbert] from comment #21)

(In reply to Omair from comment #17)

I am planning to disclose this bug on Dec 10th. Let me know if I can do it earlier i.e. if you don't intend to fix this.

Can we embargo until Firefox 84's release on Dec 15?

Yes, let's do that.

Flags: needinfo?(omair)

Thanks!

E.g. Blitting 1,1,-1,-1 to 0,2,2,0.
Primarily tested by
conformance2/rendering/blitframebuffer-filter-outofbounds.html.

Because this passes a new test, we can sneak this out in bug 1679052, and backport it as needed.

Flags: needinfo?(jkratzer)
See Also: → 1679052
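The flipped, partly out-of-bounds blit named in the comment above (1,1,-1,-1 to 0,2,2,0) is exactly the kind of input a pixel-by-pixel blit has to clip before it computes a write address. The following C++ is an added example, not ANGLE's code and not the patch landed in bug 1679052: it normalises the orientation of the rectangles, intersects the destination rectangle with the destination image before the loop, and range-checks every source read, so neither `writeRow`/`writeColumn` nor `readRow`/`readColumn` can reach outside either buffer. `Rect`, `Image`, `blitNearestSafe` and `runBlit` are hypothetical names, and the 4x4 images are constructed fixtures.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Hypothetical types for this example (not ANGLE's).
struct Rect {
    int x0, y0, x1, y1;  // corners as passed to blitFramebuffer, in any orientation
};

struct Image {
    int width, height;
    std::vector<uint8_t> pixels;  // one byte per pixel, row-major, no padding
    Image(int w, int h, uint8_t fill)
        : width(w), height(h), pixels(static_cast<size_t>(w) * h, fill) {}
    bool contains(int x, int y) const {
        return x >= 0 && y >= 0 && x < width && y < height;
    }
    uint8_t &at(int x, int y) { return pixels[static_cast<size_t>(y) * width + x]; }
    uint8_t at(int x, int y) const { return pixels[static_cast<size_t>(y) * width + x]; }
};

// Swap both rectangles' corners on any axis where the destination is reversed.
// Afterwards dst.x0 <= dst.x1 and dst.y0 <= dst.y1; the pixel mapping is unchanged
// because a reversed source rectangle still expresses the mirror.
static void normalizeOrientation(Rect &src, Rect &dst) {
    if (dst.x1 < dst.x0) { std::swap(dst.x0, dst.x1); std::swap(src.x0, src.x1); }
    if (dst.y1 < dst.y0) { std::swap(dst.y0, dst.y1); std::swap(src.y0, src.y1); }
}

// Nearest-filter blit that cannot index outside either buffer:
//   * the destination rectangle is intersected with the destination image before the loop,
//   * every source coordinate is range-checked before the read.
// Returns the number of destination pixels written.
int blitNearestSafe(const Image &srcImg, Rect src, Image &dstImg, Rect dst) {
    normalizeOrientation(src, dst);
    const int dstW = dst.x1 - dst.x0, dstH = dst.y1 - dst.y0;
    if (dstW == 0 || dstH == 0) return 0;  // degenerate rectangle, nothing to blit

    // Clip the destination rectangle to the destination image; the loop range below is
    // valid by construction instead of trusting the caller's write row/column.
    const int cx0 = std::max(dst.x0, 0), cx1 = std::min(dst.x1, dstImg.width);
    const int cy0 = std::max(dst.y0, 0), cy1 = std::min(dst.y1, dstImg.height);
    if (cx0 >= cx1 || cy0 >= cy1) return 0;  // entirely outside the destination

    const double scaleX = static_cast<double>(src.x1 - src.x0) / dstW;
    const double scaleY = static_cast<double>(src.y1 - src.y0) / dstH;

    int written = 0;
    for (int y = cy0; y < cy1; ++y) {
        // Sample at the centre of the destination pixel; floor() picks the nearest source row.
        const int sy = static_cast<int>(std::floor(src.y0 + (y - dst.y0 + 0.5) * scaleY));
        for (int x = cx0; x < cx1; ++x) {
            const int sx = static_cast<int>(std::floor(src.x0 + (x - dst.x0 + 0.5) * scaleX));
            if (!srcImg.contains(sx, sy)) continue;  // source pixel lies outside the source
            dstImg.at(x, y) = srcImg.at(sx, sy);
            ++written;
        }
    }
    return written;
}

// Constructed fixture: a 4x4 source whose pixel value encodes its position (x + 4*y),
// blitted into a 4x4 destination pre-filled with 0xFF so written pixels are visible.
struct BlitResult {
    int written;
    Image dst;
};

BlitResult runBlit(Rect src, Rect dst) {
    Image source(4, 4, 0);
    for (int y = 0; y < 4; ++y)
        for (int x = 0; x < 4; ++x)
            source.at(x, y) = static_cast<uint8_t>(x + 4 * y);
    Image dest(4, 4, 0xFF);
    const int n = blitNearestSafe(source, src, dest, dst);
    return BlitResult{n, dest};
}

int main() {
    // The comment's flipped blit: src 1,1,-1,-1 -> dst 0,2,2,0.
    BlitResult flipped = runBlit(Rect{1, 1, -1, -1}, Rect{0, 2, 2, 0});
    std::printf("flipped blit wrote %d pixel(s); dst(0,1)=%d\n",
                flipped.written, static_cast<int>(flipped.dst.at(0, 1)));
    // A destination rectangle far outside a 4x4 buffer clips to nothing.
    BlitResult far = runBlit(Rect{0, 0, 4, 4}, Rect{1000, 1000, 1004, 1004});
    std::printf("far blit wrote %d pixel(s)\n", far.written);
    return 0;
}
```

With the comment's rectangles only the destination pixel (0,1) maps to a source pixel that exists, so one pixel is written and the rest of the destination is untouched; a destination rectangle that lies entirely outside the buffer clips to an empty range and the loop never runs. Skipping source reads that fall outside the source image is a conservative choice for this example; the GL specification leaves the result of such reads undefined, and an implementation may pick any safe behaviour as long as no read or write leaves its buffer.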

(In reply to Jeff Gilbert [:jgilbert] from comment #32)

Omair, does this patched (asan) build fix it? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/f9NaWNpvSFKnAW_OTZOLzw/runs/0/artifacts/public/build/target.zip

I have reported many crashes in Firefox related to webGL. But I have never been able to reproduce even one on the ASAN Windows build. I will give it a try nonetheless.

Flags: needinfo?(omair)

Oof, ok! Not what we expect, for sure!
Here's our "Windows 2012 x64 shippable opt" build instead: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Lln_8b7KT5yZyr2z5xvDPw/runs/0/artifacts/public/build/target.zip

Doesn't crash on either of these builds.

Attachment #9188687 - Attachment is obsolete: true
Attachment #9188692 - Attachment is obsolete: true

Hi Jeff, is this ready for sec-approval and landing?

Flags: needinfo?(jgilbert)

In discussions with lsalzman we decided to use the full fix even for backports, instead of the less-risky-but-backwards-incompatible patch. Since that patch fixes tests we have, I landed the full fix there as an ostensibly non-sec defect fix. This is therefore fixed now in 85, and we need only backport to beta and esr(s?).

Flags: needinfo?(jgilbert)
Attached file backport plan

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Difficult: Even understanding how this behavior might misbehave on drivers, it's difficult to find a way to leverage this into something actionable, much less reliable.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Only the names (and nature) of the now-passing test allude to the problem, and it's not clear from there how to apply it. Commit comments mention (truly) that only some drivers have problems with this, which is fairly common phrasing for our other driver bug workarounds.

Which older supported branches are affected by this flaw?
All older supported.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The patches should graft cleanly onto older branches.

How likely is this patch to cause regressions; how much testing does it need?
Unlikely to cause regressions: It's a great sign that the only CI test outcome this changed was an unexpected-pass, that was previously marked as expected-fail. I don't think we need targeted testing, and we've landed this already on 85 nightly to no known ill effect.

Attachment #9190462 - Flags: sec-approval?
Depends on: 1679052
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
Flags: sec-bounty? → sec-bounty+

Comment on attachment 9190462 [details]
backport plan

sec-approval+

Attachment #9190462 - Flags: sec-approval? → sec-approval+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jgilbert)
Whiteboard: [sec-survey]

Comment on attachment 9190462 [details]
backport plan

Beta/Release Uplift Approval Request

  • User impact if declined: sec-high
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: esr78
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Not risky for Beta: While the code is a little complicated, this has been baking on Nightly already so the chance of regressions that we haven't found yet is fairly low.
  • String changes made/needed: none
Flags: needinfo?(jgilbert)
Attachment #9190462 - Flags: approval-mozilla-beta?

Comment on attachment 9190462 [details]
backport plan

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
  • User impact if declined: sec-high
  • Fix Landed on Version: 85
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Less risky:
      • We're already shipping this fix on Nightly
      • I don't believe the surrounding code has changed (much)
      • We have a test on CI that should give us a signal if we broke anything
  • String or UUID changes made by this patch: none
Attachment #9190462 - Flags: approval-mozilla-esr78?

Comment on attachment 9190462 [details]
backport plan

Approved for 84.0b8 and 78.6esr.

Attachment #9190462 - Flags: approval-mozilla-esr78?
Attachment #9190462 - Flags: approval-mozilla-esr78+
Attachment #9190462 - Flags: approval-mozilla-beta?
Attachment #9190462 - Flags: approval-mozilla-beta+
Whiteboard: [sec-survey] → [sec-survey][adv-main84+]
Attached file advisory.txt

Here's an attempt at an advisory. I am unclear on if this is Windows only, or the type of overflow (I'm guessing it must be a write to cause the crash.)

Flags: needinfo?(jgilbert)
Whiteboard: [sec-survey][adv-main84+] → [sec-survey][adv-main84+][adv-esr78.6+]

That sounds accurate, and I'm fine with it being imprecise.

Flags: needinfo?(jgilbert)
Group: core-security-release