AddressSanitizer: heap-use-after-free [@ strlen] with READ of size 21 through Mesa
Categories: Core :: Graphics, defect
People: Reporter: decoder, Unassigned
Keywords: crash, regression, sec-high; Whiteboard: driver-specific
Attachments: 1 file (16.75 KB, text/plain)
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 84.0a1-20201022093646-https://hg.mozilla.org/mozilla-central/rev/03de9a8a6f7c949b046b5a1197988391ede9e84f.
For detailed crash information, see attachment.
This bug is probably not in our code, but in RedHat Mesa. We should try to report this to RedHat and see if they can figure out a solution.
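The title names the bug class ("heap-use-after-free [@ strlen] with READ of size 21") but the report itself is only in the attachment. The following is an added, constructed C illustration of that class, not Mesa's or Firefox's code and not the actual defect bisected below: a consumer struct keeps a pointer to a string owned by another object, the owner is destroyed, and strlen() on the dangling pointer is the use-after-free read. The struct and function names (program, program_info, info_borrow_name, info_copy_name) are hypothetical. The hardened variant gives the consumer its own copy so the owner's lifetime no longer matters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical owner of a heap-allocated name string. */
struct program {
    char *name;
};

/* Hypothetical consumer that needs the name after the owner may be gone. */
struct program_info {
    const char *name;
};

/* Portable strdup() replacement so the example does not depend on feature macros. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

static struct program *program_create(const char *name)
{
    struct program *prog = calloc(1, sizeof(*prog));
    if (!prog)
        return NULL;
    prog->name = dup_string(name);
    if (!prog->name) {
        free(prog);
        return NULL;
    }
    return prog;
}

static void program_destroy(struct program *prog)
{
    if (!prog)
        return;
    free(prog->name);   /* the heap block that info->name may still alias */
    free(prog);
}

/* Vulnerable pattern: the info struct borrows the owner's pointer. After
 * program_destroy() the pointer dangles, and strlen() on it is a
 * heap-use-after-free READ of strlen(name) + 1 bytes: ASan's strlen
 * interceptor checks the terminating NUL too, so a 20-character name is
 * reported as "READ of size 21". */
static void info_borrow_name(struct program_info *info, const struct program *prog)
{
    info->name = prog->name;
}

/* Hardened pattern: the info struct owns a private copy, released with
 * info_release_name(). Destroying the owner cannot invalidate it. */
static int info_copy_name(struct program_info *info, const struct program *prog)
{
    info->name = dup_string(prog->name);
    return info->name ? 0 : -1;
}

static void info_release_name(struct program_info *info)
{
    free((char *)info->name);
    info->name = NULL;
}

/* Destroy the owner first, then measure the name through the info struct.
 * copy == 1 takes the hardened path and returns the true length (20 for the
 * constructed name). copy == 0 reproduces the bug class: built with
 * -fsanitize=address it aborts with heap-use-after-free [@ strlen]. */
static size_t name_length_after_owner_destroyed(int copy)
{
    struct program *prog = program_create("constructed-name-abc"); /* 20 chars */
    struct program_info info = { 0 };
    size_t len;

    if (!prog)
        return 0;
    if (copy) {
        if (info_copy_name(&info, prog) != 0) {
            program_destroy(prog);
            return 0;
        }
    } else {
        info_borrow_name(&info, prog);
    }

    program_destroy(prog);      /* frees prog->name */
    len = strlen(info.name);    /* dangling read when copy == 0 */

    if (copy)
        info_release_name(&info);
    return len;
}

int main(int argc, char **argv)
{
    /* Pass "uaf" as the only argument (and build with -fsanitize=address) to
     * trigger the report; otherwise only the hardened path runs. */
    int copy = !(argc > 1 && strcmp(argv[1], "uaf") == 0);
    printf("name length after owner destroyed: %zu\n",
           name_length_after_owner_destroyed(copy));
    return 0;
}
```

Build with `cc -g -fsanitize=address example.c -o example` and run `./example uaf` to see the same shape of report as the title (a READ at strlen, freed in program_destroy); the default invocation exercises only the copying variant. The fix direction shown (copy at the hand-off, or otherwise tie the consumer's lifetime to the owner's) is the general remedy for this class, not a statement about how the Mesa commit below was fixed.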
Comment 1•4 years ago (Reporter)
Comment 2•4 years ago (Reporter)
Dan, do we have security contacts at RedHat that we can simply Cc here?
Comment hidden (obsolete)
Mesa bisecting:
$ git bisect log
git bisect start
# bad: [b2c737cf57382d543002177b6e4810b19ab62c74] virgl: Fixes portal2 binary name in tweak config
git bisect bad b2c737cf57382d543002177b6e4810b19ab62c74
# good: [2015a109ff287cdf04607d5acc540aae2e87daa3] anv,iris: Use the data cache for UBO pulls on Gen12+
git bisect good 2015a109ff287cdf04607d5acc540aae2e87daa3
# good: [da4c4c0e6785d48b6aa053766e73e80df292ce82] gallium/ntt: Add default compiler options for non-native-NIR drivers.
git bisect good da4c4c0e6785d48b6aa053766e73e80df292ce82
# good: [3bb7ebfc7504af0e85596f3ad4b72a2ede10d227] glx: move __glXGetUST into the DRI1 code
git bisect good 3bb7ebfc7504af0e85596f3ad4b72a2ede10d227
# bad: [9d1d3a89c49b4afab3e6ff7fcca2ac14347d4dca] ci: Move test-docs job to deploy stage
git bisect bad 9d1d3a89c49b4afab3e6ff7fcca2ac14347d4dca
# good: [c69849ef803bee8296c961df355499b42c76e973] amd: update addrlib
git bisect good c69849ef803bee8296c961df355499b42c76e973
# good: [1126b5cd2f14776b1554591e5cc238e05882b5ef] Revert "st/mesa: don't pass NIR to draw module if IO is lowered"
git bisect good 1126b5cd2f14776b1554591e5cc238e05882b5ef
# bad: [549ae5f84375dfadb86cfd465f0103acfae3249f] st/mesa: make sure prog->info is up to date for NIR (v2)
git bisect bad 549ae5f84375dfadb86cfd465f0103acfae3249f
# first bad commit: [549ae5f84375dfadb86cfd465f0103acfae3249f] st/mesa: make sure prog->info is up to date for NIR (v2)
p.s. sorry I couldn't edit/remove my previous comment.
Comment 5•4 years ago
Martin, Huzaifa: we think this is a bug in a RedHat driver. Could one of you please get us in touch with the right RedHat folks on this? Feel free to CC them here.
Comment 6•4 years ago
Since this looks like an upstream Mesa issue, not a Red Hat specific one, I'd suggest filing an issue at https://gitlab.freedesktop.org/mesa/mesa/-/issues/new with the "This issue is confidential and should only be visible to team members with at least Reporter access" box checked.
Comment 7•4 years ago
Comment 8•4 years ago
Upstream issue has been fixed.
Comment 9•4 years ago
Do we need to denylist affected drivers here to prevent crashes, particularly as WR is probably staying in the Linux Parent process?
Comment 10•4 years ago
Do we have a repro case here? Since this is a crash I have some concern about webgl possibly being affected. It looks like it might be a misinterpreted shader?
Comment 12•4 years ago
> Do we have a repro case here?
- Download Firefox Nightly Asan https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.mozilla-central.shippable.latest.firefox.linux64-asan-reporter-opt/artifacts/public/build/target.tar.bz2
- Launch Firefox Nightly Asan
- Open https://www.youtube.com/
- Try to play any video.
Here the crash happens.
Comment 13•4 years ago
Thanks!
Comment 14•4 years ago
Is everyone satisfied with the status of this bug now? Is there anything left to do here?
Comment 15•4 years ago
I don't believe there's anything left to do here. From the mesa issue:
"No released versions are affected. The bug was only in the master branch."
Comment 16•4 years ago
That's great! Sounds like we should be good then!