Closed Bug 1672920 Opened 4 years ago Closed 4 years ago

AddressSanitizer: heap-use-after-free [@ strlen] with READ of size 21 through Mesa

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, regression, sec-high, Whiteboard: driver-specific)

Attachments

(1 file)

Detailed Crash Information
16.75 KB, text/plain
Details

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 84.0a1-20201022093646-https://hg.mozilla.org/mozilla-central/rev/03de9a8a6f7c949b046b5a1197988391ede9e84f.

For detailed crash information, see attachment.

This bug is probably not in our code, but in RedHat Mesa. We should try to report this to RedHat and see if they can figure out a solution.

Dan, do we have security contacts at RedHat that we can simply Cc here?

Flags: needinfo?(dveditz)

Mesa bisecting:

$ git bisect log
git bisect start
# bad: [b2c737cf57382d543002177b6e4810b19ab62c74] virgl: Fixes portal2 binary name in tweak config
git bisect bad b2c737cf57382d543002177b6e4810b19ab62c74
# good: [2015a109ff287cdf04607d5acc540aae2e87daa3] anv,iris: Use the data cache for UBO pulls on Gen12+
git bisect good 2015a109ff287cdf04607d5acc540aae2e87daa3
# good: [da4c4c0e6785d48b6aa053766e73e80df292ce82] gallium/ntt: Add default compiler options for non-native-NIR drivers.
git bisect good da4c4c0e6785d48b6aa053766e73e80df292ce82
# good: [3bb7ebfc7504af0e85596f3ad4b72a2ede10d227] glx: move __glXGetUST into the DRI1 code
git bisect good 3bb7ebfc7504af0e85596f3ad4b72a2ede10d227
# bad: [9d1d3a89c49b4afab3e6ff7fcca2ac14347d4dca] ci: Move test-docs job to deploy stage
git bisect bad 9d1d3a89c49b4afab3e6ff7fcca2ac14347d4dca
# good: [c69849ef803bee8296c961df355499b42c76e973] amd: update addrlib
git bisect good c69849ef803bee8296c961df355499b42c76e973
# good: [1126b5cd2f14776b1554591e5cc238e05882b5ef] Revert "st/mesa: don't pass NIR to draw module if IO is lowered"
git bisect good 1126b5cd2f14776b1554591e5cc238e05882b5ef
# bad: [549ae5f84375dfadb86cfd465f0103acfae3249f] st/mesa: make sure prog->info is up to date for NIR (v2)
git bisect bad 549ae5f84375dfadb86cfd465f0103acfae3249f
# first bad commit: [549ae5f84375dfadb86cfd465f0103acfae3249f] st/mesa: make sure prog->info is up to date for NIR (v2)

p.s. sorry I couldn't edit/remove my previous comment.

Group: core-security → gfx-core-security

Martin, Huzaifa: we think this is a bug in a RedHat driver. Could one of you please get us in touch with the right RedHat folks on this? Feel free to CC them here.

Flags: needinfo?(stransky)
Flags: needinfo?(huzaifas)
Flags: needinfo?(dveditz)
Keywords: sec-high
Whiteboard: driver-specific
Blocks: gfx-triage

Since this looks like an upstream Mesa issue, not a Red Hat specific one, I'd suggest filing an issue at https://gitlab.freedesktop.org/mesa/mesa/-/issues/new with the This issue is confidential and should only be visible to team members with at least Reporter access box checked.

Flags: needinfo?(stransky)

Upstream issue has been fixed.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Do we need to denylist affected drivers here to prevent crashes, particularly as WR is probably staying in the Linux Parent process?

Flags: needinfo?(huzaifas) → needinfo?(jmuizelaar)

Do we have a repro case here? Since this is a crash I have some concern about webgl possibly being affected. It looks like it might be a misinterpreted shader?

I've asked for more information on mesa issue

Flags: needinfo?(jmuizelaar)

Do we have a repro case here?

  1. Download Firefox Nightly Asan https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.mozilla-central.shippable.latest.firefox.linux64-asan-reporter-opt/artifacts/public/build/target.tar.bz2
  2. Launch Firefox Nightly Asan
  3. Open https://www.youtube.com/
  4. Try to play any video.
    Here crash is happens.

Thanks!

Group: gfx-core-security → core-security-release

Is everyone satisfied with the status of this bug now? Is there anything left to do here?

Flags: needinfo?(jmuizelaar)
Flags: needinfo?(jgilbert)

I don't believe there's anything left to do here. From the mesa issue:
"No released versions are affected. The bug was only in the master branch."

Flags: needinfo?(jmuizelaar)

That's great! Sounds like we should be good then!

Flags: needinfo?(jgilbert)
No longer blocks: gfx-triage
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: