1699077 - (CVE-2021-23994) webgl OOBW in drawbuffers

Omair

Reporter

Description

•

4 years ago

Attached file drawbuffers-fill-memset-poc.html — Details

##Crash Environment:
Firefox Nightly : 88.0a1 (2021-03-16) (64-bit)

##Crash Analysis:
Crash occurs in VCRUNTIME140!memset+0xd0 at the following instruction:

movntps xmmword ptr [rcx],xmm0

Further analyzing the crash from PoC we can confirm that the crash occurs while executing drawBuffers() function after calling deleteFramebuffer() function.
When debugging the PoC, at the start of libGLESv2!gl::Framebuffer::setDrawBuffers function the values for mDrawBufferStates and mReadBufferState is 0x405. Whereas when we remove deleteFramebuffer call from the PoC the states value is 0x8ce0 for both mDrawBufferStates and mReadBufferState.

From the debugger we can see that the value at gl context + 120h stores the pointer for the start of mDrawBuffer and context + 128h contains the end pointer of mDrawBuffer. In case of PoC the difference between the start and end is 4 bytes whereas the difference when not using deleteFramebuffer in PoC is 32 bytes.

Thus, when executing the function std::fill we see the following assembly instructions:

  18004c18f 48 8b 87 20 01 00 00           MOV        RAX,qword ptr [RDI + 0x120]
  18004c196 48 8b 97 28 01 00 00           MOV        RDX,qword ptr [RDI + 0x128]
  18004c19d 4a 8d 0c b8                    LEA        RCX,[RAX + R15*0x4]
  18004c1a1 48 39 d1                       CMP        RCX,RDX
  18004c1a4 74 1c                          JZ         libGLESv2!gl::Framebuffer::setDrawBuffers+0x72
  18004c1a6 4c 89 fd                       MOV        RBP,R15
  18004c1a9 48 f7 d5                       NOT        RBP
  18004c1ac 4c 8d 04 aa                    LEA        R8,[param_1 + RBP*0x4]
  18004c1b0 49 29 c0                       SUB        R8,RAX
  18004c1b3 49 83 c0 04                    ADD        R8,0x4
  18004c1b7 49 83 e0 fc                    AND        R8,-0x4
  18004c1bb 31 d2                          XOR        EDX,EDX
  18004c1bd e8 1e 13                       CALL       libGLESV2!memset

In the second instruction rdx is loaded with end pointer for the mDrawBufferStates and in third instruction rcx is loaded with start pointer for mDrawBufferStates + 8 * 4. Now rcx points to start of mDrawBufferStates +20h whereas rdx points to end of mDrwaBufferStates which is start + 04h. After the cmp instruction program does not jump and continues till memset call. Just before memset call we calculate r8 to contain 0xffffffffffffe4, this huge unsigned value is passed as the count parameter to memset and thus leads to Out of Bounds Write.

##Registry Values at Crash:

2:042> r
rax=0000025dc3b35b50 rbx=0000025dc3b56000 rcx=0000025dc3bff000
rdx=0000000000000000 rsi=0000025dc3b56000 rdi=0000025dc3b8c400
rip=00007ffe1f5017d0 rsp=000000b1ee10ea78 rbp=fffffffffffffff7
 r8=ffffffffffffffd4  r9=01ffffffffffe6d6 r10=0000025dc21fbe20
r11=0000025dc3b35b70 r12=0000025dc3b485a0 r13=0000000000000000
r14=0000000000000000 r15=0000000000000008
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
VCRUNTIME140!memset+0xd0:
00007ffe`1f5017d0 0f2b01          movntps xmmword ptr [rcx],xmm0 ds:0000025d`c3bff000=????????????????????????????????

##Call Stack:

2:042> k
 # Child-SP          RetAddr               Call Site
00 000000b1`ee10ea78 00007ffd`e452c1c2     VCRUNTIME140!memset+0xd0 [d:\agent\_work\2\s\src\vctools\crt\vcruntime\src\string\amd64\memset.asm @ 196] 
01 (Inline Function) --------`--------     libGLESv2!std::_Fill_unchecked1+0x21 [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/xutility @ 2903] 
02 (Inline Function) --------`--------     libGLESv2!std::_Fill_unchecked+0x21 [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/xutility @ 2917] 
03 (Inline Function) --------`--------     libGLESv2!std::fill+0x21 [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/xutility @ 2925] 
04 000000b1`ee10ea80 00007ffd`e4504d17     libGLESv2!gl::Framebuffer::setDrawBuffers+0x72 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Framebuffer.cpp @ 946] 
05 000000b1`ee10eb00 00007ffd`e4700f81     libGLESv2!gl::Context::drawBuffers+0x17 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp @ 4378] 
06 000000b1`ee10eb30 00007ffd`d788f9b1     libGLESv2!gl::DrawBuffers+0x81 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_3_0_autogen.cpp @ 685] 
07 000000b1`ee10eb80 00007ffd`d788fae1     xul!mozilla::gl::GLContext::fDrawBuffers+0x31 [/builds/worker/checkouts/gecko/gfx/gl/GLContext.h @ 2437] 
08 000000b1`ee10ebc0 00007ffd`d788fce8     xul!mozilla::WebGLFramebuffer::RefreshDrawBuffers+0x101 [/builds/worker/checkouts/gecko/dom/canvas/WebGLFramebuffer.cpp @ 1075] 
09 000000b1`ee10ec30 00007ffd`d787d9bb     xul!mozilla::WebGLFramebuffer::DrawBuffers+0x138 [/builds/worker/checkouts/gecko/dom/canvas/WebGLFramebuffer.cpp @ 1144] 
0a 000000b1`ee10ecd0 00007ffd`d7895154     xul!mozilla::WebGLContext::DrawBuffers+0x6b [/builds/worker/checkouts/gecko/dom/canvas/WebGLContextFramebufferOperations.cpp @ 148] 
0b (Inline Function) --------`--------     xul!mozilla::HostWebGLContext::DrawBuffers+0x11 [/builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h @ 729] 
0c (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,98,void (mozilla::HostWebGLContext::*)(const std::vector<unsigned int,std::allocator<unsigned int> > &) const,&mozilla::HostWebGLContext::DrawBuffers>::DispatchCommand<mozilla::HostWebGLContext>::<unnamed-tag>::operator()+0x1a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 231] 
0d (Inline Function) --------`--------     xul!std::_C__Invoker_functor::_Call+0x1a [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/type_traits @ 16707566] 
0e (Inline Function) --------`--------     xul!std::_C_invoke+0x1a [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/type_traits @ 16707566] 
0f (Inline Function) --------`--------     xul!std::_Apply_impl+0x1a [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/tuple @ 1233] 
10 (Inline Function) --------`--------     xul!std::apply+0x1a [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/tuple @ 1241] 
11 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,98,void (mozilla::HostWebGLContext::*)(const std::vector<unsigned int,std::allocator<unsigned int> > &) const,&mozilla::HostWebGLContext::DrawBuffers>::DispatchCommand+0x2105 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 228] 
12 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,97,void (mozilla::HostWebGLContext::*)(unsigned long long, const std::vector<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::allocator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > &, unsigned int) const,&mozilla::HostWebGLContext::TransformFeedbackVaryings>::DispatchCommand+0x2105 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
13 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,96,void (mozilla::HostWebGLContext::*)() const,&mozilla::HostWebGLContext::ResumeTransformFeedback>::DispatchCommand+0x2112 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
14 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,95,void (mozilla::HostWebGLContext::*)() const,&mozilla::HostWebGLContext::PauseTransformFeedback>::DispatchCommand+0x2112 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
15 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,94,void (mozilla::HostWebGLContext::*)() const,&mozilla::HostWebGLContext::EndTransformFeedback>::DispatchCommand+0x2112 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
16 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,93,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::BeginTransformFeedback>::DispatchCommand+0x2157 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
17 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,92,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::BindTransformFeedback>::DispatchCommand+0x2157 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
18 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,91,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, float) const,&mozilla::HostWebGLContext::SamplerParameterf>::DispatchCommand+0x2157 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
19 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,90,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, int) const,&mozilla::HostWebGLContext::SamplerParameteri>::DispatchCommand+0x2222 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
1a (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,89,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindSampler>::DispatchCommand+0x2222 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
1b (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,88,void (mozilla::HostWebGLContext::*)(const mozilla::webgl::ReadPixelsDesc &, unsigned long long) const,&mozilla::HostWebGLContext::ReadPixelsPbo>::DispatchCommand+0x2222 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
1c (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,87,void (mozilla::HostWebGLContext::*)(unsigned int, int, float, int) const,&mozilla::HostWebGLContext::ClearBufferfi>::DispatchCommand+0x2222 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
1d (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,86,void (mozilla::HostWebGLContext::*)(unsigned int, int, const mozilla::webgl::TypedQuad &) const,&mozilla::HostWebGLContext::ClearBufferTv>::DispatchCommand+0x2338 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
1e (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,85,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::webgl::VertAttribPointerDesc &) const,&mozilla::HostWebGLContext::VertexAttribPointer>::DispatchCommand+0x2338 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
1f (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,84,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::DisableVertexAttribArray>::DispatchCommand+0x2338 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
20 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,83,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::EnableVertexAttribArray>::DispatchCommand+0x2338 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
21 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,82,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::UniformBlockBinding>::DispatchCommand+0x2338 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
22 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,81,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::VertexAttribDivisor>::DispatchCommand+0x2338 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
23 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,80,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::webgl::TypedQuad &) const,&mozilla::HostWebGLContext::VertexAttrib4T>::DispatchCommand+0x2400 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
24 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,79,void (mozilla::HostWebGLContext::*)(unsigned int, bool, const mozilla::RawBuffer<unsigned char> &) const,&mozilla::HostWebGLContext::UniformData>::DispatchCommand+0x2400 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
25 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,78,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::UseProgram>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
26 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,77,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, const mozilla::FloatOrInt &) const,&mozilla::HostWebGLContext::TexParameter_base>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
27 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,76,void (mozilla::HostWebGLContext::*)(bool, unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &, const mozilla::avec3<unsigned int> &, const mozilla::RawBuffer<unsigned char> &, unsigned int, const mozilla::Maybe<unsigned long long> &) const,&mozilla::HostWebGLContext::CompressedTexImage>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
28 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,75,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, const mozilla::avec3<unsigned int> &, const mozilla::webgl::PackingInfo &, const mozilla::webgl::TexUnpackBlobDesc &) const,&mozilla::HostWebGLContext::TexImage>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
29 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,74,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &) const,&mozilla::HostWebGLContext::TexStorage>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
2a (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,73,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &, const mozilla::avec2<int> &, const mozilla::avec2<unsigned int> &) const,&mozilla::HostWebGLContext::CopyTexImage>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
2b (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,72,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::GenerateMipmap>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
2c (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,71,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindTexture>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
2d (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,70,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::ActiveTexture>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
2e (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,69,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::RenderbufferStorageMultisample>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
2f (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,68,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::ReadBuffer>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
30 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,67,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<const unsigned int> &, int, int, int, int) const,&mozilla::HostWebGLContext::InvalidateSubFramebuffer>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
31 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,66,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<const unsigned int> &) const,&mozilla::HostWebGLContext::InvalidateFramebuffer>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
32 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,65,void (mozilla::HostWebGLContext::*)(int, int, int, int, int, int, int, int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlitFramebuffer>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
33 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,64,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long, const mozilla::RawBuffer<unsigned char> &) const,&mozilla::HostWebGLContext::BufferSubData>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
34 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,63,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<unsigned char> &, unsigned int) const,&mozilla::HostWebGLContext::BufferData>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
35 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,62,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long long, unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::CopyBufferSubData>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
36 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,61,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long long, unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::BindBufferRange>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
37 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,60,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindBuffer>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
38 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,59,void (mozilla::HostWebGLContext::*)(int, int, int, int) const,&mozilla::HostWebGLContext::Viewport>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
39 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,58,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::StencilOpSeparate>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
3a (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,57,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::StencilMaskSeparate>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
3b (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,56,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, int, unsigned int) const,&mozilla::HostWebGLContext::StencilFuncSeparate>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
3c (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,55,void (mozilla::HostWebGLContext::*)(unsigned long long, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::ShaderSource>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
3d (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,54,void (mozilla::HostWebGLContext::*)(int, int, int, int) const,&mozilla::HostWebGLContext::Scissor>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
3e (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,53,void (mozilla::HostWebGLContext::*)(float, bool) const,&mozilla::HostWebGLContext::SampleCoverage>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
3f (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,52,void (mozilla::HostWebGLContext::*)(unsigned long long, mozilla::layers::TextureType, bool) const,&mozilla::HostWebGLContext::Present>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
40 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,51,void (mozilla::HostWebGLContext::*)(float, float) const,&mozilla::HostWebGLContext::PolygonOffset>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
41 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,50,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::LinkProgram>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
42 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,49,void (mozilla::HostWebGLContext::*)(float) const,&mozilla::HostWebGLContext::LineWidth>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
43 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,48,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::Hint>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
44 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,47,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::FrontFace>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
45 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,46,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned long long, int, int, int) const,&mozilla::HostWebGLContext::FramebufferAttach>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
46 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,45,void (mozilla::HostWebGLContext::*)() const,&mozilla::HostWebGLContext::Flush>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
47 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,44,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::DetachShader>::DispatchCommand+0x2463 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
48 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,43,void (mozilla::HostWebGLContext::*)(float, float) const,&mozilla::HostWebGLContext::DepthRange>::DispatchCommand+0x2ed4 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
49 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,42,void (mozilla::HostWebGLContext::*)(bool) const,&mozilla::HostWebGLContext::DepthMask>::DispatchCommand+0x2ed4 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
4a (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,41,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::DepthFunc>::DispatchCommand+0x34a9 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
4b (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,40,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::CullFace>::DispatchCommand+0x34a9 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
4c (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,39,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::CompileShader>::DispatchCommand+0x354a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
4d (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,38,void (mozilla::HostWebGLContext::*)(bool, bool, bool, bool) const,&mozilla::HostWebGLContext::ColorMask>::DispatchCommand+0x354a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
4e (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,37,void (mozilla::HostWebGLContext::*)(int) const,&mozilla::HostWebGLContext::ClearStencil>::DispatchCommand+0x354a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
4f (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,36,void (mozilla::HostWebGLContext::*)(float) const,&mozilla::HostWebGLContext::ClearDepth>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
50 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,35,void (mozilla::HostWebGLContext::*)(float, float, float, float) const,&mozilla::HostWebGLContext::ClearColor>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
51 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,34,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::Clear>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
52 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,33,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlendFuncSeparate>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
53 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,32,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlendEquationSeparate>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
54 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,31,void (mozilla::HostWebGLContext::*)(float, float, float, float) const,&mozilla::HostWebGLContext::BlendColor>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
55 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,30,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindFramebuffer>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
56 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,29,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::BindAttribLocation>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
57 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,28,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::AttachShader>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
58 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,27,void (mozilla::HostWebGLContext::*)(),&mozilla::HostWebGLContext::DidRefresh>::DispatchCommand+0x3592 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
59 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,26,void (mozilla::HostWebGLContext::*)(mozilla::WebGLExtensionID),&mozilla::HostWebGLContext::RequestExtension>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
5a (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,25,void (mozilla::HostWebGLContext::*)(const mozilla::avec2<unsigned int> &),&mozilla::HostWebGLContext::Resize>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
5b (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,24,void (mozilla::HostWebGLContext::*)(unsigned int, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::GenerateError>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
5c (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,23,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::Enable>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
5d (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,22,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::Disable>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
5e (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,21,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteVertexArray>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
5f (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,20,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteTransformFeedback>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
60 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,19,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteTexture>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
61 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,18,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteSync>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
62 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,17,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteShader>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
63 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,16,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteSampler>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
64 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,15,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteRenderbuffer>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
65 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,14,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteQuery>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
66 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,13,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteProgram>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
67 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,12,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteFramebuffer>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
68 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,11,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteBuffer>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
69 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,10,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateVertexArray>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
6a (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,9,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateTransformFeedback>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
6b (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,8,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateTexture>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
6c (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,7,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateSync>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
6d (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,6,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int),&mozilla::HostWebGLContext::CreateShader>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
6e (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,5,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateSampler>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
6f (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,4,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateRenderbuffer>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
70 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,3,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateQuery>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
71 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,2,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateProgram>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
72 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,1,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateFramebuffer>::DispatchCommand+0x3699 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
73 (Inline Function) --------`--------     xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,0,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateBuffer>::DispatchCommand+0x36ac [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236] 
74 000000b1`ee10ed30 00007ffd`d695fad6     xul!mozilla::dom::WebGLParent::RecvDispatchCommands+0x3804 [/builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp @ 59] 
75 000000b1`ee10efd0 00007ffd`d5ac1495     xul!mozilla::dom::PWebGLParent::OnMessageReceived+0x306 [/builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp @ 201] 
76 000000b1`ee10f0a0 00007ffd`d6757694     xul!mozilla::layers::PCompositorManagerParent::OnMessageReceived+0x65 [/builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp @ 205] 
77 (Inline Function) --------`--------     xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x71 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 2157] 
78 000000b1`ee10f1b0 00007ffd`d5729c7d     xul!mozilla::ipc::MessageChannel::DispatchMessage+0x404 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 2081] 
79 (Inline Function) --------`--------     xul!mozilla::ipc::MessageChannel::RunMessage+0xe7 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1929] 
7a 000000b1`ee10f540 00007ffd`d555430f     xul!mozilla::ipc::MessageChannel::MessageTask::Run+0x16d [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1962] 
7b 000000b1`ee10f5d0 00007ffd`d5552b0f     xul!nsThread::ProcessNextEvent+0x141f [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1153] 
7c (Inline Function) --------`--------     xul!NS_ProcessNextEvent+0x28 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 548] 
7d 000000b1`ee10f960 00007ffd`d6730b4f     xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xef [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 302] 
7e (Inline Function) --------`--------     xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 335] 
7f 000000b1`ee10fa00 00007ffd`d55529de     xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 329] 
80 000000b1`ee10fa50 00007ffd`d62cae47     xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 311] 
81 000000b1`ee10fab0 00007ffe`2dc46d5a     xul!nsThread::ThreadFunc+0xe7 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 393] 
82 000000b1`ee10fc60 00007ffe`2dc3a471     nss3!_PR_NativeRunThread+0x14a [/builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c @ 421] 
83 000000b1`ee10fce0 00007ffe`5ddf1bb2     nss3!pr_root+0x11 [/builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c @ 140] 
84 000000b1`ee10fd10 00007ffe`5fff7034     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x42
85 000000b1`ee10fd40 00007ffe`32ea0e58     KERNEL32!BaseThreadInitThunk+0x14
86 (Inline Function) --------`--------     mozglue!mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator()+0x15 [/builds/worker/workspace/obj-build/dist/include/nsWindowsDllInterceptor.h @ 150] 
87 000000b1`ee10fd70 00007ffe`606e2651     mozglue!patched_BaseThreadInitThunk+0x28 [/builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp @ 588] 
88 000000b1`ee10fde0 00000000`00000000     ntdll!RtlUserThreadStart+0x21

Flags: sec-bounty?

:Gijs (he/him)

Updated

•

4 years ago

Group: firefox-core-security → gfx-core-security

Type: task → defect

Component: Security → Canvas: WebGL

Product: Firefox → Core

Tyson Smith [:tsmith]

Comment 1

•

4 years ago

An ASan trace for anyone interested.

==5652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x113ae0ac9794 at pc 0x7ffeed7853af bp 0x0030debfba50 sp 0x0030debfba98
WRITE of size 32 at 0x113ae0ac9794 thread T2
    #0 0x7ffeed7853d8 in __asan_memmove Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_interceptors_memintrinsics.cpp:30
    #1 0x7ffed59ce903 in gl::Framebuffer::setDrawBuffers /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Framebuffer.cpp:944
    #2 0x7ffed595b922 in gl::Context::drawBuffers /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp:4377
    #3 0x7ffed603179c in gl::DrawBuffers /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_3_0_autogen.cpp:685
    #4 0x7ffedd77b3cf in mozilla::WebGLFramebuffer::RefreshDrawBuffers /builds/worker/checkouts/gecko/dom/canvas/WebGLFramebuffer.cpp:1075
    #5 0x7ffedd77c1f3 in mozilla::WebGLFramebuffer::DrawBuffers /builds/worker/checkouts/gecko/dom/canvas/WebGLFramebuffer.cpp:1143
    #6 0x7ffedd7126f2 in mozilla::WebGLContext::DrawBuffers /builds/worker/checkouts/gecko/dom/canvas/WebGLContextFramebufferOperations.cpp:148
    #7 0x7ffedd78c987 in mozilla::dom::WebGLParent::RecvDispatchCommands /builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp:55
    #8 0x7ffed8eaa42b in mozilla::dom::PWebGLParent::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:201
    #9 0x7ffed874cf81 in mozilla::layers::PCompositorManagerParent::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:205
    #10 0x7ffed857a322 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2157
    #11 0x7ffed85766f3 in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2081
    #12 0x7ffed85785de in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1929
    #13 0x7ffed8578b98 in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1960
    #14 0x7ffed71fd11b in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152
    #15 0x7ffed720c76c in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548
    #16 0x7ffed858388e in mozilla::ipc::MessagePumpForNonMainThreads::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302
    #17 0x7ffed84bae95 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #18 0x7ffed84bac65 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310
    #19 0x7ffed71f5976 in nsThread::ThreadFunc /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391
    #20 0x7ffeed3bdb7e in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #21 0x7ffeed396ecb in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #22 0x7fff19801bb1 in configthreadlocale+0x91 (C:\WINDOWS\System32\ucrtbase.dll+0x180021bb1)
    #23 0x7ffeed7903a8 in __asan::AsanThread::ThreadStart Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:262
    #24 0x7fff1af67033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
    #25 0x7ffeee924a22 in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp:592
    #26 0x7fff1bba2650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)

0x113ae0ac9794 is located 0 bytes to the right of 4-byte region [0x113ae0ac9790,0x113ae0ac9794)
allocated by thread T2 here:
    #0 0x7ffeed785674 in malloc Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98
    #1 0x7ffeee9213de in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffed59c74cc in gl::FramebufferState::FramebufferState /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Framebuffer.cpp:306
    #3 0x7ffed59ca144 in gl::Framebuffer::Framebuffer /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Framebuffer.cpp:704
    #4 0x7ffed59326b7 in gl::Context::setDefaultFramebuffer /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp:8561
    #5 0x7ffed592fefa in gl::Context::makeCurrent /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp:700
    #6 0x7ffed59ade41 in egl::Display::makeCurrent /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Display.cpp:1303
    #7 0x7ffed5fe7e20 in EGL_MakeCurrent /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_egl.cpp:469
    #8 0x7ffed9b4e303 in mozilla::gl::GLContextEGL::MakeCurrentImpl /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:476
    #9 0x7ffed9b24dac in mozilla::gl::GLContext::InitImpl /builds/worker/checkouts/gecko/gfx/gl/GLContext.cpp:369
    #10 0x7ffed9b24897 in mozilla::gl::GLContext::Init /builds/worker/checkouts/gecko/gfx/gl/GLContext.cpp:321
    #11 0x7ffed9b4da14 in mozilla::gl::GLContextEGL::Init /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:421
    #12 0x7ffed9b4a310 in mozilla::gl::GLContextEGL::CreateGLContext /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:772
    #13 0x7ffed9b53e10 in mozilla::gl::GLContextEGL::CreateEGLPBufferOffscreenContextImpl /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:1186
    #14 0x7ffed9b58729 in mozilla::gl::GLContextEGL::CreateEGLPBufferOffscreenContext /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:1207
    #15 0x7ffed9b58d6e in mozilla::gl::GLContextProviderEGL::CreateHeadless /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:1221
    #16 0x7ffedd6c84da in mozilla::WebGLContext::CreateAndInitGL /builds/worker/checkouts/gecko/dom/canvas/WebGLContext.cpp:367
    #17 0x7ffedd6cbfda in mozilla::WebGLContext::Create /builds/worker/checkouts/gecko/dom/canvas/WebGLContext.cpp:498
    #18 0x7ffedd62ac97 in mozilla::HostWebGLContext::Create /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.cpp:59

Thread T2 created by T0 here:
    #0 0x7ffeed7914dc in __asan_wrap_CreateThread Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7fff19801896 in beginthreadex+0x56 (C:\WINDOWS\System32\ucrtbase.dll+0x180021896)
    #2 0x7ffeed396cfd in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ffeed3be9dc in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ffeed3bf343 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ffeed3b52ff in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ffed71f82f9 in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:609
    #7 0x7ffed7209cac in nsThreadManager::NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:637
    #8 0x7ffed721577c in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:169
    #9 0x7ffeda209a6d in mozilla::layers::CompositorThreadHolder::CreateCompositorThread /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorThread.cpp:54
    #10 0x7ffeda20a056 in mozilla::layers::CompositorThreadHolder::Start /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorThread.cpp:93
    #11 0x7ffeda48bc61 in mozilla::gfx::GPUParent::Init /builds/worker/checkouts/gecko/gfx/ipc/GPUParent.cpp:179
    #12 0x7ffeda49f319 in mozilla::gfx::GPUProcessImpl::Init /builds/worker/checkouts/gecko/gfx/ipc/GPUProcessImpl.cpp:76
    #13 0x7ffee4792055 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:699
    #14 0x7ff725581edd in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309
    #15 0x7ff72558148e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #16 0x7ff72567c407 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #17 0x7fff1af67033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
    #18 0x7fff1bba2650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)

Status: UNCONFIRMED → NEW

status-firefox88: --- → affected

Ever confirmed: true

Flags: in-testsuite?

Keywords: crash, csectype-bounds, testcase

Daniel Veditz [:dveditz]

Comment 2

•

4 years ago

Initial guess at sec-high because it's an OOBW, but if the value is always approximately that big it sounds more destructive and DOS-y than a useful exploit primitive.

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Keywords: sec-high

Kelsey Gilbert [:jgilbert]

Assignee

Comment 3

•

4 years ago

Wow did tests really not hit this? :X

Kelsey Gilbert [:jgilbert]

Assignee

Comment 4

•

4 years ago

Ah, it's a fairly weird corner-case of state, I think as a result of some of the lazy framebuffer binding we do.

Kelsey Gilbert [:jgilbert]

Assignee

Comment 5

•

4 years ago

Attached file Bug 1699077 - Bind framebuffer before DrawBuffers/ReadBuffer selection. — Details

Phabricator Automation

Updated

•

4 years ago

Assignee: nobody → jgilbert

Status: NEW → ASSIGNED

Kelsey Gilbert [:jgilbert]

Assignee

Updated

•

4 years ago

status-firefox87: --- → wontfix

status-firefox89: --- → affected

status-firefox-esr78: --- → affected

status-thunderbird_esr78: --- → affected

Kelsey Gilbert [:jgilbert]

Assignee

Comment 6

•

4 years ago

Comment on attachment 9212954 [details]
Bug 1699077 - Bind framebuffer before DrawBuffers/ReadBuffer selection.

Security Approval Request

How easily could an exploit be constructed based on the patch?: I think it would be pretty hard. I don't think there's enough of a knob here to do anything other than crash.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
Which older supported branches are affected by this flaw?: all
If not all supported branches, which bug introduced the flaw?: None
Do you have backports for the affected branches?: No
If not, how different, hard to create, and risky will they be?: Trivial or easy
How likely is this patch to cause regressions; how much testing does it need?: Unlikely, but a new test is included, along with our other tests.

Attachment #9212954 - Flags: sec-approval?

Julien Cristau [:jcristau]

Updated

•

4 years ago

status-thunderbird_esr78: affected → ---

Tom Ritter [:tjr]

Comment 7

•

4 years ago

Can we separate out the test and land it later?

Flags: needinfo?(jgilbert)

Kelsey Gilbert [:jgilbert]

Assignee

Comment 8

•

4 years ago

Yeah, always.

Flags: needinfo?(jgilbert)

Kelsey Gilbert [:jgilbert]

Assignee

Comment 9

•

4 years ago

Attached file Bug 1699077 - Add test. — Details

Kelsey Gilbert [:jgilbert]

Assignee

Comment 10

•

4 years ago

Test split out.

Flags: needinfo?(tom)

Tom Ritter [:tjr]

Comment 11

•

4 years ago

Comment on attachment 9212954 [details]
Bug 1699077 - Bind framebuffer before DrawBuffers/ReadBuffer selection.

Approved to land and uplift

Flags: needinfo?(tom)

Attachment #9212954 - Flags: sec-approval?

Attachment #9212954 - Flags: sec-approval+

Attachment #9212954 - Flags: approval-mozilla-esr78+

Attachment #9212954 - Flags: approval-mozilla-beta+

Tom Ritter [:tjr]

Comment 12

•

4 years ago

Comment on attachment 9213961 [details]
Bug 1699077 - Add test.

Test approved to land on or after 5/10

Attachment #9213961 - Flags: sec-approval+

Ryan VanderMeulen [:RyanVM]

Comment 13

•

4 years ago

https://hg.mozilla.org/integration/autoland/rev/702b14b0f469c2690c0d725e78aa5f2899ce6a19

tracking-firefox88: --- → +

tracking-firefox89: --- → +

tracking-firefox-esr78: --- → 88+

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 14

•

4 years ago

https://hg.mozilla.org/mozilla-central/rev/702b14b0f469

Group: gfx-core-security → core-security-release

Status: ASSIGNED → RESOLVED

Closed: 4 years ago

status-firefox89: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 89 Branch

Ryan VanderMeulen [:RyanVM]

Comment 15

•

4 years ago

uplift

https://hg.mozilla.org/releases/mozilla-beta/rev/47f62003589f

status-firefox88: affected → fixed

Ryan VanderMeulen [:RyanVM]

Comment 16

•

4 years ago

uplift

https://hg.mozilla.org/releases/mozilla-esr78/rev/02986a6ad0ac

status-firefox-esr78: affected → fixed

Mihai Boldan, Desktop QA [:mboldan]

Updated

•

4 years ago

QA Whiteboard: [qa-triaged]

Flags: qe-verify+

Alexandru Trif, Desktop Test Engineering [:atrif]

Comment 17

•

4 years ago

Hello! Using Firefox 88.0a1 (2021-03-16) on Windows 10x64 and the attached test case I have managed to reproduce the crashes. These are the ones that showed in about:crashes after 10 visits: crash1x7, crash2x1, crash3x1, crash4x1. Those were almost all silent crashes for me, and the crash reporter showed only one time, and only one white/blank page was displayed on the affected version.

The crashes are no longer occurring and the page is properly displayed with Firefox 89.0a1 (20210411210108), 88.0b9 (20210408190318), and 78.10.0esr(20210408210613) from comment 16 on Windows 10x64, macOS 11.2.3M1 mini, and Ubuntu 20.04.

Status: RESOLVED → VERIFIED

status-firefox88: fixed → verified

status-firefox89: fixed → verified

status-firefox-esr78: fixed → verified

Flags: qe-verify+

Tom Ritter [:tjr]

Updated

•

4 years ago

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main88+]

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Flags: sec-bounty? → sec-bounty+

Tom Ritter [:tjr]

Comment 18

•

4 years ago

Attached file advisory.txt — Details

Tom Ritter [:tjr]

Updated

•

4 years ago

Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main88+] → [reporter-external] [client-bounty-form] [verif?][adv-main88+][adv-esr78.10+]

BugBot [:suhaib / :marco/ :calixte]

Comment 19

•

4 years ago

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jgilbert)

Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main88+][adv-esr78.10+] → [reporter-external] [client-bounty-form] [verif?][adv-main88+][adv-esr78.10+][sec-survey]

Kelsey Gilbert [:jgilbert]

Assignee

Updated

•

4 years ago

Flags: needinfo?(jgilbert)

Frederik Braun [:freddy]

Updated

•

4 years ago

Alias: CVE-2021-23994

Daniel Veditz [:dveditz]

Updated

•

3 years ago

Group: core-security-release

David Lawrence [:dkl]

Updated

•

9 months ago

Keywords: reporter-external

drawbuffers-fill-memset-poc.html 4 years ago Omair 712 bytes, text/html		Details
Bug 1699077 - Bind framebuffer before DrawBuffers/ReadBuffer selection. 4 years ago Kelsey Gilbert [:jgilbert] 48 bytes, text/x-phabricator-request	tjr : approval-mozilla-beta+ tjr : approval-mozilla-esr78+ tjr : sec-approval+	Details \| Review
Bug 1699077 - Add test. 4 years ago Kelsey Gilbert [:jgilbert] 48 bytes, text/x-phabricator-request	tjr : sec-approval+	Details \| Review
advisory.txt 4 years ago Tom Ritter [:tjr] 187 bytes, text/plain		Details