Closed Bug 1701975 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:502:5 in load<unsigned int>

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking

()

VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 + verified
firefox89 + verified

People

(Reporter: jkratzer, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][sec-survey][post-critsmash-triage])

Attachments

(3 files)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev 52d2c9e672d0 (built with --enable-address-sanitizer --enable-fuzzing).

==4803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500017c0fc at pc 0x7f64469ca436 bp 0x7f640dc3f3f0 sp 0x7f640dc3f3e8
READ of size 16 at 0x62500017c0fc thread T52 (Renderer)
    #0 0x7f64469ca435 in load<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:502:5
    #1 0x7f64469ca435 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:531:10
    #2 0x7f64469ca435 in void blendTextureLinearUpscale<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:217:7
    #3 0x7f644697bf75 in int blendTextureLinear<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec4_scalar const&, NoColor, unsigned int*, LinearFilter) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:426:9
    #4 0x7f6446a8706b in brush_image_ALPHA_PASS_TEXTURE_2D_frag::swgl_drawSpanRGBA8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-fa1cedbe8c8d7d30/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:895:2
    #5 0x7f6446a7cfa9 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_TEXTURE_2D_frag*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-fa1cedbe8c8d7d30/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:938:42
    #6 0x7f6446d36c9f in draw_span /builds/worker/checkouts/gecko/gfx/wr/swgl/src/program.h:149:12
    #7 0x7f6446d36c9f in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1008:42
    #8 0x7f64468c4af3 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1592:5
    #9 0x7f64468c04b3 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1622:5
    #10 0x7f64468c0159 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2699:7
    #11 0x7f6445d2e67f in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::hdf4e10b32e2cd617 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3478:9
    #12 0x7f6445d2e67f in webrender::renderer::Renderer::draw_instanced_batch::hff0dd0452e9d80c1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2553:17
    #13 0x7f6445d1b589 in webrender::renderer::Renderer::draw_alpha_batch_container::hb633ae3deaa60ff4 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3037:17
    #14 0x7f6445cf037d in webrender::renderer::Renderer::draw_picture_cache_target::h4479a69d077f4535 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2860:9
    #15 0x7f6445cf037d in webrender::renderer::Renderer::draw_frame::h2fe5327ba37c56d5 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4603:21
    #16 0x7f6445d53f16 in webrender::renderer::Renderer::render_impl::hc14c54b40ec9d2eb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2154:17
    #17 0x7f6445d756e9 in webrender::renderer::Renderer::render::h630e7c763bf04fda /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1889:30
    #18 0x7f6445fe0d6f in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #19 0x7f643753a89e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #20 0x7f6437538fcf in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #21 0x7f6437538151 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #22 0x7f64375504f6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #23 0x7f64375504f6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #24 0x7f64375504f6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #25 0x7f643575b107 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #26 0x7f643575be6e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #27 0x7f643575c70b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #28 0x7f643575da06 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #29 0x7f643575acb1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #30 0x7f643575acb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #31 0x7f643575acb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #32 0x7f6435778fb8 in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
    #33 0x7f643576cbac in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #34 0x7f645513f608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #35 0x7f6454d08292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x62500017c0fc is located 4 bytes to the left of 8192-byte region [0x62500017c100,0x62500017e100)
allocated by thread T52 (Renderer) here:
    #0 0x55fd1da127d9 in realloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x7f64468c66c3 in Texture::allocate(bool, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:492:32
    #2 0x7f64468af85f in set_tex_storage(Texture&, unsigned int, int, int, void*, int, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1678:5
    #3 0x7f64468af31e in TexStorage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1692:3
    #4 0x7f64468b04d9 in TexImage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1780:3
    #5 0x7f6444df4a8a in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::tex_image_2d::h4a67fbdce1d3895b /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_fns.rs:990:13
    #6 0x7f6445c67b36 in webrender::device::gl::Device::create_texture::he61e0ee0d63cbdf1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:2445:13
    #7 0x7f6445d37e14 in webrender::renderer::Renderer::update_texture_cache::_$u7b$$u7b$closure$u7d$$u7d$::h10aab31fc41e7d8f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2435:29
    #8 0x7f6445d37e14 in core::option::Option$LT$T$GT$::unwrap_or_else::h95a9ebff8addefd0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:427:21
    #9 0x7f6445d37e14 in webrender::renderer::Renderer::update_texture_cache::hbe25867822377249 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2434:43
    #10 0x7f6445d53172 in webrender::renderer::Renderer::render_impl::hc14c54b40ec9d2eb /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2114:13
    #11 0x7f6445d756e9 in webrender::renderer::Renderer::render::h630e7c763bf04fda /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1889:30
    #12 0x7f6445fe0d6f in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #13 0x7f643753a89e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #14 0x7f6437538fcf in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #15 0x7f6437538151 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #16 0x7f64375504f6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #17 0x7f64375504f6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #18 0x7f64375504f6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #19 0x7f643575b107 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #20 0x7f643575be6e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #21 0x7f643575c70b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #22 0x7f643575da06 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #23 0x7f643575acb1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #24 0x7f643575acb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #25 0x7f643575acb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3

Thread T52 (Renderer) created by T0 here:
    #0 0x55fd1d9fcf2a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f643576709c in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f643576709c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f64357787dd in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f6437534d91 in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:92:16
    #5 0x7f64372a1829 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1323:7
    #6 0x7f643729ce26 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:963:3
    #7 0x7f643729b76b in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:480:5
    #8 0x7f643bf9bd0c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1778:25
    #9 0x7f643465a841 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7f64366149ea in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #11 0x7f64366149ea in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7f64366149ea in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7f643661a3d3 in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1460:12
    #14 0x7f643661a3d3 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7f643fd3b2a0 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #16 0x7f643fd3b2a0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
    #17 0x7f643fd3d0d9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #18 0x7f643fd3d35b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #19 0x7f643fd3e918 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:721:10
    #20 0x7f6440255fb8 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2108:12
    #21 0x7f6440255fb8 in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2137:12
    #22 0x7f6440255fb8 in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2281:14
    #23 0x7f6440255fb8 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2311:10
    #24 0x7f643fd29249 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7f643fd29249 in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:451:10
    #26 0x7f643fd29249 in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:558:10
    #27 0x7f643fd29249 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3051:14
    #28 0x7f643fd0af13 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #29 0x7f643fd3b3da in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
    #30 0x7f643fd3d0d9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #31 0x7f643fd3d35b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #32 0x7f64405a3600 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2793:10
    #33 0x7f6436607711 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
    #34 0x7f643465c190 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7f643465af2a in SharedStub (/home/user/builds/mc-asan/libxul.so+0x50f4f2a)
    #36 0x7f64345c0308 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
    #37 0x7f643fb02af2 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:1029:11
    #38 0x7f643faddf19 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5096:18
    #39 0x7f643fae10f6 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5537:8
    #40 0x7f643fae20b3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5600:21
    #41 0x55fd1da45672 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:220:22
    #42 0x55fd1da45672 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:347:16
    #43 0x7f6454c0d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:502:5 in load<unsigned int>
Shadow bytes around the buggy address:
  0x0c4a800277c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800277d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800277e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800277f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80027800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80027810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a80027820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80027830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80027840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80027850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80027860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4803==ABORTING
Flags: in-testsuite?

Bounds problems in a raw memcpy() are pretty scary. Is it just the read target we've gotten wrong and the write will be safe?

Group: core-security → gfx-core-security

(In reply to Daniel Veditz [:dveditz] from comment #1)

Bounds problems in a raw memcpy() are pretty scary. Is it just the read target we've gotten wrong and the write will be safe?

In this case, it looks like you can only access (read-only) the 4 bytes immediately preceding the buffer with this, which is just going to be malloc headers. It doesn't seem particularly worrying.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

The problem here is that in brush shaders, and some other places too, we can have negative bounds rects, i.e. https://searchfox.org/mozilla-central/source/gfx/wr/webrender/res/brush_image.glsl#183

As a last resort it seems better to guard against this downwind in one place inside SWGL.
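The comment above describes the root cause (a brush rect whose sample bounds start at a negative texel index, so the sampler's unaligned load starts a few bytes before the texture allocation) and the chosen fix (clamp the bounds inside SWGL so no read ever lands outside the texture). The following is an added, simplified model of that check, written for this page; it is not SWGL's code and the names (TexRow, SampleBounds, clamp_bounds, sum_span) and the constructed texel data are assumptions. It shows the byte offset an unclamped sampler would compute for a negative minimum (matching the "4 bytes to the left of the region" ASan reported for a uint32_t texel) and the clamped span that a hardened sampler uses instead, including the case where the whole span lies outside the texture and must become empty rather than be pulled back onto texel 0.

```cpp
#include <cstdint>
#include <cstddef>
#include <algorithm>
#include <vector>

// Hypothetical model of one row of RGBA8 texels (one uint32_t per texel).
struct TexRow {
    std::vector<uint32_t> texels;
};

// Inclusive sample bounds in texel units. `min` can be negative when the
// brush rect extends past the texture's left edge.
struct SampleBounds {
    int min;
    int max;
};

// Byte offset from the start of the row that an unclamped sampler would
// start reading at. A negative value means "before the allocation", which
// is exactly what the heap-buffer-overflow report above shows.
long unclamped_byte_offset(const SampleBounds& b) {
    return static_cast<long>(b.min) * static_cast<long>(sizeof(uint32_t));
}

// A span is empty once max < min; callers must treat it as "sample nothing".
bool is_empty(const SampleBounds& b) {
    return b.max < b.min;
}

// Clamp both edges into [0, width). If the span was entirely outside the
// texture this yields an empty span instead of silently sampling texel 0.
SampleBounds clamp_bounds(SampleBounds b, int width) {
    if (width <= 0) {
        return SampleBounds{0, -1};
    }
    b.min = std::max(b.min, 0);
    b.max = std::min(b.max, width - 1);
    return b;
}

// Hardened sampler: sums the texels in [min, max] after clamping, so any
// request, including a negative minimum, only touches the row's own storage.
uint64_t sum_span(const TexRow& row, SampleBounds b) {
    const int width = static_cast<int>(row.texels.size());
    b = clamp_bounds(b, width);
    uint64_t acc = 0;
    for (int i = b.min; i <= b.max; ++i) {
        acc += row.texels[static_cast<size_t>(i)];
    }
    return acc;
}

// Constructed sample row: 8 texels holding the values 1..8.
TexRow make_row() {
    TexRow row;
    for (uint32_t i = 1; i <= 8; ++i) {
        row.texels.push_back(i);
    }
    return row;
}
```

With an 8-texel row, a request for texels -1..3 would have started 4 bytes before the buffer; after clamping it covers texels 0..3 and sums to 10, while a request for -5..-2 becomes an empty span and sums to 0.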

Depends on D110482

Comment on attachment 9212945 [details]
Bug 1701975 - Check for negative sample bounds. r?jrmuizel

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not easily. Only seems to allow a read access to a small number of bytes in front of a texture buffer, which is usually just a malloc header.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 88
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely, just clamps some bounds so that we never read outside.
Attachment #9212945 - Flags: sec-approval?
Attachment #9212945 - Flags: sec-approval?
Attachment #9212945 - Flags: sec-approval+
Attachment #9212945 - Flags: approval-mozilla-beta+
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(lsalzman)
Whiteboard: [bugmon:confirm] → [bugmon:confirm][sec-survey]
Flags: needinfo?(lsalzman)
Flags: qe-verify+
Whiteboard: [bugmon:confirm][sec-survey] → [bugmon:confirm][sec-survey][post-critsmash-triage]
QA Whiteboard: [qa-triaged]

Hello!
Reproduced the issue with asan Bof mozilla-central rev 52d2c9e672d0 and the attached prefs and test case on Ubuntu 18.04.
I can no longer reproduce the issue using asan Bof Firefox 89.0a1 (20210414033918) and Firefox 88.0 (20210412175251). The test case is opened properly with the attached prefs and no crashes are encountered on Ubuntu 18.04 and Windows 10x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: bf2f3987e5c1e56e83b3e853c15062540fb49e9e (20210402153113)
End: e6eab689ad6fbdd13b5aa4d1d50e84e9977a50d5 (20210402165306)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bf2f3987e5c1e56e83b3e853c15062540fb49e9e&tochange=e6eab689ad6fbdd13b5aa4d1d50e84e9977a50d5
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:confirm][sec-survey][post-critsmash-triage] → [bugmon:bisected,confirmed][sec-survey][post-critsmash-triage]
Group: core-security-release

We can land this test now

Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)