1706069 - heap-use-after-free - blendTextureLinearFallback

Multiple Authors

Description

•

4 years ago

•

Edited

Attached file test_9077.html — Details

During fuzzing I found a crach in Firefox. It affects latest ASAN build (https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.mozilla-central.latest.firefox.win64-asan-opt/artifacts/public/build/target.zip).

ASAN Logs:

ERROR: AddressSanitizer: heap-use-after-free on address 0x133d233ec004 at pc 0x7fff45b399af bp 0x00d2317fa8f0 sp 0x00d2317fa938
READ of size 16 at 0x133d233ec004 thread T4
    #0 0x7fff45b399ae in blendTextureLinearFallback<1,glsl::sampler2D_impl *,NoColor,unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:177
    #1 0x7fff45b32928 in blendTextureLinearDispatch<1,glsl::sampler2D_impl *,NoColor,unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:441
    #2 0x7fff45b7f45b in brush_image_ADVANCED_BLEND_ALPHA_PASS_TEXTURE_2D_frag::swgl_drawSpanRGBA8 /builds/worker/workspace/obj-build/x86_64-pc-windows-msvc/release/build/swgl-51a17aa18babf9f1/out/brush_image_ADVANCED_BLEND_ALPHA_PASS_TEXTURE_2D.h:895
    #3 0x7fff45b7638c in brush_image_ADVANCED_BLEND_ALPHA_PASS_TEXTURE_2D_frag::draw_span_RGBA8 /builds/worker/workspace/obj-build/x86_64-pc-windows-msvc/release/build/swgl-51a17aa18babf9f1/out/brush_image_ADVANCED_BLEND_ALPHA_PASS_TEXTURE_2D.h:938
    #4 0x7fff45e1eace in draw_quad_spans<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:999
    #5 0x7fff45a9f9b7 in draw_quad /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1592
    #6 0x7fff45a9c221 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2699
    #7 0x7fff442f6044 in swgl::swgl_fns::{{impl}}::draw_elements_instanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_fns.rs:1549
    #8 0x7fff445f7c36 in webrender::renderer::Renderer::draw_instanced_batch<webrender::gpu_types::PrimitiveInstanceData> /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2561
    #9 0x7fff445f3f78 in webrender::renderer::Renderer::draw_alpha_batch_container /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3045
    #10 0x7fff445e7bef in webrender::renderer::Renderer::draw_frame /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4683
    #11 0x7fff445c8751 in webrender::renderer::Renderer::render_impl /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2159
    #12 0x7fff44621b0f in webrender_bindings::bindings::wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637
    #13 0x7fff3895cc5f in mozilla::wr::RendererOGL::UpdateAndRender /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186
    #14 0x7fff3895a12c in mozilla::wr::RenderThread::UpdateAndRender /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486
    #15 0x7fff38958c23 in mozilla::wr::RenderThread::HandleFrameOneDoc /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341
    #16 0x7fff3852ac50 in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::layers::APZCTreeManager>,void (mozilla::layers::IAPZCTreeManager::*)(unsigned long long, bool),1,mozilla::RunnableKind::Standard,unsigned long long,bool>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201
    #17 0x7fff3691357a in MessageLoop::RunTask /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468
    #18 0x7fff369149e5 in MessageLoop::DeferOrRunPendingTask /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477
    #19 0x7fff36915fe0 in MessageLoop::DoWork /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552
    #20 0x7fff36917bc7 in base::MessagePumpDefault::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35
    #21 0x7fff369130f5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #22 0x7fff36923cef in base::Thread::ThreadMain /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191
    #23 0x7fff368ebdb6 in `anonymous namespace'::ThreadFunc /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_win.cc:19
    #24 0x7fff5ce803a8 in __asan::AsanThread::ThreadStart Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:262
    #25 0x7fff84187bd3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017bd3)
    #26 0x7fff76734a32 in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp:592
    #27 0x7fff84acce50 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006ce50)

0x133d233ec004 is located 2009092 bytes inside of 2097152-byte region [0x133d23201800,0x133d23401800)
freed by thread T4 here:
    #0 0x7fff5ce75564 in free Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82
    #1 0x7fff45a668b0 in DeleteTexture /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1820
    #2 0x7fff44386e01 in webrender::compositor::sw_compositor::{{impl}}::destroy_surface /builds/worker/checkouts/gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1147
    #3 0x7fff445d0a01 in webrender::renderer::Renderer::update_native_surfaces /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4495
    #4 0x7fff445c7712 in webrender::renderer::Renderer::render_impl /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2120
    #5 0x7fff44621b0f in webrender_bindings::bindings::wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637
    #6 0x7fff3895cc5f in mozilla::wr::RendererOGL::UpdateAndRender /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186
    #7 0x7fff3895a12c in mozilla::wr::RenderThread::UpdateAndRender /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486
    #8 0x7fff38958c23 in mozilla::wr::RenderThread::HandleFrameOneDoc /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341
    #9 0x7fff3852ac50 in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::layers::APZCTreeManager>,void (mozilla::layers::IAPZCTreeManager::*)(unsigned long long, bool),1,mozilla::RunnableKind::Standard,unsigned long long,bool>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201
    #10 0x7fff3691357a in MessageLoop::RunTask /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468
    #11 0x7fff369149e5 in MessageLoop::DeferOrRunPendingTask /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477
    #12 0x7fff36915fe0 in MessageLoop::DoWork /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552
    #13 0x7fff36917bc7 in base::MessagePumpDefault::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35
    #14 0x7fff369130f5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #15 0x7fff36923cef in base::Thread::ThreadMain /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191
    #16 0x7fff368ebdb6 in `anonymous namespace'::ThreadFunc /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_win.cc:19
    #17 0x7fff5ce803a8 in __asan::AsanThread::ThreadStart Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:262
    #18 0x7fff84187bd3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017bd3)

previously allocated by thread T4 here:
    #0 0x7fff5ce7589b in realloc Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:135
    #1 0x7fff45aa2686 in Texture::allocate /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:492
    #2 0x7fff45a643df in set_tex_storage /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1678
    #3 0x7fff45a6cb1c in SetTextureBuffer /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2309
    #4 0x7fff44387b40 in webrender::compositor::sw_compositor::{{impl}}::bind /builds/worker/checkouts/gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1262
    #5 0x7fff445e7172 in webrender::renderer::Renderer::draw_frame /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4641
    #6 0x7fff445c8751 in webrender::renderer::Renderer::render_impl /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2159
    #7 0x7fff44621b0f in webrender_bindings::bindings::wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:637
    #8 0x7fff3895cc5f in mozilla::wr::RendererOGL::UpdateAndRender /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186
    #9 0x7fff3895a12c in mozilla::wr::RenderThread::UpdateAndRender /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486
    #10 0x7fff38958c23 in mozilla::wr::RenderThread::HandleFrameOneDoc /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341
    #11 0x7fff3852ac50 in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::layers::APZCTreeManager>,void (mozilla::layers::IAPZCTreeManager::*)(unsigned long long, bool),1,mozilla::RunnableKind::Standard,unsigned long long,bool>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201
    #12 0x7fff3691357a in MessageLoop::RunTask /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468
    #13 0x7fff369149e5 in MessageLoop::DeferOrRunPendingTask /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477
    #14 0x7fff36915fe0 in MessageLoop::DoWork /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552
    #15 0x7fff36917bc7 in base::MessagePumpDefault::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35
    #16 0x7fff369130f5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #17 0x7fff36923cef in base::Thread::ThreadMain /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191
    #18 0x7fff368ebdb6 in `anonymous namespace'::ThreadFunc /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_win.cc:19

Thread T4 created by T0 here:
    #0 0x7fff5ce814dc in __asan_wrap_CreateThread Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7fff368ebd4c in PlatformThread::Create /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_win.cc:57
    #2 0x7fff36923310 in base::Thread::StartWithOptions /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97
    #3 0x7fff38953520 in mozilla::wr::RenderThread::Start /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:92
    #4 0x7fff387fff22 in mozilla::gfx::GPUParent::RecvInit /builds/worker/checkouts/gecko/gfx/ipc/GPUParent.cpp:321
    #5 0x7fff36def735 in mozilla::gfx::PGPUParent::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PGPUParent.cpp:802
    #6 0x7fff369d12d2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2154
    #7 0x7fff369cd686 in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2078
    #8 0x7fff369cf5de in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1926
    #9 0x7fff369cfb98 in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1957
    #10 0x7fff3564fcfd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:470
    #11 0x7fff3560449e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:754
    #12 0x7fff3560071e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:609
    #13 0x7fff35600c30 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:393
    #14 0x7fff35659f81 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:136:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534
    #15 0x7fff3562af61 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159
    #16 0x7fff3563b30c in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548
    #17 0x7fff369d945b in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109
    #18 0x7fff369130f5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #19 0x7fff36912ec5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310
    #20 0x7fff3e905daa in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
    #21 0x7fff3eae9b0b in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:602
    #22 0x7fff429bc754 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906
    #23 0x7fff369130f5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #24 0x7fff36912ec5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310
    #25 0x7fff429bbbe9 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #26 0x7ff7bfc31edd in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309
    #27 0x7ff7bfc3148e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #28 0x7ff7bfd2c3d7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #29 0x7fff84187bd3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017bd3)
    #30 0x7fff84acce50 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006ce50)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:177 in blendTextureLinearFallback<1,glsl::sampler2D_impl *,NoColor,unsigned int>
Shadow bytes around the buggy address:
  0x0524be1fd7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd7c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd7e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd7f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0524be1fd800:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0524be1fd850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==10588==ABORTING

PoC attached.

Flags: sec-bounty?

Andrew McCreight [:mccr8]

Updated

•

4 years ago

Group: firefox-core-security → gfx-core-security

Component: Security → Graphics: WebRender

Product: Firefox → Core

Summary: Firefox - heap-use-after-free - blendTextureLinearFallback → heap-use-after-free - blendTextureLinearFallback

Andrew McCreight [:mccr8]

Comment 1

•

4 years ago

Please run a reducer on your test cases. It makes it easier to see if something is a dupe.

Also, if you include the actual build id, or the hg revision from about:buildconfig, it would also make it easier to triage. The link you gave is going to change frequently.

The stack looks like bug 1704319.

Keywords: csectype-uaf

Andrew McCreight [:mccr8]

Comment 2

•

4 years ago

Tyson, could you check if this is a dupe? Thanks.

Flags: needinfo?(twsmith)

rnmx123

Reporter

Comment 3

•

4 years ago

•

Edited

Hello,

more details from about:buildconfig:

Compiler
/builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang-cl -Xclang -std=gnu99 	11.0.1 	-fsanitize=address -fsanitize-blacklist=/builds/worker/checkouts/gecko/build/sanitizers/asan_blacklist_win.txt -fcrash-diagnostics-dir=/builds/worker/artifacts -fcrash-diagnostics-dir=/builds/worker/artifacts -fcrash-diagnostics-dir=/builds/worker/artifacts -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -Wno-unknown-pragmas -Wno-ignored-pragmas -Wno-deprecated-declarations -Wno-invalid-noreturn

Version: 11.0.1
Compiler flags:
 	-fsanitize=address -fsanitize-blacklist=/builds/worker/checkouts/gecko/build/sanitizers/asan_blacklist_win.txt -fcrash-diagnostics-dir=/builds/worker/artifacts -fcrash-diagnostics-dir=/builds/worker/artifacts -fcrash-diagnostics-dir=/builds/worker/artifacts -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -Wno-unknown-pragmas -Wno-ignored-pragmas -Wno-deprecated-declarations -Wno-invalid-noreturn

Compiler
/builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang-cl -Xclang -std=c++17

Version: 11.0.1
Compiler flags:
 	-Qunused-arguments -Qunused-arguments -fsanitize=address -fsanitize-blacklist=/builds/worker/checkouts/gecko/build/sanitizers/asan_blacklist_win.txt -fcrash-diagnostics-dir=/builds/worker/artifacts -fcrash-diagnostics-dir=/builds/worker/artifacts -fcrash-diagnostics-dir=/builds/worker/artifacts -TP -Zc:sizedDealloc- -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -Wno-inline-new-delete -Wno-invalid-offsetof -Wno-microsoft-enum-value -Wno-microsoft-include -Wno-unknown-pragmas -Wno-ignored-pragmas -Wno-deprecated-declarations -Wno-invalid-noreturn -Wno-inconsistent-missing-override -Wno-implicit-exception-spec-mismatch -Wno-microsoft-exception-spec -Wno-unused-local-typedef -Wno-ignored-attributes -Wno-used-but-marked-unused -D_SILENCE_TR1_NAMESPACE_DEPRECATION_WARNING -GR- -Z7 -O2 -gline-tables-only -Oy-


Compiler
/builds/worker/fetches/rustc/bin/rustc

Version: 1.51.0
Compiler flags:

Configure Options:
MOZ_AUTOMATION=1 --target=x86_64-pc-mingw32 MOZBUILD_STATE_PATH=/builds/worker/.mozbuild MOZ_COPY_PDBS=1 MOZ_FETCHES_DIR=/builds/worker/fetches '--enable-optimize=-O2 -gline-tables-only' CCACHE=sccache SCCACHE_VERBOSE_STATS=1 CC=clang-cl CXX=clang-cl WINDOWSSDKDIR=/builds/worker/checkouts/gecko/vs2017_15.8.4/SDK 'DIA_SDK_PATH=/builds/worker/checkouts/gecko/vs2017_15.8.4/DIA SDK' LINKER=lld-link --enable-address-sanitizer ENABLE_CLANG_PLUGIN=1 --disable-jemalloc --enable-js-shell --disable-profiling --enable-rust-simd MAKE=/usr/bin/make MAKENSISU=/builds/worker/fetches/nsis-3.01/makensis.exe UPX=/builds/worker/fetches/upx-3.95-win64/upx.exe --disable-crashreporter

Info from "About Nightly":
89.0a1 (2021-04-12) (64-bit)

Andrew McCreight [:mccr8]

Comment 4

•

4 years ago

The important part of about:buildconfig is the section under "Source" that looks like "Built from https://hg.mozilla.org/mozilla-central/rev/b0151367069f2cb974d08cf73dc412876c1a64e8" and not the rest of it.

rnmx123

Reporter

Comment 5

•

4 years ago

I don't have that information in there.

Tyson Smith [:tsmith]

Comment 6

•

4 years ago

rnmx123, thanks for the report.

This looks like an old build 89.0a1 (2021-04-12) (64-bit). Can you look for a file named application.ini (BuildID + SourceStamp) or firefox.fuzzmanagerconf (product_version) it will be in the same directory as the firefox binary and include the build/source info to be sure.
I can't reproduce the issue and we have fixed a few issues that look similar lately but that doesn't mean this was fixed. If you can reproduce with the latest build let us know.
If you can reproduce, a reduced test case would be very helpful. Grizzly reduce can help with that. In this case I'd be something like:

python3 -m grizzly.reduce <firefox-bin> <testcase>

To get the latest builds we use fuzzfetch, you might find this useful.
This looks like a Domato test case and by default they run longer than they need. To speed up reduction you might want to add a setTimeout(window.close, 5000) (or a smaller value if appropriate).

Flags: needinfo?(twsmith)

Tyson Smith [:tsmith]

Updated

•

4 years ago

Flags: needinfo?(rnmx123)

rnmx123

Reporter

Comment 7

•

4 years ago

Hello Tyson,

please see below content of application.ini:
[App]
Vendor=Mozilla
Name=Firefox
RemotingName=firefox
CodeName=Nightly
Version=89.0a1
BuildID=20210412092813
SourceStamp=3e349af4587afa30e2d2575a0a205c1354adf85d
ID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[Gecko]
MinVersion=89.0a1
MaxVersion=89.0a1

[XRE]
EnableProfileMigrator=1

Flags: needinfo?(rnmx123)

Daniel Veditz [:dveditz]

Comment 8

•

4 years ago

Thanks for your answers rnmx123. That's not the latest build. The bug Tyson was talking about that may have fixed this one would have been in a build from April 15 or later, and yours is from April 12. Can you reproduce it with a newer nightly or even beta 89?

Flags: needinfo?(rnmx123)

Updated

•

4 years ago

Severity: -- → S4

rnmx123

Reporter

Comment 9

•

4 years ago

Hello Daniel,

seems I cannot reproduce it on latest build.

Flags: needinfo?(rnmx123)

Tyson Smith [:tsmith]

Comment 10

•

4 years ago

Thanks for checking!

Status: UNCONFIRMED → RESOLVED

Closed: 4 years ago

Resolution: --- → DUPLICATE

rnmx123

Reporter

Comment 11

•

4 years ago

Thank you for handling this ;)

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Flags: sec-bounty? → sec-bounty-

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: gfx-core-security

David Lawrence [:dkl]

Updated

•

1 year ago

Keywords: reporter-external

Bugzilla

heap-use-after-free - blendTextureLinearFallback

Categories

(Core :: Graphics: WebRender, task)

Tracking

()

People

(Reporter: rnmx123, Unassigned)

References

Details

(Keywords: csectype-uaf, reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Comment 7

Comment 8

Updated

Comment 9

Comment 10

Comment 11

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type