Closed Bug 1706401 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-buffer-overflow in raw_fReadPixels -> renderer memcpy

Categories

(Core :: Graphics: CanvasWebGL, task)

task

Tracking

VERIFIED FIXED
90 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- wontfix
firefox89 + verified
firefox90 + verified

People

(Reporter: sourc7, Assigned: jgilbert)

References

(Regression)

Details

(Keywords: csectype-bounds, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form][sec-survey][adv-main89-])

Attachments

(5 files)

Attached file testcase.html

After visiting the testcase and immediately pressing Ctrl+D (bookmark page), the tab crashes with SUMMARY: AddressSanitizer: heap-buffer-overflow at memcpy or AddressSanitizer: access-violation on unknown address on Linux and Windows 10.

Interestingly, changing the canvas height or width changes the size of the memcpy write (e.g. 1112, 1200, 4000, 8008, 40004, 460800, and more).

It is still unknown to me whether it can only be triggered by bookmark thumbnails, or whether it can also be triggered by just visiting the page. Looking at the stack, it contains "raw_fReadPixels", which is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=791905#c7

Tested on:

  • Firefox Nightly 89.0a1 (2021-04-19) (64-bit) on Windows 10 with Intel i5-1035G1 (GPU: Intel(R) UHD Graphics)
  • Firefox Nightly 89.0a1 (2021-04-19) (64-bit) on Arch Linux with AMD Ryzen 5 Pro 4650G (GPU: AMD RENOIR)
  • Firefox Release 88.0 (64-bit) on Ubuntu Groovy Gorilla with AMD Ryzen 5 Pro 4650G (GPU: AMD RENOIR)

Steps to Reproduce:

  1. Open Firefox ASan
  2. Resize Firefox window to half (side-by-side with ASan console)
  3. Visit attached testcase.html
  4. Press Ctrl+D or click bookmark the page
  5. The tab crashes with heap-buffer-overflow or access-violation

(If the above steps don't crash the tab, try resizing the window, repeatedly pressing Ctrl+D, or modifying the testcase canvas height or width)

ASan Log:

Heap-buffer-overflow:

=================================================================
==163078==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdd09c10bbf at pc 0x5646fc394463 bp 0x7ffead671480 sp 0x7ffead670c40
WRITE of size 8008 at 0x7fdd09c10bbf thread T0 (file:// Content)
    #0 0x5646fc394462 in memcpy /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:808:5
    #1 0x7fdd2e645c82  (/usr/lib/dri/radeonsi_dri.so+0x2cfc82)
    #2 0x7fdd2e50aec0  (/usr/lib/dri/radeonsi_dri.so+0x194ec0)
    #3 0x7fdd2e6423e3  (/usr/lib/dri/radeonsi_dri.so+0x2cc3e3)
    #4 0x7fdd2e6428c1  (/usr/lib/dri/radeonsi_dri.so+0x2cc8c1)
    #5 0x7fddc5fedaa0 in mozilla::gl::GLContext::raw_fReadPixels(int, int, int, int, unsigned int, unsigned int, void*) /builds/worker/workspace/obj-build/dist/include/GLContext.h:1566:5
    #6 0x7fddc8aed572 in mozilla::WebGLContext::FrontBufferSnapshotInto(mozilla::Range<unsigned char>) /builds/worker/checkouts/gecko/dom/canvas/WebGLContext.cpp:1011:7
    #7 0x7fddc8a7ea1b in mozilla::HostWebGLContext::FrontBufferSnapshotInto(mozilla::Range<unsigned char>) const /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h:183:22
    #8 0x7fddc89d65e9 in operator() /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:883:25
    #9 0x7fddc89d65e9 in mozilla::ClientWebGLContext::GetFrontBufferSnapshot(bool) /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:866:19
    #10 0x7fddc60d89d1 in mozilla::layers::CanvasRenderer::BorrowSnapshot(bool) const /builds/worker/checkouts/gecko/gfx/layers/CanvasRenderer.cpp:64:19
    #11 0x7fddc637174c in mozilla::layers::BasicCanvasLayer::Paint(mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::layers::Layer*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicCanvasLayer.cpp:38:42
    #12 0x7fddc637ce17 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp:708:13
    #13 0x7fddc637b667 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp
    #14 0x7fddc637cb75 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp:728:7
    #15 0x7fddc637b667 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp
    #16 0x7fddc6378c8f in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp:614:5
    #17 0x7fddcbcb0ab1 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2546:19
    #18 0x7fddcb5c912a in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3489:45
    #19 0x7fddcb4d0e82 in mozilla::PresShell::RenderDocument(nsRect const&, mozilla::RenderDocumentFlags, unsigned int, gfxContext*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4618:3
    #20 0x7fddc66fe214 in mozilla::gfx::PaintFragment::Record(mozilla::dom::BrowsingContext*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags) /builds/worker/checkouts/gecko/gfx/ipc/CrossProcessPaint.cpp:136:26
    #21 0x7fddca80c8d3 in mozilla::dom::WindowGlobalChild::RecvDrawSnapshot(mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float const&, unsigned int const&, unsigned int const&, std::function<void (mozilla::gfx::PaintFragment&&)>&&) /builds/worker/checkouts/gecko/dom/ipc/WindowGlobalChild.cpp:447:12
    #22 0x7fddc570c217 in mozilla::dom::PWindowGlobalChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWindowGlobalChild.cpp:1058:61
    #23 0x7fddc52817fd in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8414:32
    #24 0x7fddc50d5009 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2154:25
    #25 0x7fddc50d2426 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2078:9
    #26 0x7fddc50d364e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1926:3
    #27 0x7fddc50d3dcb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1957:13
    #28 0x7fddc3fe0906 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
    #29 0x7fddc3facdc3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
    #30 0x7fddc3faa907 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #31 0x7fddc3faad5d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
    #32 0x7fddc3fe9ef4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #33 0x7fddc3fe9ef4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #34 0x7fddc3fc7d13 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #35 0x7fddc3fd2c3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #36 0x7fddc50daaaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #37 0x7fddc5005e71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #38 0x7fddc5005e71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #39 0x7fddc5005e71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #40 0x7fddcaf8cfa7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #41 0x7fddce7c7b8f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #42 0x7fddc5005e71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #43 0x7fddc5005e71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #44 0x7fddc5005e71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #45 0x7fddce7c741e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #46 0x5646fc42a07d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #47 0x5646fc42a4a1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #48 0x7fddde92eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #49 0x5646fc37da3c in _start (/tmp/m-c-20210420095122-asan-opt/firefox+0x55a3c)

0x7fdd09c10bbf is located 0 bytes to the right of 14828479-byte region [0x7fdd08dec800,0x7fdd09c10bbf)
allocated by thread T0 (file:// Content) here:
    #0 0x5646fc3f7a32 in calloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x7fddc5f6213c in Realloc /builds/worker/checkouts/gecko/gfx/2d/Tools.h:130:40
    #2 0x7fddc5f6213c in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /builds/worker/checkouts/gecko/gfx/2d/SourceSurfaceRawData.cpp:70:12
    #3 0x7fddc5da2725 in mozilla::gfx::Factory::CreateDataSourceSurfaceWithStride(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, int, bool) /builds/worker/checkouts/gecko/gfx/2d/Factory.cpp:1154:16
    #4 0x7fddc89d6493 in operator() /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:861:9
    #5 0x7fddc89d6493 in operator() /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:872:25
    #6 0x7fddc89d6493 in mozilla::ClientWebGLContext::GetFrontBufferSnapshot(bool) /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:866:19
    #7 0x7fddc60d89d1 in mozilla::layers::CanvasRenderer::BorrowSnapshot(bool) const /builds/worker/checkouts/gecko/gfx/layers/CanvasRenderer.cpp:64:19
    #8 0x7fddc637174c in mozilla::layers::BasicCanvasLayer::Paint(mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::layers::Layer*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicCanvasLayer.cpp:38:42
    #9 0x7fddc637ce17 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp:708:13
    #10 0x7fddc637b667 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp
    #11 0x7fddc637cb75 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp:728:7
    #12 0x7fddc637b667 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp
    #13 0x7fddc6378c8f in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/checkouts/gecko/gfx/layers/basic/BasicLayerManager.cpp:614:5
    #14 0x7fddcbcb0ab1 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2546:19
    #15 0x7fddcb5c912a in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3489:45
    #16 0x7fddcb4d0e82 in mozilla::PresShell::RenderDocument(nsRect const&, mozilla::RenderDocumentFlags, unsigned int, gfxContext*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4618:3
    #17 0x7fddc66fe214 in mozilla::gfx::PaintFragment::Record(mozilla::dom::BrowsingContext*, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float, unsigned int, mozilla::gfx::CrossProcessPaintFlags) /builds/worker/checkouts/gecko/gfx/ipc/CrossProcessPaint.cpp:136:26
    #18 0x7fddca80c8d3 in mozilla::dom::WindowGlobalChild::RecvDrawSnapshot(mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, float const&, unsigned int const&, unsigned int const&, std::function<void (mozilla::gfx::PaintFragment&&)>&&) /builds/worker/checkouts/gecko/dom/ipc/WindowGlobalChild.cpp:447:12
    #19 0x7fddc570c217 in mozilla::dom::PWindowGlobalChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWindowGlobalChild.cpp:1058:61
    #20 0x7fddc52817fd in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8414:32
    #21 0x7fddc50d5009 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2154:25
    #22 0x7fddc50d2426 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2078:9
    #23 0x7fddc50d364e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1926:3
    #24 0x7fddc50d3dcb in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1957:13
    #25 0x7fddc3fe0906 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
    #26 0x7fddc3facdc3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
    #27 0x7fddc3faa907 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #28 0x7fddc3faad5d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
    #29 0x7fddc3fe9ef4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #30 0x7fddc3fe9ef4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #31 0x7fddc3fc7d13 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #32 0x7fddc3fd2c3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #33 0x7fddc50daaaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:808:5 in memcpy
Shadow bytes around the buggy address:
  0x0ffc2137a120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc2137a130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc2137a140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc2137a150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc2137a160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffc2137a170: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
  0x0ffc2137a180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc2137a190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc2137a1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc2137a1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc2137a1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==163078==ABORTING

Access Violation:

=================================================================
==4652==ERROR: AddressSanitizer: access-violation on unknown address 0x134c45265000 (pc 0x7ff87f0f3c22 bp 0x00e3115fb5f0 sp 0x00e3115fb568 T2)
==4652==The signal is caused by a WRITE memory access.
    #0 0x7ff87f0f3c21  (C:\Windows\SYSTEM32\ntdll.dll+0x1800a3c21)
    #1 0x7ff8315a4f8f in __asan_memcpy Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_interceptors_memintrinsics.cpp:22
    #2 0x7ff81d919146 in rx::PackPixels(struct rx::PackPixelsParams const &, struct angle::Format const &, int, unsigned char const *, unsigned char *) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/renderer_utils.cpp:359
    #3 0x7ff81d7b8dfd in rx::Renderer11::readFromAttachment(class gl::Context const *, class gl::FramebufferAttachment const &, struct gl::Rectangle const &, unsigned int, unsigned int, unsigned int, struct gl::PixelPackState const &, unsigned char *) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp:3418
    #4 0x7ff81d75f2a7 in rx::Framebuffer11::readPixelsImpl(class gl::Context const *, struct gl::Rectangle const &, unsigned int, unsigned int, unsigned __int64, struct gl::PixelPackState const &, class gl::Buffer *, unsigned char *) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Framebuffer11.cpp:272
    #5 0x7ff81d652f9a in rx::FramebufferD3D::readPixels(class gl::Context const *, struct gl::Rectangle const &, unsigned int, unsigned int, struct gl::PixelPackState const &, class gl::Buffer *, void *) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/FramebufferD3D.cpp:232
    #6 0x7ff81d412ae8 in gl::Framebuffer::readPixels(class gl::Context const *, struct gl::Rectangle const &, unsigned int, unsigned int, struct gl::PixelPackState const &, class gl::Buffer *, void *) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Framebuffer.cpp:1505
    #7 0x7ff81d398049 in gl::Context::readPixels(int, int, int, int, unsigned int, unsigned int, void *) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp:4030
    #8 0x7ff81da6a1cb in gl::ReadPixels(int, int, int, int, unsigned int, unsigned int, void *) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_2_0_autogen.cpp:2485
    #9 0x7fffeccc997a in mozilla::gl::GLContext::fReadPixels(int, int, int, int, unsigned int, unsigned int, void *) /builds/worker/checkouts/gecko/gfx/gl/GLContext.cpp:2186
    #10 0x7ffff0849047 in mozilla::WebGLContext::FrontBufferSnapshotInto(class mozilla::Range<unsigned char>) /builds/worker/checkouts/gecko/dom/canvas/WebGLContext.cpp:1011
    #11 0x7ffff090a05d in mozilla::dom::WebGLParent::RecvGetFrontBufferSnapshot(struct mozilla::webgl::FrontBufferSnapshotIpc *) /builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp:88
    #12 0x7fffec03ee02 in mozilla::dom::PWebGLParent::OnMessageReceived(class IPC::Message const &, class IPC::Message *&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:351
    #13 0x7fffeb9b9b05 in mozilla::ipc::PBackgroundChild::OnMessageReceived(class IPC::Message const &, class IPC::Message *&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:574
    #14 0x7fffeb7f1406 in mozilla::ipc::MessageChannel::DispatchSyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &, class IPC::Message *&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2123
    #15 0x7fffeb7ee150 in mozilla::ipc::MessageChannel::DispatchMessage(class IPC::Message &&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074
    #16 0x7fffeb7f002e in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1926
    #17 0x7fffeb7f05e8 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1957
    #18 0x7fffea44a0cb in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1153
    #19 0x7fffea459e5c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548
    #20 0x7fffeb7faffe in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302
    #21 0x7fffeb733815 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #22 0x7fffeb7335e5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310
    #23 0x7fffea4429e0 in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:395
    #24 0x7ff8311dc93e in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #25 0x7ff8311b5c8b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #26 0x7ff87cb21bb1  (C:\Windows\System32\ucrtbase.dll+0x180021bb1)
    #27 0x7ff8315b03a8 in __asan::AsanThread::ThreadStart(unsigned __int64, struct __sanitizer::atomic_uintptr_t *) Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:262
    #28 0x7ff87d277033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #29 0x7ff8328d4a32 in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp:592
    #30 0x7ff87f0a2650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: access-violation (C:\Windows\SYSTEM32\ntdll.dll+0x1800a3c21) 
Thread T2 created by T0 here:
    #0 0x7ff8315b14dc in __asan_wrap_CreateThread Z:\task_1615408300\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ff87cb21896  (C:\Windows\System32\ucrtbase.dll+0x180021896)
    #2 0x7ff8311b5abd in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff8311dd79c in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff8311de103 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff8311d40bf in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7fffea44550c in nsThread::Init(class nsTSubstring<char> const &) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:613
    #7 0x7fffea45742c in nsThreadManager::NewNamedThread(class nsTSubstring<char> const &, unsigned int, class nsIThread **) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:573
    #8 0x7fffea462d3a in NS_NewNamedThread(class nsTSubstring<char> const &, class nsIThread **, struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:169
    #9 0x7fffed3a565d in mozilla::layers::CompositorThreadHolder::CreateCompositorThread(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorThread.cpp:55
    #10 0x7fffed3a5c46 in mozilla::layers::CompositorThreadHolder::Start(void) /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorThread.cpp:94
    #11 0x7fffed620e11 in mozilla::gfx::GPUParent::Init(unsigned long, char const *, class MessageLoop *, class mozilla::UniquePtr<class IPC::Channel, class mozilla::DefaultDelete<class IPC::Channel>>) /builds/worker/checkouts/gecko/gfx/ipc/GPUParent.cpp:183
    #12 0x7fffed6341c9 in mozilla::gfx::GPUProcessImpl::Init(int, char **const) /builds/worker/checkouts/gecko/gfx/ipc/GPUProcessImpl.cpp:76
    #13 0x7ffff77eb02a in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:704
    #14 0x7ff672581edd in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309
    #15 0x7ff67258148e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #16 0x7ff67267c3a7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #17 0x7ff87d277033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #18 0x7ff87f0a2650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

==4652==ABORTING
Flags: sec-bounty?
Summary: AddressSanitizer: heap-buffer-overflow in raw_fReadPixels at memcpy (triggered by bookmark thumbnails) → AddressSanitizer: heap-buffer-overflow in raw_fReadPixels -> renderer memcpy (triggered by bookmark thumbnails)
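The ASan report above shows the readback path (FrontBufferSnapshotInto -> raw_fReadPixels) writing 8008 bytes past the end of a 14828479-byte snapshot surface allocated through CreateDataSourceSurfaceWithStride: the destination buffer was shorter than what a readback of the canvas's dimensions produces. The C program below is an added illustration, not Gecko code and not the actual fix landed in bug 1655000, of the capacity check a readback path needs before handing a buffer to glReadPixels: derive the byte count from width, height, bytes per pixel and stride, and refuse the copy when the destination cannot hold it. The RGBA8 format, the 1926x1925 canvas, the stride and every function name are assumptions; the 14828479-byte region size is taken from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check, added as an illustration: not Gecko's code or fix. */
#define BYTES_PER_PIXEL_RGBA8 4u

/* Bytes a width x height RGBA8 readback writes when rows are `stride`
 * bytes apart. Returns false when the stride cannot hold one row.
 * Both factors are 32-bit, so the 64-bit product cannot overflow. */
static bool snapshot_bytes_needed(uint32_t width, uint32_t height,
                                  uint32_t stride, uint64_t *out) {
    uint64_t row_bytes = (uint64_t)width * BYTES_PER_PIXEL_RGBA8;
    if (row_bytes > stride) return false;
    *out = (uint64_t)stride * height;
    return true;
}

/* Stand-in for a FrontBufferSnapshotInto-style readback: fills `dest`
 * only after proving it can hold the whole image. Returns the number of
 * bytes written, or 0 when the request was rejected. A real path would
 * call glReadPixels here; memset stands in for it. */
static size_t safe_snapshot_into(uint8_t *dest, size_t dest_len,
                                 uint32_t width, uint32_t height,
                                 uint32_t stride) {
    uint64_t needed = 0;
    if (!snapshot_bytes_needed(width, height, stride, &needed)) return 0;
    /* The guard whose absence lets memcpy run off the end of the region. */
    if (needed > (uint64_t)dest_len) return 0;
    memset(dest, 0xAB, (size_t)needed);
    return (size_t)needed;
}

/* Constructed scenarios used by main() below. */
static size_t demo_exact_fit(void) {
    uint8_t buf[32];  /* 4x2 RGBA8 with stride 16 needs exactly 32 bytes */
    return safe_snapshot_into(buf, sizeof buf, 4, 2, 16);
}

static size_t demo_short_buffer(void) {
    uint8_t buf[32];  /* same image, but the caller only has 31 bytes */
    return safe_snapshot_into(buf, 31, 4, 2, 16);
}

static bool demo_stride_too_small(void) {
    uint64_t needed = 0;  /* a 4-pixel row is 16 bytes; stride 15 cannot hold it */
    return !snapshot_bytes_needed(4, 2, 15, &needed);
}

/* Constructed dimensions (1926x1925, stride 7704) whose readback needs
 * more than the 14828479-byte region in the report; returns the deficit. */
static uint64_t demo_reported_region_deficit(void) {
    const uint64_t region_bytes = 14828479;  /* size from the ASan report */
    uint64_t needed = 0;
    if (!snapshot_bytes_needed(1926, 1925, 7704, &needed)) return 0;
    return needed > region_bytes ? needed - region_bytes : 0;
}

int main(void) {
    printf("exact fit wrote %zu bytes\n", demo_exact_fit());
    printf("short buffer wrote %zu bytes (0 = rejected)\n", demo_short_buffer());
    printf("stride too small rejected: %s\n", demo_stride_too_small() ? "yes" : "no");
    printf("constructed canvas overruns the reported region by %llu bytes\n",
           (unsigned long long)demo_reported_region_deficit());
    return 0;
}
```

The point of the check is that the byte count is computed from the same parameters the readback will use, in 64-bit arithmetic, and compared against the destination's real length before any GL call; a snapshot buffer sized from stale or differently rounded canvas dimensions is exactly what turns a readback into the out-of-bounds memcpy ASan flags here.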

Mozregression shows it is a regression between the changesets in the pushlog https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5417fa966f71e4002613c3b282f63c7120966c7&tochange=978c7a6ddb55e53f9230112f5455a4970ee5d7b4:

12:15.73 INFO: Narrowed integration regression window from [ddeba39c, 978c7a6d] (3 builds) to [f5417fa9, 978c7a6d] (2 builds) (~1 steps left)
12:15.73 INFO: No more integration revisions, bisection finished.
12:15.73 INFO: Last good revision: f5417fa966f71e4002613c3b282f63c7120966c7
12:15.73 INFO: First bad revision: 978c7a6ddb55e53f9230112f5455a4970ee5d7b4
12:15.73 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5417fa966f71e4002613c3b282f63c7120966c7&tochange=978c7a6ddb55e53f9230112f5455a4970ee5d7b4

Unfortunately mozregression was unable to download builds between those pushlog changesets. After compiling Firefox on the master branch, I was only able to reproduce the issue after checking out the commit "Bug 1607940 - Stand up webgl.out-of-process:true path", so I can say it's likely a regression of Bug 1607940.

Group: firefox-core-security → gfx-core-security
Component: Security → Canvas: WebGL
Product: Firefox → Core

If it's just thumbnailing code this is likely sec-moderate, but I don't think that code does anything a malicious web page couldn't do with canvas on its own so let's start with sec-high.

Flags: needinfo?(jgilbert)
Keywords: sec-high
Regressed by: 1607940
Has Regression Range: --- → yes
Keywords: regression

This smells like bug 1655000.

Flags: needinfo?(jgilbert)
See Also: → 1655000
See Also: → 1706938

(In reply to Daniel Veditz [:dveditz] from comment #5)

> If it's just thumbnailing code this is likely sec-moderate, but I don't think that code does anything a malicious web page couldn't do with canvas on its own so let's start with sec-high.

Thanks Dan, I found that it can be triggered by simply visiting the page using CSS -moz-element.

Summary: AddressSanitizer: heap-buffer-overflow in raw_fReadPixels -> renderer memcpy (triggered by bookmark thumbnails) → AddressSanitizer: heap-buffer-overflow in raw_fReadPixels -> renderer memcpy

Bug 1655000 is now fixed, is this one still reproducible?

(In reply to Julien Cristau [:jcristau] from comment #8)

> Bug 1655000 is now fixed, is this one still reproducible?

After using mozregression --find-fix, I confirmed that bug 1655000 also fixes this issue:

[sourc7@ArchLinux ~]$ mozregression --find-fix --good=2021-05-18 --bad=2020-08-01
...
16:25.08 INFO: Narrowed integration fix window from [d879add7, 497a9e22] (3 builds) to [ee547d7f, 497a9e22] (2 builds) (~1 steps left)
16:25.08 INFO: No more integration revisions, bisection finished.
16:25.08 INFO: First good revision: 497a9e22d0cec902ec27fa6369740f326af0cbca
16:25.08 INFO: Last bad revision: ee547d7fb4ecdd0a9084ac80a7fbeb408e527946
16:25.08 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ee547d7fb4ecdd0a9084ac80a7fbeb408e527946&tochange=497a9e22d0cec902ec27fa6369740f326af0cbca
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Target Milestone: --- → 90 Branch
Assignee: nobody → jgilbert
Depends on: 1655000
See Also: 1655000

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jgilbert)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+

I was able to consistently reproduce the issue on Firefox 90.0a1 (2021-04-20) under macOS 11.3.1 by following the STR from Comment 0.

The issue is fixed on Firefox 90.0a1 (2021-05-23) and Firefox 89.0b15. Tests were performed on macOS 11.3.1, Windows 10 and Ubuntu 20.04.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey] → [reporter-external] [client-bounty-form][sec-survey][adv-main89+]
Whiteboard: [reporter-external] [client-bounty-form][sec-survey][adv-main89+] → [reporter-external] [client-bounty-form][sec-survey][adv-main89-]
Flags: sec-bounty? → sec-bounty+
Flags: needinfo?(jgilbert)
Group: core-security-release