Closed Bug 1750817 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ EntryCount] with READ of size 4

Categories

(Core :: Graphics: WebGPU, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
98 Branch
Tracking Status
thunderbird_esr91 --- unaffected
firefox-esr91 --- unaffected
firefox96 --- disabled
firefox97 --- disabled
firefox98 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-uaf, sec-high, testcase, Whiteboard: [bugmon:bisected,confirmed][sec-survey])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev fd384d84f3d0 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build fd384d84f3d0 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
AddressSanitizer: heap-use-after-free [@ EntryCount] with READ of size 4

    =================================================================
    ==2443689==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100015050c at pc 0x7f167b13421b bp 0x7ffd0b4e20f0 sp 0x7ffd0b4e20e8
    READ of size 4 at 0x61100015050c thread T0 (Isolated Web Co)
        #0 0x7f167b13421a in EntryCount /builds/worker/workspace/obj-build/dist/include/PLDHashTable.h:434:40
        #1 0x7f167b13421a in Count /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:274:42
        #2 0x7f167b13421a in EnsureInserted /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:333:21
        #3 0x7f167b13421a in EnsureInserted /builds/worker/workspace/obj-build/dist/include/nsTHashSet.h:105:56
        #4 0x7f167b13421a in mozilla::webgpu::Device::CheckNewWarning(nsTSubstring<char> const&) /dom/webgpu/Device.cpp:276:25
        #5 0x7f167b15dbb1 in mozilla::webgpu::WebGPUChild::RecvDeviceUncapturedError(unsigned long, nsTSubstring<char> const&) /dom/webgpu/ipc/WebGPUChild.cpp:888:17
        #6 0x7f16773154e2 in mozilla::webgpu::PWebGPUChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUChild.cpp:1350:55
        #7 0x7f1676a86c9c in mozilla::layers::PCompositorManagerChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:407:32
        #8 0x7f16768590b9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2039:25
        #9 0x7f1676855fa8 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1964:9
        #10 0x7f16768577d0 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1823:3
        #11 0x7f16768581e7 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1851:14
        #12 0x7f167535a072 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
        #13 0x7f167531f96d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
        #14 0x7f167531cec8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:607:15
        #15 0x7f167531d5d9 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
        #16 0x7f16753624a4 in operator() /xpcom/threads/TaskController.cpp:127:37
        #17 0x7f16753624a4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:531:5
        #18 0x7f167533fc67 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1195:16
        #19 0x7f167534ae4c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #20 0x7f1676861a44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #21 0x7f16766e1771 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #22 0x7f16766e1771 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #23 0x7f16766e1771 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #24 0x7f167d6294d7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #25 0x7f168235787f in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #26 0x7f16766e1771 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #27 0x7f16766e1771 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #28 0x7f16766e1771 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #29 0x7f1682356ab3 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:707:34
        #30 0x55ec63028f9d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #31 0x55ec630293c8 in main /browser/app/nsBrowserApp.cpp:327:18
        #32 0x7f16999bc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #33 0x55ec62f78069 in _start (/home/jkratzer/builds/mc-asan/firefox+0x5d069)
    
    0x61100015050c is located 204 bytes inside of 224-byte region [0x611000150440,0x611000150520)
    freed by thread T0 (Isolated Web Co) here:
        #0 0x55ec62ff43d2 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
        #1 0x7f167517bf55 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /xpcom/base/nsCycleCollector.cpp:2444:9
        #2 0x7f1675158a5d in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /xpcom/base/nsCycleCollector.cpp:954:27
        #3 0x7f1675159312 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /xpcom/base/nsCycleCollector.cpp:2612:14
        #4 0x7f167777753b in AsyncFreeSnowWhite::Run() /js/xpconnect/src/XPCJSRuntime.cpp:149:9
        #5 0x7f1675358b39 in IdleRunnableWrapper::Run() /xpcom/threads/nsThreadUtils.cpp:311:22
        #6 0x7f167535a072 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
        #7 0x7f167531f96d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
        #8 0x7f167531d1e5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:649:15
        #9 0x7f167531d5d9 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
        #10 0x7f1675362471 in operator() /xpcom/threads/TaskController.cpp:124:37
        #11 0x7f1675362471 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:531:5
        #12 0x7f167533fc67 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1195:16
        #13 0x7f167534ae4c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #14 0x7f1676861a4f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #15 0x7f16766e1771 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #16 0x7f16766e1771 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #17 0x7f16766e1771 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #18 0x7f167d6294d7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #19 0x7f168235787f in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #20 0x7f16766e1771 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #21 0x7f16766e1771 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #22 0x7f16766e1771 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #23 0x7f1682356ab3 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:707:34
        #24 0x55ec63028f9d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #25 0x55ec630293c8 in main /browser/app/nsBrowserApp.cpp:327:18
        #26 0x7f16999bc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 (Isolated Web Co) here:
        #0 0x55ec62ff463d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
        #1 0x55ec6302f2cd in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7f167b1233f9 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7f167b1233f9 in mozilla::webgpu::Adapter::RequestDevice(mozilla::dom::GPUDeviceDescriptor const&, mozilla::ErrorResult&) /dom/webgpu/Adapter.cpp:92:9
        #4 0x7f167a16e948 in requestDevice /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:10625:60
        #5 0x7f167a16e948 in mozilla::dom::GPUAdapter_Binding::requestDevice_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:10641:13
        #6 0x7f167aa272ba in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #7 0x3cff8b1ad241  (<unknown module>)
        #8 0x6210003c291f  (<unknown module>)
        #9 0x3cff8b17d56e  (<unknown module>)
        #10 0x7f1683514f46 in EnterBaseline /js/src/jit/BaselineJIT.cpp:143:5
        #11 0x7f1683514f46 in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /js/src/jit/BaselineJIT.cpp:212:26
        #12 0x7f168262f35e in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2188:17
        #13 0x7f168260aec1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #14 0x7f1682639d2f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
        #15 0x7f168263be7b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #16 0x7f1682bd5f47 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1539:10
        #17 0x7f1682883f99 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:152:8
        #18 0x7f1682a3478a in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:1949:12
        #19 0x7f1682a3478a in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2012:12
        #20 0x7f1682639bf4 in CallJSNative /js/src/vm/Interpreter.cpp:425:13
        #21 0x7f1682639bf4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:512:12
        #22 0x7f168263be7b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #23 0x7f16828bae4d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #24 0x7f167980f3ec in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
        #25 0x7f167511cac7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:89:12
        #26 0x7f167511cac7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:102:12
        #27 0x7f167511cac7 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #28 0x7f16750fb937 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:674:17
        #29 0x7f16750fc91f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #30 0x7f1677731fb6 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1478:28
        #31 0x7f16753401b8 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1232:24
        #32 0x7f167534ae4c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #33 0x7f1676861a4f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #34 0x7f16766e1771 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #35 0x7f16766e1771 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #36 0x7f16766e1771 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #37 0x7f167d6294d7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #38 0x7f168235787f in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/PLDHashTable.h:434:40 in EntryCount
    Shadow bytes around the buggy address:
      0x0c2280022050: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280022060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2280022070: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
      0x0c2280022080: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c2280022090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c22800220a0: fd[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c22800220b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c22800220c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
      0x0c22800220d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c22800220e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c22800220f0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==2443689==ABORTING
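Added example, not code from this bug or from Mozilla's tooling: a Python triage parser for ASan heap-use-after-free reports in the format above. It extracts the access, the freed-region geometry and the first product-source frame of each of the three stacks (use, free, allocation), and cross-checks that the faulting address really sits at the reported offset. The sample input is a constructed abridgement of this bug's report, and treating `/builds/worker/` paths as non-product frames is an assumption.

```python
import re

# Constructed, abridged copy of this bug's report (original frame numbers kept).
SAMPLE_REPORT = """\
==2443689==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100015050c at pc 0x7f167b13421b bp 0x7ffd0b4e20f0 sp 0x7ffd0b4e20e8
READ of size 4 at 0x61100015050c thread T0 (Isolated Web Co)
    #0 0x7f167b13421a in EntryCount /builds/worker/workspace/obj-build/dist/include/PLDHashTable.h:434:40
    #4 0x7f167b13421a in mozilla::webgpu::Device::CheckNewWarning(nsTSubstring<char> const&) /dom/webgpu/Device.cpp:276:25
    #5 0x7f167b15dbb1 in mozilla::webgpu::WebGPUChild::RecvDeviceUncapturedError(unsigned long, nsTSubstring<char> const&) /dom/webgpu/ipc/WebGPUChild.cpp:888:17
0x61100015050c is located 204 bytes inside of 224-byte region [0x611000150440,0x611000150520)
freed by thread T0 (Isolated Web Co) here:
    #0 0x55ec62ff43d2 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
    #1 0x7f167517bf55 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /xpcom/base/nsCycleCollector.cpp:2444:9
previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x55ec62ff463d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #3 0x7f167b1233f9 in mozilla::webgpu::Adapter::RequestDevice(mozilla::dom::GPUDeviceDescriptor const&, mozilla::ErrorResult&) /dom/webgpu/Adapter.cpp:92:9
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),")
# Symbolised frame: "#N 0xADDR in <function, may contain spaces> <path>:<line>:<col>"
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+):(\d+):\d+\s*$")

# Paths under this prefix are sanitizer runtime or build-generated headers, not
# product source a triager wants to blame (assumption based on this report).
GENERATED_PREFIXES = ("/builds/worker/",)

def parse_asan_report(text):
    """Return error kind, access, freed-region geometry and the three
    symbolised stacks (access, free, alloc) as lists of (func, file, line)."""
    rep = {"stacks": {"access": [], "free": [], "alloc": []}}
    current = None  # the stack that subsequent frame lines belong to
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep["error"], rep["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            current = rep["stacks"]["access"]
        elif line.startswith("freed by thread"):
            current = rep["stacks"]["free"]
        elif line.startswith("previously allocated by"):
            current = rep["stacks"]["alloc"]
        elif m := REGION_RE.search(line):
            rep["offset"], rep["region_size"] = int(m.group(1)), int(m.group(2))
            rep["region_start"] = int(m.group(3), 16)
            current = None
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append((m.group(1), m.group(2), int(m.group(3))))
    return rep

def first_in_tree(frames):
    """First frame in product source: the line a triager reads as 'where'."""
    return next((f for f in frames if not f[1].startswith(GENERATED_PREFIXES)), None)

def triage(rep):
    """Cross-check the report's geometry and name the use/free/alloc sites."""
    consistent = (rep["address"] - rep["region_start"] == rep["offset"]
                  and rep["offset"] + rep["size"] <= rep["region_size"])
    return {"consistent": consistent,
            **{k: first_in_tree(v) for k, v in rep["stacks"].items()}}
```

Run on the sample, `triage` names Device::CheckNewWarning as the use site, SnowWhiteKiller::Visit (the cycle collector) as the free site and Adapter::RequestDevice as the allocation, which is the use/free pairing a triager needs before reading the fix.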
Attached file Testcase
Assignee: nobody → dmalyshau
Severity: -- → S2

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220118215506-89aa2c8696b7.
The bug appears to have been introduced in the following build range:

Start: 60c6b98b954e8d31353f9934e4b7c1581fd07d37 (20210903164901)
End: ef5dc3e04e5f271eea0636ab3a495e95cc912f1d (20210903165630)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=60c6b98b954e8d31353f9934e4b7c1581fd07d37&tochange=ef5dc3e04e5f271eea0636ab3a495e95cc912f1d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

:kvark, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dmalyshau)

You can find a pernosco session for this bug here.

Group: core-security → gfx-core-security
Flags: needinfo?(dmalyshau)

Comment on attachment 9259967 [details]
Bug 1750817 - Fix WebGPU device cleanup r=jimb

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably very hard? Especially since WebGPU is not enabled by default.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should only be needed for Nightly.
  • How likely is this patch to cause regressions; how much testing does it need?: Possible but unlikely. Doesn't need manual testing.
Attachment #9259967 - Flags: sec-approval?

Andrew, should this issue be sec-high if WebGPU is not enabled by default?

Flags: needinfo?(continuation)

The rating system is about the severity of the flaw when it happens, not as much whether it is available. This makes sense most of the time, but for features like WebGPU that are disabled for long periods of time it is a bit awkward. It does feel like we should allow not needing sec-approval in this case, but I don't see anything about it in the guidelines. I'll ask about it.

Flags: needinfo?(continuation)

Comment on attachment 9259967 [details]
Bug 1750817 - Fix WebGPU device cleanup r=jimb

Yeah, as long as WebGPU is disabled by default, or enabled only on Nightly, sec-approval is not needed even if something is rated sec-high.

Attachment #9259967 - Flags: sec-approval?
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch

Bugmon Analysis
Bug marked as FIXED but still reproduces on mozilla-central 20220125100058-e960e654cbc9.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Flags: needinfo?(dmalyshau)
Regressions: 1752092

(In reply to Bugmon [:jkratzer for issues] from comment #11)

Bugmon Analysis
Bug marked as FIXED but still reproduces on mozilla-central 20220125100058-e960e654cbc9.

This appears to be a false positive. Bugmon uses a soft_rss_limit_mb of 10GB and the testcase is triggering allocations that exceed that limit.

Status: REOPENED → RESOLVED
Closed: 2 years ago → 2 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(dmalyshau)
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][sec-survey]
Flags: needinfo?(jimb)
Flags: needinfo?(dmalyshau)
Flags: needinfo?(jimb)
Group: core-security-release
Assignee: dmalyshau → nobody
Keywords: bugmon