Closed
Bug 1769739
Opened 2 years ago
Closed 2 years ago
AddressSanitizer: heap-use-after-free [@ std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::_Unlinknode] with WRITE of size 8
Categories
(Core :: Graphics: CanvasWebGL, defect, P1)
Tracking
()
RESOLVED
FIXED
103 Branch
People
(Reporter: jkratzer, Assigned: aosmond)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [adv-main103+r][adv-esr102.1+r])
Crash Data
Attachments
(2 files)
|
21.48 KB,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr102+
dveditz
:
sec-approval+
|
Details | Review |
Found while fuzzing mozilla-central rev 28b2e8958185 (built with: --enable-address-sanitizer --enable-fuzzing).
I don't currently have a reproducible testcase but the fuzzers have identified this bug a few times in the last week. I will update here if I manage to get a working testcase or pernosco session.
AddressSanitizer: heap-use-after-free [@ std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::_Unlinknode] with WRITE of size 8
=================================================================
==4408==ERROR: AddressSanitizer: heap-use-after-free on address 0x11e237252bc0 at pc 0x7ffac2638921 bp 0x00b82ef3d750 sp 0x00b82ef3d798
WRITE of size 8 at 0x11e237252bc0 thread T66
#0 0x7ffac2638920 in std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::_Unlinknode /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:1332
#1 0x7ffac2638920 in std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::erase /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:1350
#2 0x7ffac2638920 in mozilla::WebGLContext::LruPosition::reset /dom/canvas/WebGLContext.cpp:132
#3 0x7ffac2638920 in mozilla::WebGLContext::LruPosition::~LruPosition /dom/canvas/WebGLContext.h:267
#4 0x7ffac2638920 in mozilla::WebGLContext::~WebGLContext(void) /dom/canvas/WebGLContext.cpp:155
#5 0x7ffac2636d9f in mozilla::WebGLContext::`scalar deleting dtor'(unsigned int) /dom/canvas/WebGL2Context.h:24
#6 0x7ffac25506bc in mozilla::detail::RefCounted<mozilla::VRefCounted,mozilla::detail::NonAtomicRefCount>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefCounted.h:255
#7 0x7ffac25506bc in mozilla::RefPtrTraits<mozilla::WebGLContext>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50
#8 0x7ffac25506bc in RefPtr<mozilla::WebGLContext>::ConstRemovingRefPtrTraits<mozilla::WebGLContext>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381
#9 0x7ffac25506bc in RefPtr<mozilla::WebGLContext>::~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81
#10 0x7ffac25506bc in mozilla::HostWebGLContext::~HostWebGLContext(void) /dom/canvas/HostWebGLContext.cpp:74
#11 0x7ffac24726fc in mozilla::DefaultDelete<mozilla::HostWebGLContext>::operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:463
#12 0x7ffac24726fc in mozilla::UniquePtr<mozilla::HostWebGLContext,mozilla::DefaultDelete<mozilla::HostWebGLContext> >::reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:305
#13 0x7ffac24726fc in mozilla::UniquePtr<mozilla::HostWebGLContext,mozilla::DefaultDelete<mozilla::HostWebGLContext> >::~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:253
#14 0x7ffac24726fc in mozilla::webgl::NotLostData::~NotLostData(void) /dom/canvas/ClientWebGLContext.cpp:57
#15 0x7ffac253d1d6 in std::_Ref_count_base::_Decref /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/memory:848
#16 0x7ffac253d1d6 in std::_Ptr_base<mozilla::webgl::NotLostData>::_Decref /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/memory:1120
#17 0x7ffac253d1d6 in std::shared_ptr<mozilla::webgl::NotLostData>::~shared_ptr /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/memory:1403
#18 0x7ffac253d1d6 in mozilla::ImplCycleCollectionUnlink(class std::shared_ptr<struct mozilla::webgl::NotLostData> &) /dom/canvas/ClientWebGLContext.cpp:6581
#19 0x7ffac253f989 in mozilla::ClientWebGLContext::cycleCollection::Unlink(void *) /dom/canvas/ClientWebGLContext.cpp:6611
#20 0x7ffabc5e6a40 in nsCycleCollector::CollectWhite(void) /xpcom/base/nsCycleCollector.cpp:3074
#21 0x7ffabc5e9dfe in nsCycleCollector::Collect(enum mozilla::CCReason, enum ccIsManual, class js::SliceBudget &, class nsICycleCollectorListener *, bool) /xpcom/base/nsCycleCollector.cpp:3440
#22 0x7ffabc5e96d4 in nsCycleCollector::ShutdownCollect(void) /xpcom/base/nsCycleCollector.cpp:3351
#23 0x7ffabc5ee8f0 in nsCycleCollector::Shutdown /xpcom/base/nsCycleCollector.cpp:3649
#24 0x7ffabc5ee8f0 in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3962
#25 0x7ffac536d784 in mozilla::dom::workerinternals::`anonymous namespace'::WorkerThreadPrimaryRunnable::Run /dom/workers/RuntimeService.cpp:2073
#26 0x7ffabc820c65 in nsThread::ProcessNextEvent(bool, bool *) /xpcom/threads/nsThread.cpp:1174
#27 0x7ffabc82f27c in NS_ProcessNextEvent(class nsIThread *, bool) /xpcom/threads/nsThreadUtils.cpp:465
#28 0x7ffabde539ae in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /ipc/glue/MessagePump.cpp:300
#29 0x7ffabdd6b5a5 in MessageLoop::RunInternal /ipc/chromium/src/base/message_loop.cc:380
#30 0x7ffabdd6b5a5 in MessageLoop::RunHandler(void) /ipc/chromium/src/base/message_loop.cc:373
#31 0x7ffabdd6b375 in MessageLoop::Run(void) /ipc/chromium/src/base/message_loop.cc:355
#32 0x7ffabc816a9f in nsThread::ThreadFunc(void *) /xpcom/threads/nsThread.cpp:378
#33 0x7ffae932946d in _PR_NativeRunThread /nsprpub/pr/src/threads/combined/pruthr.c:399
#34 0x7ffae9301a3b in pr_root /nsprpub/pr/src/md/windows/w95thred.c:139
#35 0x7ffaf89bfb7f (C:\Windows\System32\ucrtbase.dll+0x18001fb7f)
#36 0x7ffaeb2b9d93 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
#37 0x7ffaf90384d3 (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
#38 0x7ffaefb98b2c in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
#39 0x7ffaefb98b2c in patched_BaseThreadInitThunk /toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:572
#40 0x7ffafbae1790 (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)
0x11e237252bc0 is located 0 bytes inside of 24-byte region [0x11e237252bc0,0x11e237252bd8)
freed by thread T65 here:
#0 0x7ffaeb2adeeb in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82
#1 0x7ffac263852b in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:73
#2 0x7ffac263852b in std::_Deallocate /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/xmemory0:207
#3 0x7ffac263852b in std::_Default_allocator_traits<std::allocator<std::_List_node<mozilla::WebGLContext *,void *> > >::deallocate /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/xmemory0:873
#4 0x7ffac263852b in std::_List_node<mozilla::WebGLContext *,void *>::_Freenode0 /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:374
#5 0x7ffac263852b in std::_List_buy<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::_Freenode /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:731
#6 0x7ffac263852b in std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::erase /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:1351
#7 0x7ffac263852b in mozilla::WebGLContext::LruPosition::reset /dom/canvas/WebGLContext.cpp:132
#8 0x7ffac263852b in mozilla::WebGLContext::LruPosition::~LruPosition /dom/canvas/WebGLContext.h:267
#9 0x7ffac263852b in mozilla::WebGLContext::~WebGLContext(void) /dom/canvas/WebGLContext.cpp:155
#10 0x7ffac2636d9f in mozilla::WebGLContext::`scalar deleting dtor'(unsigned int) /dom/canvas/WebGL2Context.h:24
#11 0x7ffac25506bc in mozilla::detail::RefCounted<mozilla::VRefCounted,mozilla::detail::NonAtomicRefCount>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefCounted.h:255
#12 0x7ffac25506bc in mozilla::RefPtrTraits<mozilla::WebGLContext>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50
#13 0x7ffac25506bc in RefPtr<mozilla::WebGLContext>::ConstRemovingRefPtrTraits<mozilla::WebGLContext>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381
#14 0x7ffac25506bc in RefPtr<mozilla::WebGLContext>::~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81
#15 0x7ffac25506bc in mozilla::HostWebGLContext::~HostWebGLContext(void) /dom/canvas/HostWebGLContext.cpp:74
#16 0x7ffac24726fc in mozilla::DefaultDelete<mozilla::HostWebGLContext>::operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:463
#17 0x7ffac24726fc in mozilla::UniquePtr<mozilla::HostWebGLContext,mozilla::DefaultDelete<mozilla::HostWebGLContext> >::reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:305
#18 0x7ffac24726fc in mozilla::UniquePtr<mozilla::HostWebGLContext,mozilla::DefaultDelete<mozilla::HostWebGLContext> >::~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:253
#19 0x7ffac24726fc in mozilla::webgl::NotLostData::~NotLostData(void) /dom/canvas/ClientWebGLContext.cpp:57
#20 0x7ffac253d1d6 in std::_Ref_count_base::_Decref /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/memory:848
#21 0x7ffac253d1d6 in std::_Ptr_base<mozilla::webgl::NotLostData>::_Decref /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/memory:1120
#22 0x7ffac253d1d6 in std::shared_ptr<mozilla::webgl::NotLostData>::~shared_ptr /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/memory:1403
#23 0x7ffac253d1d6 in mozilla::ImplCycleCollectionUnlink(class std::shared_ptr<struct mozilla::webgl::NotLostData> &) /dom/canvas/ClientWebGLContext.cpp:6581
#24 0x7ffac253f989 in mozilla::ClientWebGLContext::cycleCollection::Unlink(void *) /dom/canvas/ClientWebGLContext.cpp:6611
#25 0x7ffabc5e6a40 in nsCycleCollector::CollectWhite(void) /xpcom/base/nsCycleCollector.cpp:3074
#26 0x7ffabc5e9dfe in nsCycleCollector::Collect(enum mozilla::CCReason, enum ccIsManual, class js::SliceBudget &, class nsICycleCollectorListener *, bool) /xpcom/base/nsCycleCollector.cpp:3440
#27 0x7ffabc5e96d4 in nsCycleCollector::ShutdownCollect(void) /xpcom/base/nsCycleCollector.cpp:3351
#28 0x7ffabc5ee8f0 in nsCycleCollector::Shutdown /xpcom/base/nsCycleCollector.cpp:3649
#29 0x7ffabc5ee8f0 in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3962
#30 0x7ffac536d784 in mozilla::dom::workerinternals::`anonymous namespace'::WorkerThreadPrimaryRunnable::Run /dom/workers/RuntimeService.cpp:2073
#31 0x7ffabc820c65 in nsThread::ProcessNextEvent(bool, bool *) /xpcom/threads/nsThread.cpp:1174
#32 0x7ffabc82f27c in NS_ProcessNextEvent(class nsIThread *, bool) /xpcom/threads/nsThreadUtils.cpp:465
#33 0x7ffabde539ae in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /ipc/glue/MessagePump.cpp:300
#34 0x7ffabdd6b5a5 in MessageLoop::RunInternal /ipc/chromium/src/base/message_loop.cc:380
#35 0x7ffabdd6b5a5 in MessageLoop::RunHandler(void) /ipc/chromium/src/base/message_loop.cc:373
#36 0x7ffabdd6b375 in MessageLoop::Run(void) /ipc/chromium/src/base/message_loop.cc:355
#37 0x7ffabc816a9f in nsThread::ThreadFunc(void *) /xpcom/threads/nsThread.cpp:378
#38 0x7ffae932946d in _PR_NativeRunThread /nsprpub/pr/src/threads/combined/pruthr.c:399
#39 0x7ffae9301a3b in pr_root /nsprpub/pr/src/md/windows/w95thred.c:139
#40 0x7ffaf89bfb7f (C:\Windows\System32\ucrtbase.dll+0x18001fb7f)
#41 0x7ffaeb2b9d93 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
#42 0x7ffaf90384d3 (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
#43 0x7ffaefb98b2c in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
#44 0x7ffaefb98b2c in patched_BaseThreadInitThunk /toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:572
#45 0x7ffafbae1790 (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)
previously allocated by thread T65 here:
#0 0x7ffaeb2adffb in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
#1 0x7ffaefa815fd in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52
#2 0x7ffac2609efa in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33
#3 0x7ffac2609efa in std::_Default_allocate_traits::_Allocate /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/xmemory0:52
#4 0x7ffac2609efa in std::_Allocate /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/xmemory0:190
#5 0x7ffac2609efa in std::allocator<std::_List_node<mozilla::WebGLContext *,void *> >::allocate /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/xmemory0:997
#6 0x7ffac2609efa in std::_List_alloc<std::_List_base_types<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> > >::_Buynode0 /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:612
#7 0x7ffac2609efa in std::_List_buy<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::_Buynode /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:716
#8 0x7ffac2609efa in std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::_Insert /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:951
#9 0x7ffac2609efa in std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::emplace /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:942
#10 0x7ffac2609efa in std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::insert /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:911
#11 0x7ffac2609efa in mozilla::WebGLContext::LruPosition::LruPosition /dom/canvas/WebGLContext.cpp:126
#12 0x7ffac2609efa in mozilla::WebGLContext::BumpLru(void) /dom/canvas/WebGLContext.h:274
#13 0x7ffac26095f3 in mozilla::WebGLContext::LoseLruContextIfLimitExceeded(void) /dom/canvas/WebGLContext.cpp:688
#14 0x7ffac26080b3 in mozilla::WebGLContext::Create(class mozilla::HostWebGLContext &, struct mozilla::webgl::InitContextDesc const &, struct mozilla::webgl::InitContextResult *) /dom/canvas/WebGLContext.cpp:582
#15 0x7ffac2477474 in mozilla::HostWebGLContext::Create /dom/canvas/HostWebGLContext.cpp:59
#16 0x7ffac2477474 in mozilla::ClientWebGLContext::CreateHostContext::<lambda_3>::operator() /dom/canvas/ClientWebGLContext.cpp:716
#17 0x7ffac2477474 in mozilla::ClientWebGLContext::CreateHostContext(struct mozilla::avec2<unsigned int> const &) /dom/canvas/ClientWebGLContext.cpp:655
#18 0x7ffac2480713 in mozilla::ClientWebGLContext::SetDimensions(int, int) /dom/canvas/ClientWebGLContext.cpp:627
#19 0x7ffac24700b7 in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(struct JSContext *, class JS::Handle<class JS::Value>, class mozilla::ErrorResult &) /dom/canvas/CanvasRenderingContextHelper.cpp:260
#20 0x7ffac246fa88 in mozilla::dom::CanvasRenderingContextHelper::GetOrCreateContext(struct JSContext *, enum mozilla::dom::CanvasContextType, class JS::Handle<class JS::Value>, class mozilla::ErrorResult &) /dom/canvas/CanvasRenderingContextHelper.cpp:212
#21 0x7ffac2574621 in mozilla::dom::OffscreenCanvas::GetContext(struct JSContext *, enum mozilla::dom::OffscreenRenderingContextId const &, class JS::Handle<class JS::Value>, struct mozilla::dom::Nullable<class mozilla::dom::OwningOffscreenCanvasRenderingContext2DOrImageBitmapRenderingContextOrWebGLRenderingContextOrWebGL2RenderingContextOrGPUCanvasContext> &, class mozilla::ErrorResult &) /dom/canvas/OffscreenCanvas.cpp:137
#22 0x7ffac0848d99 in mozilla::dom::OffscreenCanvas_Binding::getContext /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:868
#23 0x7ffac22a5be6 in mozilla::dom::binding_detail::GenericMethod<struct mozilla::dom::binding_detail::NormalThisPolicy, struct mozilla::dom::binding_detail::ThrowExceptions>(struct JSContext *, unsigned int, class JS::Value *) /dom/bindings/BindingUtils.cpp:3271
#24 0x7ffacc7e3ac8 in CallJSNative /js/src/vm/Interpreter.cpp:421
#25 0x7ffacc7e3ac8 in js::InternalCallOrConstruct(struct JSContext *, class JS::CallArgs const &, enum js::MaybeConstruct, enum js::CallReason) /js/src/vm/Interpreter.cpp:507
#26 0x7ffacc7730d9 in js::jit::DoCallFallback(struct JSContext *, class js::jit::BaselineFrame *, class js::jit::ICFallbackStub *, unsigned int, class JS::Value *, class JS::MutableHandle<class JS::Value>) /js/src/jit/BaselineIC.cpp:1582
#27 0xb6d4652efe (<unknown module>)
Thread T66 created by T0 here:
#0 0x7ffaeb2baf32 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
#1 0x7ffaf89bfa76 (C:\Windows\System32\ucrtbase.dll+0x18001fa76)
#2 0x7ffae930186d in _PR_MD_CREATE_THREAD /nsprpub/pr/src/md/windows/w95thred.c:153
#3 0x7ffae932a22a in _PR_NativeCreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1058
#4 0x7ffae932a9c3 in _PR_CreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1184
#5 0x7ffae93208bf in PR_CreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1404
#6 0x7ffabc819cc1 in nsThread::Init(class nsTSubstring<char> const &) /xpcom/threads/nsThread.cpp:604
#7 0x7ffac53cc300 in mozilla::dom::WorkerThread::Create(class mozilla::dom::WorkerThreadFriendKey const &) /dom/workers/WorkerThread.cpp:102
#8 0x7ffac5338268 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(class mozilla::dom::WorkerPrivate &) /dom/workers/RuntimeService.cpp:1306
#9 0x7ffac5335df3 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(class mozilla::dom::WorkerPrivate &) /dom/workers/RuntimeService.cpp:1182
#10 0x7ffac53905ac in mozilla::dom::WorkerPrivate::Constructor(struct JSContext *, class nsTSubstring<char16_t> const &, bool, enum mozilla::dom::WorkerKind, class nsTSubstring<char16_t> const &, class nsTSubstring<char> const &, struct mozilla::dom::WorkerLoadInfo *, class mozilla::ErrorResult &, class nsTString<char16_t>) /dom/workers/WorkerPrivate.cpp:2529
#11 0x7ffac534ed88 in mozilla::dom::Worker::Constructor(class mozilla::dom::GlobalObject const &, class nsTSubstring<char16_t> const &, struct mozilla::dom::WorkerOptions const &, class mozilla::ErrorResult &) /dom/workers/Worker.cpp:43
#12 0x7ffac1795302 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1104
#13 0xb6d45f4062 (<unknown module>)
Thread T65 created by T0 here:
#0 0x7ffaeb2baf32 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
#1 0x7ffaf89bfa76 (C:\Windows\System32\ucrtbase.dll+0x18001fa76)
#2 0x7ffae930186d in _PR_MD_CREATE_THREAD /nsprpub/pr/src/md/windows/w95thred.c:153
#3 0x7ffae932a22a in _PR_NativeCreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1058
#4 0x7ffae932a9c3 in _PR_CreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1184
#5 0x7ffae93208bf in PR_CreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1404
#6 0x7ffabc819cc1 in nsThread::Init(class nsTSubstring<char> const &) /xpcom/threads/nsThread.cpp:604
#7 0x7ffac53cc300 in mozilla::dom::WorkerThread::Create(class mozilla::dom::WorkerThreadFriendKey const &) /dom/workers/WorkerThread.cpp:102
#8 0x7ffac5338268 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(class mozilla::dom::WorkerPrivate &) /dom/workers/RuntimeService.cpp:1306
#9 0x7ffac5335df3 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(class mozilla::dom::WorkerPrivate &) /dom/workers/RuntimeService.cpp:1182
#10 0x7ffac53905ac in mozilla::dom::WorkerPrivate::Constructor(struct JSContext *, class nsTSubstring<char16_t> const &, bool, enum mozilla::dom::WorkerKind, class nsTSubstring<char16_t> const &, class nsTSubstring<char> const &, struct mozilla::dom::WorkerLoadInfo *, class mozilla::ErrorResult &, class nsTString<char16_t>) /dom/workers/WorkerPrivate.cpp:2529
#11 0x7ffac534ed88 in mozilla::dom::Worker::Constructor(class mozilla::dom::GlobalObject const &, class nsTSubstring<char16_t> const &, struct mozilla::dom::WorkerOptions const &, class mozilla::ErrorResult &) /dom/workers/Worker.cpp:43
#12 0x7ffac1795302 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1104
#13 0xb6d45f4062 (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/fetches/vs/vc/tools/msvc/14.16.27023/include/list:1332 in std::list<mozilla::WebGLContext *,std::allocator<mozilla::WebGLContext *> >::_Unlinknode
Shadow bytes around the buggy address:
0x04187dd4a520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x04187dd4a530: fa fa fa fa fa fa fd fd fd fd fa fa fa fa fa fa
0x04187dd4a540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x04187dd4a550: fa fa fa fa fd fd fd fd fa fa fa fa fa fa fa fa
0x04187dd4a560: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fa
=>0x04187dd4a570: fa fa fa fa fa fa fa fa[fd]fd fd fa fa fa fa fa
0x04187dd4a580: fa fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
0x04187dd4a590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x04187dd4a5a0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fa fa
0x04187dd4a5b0: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
0x04187dd4a5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4408==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Updated•2 years ago
|
Group: core-security → gfx-core-security
|
|
||
Comment 2•2 years ago
•
|
||
From the stacks, it kind of looks like a linked list of WebGLContext::LruPosition are being mutated on multiple threads at once. The write is on thread T66 and the free and allocation are on thread T65. Both stacks involve shutdown cycle collections on DOM workers.
|
|
||
Comment 3•2 years ago
|
||
I guess specifically the linked list sWebglLru is the issue here.
|
||
Updated•2 years ago
|
Flags: needinfo?(aosmond)
|
Assignee | |
Comment 4•2 years ago
|
||
|
|
Assignee | |
Updated•2 years ago
|
Assignee: nobody → aosmond
Flags: needinfo?(aosmond)
|
|
||
Comment 5•2 years ago
|
||
[Tracking Requested - why for this release]: sec-high with a bunch of intermittent failures.
status-firefox102:
--- → affected
tracking-firefox102:
--- → ?
|
||
Updated•2 years ago
|
|
||
Comment 7•2 years ago
|
||
Copying crash signatures from duplicate bugs.
Crash Signature: [@ mozilla::WebGLContext::LoseLruContextIfLimitExceeded()]
|
|
||
Comment 8•2 years ago
|
||
The severity field is not set for this bug.
:jgilbert, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jgilbert)
|
|
||
Comment 9•2 years ago
|
||
I'm assuming this is a regression, because we're getting a ton of intermittent failures so we would have noticed it if it was happening before, but I'm not sure what this is a regression from.
status-firefox101:
--- → unaffected
status-firefox103:
--- → affected
status-firefox-esr91:
--- → unaffected
|
|
||
Updated•2 years ago
|
status-firefox-esr102:
--- → affected
|
|
Assignee | |
Comment 10•2 years ago
•
|
||
Comment on attachment 9277350 [details]
Bug 1769739.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not that easy. It requires WebGL to be run directly in the content process on a worker thread. This is only enabled on Zoom domains right now and the majority of users run WebGL in the compositor process. To run in the content process, the user needs to be on a platform config that disabled it.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: All besides ESR 91
- If not all supported branches, which bug introduced the flaw?: Bug 1751721
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Same patch should apply cleanly
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions. Most of the time there should be no contention on the new mutex. There are no functional changes besides refactoring to allow use of the mutex and clang annotations to make sure all uses are covered.
- Is Android affected?: Yes
Attachment #9277350 -
Flags: sec-approval?
|
|
Assignee | |
Updated•2 years ago
|
Severity: -- → S2
Flags: needinfo?(jgilbert)
Priority: -- → P1
|
|
Assignee | |
Comment 11•2 years ago
|
||
This affects 99+ in the wild. Earlier in CI.
|
||
Comment 12•2 years ago
|
||
We don't have to have this fix on Fx102 (which is good because we already have RC builds): unless someone has messed with hidden prefs--making themselves unsafe in other ways--this bug can not be exploited for the average Firefox user. YET! Currently only Zoom domains are allowed to use this feature, and it only affects Chromebooks and Android (in the default Firefox config)
We do need this fix in 103, and to uplift to 102.1: Some users and downstreams change prefs and don't do the same process separation as Firefox. ESR-102 is planned to keep this feature locked to Zoom (need some additional fixes to open it up safely, coming in 104+), but someone could find an XSS on zoom.us, either one that exists now or a mistake they make later.
The patch itself mentions none of those constraints. Even if someone takes the hints and looks for races they are unlikely to figure it out before we can ship 103 so it seems safe to land this fix on nightly now, let it ride to beta 103, and uplift to ESR 102.1.
|
|
||
Comment 13•2 years ago
|
||
Comment on attachment 9277350 [details]
Bug 1769739.
sec-approval+ = dveditz to land in nightly 103.
Attachment #9277350 -
Flags: sec-approval? → sec-approval+
|
||
Comment 14•2 years ago
|
||
r=jgilbert
https://hg.mozilla.org/integration/autoland/rev/375e18b67dbf25a9c3be0cf9fefc5e00f523bd6d
https://hg.mozilla.org/mozilla-central/rev/375e18b67dbf
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
|
|
||
Comment 15•2 years ago
|
||
The patch landed in nightly and beta is affected.
:aosmond, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox102towontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(aosmond)
|
||
Updated•2 years ago
|
Flags: needinfo?(aosmond)
|
|
||
Comment 16•2 years ago
|
||
Please nominate this for ESR102 approval when you get a chance.
Flags: needinfo?(aosmond)
|
|
Assignee | |
Comment 17•2 years ago
|
||
Comment on attachment 9277350 [details]
Bug 1769739.
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: User may experience crashes.
- Fix Landed on Version: 103
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just adds a mutex to protect certain data structures.
Flags: needinfo?(aosmond)
Attachment #9277350 -
Flags: approval-mozilla-esr102?
|
|
||
Comment 18•2 years ago
|
||
Comment on attachment 9277350 [details]
Bug 1769739.
Approved for 102.1esr.
Attachment #9277350 -
Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
|
|
||
Comment 19•2 years ago
|
||
| uplift | ||
|
|
||
Comment 21•2 years ago
|
||
Copying crash signatures from duplicate bugs.
Crash Signature: [@ mozilla::WebGLContext::LoseLruContextIfLimitExceeded()] → [@ mozilla::WebGLContext::LoseLruContextIfLimitExceeded()]
[@ mozilla::WebGLContext::LruPosition::reset]
|
||
Updated•2 years ago
|
Crash Signature: [@ mozilla::WebGLContext::LoseLruContextIfLimitExceeded()]
[@ mozilla::WebGLContext::LruPosition::reset] → [@ mozilla::WebGLContext::LoseLruContextIfLimitExceeded()]
[@ mozilla::WebGLContext::LruPosition::reset]
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
||
Updated•2 years ago
|
Whiteboard: [adv-main103+r]
|
|
||
Updated•2 years ago
|
Whiteboard: [adv-main103+r] → [adv-main103+r][adv-main102.1+r]
|
|
||
Updated•2 years ago
|
Whiteboard: [adv-main103+r][adv-main102.1+r] → [adv-main103+r][adv-esr102.1+r]
|
|
||
Updated•1 year ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•