AddressSanitizer: stack-buffer-underflow [@ rx::`anonymous namespace'::SortAttributesByLayout] with WRITE of size 4
Categories
(Core :: Graphics, defect, P1)
Tracking
()
People
(Reporter: decoder, Assigned: jgilbert)
References
(Regression)
Details
(4 keywords, Whiteboard: [fixed by bug 1779800][adv-esr102.6+])
Attachments
(3 files)
|
21.30 KB,
text/plain
|
Details | |
|
197 bytes,
text/plain
|
tjr
:
sec-approval+
|
Details |
|
201 bytes,
text/plain
|
Details |
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 102.0a1-20220507213841-https://hg.mozilla.org/mozilla-central/rev/1d8f6404d0b9dd80fb4e5d57c5fe6eeaf0ab5161.
For detailed crash information, see attachment.
Looks like we are hitting a left redzone, could it be that we are somehow reading before the array that we are accessing here? https://searchfox.org/mozilla-central/rev/1c391443f770eddc7cde9e52dba5ef50cc233c06/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/StateManager11.cpp#201
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 2•2 years ago
|
||
This looks like a bug in Angle.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Comment 3•2 years ago
|
||
Kelsey is going to take another look at this soon.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 4•2 years ago
|
||
We used to do this thing called "collapseToDrawArrays", which you can see where in X we call glDrawArrays instead of glDrawElements.
This was removed in non-sec correctness bug 1779800.
The nature of this crash stack makes it likely that this was fixed by the correctness fixes in bug 1779800, and that previously, we were demanding invalid (thus unsafe) behavior from ANGLE.
This seems like it would be very difficult to exploit.
Bug 1779800 landed in 106, which is about to go to release.
@dveditz:
We would only need to backport it to esr102 to be covered, I think.
Should we do that in this bug?
|
|
Assignee | |
Comment 5•2 years ago
|
||
I am asking in bug 1779800 for uplift to esr102, under plausible/nearly-reasonable correctness concern reasons.
|
|
Assignee | |
Comment 6•2 years ago
|
||
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Hard.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No bullseye, and we're asking for plausible uplift of a public correctness bug.
Which older supported branches are affected by this flaw?
Esr102
If not all supported branches, which bug introduced the flaw?
Bug 1476327.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No, shouldn't be too hard.
How likely is this patch to cause regressions; how much testing does it need?
We have a lot of tests, and this will cause more of them to pass.
|
||
Comment 7•2 years ago
|
||
Comment on attachment 9299969 [details]
fix plan
sec-approved
|
|
||
Comment 8•2 years ago
|
||
Note that we weren't able to uplift bug 1779800 to ESR102 in time for the 102.5esr release because we're waiting on a rebased patch. Targeting 102.6esr now.
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 9•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Description
•