Closed Bug 1772909 Opened 2 years ago Closed 2 years ago

heap-buffer-overflow in [@ wgpu_core::device::map_buffer]

Categories

(Core :: Graphics: WebGPU, defect)

defect

Tracking


VERIFIED FIXED
107 Branch
Tracking Status
firefox-esr102 --- disabled
firefox103 --- disabled
firefox104 --- disabled
firefox105 --- disabled
firefox106 --- disabled
firefox107 --- fixed

People

(Reporter: tsmith, Assigned: nical)

References

(Blocks 2 open bugs)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)

Found while fuzzing m-c 20220606-6951cd731119 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==23630==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f9e8f28e800 at pc 0x5581fd9b966c bp 0x7f9f4277fab0 sp 0x7f9f4277f280
WRITE of size 2147483616 at 0x7f9e8f28e800 thread T39 (Compositor)
    #0 0x5581fd9b966b in __asan_memset /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
    #1 0x7f9f79827c76 in core::intrinsics::write_bytes::h9c126d115220e965 /builds/worker/fetches/rust/library/core/src/intrinsics.rs:2288:9
    #2 0x7f9f79827c76 in wgpu_core::device::map_buffer::hcb4c2f3c2ea4863d /gecko/third_party/rust/wgpu-core/src/device/mod.rs:194:13
    #3 0x7f9f7985cd93 in wgpu_core::device::life::LifetimeTracker$LT$A$GT$::handle_mapping::h303d3c44bef2367b /gecko/third_party/rust/wgpu-core/src/device/life.rs:882:27
    #4 0x7f9f7985cd93 in wgpu_core::device::Device$LT$A$GT$::maintain::hb29a75792495066c /gecko/third_party/rust/wgpu-core/src/device/mod.rs:484:32
    #5 0x7f9f79a8ef3d in wgpu_core::device::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::poll_devices::h943cea9d0112fe6b /gecko/third_party/rust/wgpu-core/src/device/mod.rs:4997:42
    #6 0x7f9f79a8ef3d in wgpu_core::device::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::poll_all_devices::h5b16720b0b3b0a5e /gecko/third_party/rust/wgpu-core/src/device/mod.rs:5027:31
    #7 0x7f9f79a8ef3d in wgpu_server_poll_all_devices /gecko/gfx/wgpu_bindings/src/server.rs:111:5
    #8 0x7f9f6f42170d in DispatchToMethod<mozilla::webgpu::WebGPUParent, void (mozilla::webgpu::WebGPUParent::*)()> /gecko/ipc/chromium/src/base/tuple.h:381:3
    #9 0x7f9f6f42170d in base::BaseTimer<mozilla::webgpu::WebGPUParent, true>::TimerTask::Run() /gecko/ipc/chromium/src/base/timer.h:157:7
    #10 0x7f9f69afd97f in mozilla::DelayedRunnable::Notify(nsITimer*) /gecko/xpcom/threads/DelayedRunnable.cpp:92:20
    #11 0x7f9f69b821ee in match<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
    #12 0x7f9f69b821ee in nsTimerImpl::Fire(int) /gecko/xpcom/threads/nsTimerImpl.cpp:654:22
    #13 0x7f9f69b299ef in nsTimerEvent::Run() /gecko/xpcom/threads/TimerThread.cpp:263:11
    #14 0x7f9f69b3df9e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
    #15 0x7f9f69b47ba4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #16 0x7f9f6b2b8eab in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #17 0x7f9f6b137d01 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #18 0x7f9f6b137d01 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #19 0x7f9f6b137d01 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #20 0x7f9f69b3555e in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
    #21 0x7f9f908d8b7e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #22 0x7f9f91519608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #23 0x7f9f910e0132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x7f9e8f28e800 is located 0 bytes to the right of 2147483648-byte region [0x7f9e0f28e800,0x7f9e8f28e800)
allocated by thread T39 (Compositor) here:
    #0 0x5581fd9ba917 in __interceptor_posix_memalign /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f9f236ed5e7  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x3345e7) (BuildId: 1106af37206701c77fa5fccb2899f73413b732e0)

Thread T39 (Compositor) created by T0 here:
    #0 0x5581fd9a359c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f9f908c8c2c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f9f908b9fce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f9f69b38175 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:604:18
    #4 0x7f9f69b45448 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:534:12
    #5 0x7f9f69b518a9 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7f9f6c0fbe32 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
    #7 0x7f9f6c0fbe32 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gecko/gfx/layers/ipc/CompositorThread.cpp:66:17
    #8 0x7f9f6c0fc339 in CompositorThreadHolder /gecko/gfx/layers/ipc/CompositorThread.cpp:40:25
    #9 0x7f9f6c0fc339 in mozilla::layers::CompositorThreadHolder::Start() /gecko/gfx/layers/ipc/CompositorThread.cpp:109:33
    #10 0x7f9f6c3743cc in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:961:3
    #11 0x7f9f6c377e6e in GetPlatform /gecko/gfx/thebes/gfxPlatform.cpp:467:5
    #12 0x7f9f6c377e6e in gfxPlatform::InitializeCMS() /gecko/gfx/thebes/gfxPlatform.cpp:2094:9
    #13 0x7f9f72278fcc in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:982:7
    #14 0x7f9f72278fcc in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:526:5
    #15 0x7f9f72278546 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /gecko/widget/nsXPLookAndFeel.cpp:874:9
    #16 0x7f9f7227cae6 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /gecko/widget/nsXPLookAndFeel.cpp:1274:47
    #17 0x7f9f721e7f74 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:440:12
    #18 0x7f9f721e7f74 in ThemedAccentColor /gecko/widget/ThemeColors.cpp:88:37
    #19 0x7f9f721e7f74 in mozilla::widget::ThemeColors::RecomputeAccentColors() /gecko/widget/ThemeColors.cpp:197:20
    #20 0x7f9f721e7bad in mozilla::widget::Theme::LookAndFeelChanged() /gecko/widget/Theme.cpp:180:3
    #21 0x7f9f72276abe in nsXPLookAndFeel::GetInstance() /gecko/widget/nsXPLookAndFeel.cpp:358:3
    #22 0x7f9f7227d4d5 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /gecko/widget/nsXPLookAndFeel.cpp:1387:3
    #23 0x7f9f69993d6a in nsSystemInfo::Init() /gecko/xpcom/base/nsSystemInfo.cpp:1047:5
    #24 0x7f9f69aa5ded in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11965:7
    #25 0x7f9f69ae82ce in CreateInstance /gecko/xpcom/components/nsComponentManager.cpp:185:46
    #26 0x7f9f69ae82ce in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1283:17
    #27 0x7f9f69ae8d98 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1373:10
    #28 0x7f9f69abe46d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12189:50
    #29 0x7f9f6994a4d1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /gecko/xpcom/base/nsCOMPtr.cpp:109:7
    #30 0x7f9f6b5bb741 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
    #31 0x7f9f6b5bb741 in xpc::GetServiceImpl(JSContext*, mozilla::xpcom::JSServiceEntry const&, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /gecko/js/xpconnect/src/JSServices.cpp:83:32
    #32 0x7f9f6b5bb1c8 in xpc::GetService(JSContext*, mozilla::xpcom::JSServiceEntry const&, mozilla::ErrorResult&) /gecko/js/xpconnect/src/JSServices.cpp:130:8
    #33 0x7f9f6b5ba0f1 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /gecko/js/xpconnect/src/JSServices.cpp:153:25
    #34 0x7f9f778eecb6 in CallResolveOp /gecko/js/src/vm/NativeObject-inl.h:640:8
    #35 0x7f9f778eecb6 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /gecko/js/src/vm/NativeObject-inl.h:752:14
    #36 0x7f9f778eecb6 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2126:10
    #37 0x7f9f778eecb6 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2174:10
    #38 0x7f9f775ea030 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:120:10
    #39 0x7f9f775ea030 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/ObjectOperations-inl.h:127:10
    #40 0x7f9f79035e13 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4668:10
    #41 0x7f9f7901017d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2984:12
    #42 0x7f9f79002949 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:389:13
    #43 0x7f9f7902ebce in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:539:13
    #44 0x7f9f790306ae in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
    #45 0x7f9f790306ae in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:605:8
    #46 0x7f9f777033d4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:53:10
    #47 0x7f9f6b6019b5 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
    #48 0x7f9f69b91602 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #49 0x7f9f69b90352 in SharedStub xptcstubs_x86_64_linux.cpp
    #50 0x7f9f69ade9bd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:682:19
    #51 0x7f9f772a9ef9 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:936:11
    #52 0x7f9f77282aa0 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5476:18
    #53 0x7f9f7728536e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5927:8
    #54 0x7f9f772860db in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5991:21
    #55 0x5581fd9f8821 in do_main(int, char**, char**) /gecko/browser/app/nsBrowserApp.cpp:227:22
    #56 0x5581fd9f7b5e in main /gecko/browser/app/nsBrowserApp.cpp:406:16
    #57 0x7f9f90fe5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220606212503-3d6d967aa9f6.
The bug appears to have been introduced in the following build range:

Start: 11fde2629eacf0f130e7123e3c2984b4ac921bd9 (20210622113140)
End: e11836c2c03d8b50de930730d6c0e62c25db58e4 (20210622140333)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=11fde2629eacf0f130e7123e3c2984b4ac921bd9&tochange=e11836c2c03d8b50de930730d6c0e62c25db58e4

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Looking at the range in comment 1, bug 1717072 talks about clientInformation, and the test case contains clientInformation, so I'm guessing this is related. Kagami, could you take a look please? Thanks.

Flags: needinfo?(krosylight)
Regressed by: 1717072

That was way too simple to cause any bug. The stack is GPU related so I'd ping Emilio for https://bugzilla.mozilla.org/show_bug.cgi?id=1715783.

Flags: needinfo?(krosylight)
No longer regressed by: 1717072

Kagami's bug added clientInformation as an alias for navigator. Tyson is going to try changing the testcase to navigator and see if we can find an earlier range. He'll also grab a pernosco session.

Keywords: sec-high
Flags: needinfo?(twsmith)

I was able to reproduce the crash with a build from 2021-06-09 when I updated the test case self.clientInformation.gpu.requestAdapter -> self.navigator.gpu.requestAdapter.

This isn't really a regression. The original bisection was to a patch from last year, and it turns out even that wasn't old enough. Presumably this is just an ancient WebGPU issue that the fuzzers happened to turn up now for some reason.

Keywords: regression

I cannot get a Pernosco session because I am unable to get the issue to reproduce with rr.

Flags: needinfo?(twsmith)
See Also: → 1773396

(removing "see also" link - we thought the two test cases were the same, but they're not)

See Also: 1773396
Attached file New test case

This is the same test case except with a smaller buffer size. The previous one does not work anymore because of a recently added buffer size limit. I can still reproduce the issue locally with the new test case.

Attachment #9279937 - Attachment is obsolete: true

Some notes from today's debugging session:

crashing instruction:   vmovdqu %ymm0,0x60(%rdi)

rax            0x7fd3a7e97040      140547031920704
rbx            0x7fd473dff640      140550453851712
rcx            0x20                32
rdx            0x7fd3e7e96fc0      140548105662400
rsi            0x0                 0
rdi            0x7fd3e7e96fa0      140548105662368   <----------------
rbp            0x7fd473dfcaf0      0x7fd473dfcaf0
rsp            0x7fd473dfcac8      0x7fd473dfcac8
r8             0x7fd4411f2880      140549602355328
r9             0x1b5aa2000         7342792704
r10            0x1                 1
r11            0x246               582
r12            0x7fd473dff640      140550453851712
r13            0xb                 11
r14            0x7fd4db69fae0      140552190950112
r15            0x0                 0
rip            0x7fd4db6ba9ae      0x7fd4db6ba9ae <__memset_avx2_unaligned_erms+174>
eflags         0x293               [ CF AF SF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

test case buffer size 1073741824
mapping address  0x7fd3a7e97020   140547031920672
rdi              0x7fd3e7e96fa0   140548105662368

num_bytes = 1073741792
uninitialized_range = core::ops::range::Range<u64> {start: 32, end: 1073741824}

crashing at address rdi + 96 = 140548105662464
-> minus map address -> 1073741792 which is the requested mapped range size so we are writing right past our mapped range.

Also the bug stops reproducing when map offset is zero.
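The arithmetic in the notes above, worked through as an added illustrative model (not wgpu's code and not part of this bug's comments): a map call hands back a pointer that already points `offset` bytes into the buffer, while the uninitialized-byte tracker records ranges relative to the buffer start. The `Mapping`/`FillPlan` types and the buggy/fixed planners are assumptions of this model; the numbers (offset 32, size 1073741792, range 32..1073741824) are the ones from the comment.

```rust
use std::ops::Range;

/// The window of a buffer returned by a map call (buffer-relative offset and size).
#[derive(Clone, Copy)]
pub struct Mapping {
    pub offset: u64,
    pub size: u64,
}

/// A planned memset: start relative to the mapping pointer, its length, and how
/// many bytes of it would land past the end of the mapped window.
#[derive(Debug, PartialEq)]
pub struct FillPlan {
    pub start: u64,
    pub num_bytes: u64,
    pub overrun: u64,
}

fn plan(m: Mapping, uninit: Range<u64>, translate: bool) -> FillPlan {
    // The tracked range is in buffer coordinates; the pointer we write through
    // already sits `m.offset` bytes into the buffer, so the start must be
    // translated into mapping coordinates before it is used as a pointer offset.
    let start = if translate { uninit.start - m.offset } else { uninit.start };
    let num_bytes = uninit.end - uninit.start;
    let overrun = (start + num_bytes).saturating_sub(m.size);
    FillPlan { start, num_bytes, overrun }
}

/// Applies the buffer-relative start to the mapping pointer unchanged (the defect):
/// the write overshoots the window by exactly `offset` bytes.
pub fn plan_fill_buggy(m: Mapping, uninit: Range<u64>) -> FillPlan {
    plan(m, uninit, false)
}

/// Translates into mapping coordinates first, so the fill stays inside the window.
pub fn plan_fill_fixed(m: Mapping, uninit: Range<u64>) -> FillPlan {
    plan(m, uninit, true)
}

/// Apply a plan to an in-memory window, refusing any write that leaves it.
/// Returns the number of bytes that would have overrun on refusal.
pub fn apply(plan: &FillPlan, window: &mut [u8]) -> Result<(), u64> {
    let (s, e) = (plan.start as usize, (plan.start + plan.num_bytes) as usize);
    match window.get_mut(s..e) {
        Some(dst) => {
            dst.fill(0);
            Ok(())
        }
        None => Err(plan.overrun),
    }
}
```

With a zero map offset the two planners agree, which matches the observation that the crash stops reproducing in that case.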

Bah, I stared at the faulty code a silly amount of time before noticing where the bug is. Pretty obvious in hindsight. The fix is in https://github.com/gfx-rs/wgpu/pull/2916

Assignee: nobody → nical.bugzilla

Demoting this to sec-moderate, because WebGPU is not enabled by default in nightly. I expect us to fix this bug before that changes; if for some reason we do not, I'll raise its level back to sec-high.

Keywords: sec-high → sec-moderate
Depends on: 1784271

That's not how we track security bugs. Other people need to be able to check meta bugs and answer questions like "if we turn this on now, how many unfixed dependent bugs of what severity get exposed?" That doesn't work if the "highness" of a bug is only tracked in the memory of one or two people. The way we track the state you're describing is by setting the version-specific status fields to "disabled".

Okay - thanks. That way makes more sense.

(I verified that all the other bugs I'd changed from sec-high to sec-moderate as described in comment 12 have been changed back to sec-high.)

Fixed by bug 1791297 (based on comment 11).

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220922214429-4ce68ee50da2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Group: gfx-core-security → core-security-release
Depends on: 1791297
No longer depends on: 1784271
Target Milestone: --- → 107 Branch
Flags: qe-verify+

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:nical, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(nical.bugzilla)
Keywords: regression

Looks like the regression range is incorrect.

Flags: needinfo?(nical.bugzilla)
Group: core-security-release