Closed Bug 1789449 Opened 3 years ago Closed 3 years ago

AddressSanitizer: global-buffer-overflow [@ blendTextureNearestFast<1,glsl::sampler2D_impl *,NoColor,unsigned int>] with READ of size 4

Categories

(Core :: Graphics: WebRender, defect)

x86_64
Windows
defect

Tracking


RESOLVED FIXED
111 Branch
Tracking Status
firefox-esr102 110+ fixed
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 + fixed
firefox111 + fixed

People

(Reporter: jkratzer, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-bounds, sec-moderate, testcase, Whiteboard: [adv-main110+r][adv-esr102.8+r])

Attachments

(2 files)

Found while fuzzing mozilla-central rev 087477ea609d (built with: --enable-address-sanitizer --enable-fuzzing).

I don't currently have a working testcase but will update this bug if one becomes available.

AddressSanitizer: global-buffer-overflow [@ blendTextureNearestFast<1,glsl::sampler2D_impl *,NoColor,unsigned int>] with READ of size 4

    =================================================================
    ==960==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff912782080 at pc 0x7ff90f0ce7cb bp 0x00a235e1a8d0 sp 0x00a235e1a918
    READ of size 4 at 0x7ff912782080 thread T36
        #0 0x7ff90f0ce7ca in blendTextureNearestFast<1,glsl::sampler2D_impl *,NoColor,unsigned int> /gfx/wr/swgl/src/swgl_ext.h:532
        #1 0x7ff90f0ababa in brush_image_ALPHA_PASS_TEXTURE_2D_frag::swgl_drawSpanRGBA8(void) /builds/worker/workspace/obj-build/x86_64-pc-windows-msvc/release/build/swgl-5da913d53e4bf52d/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:885
        #2 0x7ff90f0a2bac in brush_image_ALPHA_PASS_TEXTURE_2D_frag::draw_span_RGBA8(struct glsl::FragmentShaderImpl *) /builds/worker/workspace/obj-build/x86_64-pc-windows-msvc/release/build/swgl-5da913d53e4bf52d/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:933
        #3 0x7ff90f395522 in glsl::FragmentShaderImpl::draw_span /gfx/wr/swgl/src/program.h:168
        #4 0x7ff90f395522 in draw_depth_span /gfx/wr/swgl/src/rasterize.h:629
        #5 0x7ff90f395522 in draw_quad_spans<unsigned int> /gfx/wr/swgl/src/rasterize.h:1023
        #6 0x7ff90efc871c in draw_quad /gfx/wr/swgl/src/rasterize.h:1621
        #7 0x7ff90efc524c in draw_elements /gfx/wr/swgl/src/rasterize.h:1652
        #8 0x7ff90efc524c in DrawElementsInstanced /gfx/wr/swgl/src/gl.cc:2744
        #9 0x7ff90d85c994 in swgl::swgl_fns::impl$3::draw_elements_instanced /gfx/wr/swgl/src/swgl_fns.rs:1551
        #10 0x7ff90db165b7 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16 /gfx/wr/webrender/src/device/gl.rs:3623
        #11 0x7ff90db165b7 in webrender::renderer::Renderer::draw_instanced_batch<webrender::gpu_types::PrimitiveInstanceData> /gfx/wr/webrender/src/renderer/mod.rs:1974
        #12 0x7ff90db116ba in webrender::renderer::Renderer::draw_alpha_batch_container /gfx/wr/webrender/src/renderer/mod.rs:2626
        #13 0x7ff90db04e0c in webrender::renderer::Renderer::draw_picture_cache_target /gfx/wr/webrender/src/renderer/mod.rs:2431
        #14 0x7ff90db04e0c in webrender::renderer::Renderer::draw_frame /gfx/wr/webrender/src/renderer/mod.rs:4357
        #15 0x7ff90daeea25 in webrender::renderer::Renderer::render_impl /gfx/wr/webrender/src/renderer/mod.rs:1473
        #16 0x7ff90db361d8 in webrender::renderer::Renderer::render /gfx/wr/webrender/src/renderer/mod.rs:1202
        #17 0x7ff90db361d8 in wr_renderer_render /gfx/webrender_bindings/src/bindings.rs:620
        #18 0x7ff9005d967c in mozilla::wr::RendererOGL::UpdateAndRender(class mozilla::Maybe<struct mozilla::gfx::IntSizeTyped<struct mozilla::gfx::UnknownUnits>> const &, class mozilla::Maybe<enum mozilla::wr::ImageFormat> const &, class mozilla::Maybe<class mozilla::Range<unsigned char>> const &, bool *, struct mozilla::wr::RendererStats *) /gfx/webrender_bindings/RendererOGL.cpp:187
        #19 0x7ff9005d6bf0 in mozilla::wr::RenderThread::UpdateAndRender(struct mozilla::wr::WrWindowId, struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType> const &, class mozilla::TimeStamp const &, bool, class mozilla::Maybe<struct mozilla::gfx::IntSizeTyped<struct mozilla::gfx::UnknownUnits>> const &, class mozilla::Maybe<enum mozilla::wr::ImageFormat> const &, class mozilla::Maybe<class mozilla::Range<unsigned char>> const &, bool *) /gfx/webrender_bindings/RenderThread.cpp:565
        #20 0x7ff9005d5460 in mozilla::wr::RenderThread::HandleFrameOneDoc(struct mozilla::wr::WrWindowId, bool) /gfx/webrender_bindings/RenderThread.cpp:411
        #21 0x7ff90001ea50 in mozilla::detail::RunnableMethodArguments<unsigned long long,bool>::applyImpl /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147
        #22 0x7ff90001ea50 in mozilla::detail::RunnableMethodArguments<unsigned long long,bool>::apply /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153
        #23 0x7ff90001ea50 in mozilla::detail::RunnableMethodImpl<class RefPtr<class mozilla::layers::APZCTreeManager>, void (__cdecl mozilla::layers::IAPZCTreeManager::*)(unsigned __int64, bool), 1, 0, unsigned __int64, bool>::Run(void) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200
        #24 0x7ff8fda55ae5 in nsThread::ProcessNextEvent(bool, bool *) /xpcom/threads/nsThread.cpp:1199
        #25 0x7ff8fda6419c in NS_ProcessNextEvent(class nsIThread *, bool) /xpcom/threads/nsThreadUtils.cpp:465
        #26 0x7ff8ff0b26fa in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /ipc/glue/MessagePump.cpp:330
        #27 0x7ff8fefcbba5 in MessageLoop::RunInternal /ipc/chromium/src/base/message_loop.cc:381
        #28 0x7ff8fefcbba5 in MessageLoop::RunHandler(void) /ipc/chromium/src/base/message_loop.cc:374
        #29 0x7ff8fefcb975 in MessageLoop::Run(void) /ipc/chromium/src/base/message_loop.cc:356
        #30 0x7ff8fda4b49e in nsThread::ThreadFunc(void *) /xpcom/threads/nsThread.cpp:384
        #31 0x7ff92fdd96ad in _PR_NativeRunThread /nsprpub/pr/src/threads/combined/pruthr.c:399
        #32 0x7ff92fdb1a3b in pr_root /nsprpub/pr/src/md/windows/w95thred.c:139
        #33 0x7ff93bfefb7f  (C:\Windows\System32\ucrtbase.dll+0x18001fb7f)
        #34 0x7ff933dd9dc3 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
        #35 0x7ff93e3e84d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
        #36 0x7ff933c7bfac in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
        #37 0x7ff933c7bfac in patched_BaseThreadInitThunk /toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:577
        #38 0x7ff93f761790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)
    
    0x7ff912782080 is located 32 bytes to the left of global variable '??_7brush_opacity_ALPHA_PASS_ANTIALIASING_program@@6B@' defined in 'src/gl.cc' (0x7ff9127820a0) of size 64
    0x7ff912782080 is located 7 bytes to the right of global variable '<string literal>' defined in '/builds/worker/workspace/obj-build/x86_64-pc-windows-msvc/release/build/swgl-5da913d53e4bf52d/out/brush_opacity_ALPHA_PASS.h:812:48' (0x7ff912782060) of size 25
      '<string literal>' is ascii string 'brush_opacity_ALPHA_PASS'
    SUMMARY: AddressSanitizer: global-buffer-overflow /gfx/wr/swgl/src/swgl_ext.h:532 in blendTextureNearestFast<1,glsl::sampler2D_impl *,NoColor,unsigned int>
    Shadow bytes around the buggy address:
      0x1287731703c0: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 00 00 00 00
      0x1287731703d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9
      0x1287731703e0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 07
      0x1287731703f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
      0x128773170400: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 01
    =>0x128773170410:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
      0x128773170420: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      0x128773170430: 00 00 00 00 f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9
      0x128773170440: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
      0x128773170450: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      0x128773170460: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    Thread T36 created by T0 here:
        #0 0x7ff933ddaf62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
        #1 0x7ff93bfefa76  (C:\Windows\System32\ucrtbase.dll+0x18001fa76)
        #2 0x7ff92fdb186d in _PR_MD_CREATE_THREAD /nsprpub/pr/src/md/windows/w95thred.c:153
        #3 0x7ff92fdda46a in _PR_NativeCreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1058
        #4 0x7ff92fddac03 in _PR_CreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1184
        #5 0x7ff92fdd0aff in PR_CreateThread /nsprpub/pr/src/threads/combined/pruthr.c:1404
        #6 0x7ff8fda4ea31 in nsThread::Init(class nsTSubstring<char> const &) /xpcom/threads/nsThread.cpp:618
        #7 0x7ff8fda61608 in nsThreadManager::NewNamedThread(class nsTSubstring<char> const &, unsigned int, class nsIThread **) /xpcom/threads/nsThreadManager.cpp:533
        #8 0x7ff8fda6e45c in NS_NewNamedThread(class nsTSubstring<char> const &, class nsIThread **, struct already_AddRefed<class nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:161
        #9 0x7ff9005ceafb in NS_NewNamedThread /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74
        #10 0x7ff9005ceafb in mozilla::wr::RenderThread::Start(unsigned int) /gfx/webrender_bindings/RenderThread.cpp:96
        #11 0x7ff90022c335 in gfxPlatform::InitLayersIPC(void) /gfx/thebes/gfxPlatform.cpp:1316
        #12 0x7ff900226c87 in gfxPlatform::Init(void) /gfx/thebes/gfxPlatform.cpp:974
        #13 0x7ff90022bd53 in gfxPlatform::GetPlatform /gfx/thebes/gfxPlatform.cpp:462
        #14 0x7ff90022bd53 in gfxPlatform::InitializeCMS(void) /gfx/thebes/gfxPlatform.cpp:2110
        #15 0x7ff90734a062 in gfxPlatform::EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:966
        #16 0x7ff90734a062 in gfxPlatform::GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:528
        #17 0x7ff90734a062 in nsXPLookAndFeel::GetUncachedColor(enum mozilla::StyleSystemColor, enum mozilla::ColorScheme, enum mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:962
        #18 0x7ff907349539 in nsXPLookAndFeel::GetColorValue(enum mozilla::StyleSystemColor, enum mozilla::ColorScheme, enum mozilla::LookAndFeel::UseStandins, unsigned int &) /widget/nsXPLookAndFeel.cpp:942
        #19 0x7ff90734da85 in mozilla::LookAndFeel::GetColor(enum mozilla::StyleSystemColor, enum mozilla::ColorScheme, enum mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1361
        #20 0x7ff907ad81b2 in mozilla::LookAndFeel::Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:444
        #21 0x7ff907ad81b2 in mozilla::PreferenceSheet::Prefs::LoadColors(bool) /layout/style/PreferenceSheet.cpp:129
        #22 0x7ff907ad93bc in mozilla::PreferenceSheet::Prefs::Load(bool) /layout/style/PreferenceSheet.cpp:193
        #23 0x7ff907ad9906 in mozilla::PreferenceSheet::Initialize(void) /layout/style/PreferenceSheet.cpp:234
        #24 0x7ff907aed208 in mozilla::PreferenceSheet::EnsureInitialized /builds/worker/workspace/obj-build/dist/include/mozilla/PreferenceSheet.h:75
        #25 0x7ff907aed208 in mozilla::ServoStyleSet::ServoStyleSet(class mozilla::dom::Document &) /layout/style/ServoStyleSet.cpp:120
        #26 0x7ff900c6fa18 in mozilla::MakeUnique /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
        #27 0x7ff900c6fa18 in mozilla::dom::Document::Init(void) /dom/base/Document.cpp:2763
        #28 0x7ff90475a014 in nsHTMLDocument::Init(void) /dom/html/nsHTMLDocument.cpp:143
        #29 0x7ff904759a50 in NS_NewHTMLDocument(class mozilla::dom::Document **, bool) /dom/html/nsHTMLDocument.cpp:109
        #30 0x7ff9087baeba in nsContentDLF::CreateBlankDocument(class nsILoadGroup *, class nsIPrincipal *, class nsIPrincipal *, class nsDocShell *) /layout/build/nsContentDLF.cpp:215
        #31 0x7ff90af70565 in nsDocShell::CreateAboutBlankContentViewer(class nsIPrincipal *, class nsIPrincipal *, class nsIContentSecurityPolicy *, class nsIURI *, bool, class mozilla::Maybe<enum nsILoadInfo::CrossOriginEmbedderPolicy> const &, bool, bool, class mozilla::dom::WindowGlobalChild *) /docshell/base/nsDocShell.cpp:6736
        #32 0x7ff90b0c2905 in nsAppShellService::JustCreateTopWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, bool, class mozilla::AppWindow **) /xpfe/appshell/nsAppShellService.cpp:765
        #33 0x7ff90b0c395c in nsAppShellService::CreateTopLevelWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, class nsIAppWindow **) /xpfe/appshell/nsAppShellService.cpp:177
        #34 0x7ff90bb8ac15 in nsAppStartup::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, bool *, class nsIWebBrowserChrome **) /toolkit/components/startup/nsAppStartup.cpp:750
        #35 0x7ff90bd5952c in nsWindowWatcher::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, class nsIWebBrowserChrome **) /toolkit/components/windowwatcher/nsWindowWatcher.cpp:438
        #36 0x7ff90bd549dd in nsWindowWatcher::OpenWindowInternal(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, bool, bool, bool, class nsIArray *, bool, bool, bool, enum nsPIWindowWatcher::PrintKind, class nsDocShellLoadState *, class mozilla::dom::BrowsingContext **) /toolkit/components/windowwatcher/nsWindowWatcher.cpp:988
        #37 0x7ff90bd50955 in nsWindowWatcher::OpenWindow(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsISupports *, class mozIDOMWindowProxy **) /toolkit/components/windowwatcher/nsWindowWatcher.cpp:294
        #38 0x7ff90f63e261 in XPTC__InvokebyIndex (C:\Users\task_166212029251248\builds\asan\xul.dll+0x1927ee261)
        #39 0x7ff8ff3e2d39 in CallMethodHelper::Invoke /js/xpconnect/src/XPCWrappedNative.cpp:1626
        #40 0x7ff8ff3e2d39 in CallMethodHelper::Call /js/xpconnect/src/XPCWrappedNative.cpp:1181
        #41 0x7ff8ff3e2d39 in XPCWrappedNative::CallMethod(class XPCCallContext &, enum XPCWrappedNative::CallMode) /js/xpconnect/src/XPCWrappedNative.cpp:1125
        #42 0x7ff8ff3e8faf in XPC_WN_CallMethod(struct JSContext *, unsigned int, class JS::Value *) /js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
        #43 0x7ff90dead182 in CallJSNative /js/src/vm/Interpreter.cpp:459
        #44 0x7ff90dead182 in js::InternalCallOrConstruct(struct JSContext *, class JS::CallArgs const &, enum js::MaybeConstruct, enum js::CallReason) /js/src/vm/Interpreter.cpp:546
        #45 0x7ff90de97045 in InternalCall /js/src/vm/Interpreter.cpp:613
        #46 0x7ff90de97045 in js::CallFromStack /js/src/vm/Interpreter.cpp:618
        #47 0x7ff90de97045 in Interpret /js/src/vm/Interpreter.cpp:3374
        #48 0x7ff90de8233c in js::RunScript(struct JSContext *, class js::RunState &) /js/src/vm/Interpreter.cpp:430
        #49 0x7ff90dead2c5 in js::InternalCallOrConstruct(struct JSContext *, class JS::CallArgs const &, enum js::MaybeConstruct, enum js::CallReason) /js/src/vm/Interpreter.cpp:578
        #50 0x7ff90deaf4f1 in InternalCall /js/src/vm/Interpreter.cpp:613
        #51 0x7ff90deaf4f1 in js::Call(struct JSContext *, class JS::Handle<class JS::Value>, class JS::Handle<class JS::Value>, class js::AnyInvokeArgs const &, class JS::MutableHandle<class JS::Value>, enum js::CallReason) /js/src/vm/Interpreter.cpp:645
        #52 0x7ff90c2e95c5 in JS_CallFunctionValue(struct JSContext *, class JS::Handle<class JSObject *>, class JS::Handle<class JS::Value>, class JS::HandleValueArray const &, class JS::MutableHandle<class JS::Value>) /js/src/vm/CallAndConstruct.cpp:53
        #53 0x7ff8ff3d0f1f in nsXPCWrappedJS::CallMethod(unsigned short, struct nsXPTMethodInfo const *, struct nsXPTCMiniVariant *) /js/xpconnect/src/XPCWrappedJSClass.cpp:981
        #54 0x7ff8fdab20cd in PrepareAndDispatch /xpcom/reflect/xptcall/md/win32/xptcstubs_x86_64.cpp:168
        #55 0x7ff90f63e2b8 in SharedStub (C:\Users\task_166212029251248\builds\asan\xul.dll+0x1927ee2b8)
        #56 0x7ff8fd9ea92e in NS_CreateServicesFromCategory(char const *, class nsISupports *, char const *, char16_t const *) /xpcom/components/nsCategoryManager.cpp:682
        #57 0x7ff90be6dbfb in nsXREDirProvider::DoStartup(void) /toolkit/xre/nsXREDirProvider.cpp:958
        #58 0x7ff90be3af53 in XREMain::XRE_mainRun(void) /toolkit/xre/nsAppRunner.cpp:5468
        #59 0x7ff90be424bd in XREMain::XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /toolkit/xre/nsAppRunner.cpp:5919
        #60 0x7ff90be4383a in XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /toolkit/xre/nsAppRunner.cpp:5975
        #61 0x7ff73a5f2335 in do_main /browser/app/nsBrowserApp.cpp:215
        #62 0x7ff73a5f2335 in NS_internal_main(int, char **, char **) /browser/app/nsBrowserApp.cpp:433
        #63 0x7ff73a5f17bf in wmain /toolkit/xre/nsWindowsWMain.cpp:167
        #64 0x7ff73a6ee477 in invoke_main d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
        #65 0x7ff73a6ee477 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
        #66 0x7ff93e3e84d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
        #67 0x7ff93f761790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)
    
    ==960==ABORTING
Whiteboard: [bugmon:confirm]
Group: core-security
Group: core-security → gfx-core-security

I'll go ahead and mark this sec-high, though it may not be actionable as is.

Blocks: gfx-triage
Component: Graphics: CanvasWebGL → Graphics: WebRender

Lee can you guess what this might be?

Flags: needinfo?(lsalzman)

(In reply to Jeff Muizelaar [:jrmuizel] from comment #2)

> Lee can you guess what this might be?

Without any testcase, I can't really see anything just by eyeballing the code on this one.

Flags: needinfo?(lsalzman)

The severity field is not set for this bug.
:gw, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)
Severity: -- → S3
Flags: needinfo?(gwatson)

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:gw, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)
Flags: needinfo?(gwatson)
No longer blocks: gfx-triage

Jason, any chance we can get a test case for this one?

Flags: needinfo?(jkratzer)

Bob, unfortunately not. We've only seen one instance of this testcase on 9/2/2022 and the resulting testcase was not reproducible.

Flags: needinfo?(jkratzer)
Keywords: stalled
Attached file testcase.html

This test is not 100% reliable but does usually reproduce the issue within 5 attempts.

This test case has only been tested on Linux. It requires a 32-bit build.

While trying to further reduce the test case many OOMs were triggered so there is potentially a memory pressure aspect to this.

Flags: in-testsuite?

This is what worked for me on ubuntu 20.04 (Note 32-bit libs are required):

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --cpu x86 --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --repeat 20 --xvfb
Blocks: gfx-triage
See Also: → 1807988
See Also: 1807988

Tyson, is there any way to at least get a pernosco session or something to work with here? I am not sure I can usefully set up a 32 bit debug build here.

Or otherwise, is there a way to make this reproducible in a 64 bit debug build?

This is somewhat hard to take action on just based on the traces so far as there are not enough clues to go on.

Flags: needinfo?(twsmith)

(In reply to Lee Salzman [:lsalzman] from comment #10)

> is there any way to at least get a pernosco session or something to work with here?

Sorry, Pernosco does not (and does not have plans to) support 32-bit. Best I can do is try to get an rr recording and share that with you. Does that work for you?

> Or otherwise, is there a way to make this reproducible in a 64 bit debug build?

The fuzzers have reported this while fuzzing 64-bit targets but unfortunately none of the tests are reproducible.

Flags: needinfo?(twsmith) → needinfo?(lsalzman)
No longer blocks: gfx-triage

rr has never really worked reliably for me locally, so I would prefer we track down some way to reproduce this issue on 64 bit.

Flags: needinfo?(lsalzman)

(In reply to Lee Salzman [:lsalzman] from comment #10)

> I am not sure I can usefully set up a 32 bit debug build here.

Here is a mozconfig for a 32-bit build that works reliably on Linux:

mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/objdir-ff-asan32

# Adjust this to the number of CPU cores + 2
mk_add_options MOZ_MAKE_FLAGS=-j30

ac_add_options --target=i686-pc-linux

ac_add_options --enable-address-sanitizer
ac_add_options --enable-fuzzing

export ASAN_OPTIONS="detect_leaks=0"

# Ensure you set this to your LLVM_HOME path
export LLVM_HOME="/home/<CHANGE_ME>/.mozbuild/clang"

# Set CC/CXX based on LLVM_HOME
export CC="$LLVM_HOME/bin/clang"
export CXX="$LLVM_HOME/bin/clang++"

# This will ensure the symbolizer is packaged with the binary
export LLVM_SYMBOLIZER="$LLVM_HOME/bin/llvm-symbolizer"

ac_add_options --disable-elf-hack
ac_add_options --disable-jemalloc
ac_add_options --disable-crashreporter

export MOZ_DEBUG_SYMBOLS=1
ac_add_options --enable-debug-symbols
ac_add_options --disable-install-strip
ac_add_options --enable-valgrind
ac_add_options --enable-optimize="-O2 -g"
ac_add_options --disable-debug

Also, to be transparent about impact (if this can't be addressed), at the time of writing this has been reported 176x by fuzzers that are available publicly. Usually a few times a day.

I have an rr recording available in Google Drive. Please ping me if you would like access.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

Comment on attachment 9312105 [details]
Bug 1789449 - Adjust clamp order. r?aosmond

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Fairly difficult. First you need to cause an OOM specifically on a fallible texture allocation while the user is using Software WebRender (not the default anymore on any platform unless you are blocklisted from HW-accel), without causing an OOM that might crash somewhere else. This sets the base of the texture read pointer to a zeroed out buffer in global static constant memory, of which you can read a single 4 byte value within a variable 18-bit range (i.e. 256KB), the offset of which should be controlled by WebRender's texture allocator rather than the user, so is probably hard to predict though might be predictable to some degree.

Anecdotally we don't seem to be able to reproduce this well or at all on 64 bit builds - seemingly only on 32 bit builds where memory resources are very constrained, likely because you can more easily construct a texture large enough that address space limits the allocation instead of physical memory, without as much risk of causing a normal OOM crash. You would have to be super determined to really do anything useful with this bug.

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 91+
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: This patch should only affect this OOM texture allocation case, so I don't expect any breakage.
  • Is Android affected?: Yes
Attachment #9312105 - Flags: sec-approval?
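As an added illustration of the two ingredients the approval request describes (a fallible texture allocation that falls back to a small static zeroed buffer, and a bounds clamp that does not account for the storage actually mapped), the following C model is constructed for this page and is not swgl's code or its fix; the sampler struct, the 4-texel fallback size, the OOM simulation and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for the zeroed static buffer a sampler is pointed at when its
 * texture allocation fails (constructed; the real fallback's size is not
 * on this page). Any read past its 4 texels is a global-buffer-overflow. */
#define FALLBACK_TEXELS 4
static const uint32_t g_fallback_texels[FALLBACK_TEXELS] = {0, 0, 0, 0};

typedef struct {
    const uint32_t *buf;   /* RGBA8 texels, row-major */
    int width, height;     /* logical size the caller requested */
    int buf_width;         /* dimensions of the storage actually behind buf */
    int buf_height;
} sampler2d;

static void sampler_use_fallback(sampler2d *s) {
    s->buf = g_fallback_texels;      /* keep drawing, but from zeros */
    s->buf_width = FALLBACK_TEXELS;
    s->buf_height = 1;
}

/* Fallible allocation. Requests above oom_limit_texels "fail", so the OOM
 * path can be exercised deterministically. Returns 1 on a real allocation,
 * 0 when the fallback buffer is in use. */
static int sampler_init(sampler2d *s, int w, int h, size_t oom_limit_texels) {
    s->width = w;
    s->height = h;
    uint32_t *p = NULL;
    if ((size_t)w * (size_t)h <= oom_limit_texels)
        p = calloc((size_t)w * (size_t)h, sizeof *p);
    if (!p) {
        sampler_use_fallback(s);
        return 0;
    }
    s->buf = p;
    s->buf_width = w;
    s->buf_height = h;
    return 1;
}

static void sampler_free(sampler2d *s) {
    if (s->buf != g_fallback_texels)
        free((uint32_t *)s->buf);
    s->buf = NULL;
}

static int clampi(int v, int lo, int hi) {
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Buggy: clamps to the logical rectangle and then forms the row offset with
 * the logical width. Fine for a real texture, but a fallback sampler that
 * still reports a 512x512 logical size yields indices far past 4 texels. */
static long nearest_index_buggy(const sampler2d *s, float u, float v) {
    int x = clampi((int)(u * s->width), 0, s->width - 1);
    int y = clampi((int)(v * s->height), 0, s->height - 1);
    return (long)y * s->width + x;
}

/* Fixed: derive the texel coordinate, then clamp against the storage that is
 * actually mapped before forming the offset. Identical to the buggy version
 * whenever the allocation succeeded, so normal rendering is unaffected. */
static long nearest_index_fixed(const sampler2d *s, float u, float v) {
    int x = clampi((int)(u * s->width), 0, s->buf_width - 1);
    int y = clampi((int)(v * s->height), 0, s->buf_height - 1);
    return (long)y * s->buf_width + x;
}

static int index_is_in_storage(const sampler2d *s, long idx) {
    return idx >= 0 && idx < (long)s->buf_width * s->buf_height;
}

/* Defensive fetch: never dereferences outside the backing storage. */
static uint32_t fetch_checked(const sampler2d *s, long idx, int *ok) {
    *ok = index_is_in_storage(s, idx);
    return *ok ? s->buf[idx] : 0;
}
```

Run under ASan, dereferencing `nearest_index_buggy`'s result on the fallback sampler produces the same class of report as the one at the top of this bug; `fetch_checked` refuses it instead.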

:lsalzman, thank you for the analysis.

:mccr8, from what lsalzman has said this sounds more like a sec-moderate, would you agree?

Flags: needinfo?(continuation)

I guess that's fine. I'd imagine that causing an OOM for a texture allocation is probably one of the easier kinds of OOMs to trigger, assuming it is influenced by web content, but I don't know how easy it is to turn it into something exploitable.

Flags: needinfo?(continuation)
Keywords: sec-high → sec-moderate

Comment on attachment 9312105 [details]
Bug 1789449 - Adjust clamp order. r?aosmond

Approved to land and request uplift

Attachment #9312105 - Flags: sec-approval? → sec-approval+

Comment on attachment 9312105 [details]
Bug 1789449 - Adjust clamp order. r?aosmond

Beta/Release Uplift Approval Request

  • User impact if declined: Potential buffer overflow exploit, though very hard to trigger on 64 bit and mostly affects 32 bit platforms in OOM situations, but only when using Software WebRender.
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Verified locally. Shouldn't affect normal code semantics, though will catch the out-of-bounds case in OOM situations.
  • String changes made/needed:
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
Attachment #9312105 - Flags: approval-mozilla-esr102?
Attachment #9312105 - Flags: approval-mozilla-beta?
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch

Comment on attachment 9312105 [details]
Bug 1789449 - Adjust clamp order. r?aosmond

Approved for 110 beta 5, thanks.

Attachment #9312105 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9312105 [details]
Bug 1789449 - Adjust clamp order. r?aosmond

Approved for 102.8esr.

Attachment #9312105 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Whiteboard: [adv-main110+r]
Whiteboard: [adv-main110+r] → [adv-main110+r][adv-esr102.8+r]
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release