Closed Bug 1796637 Opened 2 years ago Closed 2 years ago

heap-buffer-overflow in [@ mozilla::webgpu::WebGPUParent::RecvBufferUnmap]

Categories

(Core :: Graphics: WebGPU, defect, P3)


Tracking


VERIFIED FIXED
110 Branch
Tracking Status
firefox-esr102 --- disabled
firefox108 --- disabled
firefox109 --- disabled
firefox110 --- fixed

People

(Reporter: tsmith, Assigned: nical)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing m-c 20221019-a1297d435b3f (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==18952==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f656dc74c80 at pc 0x563d56e1f31a bp 0x7f65a1f33cd0 sp 0x7f65a1f334a0
WRITE of size 154899400 at 0x7f656dc74c80 thread T29 (CanvasRenderer)
    #0 0x563d56e1f319 in __asan_memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x7f65cdcc975e in mozilla::webgpu::WebGPUParent::RecvBufferUnmap(unsigned long, unsigned long, bool) /gecko/dom/webgpu/ipc/WebGPUParent.cpp:521:7
    #2 0x7f65cdd04b2b in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:979:80
    #3 0x7f65cac99afc in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
    #4 0x7f65c9937399 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1756:25
    #5 0x7f65c9934407 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /gecko/ipc/glue/MessageChannel.cpp:1681:9
    #6 0x7f65c9935054 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1481:3
    #7 0x7f65c99362e2 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1579:14
    #8 0x7f65c8194ece in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
    #9 0x7f65c819f154 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #10 0x7f65c9940451 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
    #11 0x7f65c97bbbd1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #12 0x7f65c97bbbd1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #13 0x7f65c97bbbd1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #14 0x7f65c818c028 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:383:10
    #15 0x7f65f0284b7e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7f65f0bc4608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #17 0x7f65f078b132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x7f656dc74c80 is located 0 bytes to the right of 154899584-byte region [0x7f65648bb800,0x7f656dc74c80)
allocated by thread T29 (CanvasRenderer) here:
    #0 0x563d56e20817 in __interceptor_posix_memalign /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f6584d495e7  ../src/util/os_memory_aligned.h:58:7
    #2 0x7f6584d495e7 in llvmpipe_allocate_memory ../src/gallium/drivers/llvmpipe/lp_texture.c:822:11

Thread T29 (CanvasRenderer) created by T0 here:
    #0 0x563d56e0949c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f65f0274c2c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f65f0265fce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f65c818ef95 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:617:18
    #4 0x7f65c819c9f8 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:533:12
    #5 0x7f65c81a8fe9 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7f65cac663fa in NS_NewNamedThread<15UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
    #7 0x7f65cac663fa in mozilla::gfx::CanvasRenderThread::Start() /gecko/gfx/ipc/CanvasRenderThread.cpp:41:17
    #8 0x7f65caa64be0 in gfxPlatform::InitLayersIPC() /gecko/gfx/thebes/gfxPlatform.cpp:1315:9
    #9 0x7f65caa602b1 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:975:3
    #10 0x7f65caa646ac in GetPlatform /gecko/gfx/thebes/gfxPlatform.cpp:461:5
    #11 0x7f65caa646ac in gfxPlatform::InitializeCMS() /gecko/gfx/thebes/gfxPlatform.cpp:2117:9
    #12 0x7f65d0cea9fc in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:966:7
    #13 0x7f65d0cea9fc in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:528:5
    #14 0x7f65d0ce9f9e in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /gecko/widget/nsXPLookAndFeel.cpp:964:9
    #15 0x7f65d0ce9b35 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /gecko/widget/nsXPLookAndFeel.cpp:944:17
    #16 0x7f65d0cede66 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /gecko/widget/nsXPLookAndFeel.cpp:1361:47
    #17 0x7f65d0c51741 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:444:12
    #18 0x7f65d0c51741 in GetAccentColor /gecko/widget/ThemeColors.cpp:91:7
    #19 0x7f65d0c51741 in mozilla::widget::ThemeColors::RecomputeAccentColors() /gecko/widget/ThemeColors.cpp:195:20
    #20 0x7f65d0c5137d in mozilla::widget::Theme::LookAndFeelChanged() /gecko/widget/Theme.cpp:179:3
    #21 0x7f65d0ce7ede in nsXPLookAndFeel::GetInstance() /gecko/widget/nsXPLookAndFeel.cpp:385:3
    #22 0x7f65d0cee935 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /gecko/widget/nsXPLookAndFeel.cpp:1474:3
    #23 0x7f65c7fe46da in nsSystemInfo::Init() /gecko/xpcom/base/nsSystemInfo.cpp:1047:5
    #24 0x7f65c80f1f96 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10176:7
    #25 0x7f65c8139c1e in CreateInstance /gecko/xpcom/components/nsComponentManager.cpp:184:46
    #26 0x7f65c8139c1e in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:975:17
    #27 0x7f65c813a6e8 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1065:10
    #28 0x7f65c812062d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12849:50
    #29 0x7f65c7f9c7d1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /gecko/xpcom/base/nsCOMPtr.cpp:109:7
    #30 0x7f65c9c59241 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
    #31 0x7f65c9c59241 in xpc::GetServiceImpl(JSContext*, mozilla::xpcom::JSServiceEntry const&, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /gecko/js/xpconnect/src/JSServices.cpp:83:32
    #32 0x7f65c9c58cc8 in xpc::GetService(JSContext*, mozilla::xpcom::JSServiceEntry const&, mozilla::ErrorResult&) /gecko/js/xpconnect/src/JSServices.cpp:130:8
    #33 0x7f65c9c57bf1 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /gecko/js/xpconnect/src/JSServices.cpp:153:25
    #34 0x7f65d6552768 in CallResolveOp /gecko/js/src/vm/NativeObject-inl.h:627:8
    #35 0x7f65d6552768 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /gecko/js/src/vm/NativeObject-inl.h:739:14
    #36 0x7f65d6552768 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2181:10
    #37 0x7f65d6552768 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2229:10
    #38 0x7f65d61c4c64 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:118:10
    #39 0x7f65d61c4c64 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/ObjectOperations-inl.h:125:10
    #40 0x7f65d7d53833 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4734:10
    #41 0x7f65d7d2591c in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3030:12
    #42 0x7f65d7d2042e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
    #43 0x7f65d7d4c5c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
    #44 0x7f65d7d4e06e in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
    #45 0x7f65d7d4e06e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
    #46 0x7f65d7d4f837 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:775:10
    #47 0x7f65d656c9bf in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2022:12
    #48 0x7f65d6552df6 in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2050:12
    #49 0x7f65d6552df6 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2198:14
    #50 0x7f65d6552df6 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2229:10
    #51 0x7f65d61c4c64 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:118:10
    #52 0x7f65d61c4c64 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/ObjectOperations-inl.h:125:10
    #53 0x7f65d7d53833 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4734:10
    #54 0x7f65d7d2591c in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3030:12
    #55 0x7f65d7d2042e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
    #56 0x7f65d7d4c5c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
    #57 0x7f65d7d4e06e in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
    #58 0x7f65d7d4e06e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
    #59 0x7f65d633b1a4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:53:10
    #60 0x7f65c9c9de09 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
    #61 0x7f65c81e3d52 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #62 0x7f65c81e2aa2 in SharedStub xptcstubs_x86_64_linux.cpp
    #63 0x7f65c81334ad in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:682:19
    #64 0x7f65d5e83059 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:958:11
    #65 0x7f65d5e5a3cd in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5463:18
    #66 0x7f65d5e5cbde in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5916:8
    #67 0x7f65d5e5d95b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5972:21
    #68 0x563d56e5e946 in do_main(int, char**, char**) /gecko/browser/app/nsBrowserApp.cpp:226:22
    #69 0x563d56e5dbe7 in main /gecko/browser/app/nsBrowserApp.cpp:428:16
    #70 0x7f65f0690082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
Keywords: sec-high
Assignee: nobody → nical.bugzilla

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221027215515-2dddf127c6ab.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 2f3b5d0ef91160a8b34e6e22ebc4b1475f35d9fc (20211029094127)
End: a1297d435b3fddcb752141a4d6e95693b12734a6 (20221019211615)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)

Oh my. This one took me an unreasonably long time to figure out considering I fixed a very similar bug in https://bugzilla.mozilla.org/show_bug.cgi?id=1772909

The problem is that wgpu's buffer_get_mapped_range takes a range relative to the subset of the buffer we mapped whereas per spec it should be relative to the beginning of the buffer, causing us to apply the offset twice.

Flags: needinfo?(jimb)
Severity: -- → S3
Priority: -- → P3
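The comment above describes a mismatch between two conventions for the offset passed to getMappedRange: the spec counts it from the start of the buffer, while the callee treated it as relative to the mapped sub-range, so the mapping offset was added twice and the unmap-side copy ran past the end of the allocation. The following Rust model is an added example, not code from wgpu or Firefox; the type `Buffer`, the functions `mapped_range_spec`, `mapped_range_double_offset`, `copy_out` and `scenario`, and the 1024-byte buffer size are all constructed for illustration. It shows both interpretations side by side and why a bounds check against the real allocation turns the bad range into an error instead of an overrun.

```rust
use std::ops::Range;

/// Errors a validating implementation reports instead of overrunning memory.
#[derive(Debug, PartialEq)]
pub enum MapError {
    NotMapped,
    Overflow,
    OutOfRange { requested: Range<u64>, allowed: Range<u64> },
}

/// Model of a mappable GPU buffer (hypothetical type). `data` stands in for
/// the host-visible allocation that ASan reported the write running past.
pub struct Buffer {
    data: Vec<u8>,
    /// Currently mapped sub-range, in bytes from the start of the buffer.
    mapped: Option<Range<u64>>,
}

/// Build `offset..offset+size`, rejecting integer overflow.
fn checked_range(offset: u64, size: u64) -> Result<Range<u64>, MapError> {
    let end = offset.checked_add(size).ok_or(MapError::Overflow)?;
    Ok(offset..end)
}

impl Buffer {
    pub fn new(size: usize) -> Self {
        Buffer { data: vec![0; size], mapped: None }
    }

    pub fn size(&self) -> u64 {
        self.data.len() as u64
    }

    /// mapAsync(mode, offset, size): map a sub-range of the buffer.
    pub fn map(&mut self, offset: u64, size: u64) -> Result<(), MapError> {
        let r = checked_range(offset, size)?;
        if r.end > self.size() {
            return Err(MapError::OutOfRange { requested: r, allowed: 0..self.size() });
        }
        self.mapped = Some(r);
        Ok(())
    }

    /// getMappedRange(offset, size) as the spec defines it: `offset` counts
    /// from the start of the buffer and the range must lie inside the mapped
    /// sub-range.
    pub fn mapped_range_spec(&self, offset: u64, size: u64) -> Result<Range<u64>, MapError> {
        let mapped = self.mapped.clone().ok_or(MapError::NotMapped)?;
        let r = checked_range(offset, size)?;
        if r.start < mapped.start || r.end > mapped.end {
            return Err(MapError::OutOfRange { requested: r, allowed: mapped });
        }
        Ok(r)
    }

    /// The mismatch the bug describes: the callee treats `offset` as relative
    /// to the mapped sub-range and adds the mapping offset again. A caller that
    /// passes a buffer-relative offset, as the spec requires, has it applied
    /// twice. Returned unvalidated so the resulting range is visible.
    pub fn mapped_range_double_offset(&self, offset: u64, size: u64) -> Result<Range<u64>, MapError> {
        let mapped = self.mapped.clone().ok_or(MapError::NotMapped)?;
        let start = mapped.start.checked_add(offset).ok_or(MapError::Overflow)?;
        checked_range(start, size)
    }

    /// The unmap-side copy of `range` out of the allocation. A checked slice
    /// makes an out-of-bounds range an error rather than a memcpy overrun.
    pub fn copy_out(&self, range: &Range<u64>) -> Result<Vec<u8>, MapError> {
        let (s, e) = (range.start as usize, range.end as usize);
        self.data
            .get(s..e)
            .map(|b| b.to_vec())
            .ok_or(MapError::OutOfRange { requested: range.clone(), allowed: 0..self.size() })
    }
}

/// Constructed scenario: map the second half of a 1024-byte buffer, then
/// request the whole mapped region with a buffer-relative offset (offset 512,
/// size 512). Returns (spec range, double-offset range, spec copy ok,
/// double-offset copy ok).
pub fn scenario() -> (Range<u64>, Range<u64>, bool, bool) {
    let mut buf = Buffer::new(1024);
    buf.map(512, 512).unwrap();
    let spec = buf.mapped_range_spec(512, 512).unwrap(); // 512..1024
    let twice = buf.mapped_range_double_offset(512, 512).unwrap(); // 1024..1536
    let spec_ok = buf.copy_out(&spec).is_ok();
    let twice_ok = buf.copy_out(&twice).is_ok();
    (spec, twice, spec_ok, twice_ok)
}

fn main() {
    let (spec, twice, spec_ok, twice_ok) = scenario();
    println!("spec-relative range {:?} copy ok: {}", spec, spec_ok);
    println!("double-offset range {:?} copy ok: {}", twice, twice_ok);
}
```

With the 1024-byte buffer, the double-offset range ends 512 bytes past the allocation, which is the same shape as the ASan report: a write starting exactly at the end of the mapped region. The design point is that the range handed to the copy must be validated against the allocation it is copied from, not only against the arguments the caller supplied.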

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:nical, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(nical.bugzilla)

Sure, it's in unreleased code but there is a fix in review upstream anyway.

Severity: S3 → S2
Flags: needinfo?(nical.bugzilla)

Upstream fix made it to m-c.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Verified bug as fixed on rev mozilla-central 20221219162526-91a9bbbe6bea.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Group: gfx-core-security → core-security-release
Depends on: 1806166
Target Milestone: --- → 110 Branch
Group: core-security-release