Firefox WebGL raw_fDrawArraysInstanced Heap-Buffer-Overflow Vulnerability (Mesa VM driver / Linux)
Component: Core :: Graphics: CanvasWebGL (defect)
Reporter: d4ni31, Assigned: ahale
Attachments: 1 file (2.59 KB, text/html)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Steps to reproduce:
Vulnerability Title
- Firefox WebGL raw_fDrawArraysInstanced Heap-Buffer-Overflow Vulnerability
Summary
- This vulnerability is very similar to bug 1843782.
- A Heap-Buffer-Overflow Vulnerability exists in the WebGL raw_fDrawArraysInstanced.
- An attacker must open an arbitrarily generated HTML file to exploit this vulnerability.
- Exploiting this vulnerability can lead to a privileged processor, enabling a sandbox escape.
Test environment
- OS: Ubuntu 22.04 LTS
- Product: Firefox 119.0.1 (Stable) & Firefox 121.0a1 (Dev)
ASan
=================================================================
==2689==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x53100081f6c8 at pc 0x55831ca4cd71 bp 0x7f89ec7ee700 sp 0x7f89ec7edeb8
READ of size 84704 at 0x53100081f6c8 thread T29
#0 0x55831ca4cd70 in memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115:5
#1 0x7f89b9a4c961 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa4c961) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#2 0x7f89b9a5da8c (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa5da8c) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#3 0x7f89b9a3873c (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa3873c) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#4 0x7f89b9a3c7a2 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa3c7a2) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#5 0x7f89b9a38f32 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa38f32) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#6 0x7f89b9a38ffc (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa38ffc) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#7 0x7f89b9a39073 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa39073) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#8 0x7f89b9a2cc2c (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa2cc2c) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#9 0x7f89b92f3b54 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0x2f3b54) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#10 0x7f8a08f919de in raw_fDrawArraysInstanced /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:2503:5
#11 0x7f8a08f919de in mozilla::gl::GLContext::fDrawArraysInstanced(unsigned int, int, int, int) /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:2487:5
#12 0x7f8a08f8e2e9 in mozilla::WebGLContext::DrawArraysInstanced(unsigned int, int, int, int) /builds/worker/checkouts/gecko/dom/canvas/WebGLContextDraw.cpp:824:13
#13 0x7f8a0906bd89 in DrawArraysInstanced /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h:750:15
#14 0x7f8a0906bd89 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 100ul, void (mozilla::HostWebGLContext::*)(unsigned int, int, int, int) const, &mozilla::HostWebGLContext::DrawArraysInstanced(unsigned int, int, int, int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned int, int, int, int>(auto&...) const /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:253:13
#15 0x7f8a0901a08b in __invoke_impl<bool, (lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned int &, int &, int &, int &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#16 0x7f8a0901a08b in __invoke<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned int &, int &, int &, int &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#17 0x7f8a0901a08b in __apply_impl<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned int, int, int, int> &, 0UL, 1UL, 2UL, 3UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#18 0x7f8a0901a08b in apply<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned int, int, int, int> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#19 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:244:14
#20 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#21 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#22 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#23 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#24 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#25 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#26 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#27 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#28 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#29 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#30 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#31 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#32 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#33 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#34 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#35 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#36 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#37 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#38 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#39 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#40 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#41 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#42 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#43 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#44 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#45 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#46 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#47 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#48 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#49 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#50 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#51 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#52 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#53 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#54 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#55 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#56 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#57 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#58 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#59 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#60 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#61 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#62 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#63 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#64 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#65 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#66 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#67 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#68 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#69 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#70 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#71 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#72 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#73 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#74 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#75 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#76 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#77 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#78 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#79 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#80 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#81 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#82 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#83 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#84 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#85 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#86 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#87 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#88 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#89 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#90 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#91 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#92 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#93 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#94 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#95 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#96 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#97 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#98 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#99 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#100 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#101 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#102 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#103 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#104 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#105 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#106 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#107 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#108 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#109 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#110 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#111 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#112 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#113 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#114 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#115 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#116 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#117 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#118 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#119 0x7f8a0901a08b in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
#120 0x7f8a0901a08b in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::BigBuffer&&, unsigned long) /builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp:62:21
#121 0x7f8a0911bbca in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:236:79
#122 0x7f8a05cdd921 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:279:32
#123 0x7f8a047c1d3d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#124 0x7f8a047be803 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#125 0x7f8a047bf93b in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#126 0x7f8a047c0932 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#127 0x7f8a02d875bf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16
#128 0x7f8a02d94eba in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#129 0x7f8a047ca93a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#130 0x7f8a046178aa in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#131 0x7f8a046178aa in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#132 0x7f8a046178aa in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#133 0x7f8a02d7e6ce in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#134 0x7f8a20f0410f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#135 0x55831ca4a0fa in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31
#136 0x7f8a20c94ac2 in start_thread nptl/pthread_create.c:442:8
#137 0x7f8a20d26a3f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
0x53100081f6c8 is located 0 bytes after 77512-byte region [0x53100080c800,0x53100081f6c8)
allocated by thread T29 here:
#0 0x55831ca4dd98 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
#1 0x7f89b9a5c1e5 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa5c1e5) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
Thread T29 created by T0 here:
#0 0x55831ca3389d in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:237:3
#1 0x7f8a20ef2834 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f8a20ee042e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f8a02d82199 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:20
#4 0x7f8a02d92a44 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:597:22
#5 0x7f8a02da0225 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:176:57
#6 0x7f8a05c95b61 in NS_NewNamedThread<15UL> /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:76:10
#7 0x7f8a05c95b61 in mozilla::gfx::CanvasRenderThread::Start() /builds/worker/checkouts/gecko/gfx/ipc/CanvasRenderThread.cpp:109:17
#8 0x7f8a05ab1326 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:970:3
#9 0x7f8a05aaef93 in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:460:5
#10 0x7f8a0d3701d1 in nsWindow::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::LayoutDevicePixel> const&, mozilla::widget::InitData*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:6026:13
#11 0x7f8a0d145131 in nsIWidget::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::DesktopPixel> const&, mozilla::widget::InitData*) /builds/worker/checkouts/gecko/widget/nsIWidget.h:463:12
#12 0x7f8a11a5f4e3 in mozilla::AppWindow::Initialize(nsIAppWindow*, nsIAppWindow*, int, int, bool, mozilla::widget::InitData&) /builds/worker/checkouts/gecko/xpfe/appshell/AppWindow.cpp:213:17
#13 0x7f8a11a87acf in nsAppShellService::JustCreateTopWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, bool, mozilla::AppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:673:15
#14 0x7f8a11a88a5f in nsAppShellService::CreateTopLevelWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, nsIAppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:179:8
#15 0x7f8a1273bd20 in nsAppStartup::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, bool*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:757:15
#16 0x7f8a129112ef in nsWindowWatcher::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:437:33
#17 0x7f8a1290e5ed in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1045:12
#18 0x7f8a12908da2 in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, nsISupports*, mozIDOMWindowProxy**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293:3
#19 0x7f8a02dddb65 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#20 0x7f8a04b50933 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1627:10
#21 0x7f8a04b50933 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1180:19
#22 0x7f8a04b50933 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1126:23
#23 0x7f8a04b565f0 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:966:10
#24 0x7f8a12e4b715 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:472:13
#25 0x7f8a12e4b715 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:566:12
#26 0x7f8a12e706ca in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:633:10
#27 0x7f8a12e706ca in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:638:10
#28 0x7f8a12e706ca in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3053:16
#29 0x7f8a12e4a495 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:386:10
#30 0x7f8a12e4a495 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:444:13
#31 0x7f8a12e4b87e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:598:13
#32 0x7f8a12e4d806 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:633:10
#33 0x7f8a12e4d806 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:665:8
#34 0x7f8a12fa5cf2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:55:10
#35 0x7f8a04b3f1ff in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
#36 0x7f8a02ddf4ea in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#37 0x7f8a02dde28a in SharedStub xptcstubs_x86_64_linux.cpp
#38 0x7f8a02d1287f in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:679:19
#39 0x7f8a12a60dc4 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5414:5
#40 0x7f8a12a63924 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5882:8
#41 0x7f8a12a64b41 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5938:21
#42 0x55831ca8d6f3 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
#43 0x55831ca8d6f3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
#44 0x7f8a20c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115:5 in memcpy
Shadow bytes around the buggy address:
0x53100081f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x53100081f480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x53100081f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x53100081f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x53100081f600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x53100081f680: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x53100081f700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x53100081f780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x53100081f800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x53100081f880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x53100081f900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2689==ABORTING
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=11.9402) Exiting due to channel error.
Exiting due to channel error.
Proof-of-Concept
- Please check the attached file!
Reproduce
- Open poc.html in Firefox.
- Wait a few seconds.
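An ASan-report triage helper added here as an example (not code from this bug or from Mozilla): it parses a constructed excerpt of the report above, cross-checks the printed numbers (an 84704-byte read from a 77512-byte region, 7192 bytes past its end), and reports whether both the faulting access and the allocation sit in the unsymbolized driver library rather than in Gecko, the distinction the blocklisting discussion in the comments turns on. The frame-classification markers (compiler-rt and /gecko/ path substrings) are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the ASan report quoted in this bug: the values are the report's own,
# but most frames of the access stack are omitted to keep the sample short.
ASAN_REPORT = """\
==2689==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x53100081f6c8 at pc 0x55831ca4cd71 bp 0x7f89ec7ee700 sp 0x7f89ec7edeb8
READ of size 84704 at 0x53100081f6c8 thread T29
    #0 0x55831ca4cd70 in memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115:5
    #1 0x7f89b9a4c961 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa4c961) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
    #10 0x7f8a08f919de in raw_fDrawArraysInstanced /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:2503:5
    #12 0x7f8a08f8e2e9 in mozilla::WebGLContext::DrawArraysInstanced(unsigned int, int, int, int) /builds/worker/checkouts/gecko/dom/canvas/WebGLContextDraw.cpp:824:13
0x53100081f6c8 is located 0 bytes after 77512-byte region [0x53100080c800,0x53100081f6c8)
allocated by thread T29 here:
    #0 0x55831ca4dd98 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x7f89b9a5c1e5 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa5c1e5) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes (after|before|inside of) (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
SYM_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$")          # symbolized: "in func path:line:col"
RAW_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ \((\S+?)\+0x[0-9a-f]+\)")   # unsymbolized: "(module+offset)"

@dataclass
class Frame:
    index: int
    function: Optional[str]  # None when ASan printed only "(module+offset)", i.e. no symbols
    location: str            # "file:line:col" when symbolized, otherwise the shared object path

    @property
    def is_sanitizer(self) -> bool:  # memcpy/calloc interceptors live in compiler-rt (assumed marker)
        return "compiler-rt" in self.location

@dataclass
class AsanReport:
    bug_type: str = ""
    access_kind: str = ""
    access_size: int = 0
    bad_address: int = 0
    relation: str = ""       # "after", "before" or "inside of" the region
    offset: int = 0
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)

    @property
    def overshoot(self) -> int:
        return self.access_size - self.region_size  # bytes past the allocation (84704 - 77512 here)

    def region_is_consistent(self) -> bool:
        """Cross-check ASan's numbers: the bounds match the size and the faulting
        address sits exactly `offset` bytes past the region end (or inside it)."""
        if self.region_end - self.region_start != self.region_size:
            return False
        if self.relation == "after":
            return self.bad_address == self.region_end + self.offset
        return self.region_start <= self.bad_address < self.region_end

    def crash_site(self) -> Frame:  # first frame below the sanitizer interceptor (the memcpy itself)
        return next(f for f in self.access_stack if not f.is_sanitizer)

    def first_project_frame(self, marker: str = "/gecko/") -> Optional[Frame]:  # assumed path marker
        return next((f for f in self.access_stack if marker in f.location), None)

    def verdict(self) -> str:
        """Driver-side if an unsymbolized .so both performs the access and owns the
        allocation; that is the case a driver blocklist entry mitigates."""
        site = self.crash_site()
        alloc = next((f for f in self.alloc_stack if not f.is_sanitizer), None)
        if (site.function is None and site.location.endswith(".so")
                and alloc is not None and alloc.location == site.location):
            return f"third-party: {self.access_kind} and allocation both in {site.location}"
        return "project: overflow originates in symbolized project code"

def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    stack = rep.access_stack  # frames belong to the access stack until "allocated by"
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep.bug_type, rep.bad_address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep.access_kind, rep.access_size = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            rep.offset, rep.relation, rep.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            rep.region_start, rep.region_end = int(m.group(4), 16), int(m.group(5), 16)
        elif line.startswith("allocated by"):
            stack = rep.alloc_stack
        elif m := SYM_FRAME_RE.match(line):
            stack.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif m := RAW_FRAME_RE.match(line):
            stack.append(Frame(int(m.group(1)), None, m.group(2)))
    return rep
```

Running `parse_asan_report(ASAN_REPORT).verdict()` on the excerpt yields the third-party verdict, with `first_project_frame()` pointing at frame #10, raw_fDrawArraysInstanced, as the nearest Gecko caller.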
Comment 1 (Reporter, 1 year ago)
Hello,
Could you please update the status of this issue?
Comment 2 (1 year ago)
Ashley, is this something else that would be mitigated by your blocklisting work in bug 1843782 or does this need additional work to address? Thanks.
Comment 3 (Reporter, 1 year ago)
This issue can be mitigated with the addition of blocklisting in the Mesa driver (bug 1843782).
However, blocking driver access through a blocklist is only a preliminary measure.
Comment 4 (Assignee, 1 year ago)
This seems identical to the buffer overflow in the shader compiler in Bug 1843782, so is it really a different bug? It's likely that the specific type of Draw call doesn't matter.
Comment 5 (Reporter, 1 year ago)
This bug is very similar to Bug 1843782, and may be patched when the blocklist is added due to Bug 1843782.
Since it depends on Bug 1843782, I added it to the references.
If Bug 1843782 is fixed, please fix this case as well.
Thanks.
Comment 6 (Reporter, 1 year ago)
This bug, which depended on Bug 1843782, has been fixed. Could you please update the status of this?