heap-buffer-overflow in [@ wgpu_core::resource::StagingBuffer$LT$A$GT$::write_with_offset]
Categories
(Core :: Graphics: WebGPU, defect)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox129 | --- | unaffected |
| firefox130 | --- | disabled |
| firefox131 | --- | fixed |
People
(Reporter: tsmith, Assigned: jimb)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [fixed in bug 1910150])
Found with m-c 20240805-b7131a95dd25 (--enable-address-sanitizer --enable-fuzzing)
This was found by visiting a live website with an ASan build.
STR:
- Launch browser and visit site
This issue was triggered by visiting http://boat-demo.cds.unity3d.com/.
==120015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x771f03602000 at pc 0x6464c7c17d94 bp 0x771f58dfe810 sp 0x771f58dfdfd0
WRITE of size 4422816 at 0x771f03602000 thread T60
#0 0x6464c7c17d93 in __asan_memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
#1 0x772032c58dc8 in core::intrinsics::copy_nonoverlapping::ha15a6e299020cc9f /builds/worker/fetches/rust/library/core/src/intrinsics.rs:2978:14
#2 0x772032c58dc8 in wgpu_core::resource::StagingBuffer$LT$A$GT$::write_with_offset::h0c6fb169f0fc1f84 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/resource.rs:917:13
#3 0x772032c58dc8 in wgpu_core::device::queue::_$LT$impl$u20$wgpu_core..global..Global$GT$::queue_write_texture::h75e85040cc57f724 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/queue.rs:785:32
#4 0x772032c58dc8 in wgpu_server_queue_write_action /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:1269:13
#5 0x77202a695fe8 in mozilla::webgpu::WebGPUParent::RecvQueueWriteAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&, mozilla::ipc::UnsafeSharedMemoryHandle&&) /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:805:3
#6 0x77202a6baf3c in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1886:80
#7 0x77202733bed5 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:248:32
#8 0x772025993035 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
#9 0x77202598efdf in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
#10 0x77202598ff01 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#11 0x772025991453 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
#12 0x772024425aff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16
#13 0x7720244305b8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#14 0x77202599c8a3 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:299:20
#15 0x77202587ead4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#16 0x77202587ead4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#17 0x77202587ead4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#18 0x77202441e0bc in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#19 0x7720437eb46b in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#20 0x6464c7c16008 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
#21 0x772043d7bac2 in start_thread nptl/pthread_create.c:442:8
#22 0x772043e0d84f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
0x771f03602000 is located 0 bytes after 8388608-byte region [0x771f02e02000,0x771f03602000)
allocated by thread T60 here:
#0 0x6464c7c1a617 in posix_memalign /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:142:3
#1 0x771f478cdfb4 (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x2bbfb4) (BuildId: 638a2bc959cbdb1a2f670c878df950dcd76eedf1)
Thread T60 created by T0 here:
#0 0x6464c7bffa11 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
#1 0x7720437dbe28 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7720437ca0de in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x772024420db9 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:625:20
#4 0x77202442ee16 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:606:22
#5 0x772024439a59 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:176:57
#6 0x772027301f0d in NS_NewNamedThread<15UL> /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:76:10
#7 0x772027301f0d in mozilla::gfx::CanvasRenderThread::Start() /builds/worker/checkouts/gecko/gfx/ipc/CanvasRenderThread.cpp:115:17
#8 0x7720270ff406 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:986:3
#9 0x77202710493e in GetPlatform /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:462:5
#10 0x77202710493e in gfxPlatform::InitializeCMS() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:2138:9
#11 0x77202e2fce8a in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:952:7
#12 0x77202e2fce8a in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:499:5
#13 0x77202e2fce8a in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:1025:9
#14 0x77202e2fc649 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:1005:17
#15 0x77202e300d2c in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:1398:47
#16 0x77202e28011f in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:421:12
#17 0x77202e28011f in GetAccentColor /builds/worker/checkouts/gecko/widget/ThemeColors.cpp:91:7
#18 0x77202e28011f in mozilla::widget::ThemeColors::RecomputeAccentColors() /builds/worker/checkouts/gecko/widget/ThemeColors.cpp:203:20
#19 0x77202e265757 in mozilla::widget::Theme::LookAndFeelChanged() /builds/worker/checkouts/gecko/widget/Theme.cpp:182:3
#20 0x77202e2fb219 in nsXPLookAndFeel::GetInstance() /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:401:3
#21 0x77202e3016d5 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:1516:3
#22 0x7720242a5c3e in nsSystemInfo::Init() /builds/worker/checkouts/gecko/xpcom/base/nsSystemInfo.cpp:1481:5
#23 0x77202439db96 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10632:7
#24 0x7720243c9757 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:189:46
#25 0x7720243c9757 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:987:17
#26 0x7720243ca771 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1077:10
#27 0x7720243b7ccd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:13250:50
#28 0x772025c152f0 in assign_from_helper /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:901:7
#29 0x772025c152f0 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:537:5
#30 0x772025c152f0 in GetServiceImpl /builds/worker/checkouts/gecko/js/xpconnect/src/JSServices.cpp:84:32
#31 0x772025c152f0 in GetService /builds/worker/checkouts/gecko/js/xpconnect/src/JSServices.cpp:131:8
#32 0x772025c152f0 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /builds/worker/checkouts/gecko/js/xpconnect/src/JSServices.cpp:158:25
#33 0x772030668b42 in CallResolveOp /builds/worker/checkouts/gecko/js/src/vm/NativeObject-inl.h:681:8
#34 0x772030668b42 in NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject-inl.h:793:14
#35 0x772030668b42 in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2302:10
#36 0x772030668b42 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2350:10
#37 0x772030351d50 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:117:10
#38 0x772030351d50 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:124:10
#39 0x772030351d50 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4793:10
#40 0x772030326603 in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:257:10
#41 0x772030326603 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3004:12
#42 0x77203031b37f in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:10
#43 0x77203031b37f in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:463:13
#44 0x77203031c5ca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:617:13
#45 0x77203031e35c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#46 0x77203031e35c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:684:8
#47 0x77203032005b in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:806:10
#48 0x7720306a2696 in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2143:12
#49 0x772030669258 in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2171:12
#50 0x772030669258 in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2319:14
#51 0x772030669258 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2350:10
#52 0x772030351d50 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:117:10
#53 0x772030351d50 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:124:10
#54 0x772030351d50 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4793:10
#55 0x772030326603 in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:257:10
#56 0x772030326603 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3004:12
#57 0x77203031b37f in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:10
#58 0x77203031b37f in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:463:13
#59 0x77203031c5ca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:617:13
#60 0x77203031e35c in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#61 0x77203031e35c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:684:8
#62 0x772030476d26 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:55:10
#63 0x772025c4a98f in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
#64 0x77202446fd79 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#65 0x77202446ec2e in SharedStub xptcstubs_x86_64_linux.cpp
#66 0x7720243c3afb in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:680:19
#67 0x7720300649d0 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:838:11
#68 0x772030048bdb in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5541:18
#69 0x77203004aba4 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6016:8
#70 0x77203004bc71 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6091:21
#71 0x6464c7c59947 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:230:22
#72 0x6464c7c59947 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:448:16
#73 0x772043d10d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/fetches/rust/library/core/src/intrinsics.rs:2978:14 in core::intrinsics::copy_nonoverlapping::ha15a6e299020cc9f
Shadow bytes around the buggy address:
0x771f03601d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x771f03601e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x771f03601e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x771f03601f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x771f03601f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x771f03602000:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771f03602080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771f03602100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771f03602180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771f03602200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x771f03602280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
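The write above runs 4,422,816 bytes off the end of an 8,388,608-byte region that libvulkan_lvp.so allocated (frame #1 of the allocation trace). The following Rust model, added here and not taken from wgpu, shows the check a write_with_offset needs before any raw copy: offset plus length must fit inside the mapped capacity, with a wrapped addition treated as a rejection. The StagingBuffer, WriteError and replay_report_sizes names are assumed for illustration; only the two sizes come from the report.

```rust
// Added example, not wgpu's code: a model of a staging buffer whose
// write_with_offset checks the destination range before copying, instead of
// trusting offset + len the way an unchecked copy_nonoverlapping would.
// StagingBuffer and WriteError are assumed names for illustration.

#[derive(Debug, PartialEq)]
pub enum WriteError {
    /// offset + len wrapped around usize
    Overflow { offset: usize, len: usize },
    /// offset + len runs past the mapped region
    OutOfBounds { end: usize, capacity: usize },
}

pub struct StagingBuffer {
    data: Vec<u8>, // stands in for the driver-mapped region
}

impl StagingBuffer {
    pub fn new(capacity: usize) -> Self {
        Self { data: vec![0; capacity] }
    }

    /// Copy `src` into the buffer at `offset`, refusing any range that does
    /// not lie entirely inside the mapped region.
    pub fn write_with_offset(&mut self, src: &[u8], offset: usize) -> Result<(), WriteError> {
        let len = src.len();
        let end = offset
            .checked_add(len)
            .ok_or(WriteError::Overflow { offset, len })?;
        if end > self.data.len() {
            return Err(WriteError::OutOfBounds { end, capacity: self.data.len() });
        }
        // Bounds validated above, so a plain slice copy is enough here.
        self.data[offset..end].copy_from_slice(src);
        Ok(())
    }
}

/// Sizes from the ASan report on this page: an 8,388,608-byte region and a
/// 4,422,816-byte write. ASan reports the first poisoned byte, not where the
/// copy began, so the starting offset is a parameter; any offset above
/// capacity - len must be rejected.
pub fn replay_report_sizes(offset: usize) -> Result<(), WriteError> {
    let mut staging = StagingBuffer::new(8_388_608);
    let payload = vec![0xAA_u8; 4_422_816]; // constructed payload
    staging.write_with_offset(&payload, offset)
}

fn main() {
    // Largest offset that still fits is 8_388_608 - 4_422_816 = 3_965_792.
    println!("{:?}", replay_report_sizes(3_965_792)); // Ok(())
    println!("{:?}", replay_report_sizes(3_965_793)); // Err(OutOfBounds { .. })
}
```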
Comment 1•1 year ago
Comment 2•1 year ago
This was fixed upstream by https://github.com/gfx-rs/wgpu/pull/6009.
1910150 will bring in the fix.
Comment 3•1 year ago
1910150 is in central.
Comment 4•1 year ago
Which other branches are affected? Does bug 1910150 need to be backported?
Comment 5•1 year ago
The bug was introduced with the wgpu update (from https://phabricator.services.mozilla.com/D216897 part of bug 1908573) which is the update prior to the one done in bug 1910150.
WebGPU is currently only enabled in nightly, I don't think there is anything to backport.
Comment 6•1 year ago
Ah, I didn't realize that WebGPU was only enabled in Nightly. Thanks.
It looks like bug 1908573 landed in 130, so I'll mark that as disabled and all earlier branches as unaffected.
Comment 7•1 year ago
No worries, thanks!