Closed Bug 790808 Opened 13 years ago Closed 10 years ago

Texture corruption with Direct2D, exposing video memory with AMD driver (recent versions)

Categories

(Core :: Graphics, defect)

16 Branch
x86_64
Windows 7
defect
Not set
major

RESOLVED WORKSFORME

People

(Reporter: tissotrobin, Assigned: bjacob)

References

Details

(4 keywords, Whiteboard: driver bug, blocklisted in 792480)

Attachments

(4 files)

The name of my character in a game appeared in the download window, and later in the settings window. When I resized the download window the texture changed size too (see second screenshot). With the option gfx.direct2d.disabled I couldn't reproduce.
Attached image screenshot with window resized
Attached image samta is my character's name
Thanks - video memory exposure bugs are security sensitive so you did the right thing by hiding this bug. Could you please go to about:support and paste here the contents of the Graphics section. Preferably in the configuration that reproduces the bug. Is this image (the blue "Samta") from a web page displayed in firefox, or from a separate application?
Keywords: sec-high
I couldn't reproduce it yesterday; I'll have more time this weekend to play and try it. In the meantime, is it useful to paste the content of about:support if I don't reproduce it? The image is from a separate application.
Yes, it is useful to have your about:support, as that will already tell us what's your GPU and driver version. This bug is almost certainly a driver bug. So it's possible that just by seeing your about:support we'll be able to blacklist a particular driver.
I could finally reproduce it, and in the main window! It doesn't in fact come from a game but from Mumble! I'm uploading two screenshots: one of the bug, one of my about:support graphics (in French, sorry).
Attached image bug reproduced in main window
Attached image about support graphics
Ok, the last screenshot (in the main window) is not a bug, it's what they call an overlay, but it still appears in the download window, which it shouldn't.
This exact ATI driver version (8.982.0.0) has known issues that caused it to be blacklisted for Windows 8, see bug 783517. Maybe we need to blacklist it for Windows 7 as well. Can you try a different driver version (maybe downgrade to the previous one)?
(In reply to tissotrobin from comment #10)
> Ok, the last screenshot (in the main window) is not a bug, its what they call overlay, but it still appears in the download window, which it shouldn't.
What do you call an "overlay"? Is this some kind of on-screen-display by another application? We only care about this if this is drawn by Firefox itself.
Erm, sorry, the fact that this only happens with gfx.direct2d.enabled is proof that this is a Firefox drawing issue.
Assignee: nobody → bjacob
Status: UNCONFIRMED → NEW
Ever confirmed: true
Benoit, any ideas on the next step? Are we still thinking this is sec-high?
Flags: sec-bounty?
Have we been able to reproduce this in-house? Is there a testcase?
Keywords: testcase-wanted
Benoit asked me to recap, so here I am. The bug is fairly easy to reproduce; all you need is:
- Windows 7
- install Mumble, and invite at least 1 person to a conversation
- don't change any Mumble properties
- you should see the list of people in the Mumble channel in the upper-right corner of your screen (light blue)
- start a download in Firefox
- enjoy the same list appearing in the download window
Hope it helps.
Given the precise steps-to-reproduce in comment 16, it would be nice if QA could try to reproduce this. If this does reproduce then it's a pretty serious security bug.
Keywords: qawanted
Matt could you verify STR in comment 16? (When you're back)
Flags: needinfo?(mwobensmith)
Working on it. Having issues getting Mumble to connect. I'll keep trying, but if anyone has a suggestion on how to reproduce without using Mumble, I'd be happy to try that as well.
Flags: needinfo?(mwobensmith)
I am finally able to connect to Mumble, and I've followed Robin's steps above. First question: when you say to invite someone into a conversation, does that mean I actually have to start a spoken conversation with someone? Or is simply having them displayed in the same room enough? Also, in your screenshots, other Mumble users' names are displayed in a larger, light blue font. I can't seem to make mine display that same font/color. Is this text only displayed this way when you are actually talking with these other people?
I think, but I may be wrong, that being in the same room should be enough. I am not a Mumble specialist, I only used it a couple of times, but if you don't see the overlay (the list of light blue names), maybe something triggers it? Like starting a dx9 app? About the overlay, I think its purpose is to tell you who is currently speaking by turning their name white. But I don't think the font/color matters if it's appearing?
Thanks for the info. I'll try a few more things and get back to you soon. Much appreciated.
I've set this up on three different Windows 7 machines. Only one of them has an ATI driver (8.862.3.0) - the other two are NVIDIA. However, I can't reproduce any weird redraw behavior on any of them. The screen as captured in this bug doesn't match what the UI of the program looks like for me. To be sure, I'm using the defaults. There is a configuration section for changing the overlay, which presents a UI that appears much more like what Robin sees. However, nothing I do enables this particular type of overlay text to appear. So, for the moment, I'm stuck.
According to http://mumble.sourceforge.net/Overlay, I may have been right when making the assumption you need to start a dx9/10 game (fullscreen?) for the overlay to appear.
Thanks Robin. So you are saying that the steps in comment 16 are not complete? One must start a game - which one exactly? - to enable the overlay and then possibly reproduce the bug? I'd really appreciate as much info as you can give so that I can reproduce this bug. If you can provide any missing steps, that will help us a lot.
The game was Guild Wars 2, but according to the link in comment 24, any fullscreen dx9/openGL game would(?) make the overlay appear. I can't promise you that the overlay alone will make the bug reproducible though. The steps in comment 16 were only what I could remember; I'll try to reproduce it with a free game tonight when I get home.
And btw I just spotted this line in the Mumble wiki:
> Incompatible games [...] Guild Wars 2 Direct3D 9 because of device recreation
I am not too sure if this is related; I'll try another dx9 game tonight and let you know.
Robin: are you using an external monitor? I'm asking because usage of an external monitor has been relevant to other similar bugs in the past.
Ok, so, I tried again yesterday, and it appears that I don't need to launch a game to make the overlay appear and reproduce the bug. Firefox is considered a dx9 app, it seems. But it made me wonder if Firefox was really the problem here. I mean, couldn't Mumble write stuff where it shouldn't? And I am not using an external monitor at home.
Indeed, that would definitely be a bug in the graphics driver, not directly a bug in Firefox. But we have a responsibility that no matter how bad your drivers are, using Firefox should be secure. That's why we try hard to reproduce and work around this bug if possible. In the present case, if we could consistently reproduce on a particular driver version, we would probably just disable Direct2D on that driver version.
I see, so, are you telling me that I should try to reproduce with another driver version and see what happens? Would it help? I would try on different setups if I could, but the other computers I have access to are running Linux only. Anyway, I'll try to ask a colleague if I can try on his machine if he is not too busy this afternoon.
No no, I am saying that anyone trying to reproduce your bug should use the same driver version as you are using, as indicated in your 'about support graphics' attachment.
Summary: Texture corruption with Direct2D, exposing video memory → Texture corruption with Direct2D, exposing video memory with AMD driver 8.982.0.0 (mid-2012)
Updated title to reflect this.
Wait a minute... we already blacklisted this exact driver version in bug 792480. Why are you still getting Direct2D? Did you force-enable Direct2D? See in about:config, is gfx.direct2d.force-enabled set? Are you still using this driver version? If yes, what is the value of gfx.blacklist.direct2d?
This bug was filed before the blocklisting bug was, let alone the blocklisting actually taking effect. The interesting question is why it could still be reproduced in comment 16 almost two months after we thought we blocklisted it.
Depends on: 792480
Keywords: sec-vector
Whiteboard: driver bug, blocklisted in 792480
gfx.direct2d.force-enabled;false
gfx.blacklist.direct2d not found
And no, I updated my pilot, it's now in version 9.2.0.0.
(In reply to tissotrobin from comment #36)
> and no, i updated my pilot its now in version 9.2.0.0
Can you still reproduce this issue with version 9.2.0.0?
Yes!
Summary: Texture corruption with Direct2D, exposing video memory with AMD driver 8.982.0.0 (mid-2012) → Texture corruption with Direct2D, exposing video memory with AMD driver (recent versions)
Flags: sec-bounty? → sec-bounty-
Keywords: sec-high → sec-moderate
Group: core-security → gfx-core-security
(In reply to tissotrobin from comment #38)
> Yes !
Does this still reproduce for you in modern versions of Firefox?
Flags: needinfo?(tissotrobin)
Not reproduced with a different computer and version of Windows/Mumble.
Flags: needinfo?(tissotrobin)
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: testcase-wanted
Resolution: --- → WORKSFORME
Group: gfx-core-security