https://bugs.freedesktop.org/show_bug.cgi?id=57733
Priority: medium
Group: Mesa Security
Bug ID: 57733
CC: bri...@vmware.com, jfons...@vmware.com
Assignee: mesa-dev@lists.freedesktop.org
Summary: read-after-free with llvmpipe in try_update_scene_state
Severity: normal
Classification: Unclassified
OS: Linux (All)
Reporter: bja...@mozilla.com
Hardware: x86-64 (AMD64)
Status: NEW
Version: unspecified
Component: Other
Product: Mesa

Created attachment 70829
  --> https://bugs.freedesktop.org/attachment.cgi?id=70829&action=edit
apitrace trace

This was originally https://bugzilla.mozilla.org/show_bug.cgi?id=791905 and is what is causing the Mozilla security team to want to blacklist llvmpipe.

This is a use-after-free in llvmpipe in try_update_scene_state, and from looking at the call stacks in Valgrind, it looks like it might be a reference counting error.

I am attaching an apitrace that allows one to consistently reproduce it in Valgrind. The error is:

==4016== Invalid read of size 8
==4016==    at 0x402F180: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==4016==    by 0x4C81573: try_update_scene_state (lp_setup.c:869)
==4016==    by 0x4C7FE91: begin_binning (lp_setup.c:197)
==4016==    by 0x4C8011C: execute_clears (lp_setup.c:262)
==4016==    by 0x4C80254: set_scene_state (lp_setup.c:310)
==4016==    by 0x4C8034E: lp_setup_flush (lp_setup.c:342)
==4016==    by 0x4C71E07: llvmpipe_flush (lp_flush.c:55)
==4016==    by 0x4C71390: do_flush (lp_context.c:103)
==4016==    by 0x4DD6AB0: st_flush (st_cb_flush.c:86)
==4016==    by 0x4DD6B71: st_glFlush (st_cb_flush.c:120)
==4016==    by 0x4D011BE: _mesa_flush (context.c:1612)
==4016==    by 0x4D012A0: _mesa_Flush (context.c:1644)
==4016==  Address 0xce19ff0 is 0 bytes inside a block of size 64 free'd
==4016==    at 0x402C5F9: free (vg_replace_malloc.c:446)
==4016==    by 0x4CFB98D: _mesa_align_free (imports.c:176)
==4016==    by 0x4DCEF0B: _mesa_free_parameter_list (prog_parameter.c:87)
==4016==    by 0x4DC8822: _mesa_delete_program (program.c:357)
==4016==    by 0x4EC3D53: st_delete_program (st_cb_program.c:169)
==4016==    by 0x4DC8A36: _mesa_reference_program_ (program.c:422)
==4016==    by 0x4EB4BDF: _mesa_reference_program (program.h:102)
==4016==    by 0x4EB4C9C: st_reference_fragprog (st_program.h:265)
==4016==    by 0x4EB4E23: update_fp (st_atom_shader.c:93)
==4016==    by 0x4EAF9D6: st_validate_state (st_atom.c:203)
==4016==    by 0x4EBBE1E: st_Clear (st_cb_clear.c:464)
==4016==    by 0x4E1880A: _mesa_Clear (clear.c:231)

The command I use to replay the apitrace in Valgrind is:

LD_PRELOAD=/hack/mesa/build/linux-x86_64-debug/gallium/targets/libgl-xlib/libGL.so.1 LD_LIBRARY_PATH=/hack/mesa/build/linux-x86_64-debug/gallium/targets/libgl-xlib valgrind --smc-check=all-non-file ../apitrace/build/glretrace -v firefox.2.trace

As far as currently avoiding llvmpipe blacklisting in browsers goes, here is what would be useful:
 - either a work-around
 - or a careful assessment of the security implications, proving that this is not security-critical (i.e. does not actually allow an attacker to read memory).

Alternatively, getting this fixed would allow un-blacklisting at least some newer versions.

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev
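The failure mode the report suspects, a cache that remembers a refcounted object without holding a reference to it, as an added C example that is not Mesa's code. It models only the shape of the pattern seen in the Valgrind stacks: a holder updated through a reference/release function (loosely modelled on the semantics of _mesa_reference_program) and a scene-like cache that either borrows a raw pointer or takes its own reference. The names prog_t, prog_create, prog_reference, scene_bind_borrowed, scene_bind_referenced, scene_reset and run_sequence are hypothetical and do not correspond to llvmpipe's actual data structures; the fix direction (the cache owns a reference for as long as it may read the object) is the general remedy, not the specific patch that closed this bug.

```c
/* Added example, not Mesa code. Minimal model of a refcounted program
 * object and of a cache that either borrows it (hazard) or references it
 * (fix). All identifiers are hypothetical. */
#include <stdint.h>
#include <stdlib.h>

typedef struct prog {
    int refcount;
    size_t nparams;
    float *params;   /* stands in for the parameter list memcpy reads */
} prog_t;

/* Bookkeeping for the demonstration: number of live objects, and the
 * address of the most recently freed one (kept as an integer so it can be
 * compared without ever dereferencing a stale pointer). */
static int live_progs = 0;
static uintptr_t last_freed = 0;

int prog_live_count(void) { return live_progs; }

/* Returns an object with refcount 0; the caller must prog_reference() it. */
prog_t *prog_create(size_t nparams)
{
    prog_t *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->nparams = nparams;
    p->params = calloc(nparams, sizeof *p->params);
    if (!p->params) abort();
    live_progs++;
    return p;
}

static void prog_delete(prog_t *p)
{
    last_freed = (uintptr_t)p;
    live_progs--;
    free(p->params);
    free(p);
}

/* Release whatever *ptr holds, acquire prog, store it in *ptr. Every holder
 * that goes through this function keeps the object alive; a holder that
 * bypasses it has only a borrowed pointer with no lifetime guarantee. */
void prog_reference(prog_t **ptr, prog_t *prog)
{
    if (*ptr == prog)
        return;
    if (*ptr) {
        prog_t *old = *ptr;
        *ptr = NULL;
        if (--old->refcount == 0)
            prog_delete(old);
    }
    if (prog) {
        prog->refcount++;
        *ptr = prog;
    }
}

typedef struct scene {
    prog_t *fp;         /* program whose constants the scene will copy */
    uintptr_t fp_addr;  /* recorded at bind time, for the dangling check */
    int holds_ref;
} scene_t;

/* Hazard: remember the pointer but take no reference. */
void scene_bind_borrowed(scene_t *s, prog_t *p)
{
    s->fp = p;
    s->fp_addr = (uintptr_t)p;
    s->holds_ref = 0;
}

/* Fix: hold a reference for as long as the scene may read the program. */
void scene_bind_referenced(scene_t *s, prog_t *p)
{
    prog_reference(&s->fp, p);
    s->fp_addr = (uintptr_t)p;
    s->holds_ref = 1;
}

void scene_reset(scene_t *s)
{
    if (s->holds_ref)
        prog_reference(&s->fp, NULL);
    else
        s->fp = NULL;
    s->fp_addr = 0;
}

/* 1 if the scene still points at an object that has already been freed. */
int scene_is_dangling(const scene_t *s)
{
    return s->fp != NULL && s->fp_addr == last_freed;
}

/* Replays the ordering from the report: the context binds a program, the
 * scene caches it, the context then swaps the program out (its reference
 * drops) before the scene is flushed. Returns 1 if that flush would read
 * freed memory. */
int run_sequence(int use_reference)
{
    prog_t *ctx_fp = NULL;              /* the context's program slot */
    scene_t scene = { NULL, 0, 0 };
    last_freed = 0;                     /* defeat allocator address reuse */

    prog_reference(&ctx_fp, prog_create(16));   /* refcount 1 */
    if (use_reference) scene_bind_referenced(&scene, ctx_fp);
    else               scene_bind_borrowed(&scene, ctx_fp);

    prog_reference(&ctx_fp, NULL);      /* context switches programs */

    int dangling = scene_is_dangling(&scene);
    scene_reset(&scene);                /* flush finished; release */
    return dangling;
}
```

With the borrowed binding the object is freed the moment the context drops it, and the scene's later copy is exactly the invalid read Valgrind reports; with the referenced binding the refcount stays above zero until scene_reset runs, so the copy reads live memory and nothing leaks afterwards. Running the same scenario under Valgrind or AddressSanitizer is the practical check: the borrowed variant reports a read from freed memory, the referenced one is silent.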