<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Group</th>
          <td>Mesa Security
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - read-after-free with llvmpipe in try_update_scene_state"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=57733">57733</a>
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>brianp@vmware.com, jfonseca@vmware.com
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>mesa-dev@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>read-after-free with llvmpipe in try_update_scene_state
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>bjacob@mozilla.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=70829" name="attach_70829" title="apitrace trace">attachment 70829</a> <a href="attachment.cgi?id=70829&action=edit" title="apitrace trace">[details]</a></span> <a href='page.cgi?id=splinter.html&bug=57733&attachment=70829'>[review]</a>
apitrace trace

This was originally <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=791905">https://bugzilla.mozilla.org/show_bug.cgi?id=791905</a> and is
what is causing the Mozilla security team to want to blacklist llvmpipe.

This is a use-after-free in llvmpipe in try_update_scene_state, and from
looking at the call stacks in Valgrind, it looks like it might be a reference
counting error.

I am attaching an apitrace that allows one to consistently reproduce this in Valgrind.

The error is:

==4016== Invalid read of size 8
==4016==    at 0x402F180: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==4016==    by 0x4C81573: try_update_scene_state (lp_setup.c:869)
==4016==    by 0x4C7FE91: begin_binning (lp_setup.c:197)
==4016==    by 0x4C8011C: execute_clears (lp_setup.c:262)
==4016==    by 0x4C80254: set_scene_state (lp_setup.c:310)
==4016==    by 0x4C8034E: lp_setup_flush (lp_setup.c:342)
==4016==    by 0x4C71E07: llvmpipe_flush (lp_flush.c:55)
==4016==    by 0x4C71390: do_flush (lp_context.c:103)
==4016==    by 0x4DD6AB0: st_flush (st_cb_flush.c:86)
==4016==    by 0x4DD6B71: st_glFlush (st_cb_flush.c:120)
==4016==    by 0x4D011BE: _mesa_flush (context.c:1612)
==4016==    by 0x4D012A0: _mesa_Flush (context.c:1644)
==4016==  Address 0xce19ff0 is 0 bytes inside a block of size 64 free'd
==4016==    at 0x402C5F9: free (vg_replace_malloc.c:446)
==4016==    by 0x4CFB98D: _mesa_align_free (imports.c:176)
==4016==    by 0x4DCEF0B: _mesa_free_parameter_list (prog_parameter.c:87)
==4016==    by 0x4DC8822: _mesa_delete_program (program.c:357)
==4016==    by 0x4EC3D53: st_delete_program (st_cb_program.c:169)
==4016==    by 0x4DC8A36: _mesa_reference_program_ (program.c:422)
==4016==    by 0x4EB4BDF: _mesa_reference_program (program.h:102)
==4016==    by 0x4EB4C9C: st_reference_fragprog (st_program.h:265)
==4016==    by 0x4EB4E23: update_fp (st_atom_shader.c:93)
==4016==    by 0x4EAF9D6: st_validate_state (st_atom.c:203)
==4016==    by 0x4EBBE1E: st_Clear (st_cb_clear.c:464)
==4016==    by 0x4E1880A: _mesa_Clear (clear.c:231)
==4016== 

The command I use to replay the apitrace in Valgrind is:

LD_PRELOAD=/hack/mesa/build/linux-x86_64-debug/gallium/targets/libgl-xlib/libGL.so.1
LD_LIBRARY_PATH=/hack/mesa/build/linux-x86_64-debug/gallium/targets/libgl-xlib
valgrind --smc-check=all-non-file ../apitrace/build/glretrace -v
firefox.2.trace

As far as currently avoiding llvmpipe blacklisting in browsers goes, here is
what would be useful:
 - either a work-around
 - or a careful assessment of the security implications, proving that this is
not security-critical (i.e. does not actually allow an attacker to read
memory).

Alternatively, getting this fixed would allow un-blacklisting at least some
newer versions.</pre>
        </div>
      </p>
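As an added example (not part of the report, and not Mesa or Valgrind code), here is a small Python helper that splits a Valgrind invalid-read report like the one above into its access stack and its free stack and picks out the first frame of each that belongs to the code under test, which is the pair of locations a triager wants when the suspicion is a reference-counting error. The regular expressions and the INTERCEPTS set are my assumptions about memcheck's output format; the embedded report is an abridged copy of the one in the bug.

```python
import re

# Valgrind output quoted (abridged) from the bug report above, not constructed.
VALGRIND_REPORT = """\
==4016== Invalid read of size 8
==4016==    at 0x402F180: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
==4016==    by 0x4C81573: try_update_scene_state (lp_setup.c:869)
==4016==    by 0x4C7FE91: begin_binning (lp_setup.c:197)
==4016==  Address 0xce19ff0 is 0 bytes inside a block of size 64 free'd
==4016==    at 0x402C5F9: free (vg_replace_malloc.c:446)
==4016==    by 0x4CFB98D: _mesa_align_free (imports.c:176)
==4016==    by 0x4DCEF0B: _mesa_free_parameter_list (prog_parameter.c:87)
==4016==    by 0x4DC8822: _mesa_delete_program (program.c:357)
==4016==    by 0x4DC8A36: _mesa_reference_program_ (program.c:422)
"""

# Assumed shape of memcheck's report lines (header, "free'd" line, stack frames).
HEADER_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FREED_RE = re.compile(r"^==\d+==\s+Address 0x[0-9a-fA-F]+ is (\d+) bytes inside a block of size (\d+) free'd")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9a-fA-F]+: (\S+) \(([^:)]+):(\d+)\)")
# Source files of Valgrind's own interceptors; frames in them are not the code under test.
INTERCEPTS = {"mc_replace_strmem.c", "vg_replace_malloc.c"}

def parse_uaf(report):
    """Split a Valgrind read/write-after-free report into its access stack and its free stack.
    Returns kind, size, offset into the freed block, block_size, and 'access'/'freed'
    lists of (function, file, line). Raises ValueError for any other kind of report."""
    info, current = {}, None
    for line in report.splitlines():
        if m := HEADER_RE.match(line):
            info["kind"], info["size"] = m.group(1), int(m.group(2))
            current = info["access"] = []
        elif m := FREED_RE.match(line):
            info["offset"], info["block_size"] = int(m.group(1)), int(m.group(2))
            current = info["freed"] = []
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append((m.group(1), m.group(2), int(m.group(3))))
    if not info.get("access") or not info.get("freed"):
        raise ValueError("not a read/write-after-free report")
    return info

def first_project_frame(frames):
    """First frame outside Valgrind's interceptors: the caller that actually touched the block."""
    return next((f for f in frames if f[1] not in INTERCEPTS), None)

if __name__ == "__main__":
    r = parse_uaf(VALGRIND_REPORT)
    print(f"{r['kind']} of {r['size']} bytes at offset {r['offset']} of a {r['block_size']}-byte block")
    print("accessed from:", first_project_frame(r["access"]))
    print("freed by:     ", first_project_frame(r["freed"]))
```

Run on the full trace in the report, the access side resolves to try_update_scene_state (lp_setup.c:869) and the free side to the _mesa_reference_program path, which is where a lifetime audit would start.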
    </body>
</html>