Bug 99677

Summary: heap-use-after-free in glsl
Product: Mesa
Reporter: Bartosz Tomczyk <bartosz.tomczyk86>
Component: glsl-compiler
Assignee: mesa-dev
Status: RESOLVED FIXED
QA Contact: Intel 3D Bugs Mailing List <intel-3d-bugs>
Severity: normal
Priority: medium
CC: bartosz.tomczyk86, siglesias
Version: git
Hardware: x86-64 (AMD64)
OS: Linux (All)
Whiteboard:
i915 platform:
i915 features:

Description Bartosz Tomczyk 2017-02-04 15:50:18 UTC
Address Sanitizer report use after free in glsl compiler.

Steps to reproduce: build mesa with address sanitizer enabled and run piglit test glsl-es-3.00/compiler/no-unsized-arrays-01.vert fail 3.0:


==27336==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000024ddb0 at pc 0x7f62c7771443 bp 0x7ffec46303b0 sp 0x7ffec46303a8
READ of size 4 at 0x61000024ddb0 thread T0
    #0 0x7f62c7771442 in ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5266:24
    #1 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
    #2 0x7f62c779f624 in ast_function_definition::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
    #3 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
    #4 0x7f62c7dd5e38 in _mesa_glsl_compile_shader /home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
    #5 0x7f62c68b8801 in _mesa_compile_shader /home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
    #6 0x7f62c68bf323 in _mesa_CompileShader /home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
    #7 0x7f62d4e5f37f in stub_glCompileShader /home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
    #8 0x401dd6 in test /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
    #9 0x40250f in piglit_init /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
    #10 0x7f62d4ef75bf in run_test /home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
    #11 0x7f62d4edc1fb in piglit_gl_test_run /home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
    #12 0x40183d in main /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
    #13 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #14 0x401629 in _start (/home/bartek/Devel/piglit/bin/glslparsertest_gles2+0x401629)

0x61000024ddb0 is located 112 bytes inside of 192-byte region [0x61000024dd40,0x61000024de00)
freed by thread T0 here:
    #0 0x7f62d5295310 in __interceptor_cfree.localalias.1 /build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
    #1 0x7f62c80dc88d in unsafe_free /home/bartek/Devel/mesa/src/util/ralloc.c:268:4
    #2 0x7f62c80db4da in ralloc_free /home/bartek/Devel/mesa/src/util/ralloc.c:231:4
    #3 0x7f62c780b200 in exec_node::operator delete(void*) /home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/list.h:59:4
    #4 0x7f62c7f2c515 in ir_variable::~ir_variable() /home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/ir.h:420:7
    #5 0x7f62c7789d36 in get_variable_being_redeclared(ir_variable*, YYLTYPE, _mesa_glsl_parse_state*, bool) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4001:7
    #6 0x7f62c776fec1 in ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5210:10
    #7 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
    #8 0x7f62c779f624 in ast_function_definition::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
    #9 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
    #10 0x7f62c7dd5e38 in _mesa_glsl_compile_shader /home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
    #11 0x7f62c68b8801 in _mesa_compile_shader /home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
    #12 0x7f62c68bf323 in _mesa_CompileShader /home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
    #13 0x7f62d4e5f37f in stub_glCompileShader /home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
    #14 0x401dd6 in test /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
    #15 0x40250f in piglit_init /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
    #16 0x7f62d4ef75bf in run_test /home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
    #17 0x7f62d4edc1fb in piglit_gl_test_run /home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
    #18 0x40183d in main /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
    #19 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

previously allocated by thread T0 here:
    #0 0x7f62d52954c8 in __interceptor_malloc /build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f62c80d95d2 in ralloc_size /home/bartek/Devel/mesa/src/util/ralloc.c:113:18
    #2 0x7f62c80da2cc in rzalloc_size /home/bartek/Devel/mesa/src/util/ralloc.c:145:16
    #3 0x7f62c61b9808 in exec_node::operator new(unsigned long, void*) /home/bartek/Devel/mesa/src/mesa/../../src/compiler/glsl/list.h:59:4
    #4 0x7f62c7762e1c in ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4789:13
    #5 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
    #6 0x7f62c779f624 in ast_function_definition::hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
    #7 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) /home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
    #8 0x7f62c7dd5e38 in _mesa_glsl_compile_shader /home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
    #9 0x7f62c68b8801 in _mesa_compile_shader /home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
    #10 0x7f62c68bf323 in _mesa_CompileShader /home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
    #11 0x7f62d4e5f37f in stub_glCompileShader /home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
    #12 0x401dd6 in test /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
    #13 0x40250f in piglit_init /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
    #14 0x7f62d4ef75bf in run_test /home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
    #15 0x7f62d4edc1fb in piglit_gl_test_run /home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
    #16 0x40183d in main /home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
    #17 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
Comment 1 Samuel Iglesias Gonsálvez 2017-02-07 08:12:30 UTC
I am not able to reproduce it with current master (21efe2528cd88cb09ba9f69222f69a8ee47611c9), but I might have something wrong.

My CFLAGS and CXXFLAGS are "-Wall -g -O0 -fsanitize=address -fno-omit-frame-pointer".

Please share your setup (Mesa commit/version you compiled, the environment variables you used, autogen.sh parameters...) to see if I can reproduce it here.
Comment 2 Bartosz Tomczyk 2017-02-07 08:36:47 UTC
Hi Samuel,

I don't have a setup to reproduce it right now. I will update you with more details in the evening.

But I looked at current mesa git and the bug is definitely there.

Look at src/compiler/glsl/ast_to_hir.cpp:5210 - function get_variable_being_redeclared can free 'var', and then it could be dereferenced at src/compiler/glsl/ast_to_hir.cpp:5266. This is exactly what address sanitizer showed.
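The ownership hazard comment 2 describes, reduced to a stand-alone C++ model. This is an added illustration, not Mesa's code: the names Scope, Variable, redeclare_variable, process_unsafe and process_safe are invented, and a small set of live pointers stands in for the AddressSanitizer shadow state so the stale pointer can be checked without actually reading freed memory. The contract of redeclare_variable is modelled on what the report says about get_variable_being_redeclared: when an earlier declaration of the same name exists, the candidate passed in is freed and the earlier one is returned.

```cpp
// Added example modelling the use-after-free pattern from the bug report.
// Not Mesa code; Mesa uses ralloc, here plain new/delete plus a ledger.
#include <cstdio>
#include <set>
#include <string>
#include <vector>

struct Variable {
    std::string name;
    int type_size;   // constructed field, stands in for whatever hir() reads after the call
};

// Scope owns the declared variables. `live` is a ledger of allocations that
// have not been freed yet; it plays the role ASan plays in the real report.
struct Scope {
    std::vector<Variable*> declared;
    std::set<const Variable*> live;

    Variable* alloc(const std::string& name, int size) {
        Variable* v = new Variable{name, size};
        live.insert(v);
        return v;
    }
    void release(Variable* v) {
        live.erase(v);
        delete v;
    }
    bool is_live(const Variable* v) const { return live.count(v) != 0; }
    Variable* find(const std::string& name) const {
        for (Variable* v : declared)
            if (v->name == name) return v;
        return nullptr;
    }
    ~Scope() {
        for (Variable* v : declared) release(v);
    }
};

// Modelled contract: ownership of `var` transfers in. If `name` was already
// declared, `var` is freed and the earlier declaration is returned; otherwise
// `var` is recorded and returned. The caller may only use the return value.
Variable* redeclare_variable(Scope& scope, Variable* var) {
    if (Variable* earlier = scope.find(var->name)) {
        scope.release(var);   // the caller's `var` is now dangling
        return earlier;
    }
    scope.declared.push_back(var);
    return var;
}

// Buggy shape of the caller: the return value is ignored and the original
// pointer is kept. Returns the pointer the caller would dereference next so
// the ledger can be inspected instead of provoking undefined behaviour.
const Variable* process_unsafe(Scope& scope, const std::string& name, int size) {
    Variable* var = scope.alloc(name, size);
    redeclare_variable(scope, var);   // may free var
    return var;                        // stale when a redeclaration happened
}

// Fixed shape: rebind to the returned pointer and use only that afterwards.
const Variable* process_safe(Scope& scope, const std::string& name, int size) {
    Variable* var = scope.alloc(name, size);
    var = redeclare_variable(scope, var);
    return var;
}

int main() {
    Scope scope;
    const Variable* first = process_safe(scope, "x", 4);
    const Variable* again = process_safe(scope, "x", 8);
    std::printf("safe redeclaration returns earlier object: %s\n",
                (again == first && scope.is_live(again)) ? "yes" : "no");
    const Variable* stale = process_unsafe(scope, "x", 8);
    std::printf("unsafe caller holds a freed pointer: %s\n",
                scope.is_live(stale) ? "no" : "yes");
    return 0;
}
```

The check that matters is the last one: after a redeclaration the unsafe caller still holds the pointer it allocated, which the ledger reports as freed. Any field read through it at that point is the heap-use-after-free ASan flagged at ast_to_hir.cpp:5266; the safe variant never reads through the original pointer once ownership has been handed over.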
Comment 3 Samuel Iglesias Gonsálvez 2017-02-07 08:46:44 UTC
(In reply to Bartosz Tomczyk from comment #2)
> Hi Samuel,
> 
> I don't have a setup to reproduce it right now. I will update you with more
> details in the evening.
> 
> But I looked at current mesa git and the bug is definitely there.
> 
> Look at src/compiler/glsl/ast_to_hir.cpp:5210 - function
> get_variable_being_redeclared can free 'var', and then it could be
> dereferenced at src/compiler/glsl/ast_to_hir.cpp:5266. This is exactly what
> address sanitizer showed.

Right. Thanks!
Comment 4 Samuel Iglesias Gonsálvez 2017-02-07 10:48:01 UTC
I have sent a patch to fix this:

https://lists.freedesktop.org/archives/mesa-dev/2017-February/143329.html

Would you mind testing it with address sanitizer? I would like to confirm this error disappears with the patch :)
Comment 5 Samuel Iglesias Gonsálvez 2017-02-23 06:26:01 UTC
Patch pushed to master. I am closing the bug :-)

commit a73a61893323c74f38b1baa30d63a5cc665b7b58
Author: Samuel Iglesias Gonsálvez <siglesias@igalia.com>
Date:   Thu Feb 9 13:54:46 2017 +0100

    glsl: fix heap-use-after-free in ast_declarator_list::hir()
