Closed Bug 1380495 Opened 7 years ago Closed 7 years ago

Potential UAF when exiting VR presentation after the GPU process has been terminated

Categories

(Core :: WebVR, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- disabled
firefox55 --- fixed
firefox56 --- fixed

People

(Reporter: kip, Assigned: kip)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

I have created a patch to fix Bug 1321275, which enables the browser to survive GPU process termination while WebVR presentations are active.

I am filing this additional security bug to disclose a potential usage after free vulnerability with PVRLayerChild that is possible during this event.

This vulnerability should be corrected with the fix in Bug 1321275.

Assuming that the fix passes try server tests and has no other ill effects identified after landing in Nightly, I would like to uplift this patch to Beta channel which is also affected.

The current release build includes the affected code; however, the feature (WebVR via dom.vr.enabled pref) needed to expose it is disabled by default in release.
Assignee: nobody → kgilbert
Depends on: 1321275
No longer depends on: 1321275
Group: core-security → gfx-core-security
Comment on attachment 8887202 [details] [diff] [review]
Bug 1321275 - Fix reference counting of PVRLayerChild when GPU process has been terminated

Approval Request Comment
[Feature/Bug causing the regression]:
Bug 1250244 (WebVR 1.0 API)
[User impact if declined]:
If declined, Firefox will crash when the GPU process is killed during a WebVR Session.  The Firefox GPU process may be killed by 3rd party software update mechanisms that try to unlock VR runtime files.  As the crash is caused by UAF, there is a potential security impact.
[Is this code covered by automated tests?]:
Automated WebVR mochitests will hit this code with normal GPU process shutdown; however, the tests do not forcefully terminate the GPU process.
[Has the fix been verified in Nightly?]:
Yes, Nightly's content process no longer crashes when WebVR is active and the GPU process is terminated.
[Needs manual test from QE? If yes, steps to reproduce]: 
Manual test:
- Navigate to a WebVR site (i.e. https://webvr.info/samples/04-simple-mirroring.html)
- Click the "Enter VR" button provided by the site. (bottom-right corner for webvr.info)
- Kill the GPU process
- Refresh the browser window
- Close the browser
Expected: None of the browser processes shuts down abnormally (other than the manually killed GPU process)
[List of other uplifts needed for the feature/fix]:
None
[Is the change risky?]:
Medium risk.
[Why is the change risky/not risky?]:
There are only a few lines changed, but they interact with e10s and can be sensitive to varying multiprocess configurations.  The changed code would only be executed for users with VR hardware after they have started a VR presentation on a WebVR site.  IMHO, the risk of not fixing is greater than the risk of fixing.
[String changes made/needed]:
None
Attachment #8887202 - Flags: approval-mozilla-beta?
This patch has already landed in Mozilla-Central in Bug 1321275.  The beta uplift request has been added to this separate secure bug as the uplift comments reference the potential UAF vulnerability.
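As an added illustration (not the patch from this bug or any Mozilla code), a small C++ model of the lifetime problem the uplift comment describes: an IPC actor in the PVRLayerChild role whose manager frees it when the GPU process channel dies while the display that started the presentation still holds a raw pointer, next to the ref-counted form where ActorDestroy only closes the channel. The actor, manager and display roles and the mechanics are assumptions about how such a bug arises, not taken from the bug's patch; freeing is simulated with a flag so the dangling access is observable without undefined behaviour.

```cpp
// Hypothetical model, not Mozilla's code: an actor in the PVRLayerChild role
// shared by the IPC manager and the VR display that created it. "Freeing" only
// flips a flag so a dangling access is observable instead of undefined behaviour.
struct LayerActor {
    bool alive = true;        // simulated heap state, false once "freed"
    bool ipcOpen = true;      // channel to the GPU process still usable
    int refcnt = 0;
    bool uafDetected = false; // set if SendDestroy runs on a freed object
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) Free(); }
    void Free() { alive = false; }
    // The IPC runtime calls this when the GPU process dies (channel error).
    void ActorDestroy() { ipcOpen = false; }
    // ExitPresent asks the parent side to tear the layer down; returns true
    // only if a message was actually sent over a live channel.
    bool SendDestroy() {
        if (!alive) { uafDetected = true; return false; } // use after free
        return ipcOpen;
    }
};

// Buggy lifetime: the manager frees the actor as soon as the channel dies
// while the display still holds a raw pointer to it.
bool BuggyScenario() {
    LayerActor* actor = new LayerActor;
    LayerActor* displayLayer = actor;  // raw pointer kept by the display
    actor->ActorDestroy();             // GPU process killed
    actor->Free();                     // manager deletes on channel loss
    displayLayer->SendDestroy();       // ExitPresent: dangling pointer
    bool uaf = actor->uafDetected;
    delete actor;                      // drop the simulated-heap object
    return uaf;                        // true: the bug reproduced
}

// Fixed lifetime: both owners hold strong references, ActorDestroy only
// closes the channel, and the object is freed when the last owner releases.
bool FixedScenario() {
    LayerActor* actor = new LayerActor;
    actor->AddRef();                   // manager's reference
    actor->AddRef();                   // display's reference
    actor->ActorDestroy();             // GPU process killed: channel closed
    actor->Release();                  // manager lets go; display keeps it alive
    bool sent = actor->SendDestroy();  // ExitPresent: valid object, send skipped
    bool ok = !actor->uafDetected && !sent && actor->alive;
    actor->Release();                  // last reference: freed only now
    ok = ok && !actor->alive;
    delete actor;
    return ok;
}
int main() { return (BuggyScenario() && FixedScenario()) ? 0 : 1; }
```

In a real build the same dangling access would be caught by AddressSanitizer rather than a flag; the point of the fixed version is that channel loss and object lifetime are handled separately.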
Marking 56 as fixed per comment 3.
Comment on attachment 8887202 [details] [diff] [review]
Bug 1321275 - Fix reference counting of PVRLayerChild when GPU process has been terminated

sec-high, uaf fix for webvr, beta55+
Attachment #8887202 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8887202 - Flags: checkin?
Check-in needed for beta, thanks!
Comment on attachment 8887202 [details] [diff] [review]
Bug 1321275 - Fix reference counting of PVRLayerChild when GPU process has been terminated

For future reference, we've got bug queries for patches that are approved for uplift, so no need to go the checkin-needed route :)
Attachment #8887202 - Flags: checkin?
https://hg.mozilla.org/releases/mozilla-beta/rev/7bb0d5ad88b3
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Group: gfx-core-security → core-security-release
Flags: qe-verify?
Whiteboard: [post-critsmash-triage]
Group: core-security-release