Closed
Bug 743475
(CVE-2012-0473)
Opened 12 years ago
Closed 12 years ago
WebGLBuffer::FindMaxUshortElement passes wrong template arguments to FindMaxElementInSubArray
Categories
(Core :: Graphics: CanvasWebGL, defect)
Core
Graphics: CanvasWebGL
Tracking
()
VERIFIED
FIXED
mozilla14
People
(Reporter: dwarfcrank, Assigned: dwarfcrank)
Details
(Whiteboard: [sg:high][qa!])
Attachments
(2 files)
|
911 bytes,
patch
|
jgilbert
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-esr10+
jgilbert
:
checkin+
|
Details | Diff | Splinter Review |
|
2.83 KB,
text/html
|
Details |
WebGLBuffer::FindMaxUshortElement in content/canvas/src/WebGLContext.h passes GLshort instead of GLushort to FindMaxElementInSubArray, even though only GLubyte or GLushort should be used. I've attached a patch to fix the issue.
|
Assignee | |
Updated•12 years ago
|
Attachment #613142 -
Attachment is patch: true
|
||
Updated•12 years ago
|
Attachment #613142 -
Flags: review+
Attachment #613142 -
Flags: checkin?(jgilbert)
|
|
||
Updated•12 years ago
|
Assignee: nobody → matias.juntunen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86_64 → All
|
|
||
Comment 1•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8a4ef59d7490
Target Milestone: --- → mozilla14
|
|
||
Updated•12 years ago
|
Attachment #613142 -
Flags: checkin?(jgilbert) → checkin+
|
||
Comment 2•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/8a4ef59d7490
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 3•12 years ago
|
||
Comment on attachment 613142 [details] [diff] [review] Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray [Approval Request Comment] Regression caused by (bug #): we've had this bug ever since we ship WebGL User impact if declined: security risk, will explain once this bug is hidden Testing completed (on m-c, etc.): just landed Risk to taking this patch (and alternatives if risky): trivial fix, no risk String changes made by this patch:
Attachment #613142 -
Flags: approval-mozilla-beta?
Attachment #613142 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
Group: core-security
|
|
||
Comment 4•12 years ago
|
||
OK, now that this bug is hidden, here's the explanation. WebGL.drawElements validates that all the indices are in range. It does that by computing the max index, and comparing that to the min buffer size. This bug causes the max index computation to be wrong. Basically, indices >= 32768 are ignored by the max element computation. An attacker could exploit this by drawing with indices all in the range 32768--65535. This would allow them to read some illegal video memory, whence the sec-high rating.
|
||
Comment 5•12 years ago
|
||
If it's landing on beta/Firefox 12 it also needs to land on the ESR branch
status-firefox-esr10:
--- → affected
status-firefox12:
--- → affected
status-firefox13:
--- → affected
status-firefox14:
--- → fixed
tracking-firefox-esr10:
--- → ?
tracking-firefox12:
--- → +
tracking-firefox13:
--- → +
|
||
Comment 7•12 years ago
|
||
Comment on attachment 613142 [details] [diff] [review] Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray [Triage Comment] Approved for Beta 12 and Aurora 13 given the low risk evaluation and sg:high rating. Please land asap.
Attachment #613142 -
Flags: approval-mozilla-beta?
Attachment #613142 -
Flags: approval-mozilla-beta+
Attachment #613142 -
Flags: approval-mozilla-aurora?
Attachment #613142 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•12 years ago
|
|
|
||
Comment 8•12 years ago
|
||
http://hg.mozilla.org/releases/mozilla-aurora/rev/144d327b35a9 http://hg.mozilla.org/releases/mozilla-beta/rev/7b1f6af2b2d7
|
|
||
Updated•12 years ago
|
Attachment #613142 -
Flags: approval-mozilla-esr10?
|
|
||
Updated•12 years ago
|
|
||
Comment 9•12 years ago
|
||
Is there a means to test this fix for verification purposes?
|
|
||
Comment 12•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #9) > Is there a means to test this fix for verification purposes? I'll whip a quick testcase.
|
|
||
Comment 13•12 years ago
|
||
|
||
Comment 14•12 years ago
|
||
Comment on attachment 613142 [details] [diff] [review] Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray Please go ahead and land as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #613142 -
Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
|
|
||
Comment 15•12 years ago
|
||
Verified fixed in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120411 Firefox/14.0a1 and Benoit's nice testcase.
Status: RESOLVED → VERIFIED
|
|
||
Updated•12 years ago
|
Alias: CVE-2012-0473
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Whiteboard: [sg:high][qa+] → [sg:high][qa!]
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•