DataSourceSurfaceD2D1::Map using uninitialized memory

RESOLVED DUPLICATE of bug 1167356

Status: RESOLVED DUPLICATE of bug 1167356
Product: Core
Component: Graphics
Reported: 3 years ago
Modified: 2 years ago

People

(Reporter: q1, Assigned: acomminos)

Tracking

Version: 38 Branch
Keywords: csectype-uninitialized, sec-high
Points: ---
Bug Flags: sec-bounty -

Firefox Tracking Flags

(firefox38 wontfix, firefox38.0.5 wontfix, firefox39+ fixed, firefox40+ fixed, firefox41+ fixed, firefox-esr3139+ fixed, firefox-esr3839+ fixed, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected, b2g-master unaffected)

Details

(Whiteboard: [adv-main39-][adv-esr38.1-][adv-esr31.8-])

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524

Steps to reproduce:

In Firefox 38.0.1, DataSourceSurfaceD2D1::Map uses uninitialized memory at gfx\2d\SourceSurfaceD2D1.cpp lines 186 and succeeding lines.

The problem is that DataSourceSurfaceD2D1::Map does not check the return value from the Windows function ID2D1Bitmap1::Map at line 185, thus (on failure) leaving untouched whatever was contained in the uninitialized variable map.

177:  D2D1_MAP_OPTIONS options;
178:  if (aMapType == MapType::READ) {
179:    options = D2D1_MAP_OPTIONS_READ;
180:  } else {
181:    MOZ_CRASH("No support for Write maps on D2D1 DataSourceSurfaces yet!");
182:  }
183:
184:  D2D1_MAPPED_RECT map;
185:  mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map);
186:  aMappedSurface->mData = map.bits;
187:  aMappedSurface->mStride = map.pitch;
188:
189:  mIsMapped = !!aMappedSurface->mData;
190:  return mIsMapped;

Since map can contain anything, this bug could make it possible to read from anywhere in Firefox's address space. This might potentially cause one session to read (and possibly use and/or display) data from a different session. Also, if someone adds support for write maps, this bug could allow data to be *written* to anywhere in Firefox's address space.

There also appears to be a similar bug in DataSourceSurfaceD2D1::EnsureMapped() at gfx\2d\SourceSurfaceD2D1.cpp line 218.
Component: Untriaged → Graphics
Flags: needinfo?(bas)
Product: Firefox → Core
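The defect described above, reduced to a portable model so it can be compiled anywhere: an added example, not Mozilla's code and not the Direct2D API. FakeBitmap, MappedRect and MappedSurface are constructed stand-ins for ID2D1Bitmap1, D2D1_MAPPED_RECT and the Moz2D MappedSurface; MapUnchecked mirrors the reported pattern (return value of Map ignored), MapChecked is the hardened form that trusts the HRESULT rather than the contents of the out-parameter. Because reading a genuinely uninitialized struct is undefined behaviour, the unchecked variant is given the "stale stack contents" explicitly so the effect is observable deterministically.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for the Windows/COM types used in the report.
using HRESULT = long;
constexpr HRESULT S_OK = 0;
constexpr HRESULT E_FAIL = 0x80004005L;  // the real COM value of E_FAIL

struct MappedRect {      // stands in for D2D1_MAPPED_RECT
  uint32_t pitch;
  uint8_t* bits;
};

struct MappedSurface {   // stands in for gfx::DataSourceSurface::MappedSurface
  uint8_t* mData = nullptr;
  int32_t mStride = 0;
};

// Stand-in for ID2D1Bitmap1. Like many COM out-parameter APIs, Map fills the
// out-struct only on success and leaves it untouched on failure; that is the
// behaviour the bug report depends on.
class FakeBitmap {
 public:
  explicit FakeBitmap(bool mappable) : mMappable(mappable) {}

  HRESULT Map(MappedRect* out) {
    if (!mMappable) return E_FAIL;  // out-param deliberately not written
    out->bits = mPixels;
    out->pitch = sizeof(mPixels);
    return S_OK;
  }

 private:
  bool mMappable;
  uint8_t mPixels[16] = {};
};

// Pattern from the report: the result of Map is ignored. `stale` represents
// whatever the uninitialized local `map` happened to contain on the stack.
bool MapUnchecked(FakeBitmap& bitmap, MappedSurface* aMapped, MappedRect stale) {
  MappedRect map = stale;        // in the real code: "D2D1_MAPPED_RECT map;"
  bitmap.Map(&map);              // HRESULT discarded
  aMapped->mData = map.bits;     // garbage pointer on failure
  aMapped->mStride = map.pitch;  // garbage stride on failure
  return !!aMapped->mData;       // reports "mapped" even though Map failed
}

// Hardened form: decide success from the HRESULT, never from the out-struct.
// Zero-initializing `map` is a second line of defence only; it is not what
// makes this correct, since a failed Map may legitimately leave it untouched.
bool MapChecked(FakeBitmap& bitmap, MappedSurface* aMapped) {
  MappedRect map = {};
  HRESULT hr = bitmap.Map(&map);
  if (hr != S_OK) {              // FAILED(hr) in real Windows code
    aMapped->mData = nullptr;
    aMapped->mStride = 0;
    return false;
  }
  aMapped->mData = map.bits;
  aMapped->mStride = static_cast<int32_t>(map.pitch);
  return true;
}

int main() {
  FakeBitmap broken(false);
  // Constructed "leftover" stack contents: a non-null junk pointer and stride.
  MappedRect stale{4096, reinterpret_cast<uint8_t*>(static_cast<uintptr_t>(0xDEADBEEF))};

  MappedSurface unchecked;
  std::printf("unchecked: mapped=%d data=%p stride=%d\n",
              MapUnchecked(broken, &unchecked, stale),
              static_cast<void*>(unchecked.mData), unchecked.mStride);

  MappedSurface checked;
  std::printf("checked:   mapped=%d data=%p stride=%d\n",
              MapChecked(broken, &checked),
              static_cast<void*>(checked.mData), checked.mStride);
  return 0;
}
```

The point of the contrast is the one bas raises in review: whether the API nulls the data pointer on error is a property of the callee that the caller should not rely on, so the caller must check the return code before using anything in the out-parameter.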
We've had Andrew look at similar issues (e.g., bug 1167393)
Assignee: nobody → acomminos
Flags: needinfo?(bas)
See Also: → bug 1167393
(Assignee)

Comment 2

3 years ago
Created attachment 8610769 [details] [diff] [review]
Check mapping results in SourceSurfaceD2D1.
Attachment #8610769 - Flags: review?(bas)
Comment on attachment 8610769 [details] [diff] [review]
Check mapping results in SourceSurfaceD2D1.

Review of attachment 8610769 [details] [diff] [review]:
-----------------------------------------------------------------

Obviously no issues with this, did anyone check if Map does or doesn't null out the data pointer if it returns an error?
Attachment #8610769 - Flags: review?(bas) → review+
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: sec-high
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → unaffected
status-firefox38: --- → wontfix
status-firefox38.0.5: --- → wontfix
status-firefox39: --- → affected
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox-esr31: --- → affected
status-firefox-esr38: --- → affected
tracking-firefox39: --- → +
tracking-firefox40: --- → +
tracking-firefox41: --- → +
tracking-firefox-esr31: --- → 39+
tracking-firefox-esr38: --- → 39+
Keywords: csectype-uninitialized
Flags: sec-bounty?
Does this need to land or is the fix still in progress? Since this is sec-high I figure you may want to uplift it to beta once it's ready.
Flags: needinfo?(bas)
Flags: needinfo?(acomminos)

Comment 5

3 years ago
This needs sec-approval to land.
(Assignee)

Comment 6

3 years ago
Fixes for DataSourceSurface::Map related bugs are handled in my patch for bug 1167356.
Flags: needinfo?(acomminos)
So, is this fixed? A dupe of 1167356? Or is there still work to do here for 39?
Flags: needinfo?(acomminos)
(Assignee)

Comment 8

3 years ago
As per Daniel's suggestion, I've corrected all map related issues in 1167356.
Flags: needinfo?(acomminos)
(Assignee)

Updated

3 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(bas)
Resolution: --- → DUPLICATE
Duplicate of bug: 1167356
Since the original bug 1167356 is already fixed and uplifted in Beta, Aurora, moz-central etc., updating status-firefoxN to "fixed".
status-firefox39: affected → fixed
status-firefox40: affected → fixed
status-firefox41: affected → fixed
status-firefox-esr31: affected → fixed
status-firefox-esr38: affected → fixed

Updated

3 years ago
Whiteboard: [adv-main39-][adv-esr38.1-][adv-esr31.8-]
Flags: sec-bounty? → sec-bounty-

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release