CompositorD3D11::DrawVRDistortion using uninitialized memory

RESOLVED FIXED in Firefox 42

Status

RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: q1, Assigned: vlad)

Tracking

Keywords: csectype-uninitialized, sec-other
Version: 38 Branch
Target Milestone: mozilla42
Points: ---

Firefox Tracking Flags

(firefox39 disabled, firefox40 disabled, firefox41 disabled, firefox42 fixed, firefox-esr38 unaffected)

Details

(Whiteboard: [post-critsmash-triage])

Attachments

(1 attachment)

Description (Reporter)

3 years ago
User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524

Steps to reproduce:

In Firefox 38.0.1, CompositorD3D11::DrawVRDistortion uses uninitialized memory at gfx\layers\d3d11\CompositorD3D11.cpp line 749.

The problem is that DrawVRDistortion does not check the return value from the Windows function ID3D11DeviceContext::Map at line 748, thus (on failure) leaving untouched whatever was contained in the uninitialized variable resource:

748:    mContext->Map(mAttachments->mVRDistortionConstants, 0, D3D11_MAP_WRITE_DISCARD, 0, &resource);
749:    *(gfx::VRDistortionConstants*)resource.pData = shaderConstants;

Since resource can contain anything, this bug could make it possible to write data into anywhere in Firefox's address space. Depending on how DrawVRDistortion is used, this bug might be exploitable to disclose sensitive data and/or cause execution of attacker-selected code.
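The pattern the report describes, as an added example that is not Mozilla's code and not the attached patch (the page only shows the attachment title, "correctly error check the mapping", not its body). It compiles without the Windows SDK by using hypothetical stand-ins for HRESULT, D3D11_MAPPED_SUBRESOURCE, gfx::VRDistortionConstants and the device context; the FakeContext::Map method copies the one property the bug hinges on, namely that a failed Map returns an error and leaves the caller's out-parameter untouched. "Uninitialized" is simulated by poisoning the struct with a known byte pattern, so the stale pointer is observable instead of being real undefined behaviour, and the 'before' routine returns the pointer it would have written through rather than performing the write.

```cpp
// Added example (not Mozilla's code): the unchecked Map/write from the report
// beside a checked version. Windows/D3D11 types are minimal stand-ins.
#include <cstdint>
#include <cstdio>
#include <cstring>

// Stand-ins for the Windows types; HRESULT is a 32-bit signed value whose
// sign bit marks failure, which is what FAILED() tests in the real SDK.
typedef std::int32_t HRESULT;
static const HRESULT S_OK   = 0;
static const HRESULT E_FAIL = static_cast<HRESULT>(0x80004005u);
static inline bool Failed(HRESULT hr) { return hr < 0; }

struct D3D11_MAPPED_SUBRESOURCE {
    void*    pData;
    unsigned RowPitch;
    unsigned DepthPitch;
};

// Stand-in for gfx::VRDistortionConstants; the field layout is an assumption.
struct VRDistortionConstants {
    float eyeToSource[4];
    float destCoords[4];
};

// Hypothetical device context. Like ID3D11DeviceContext::Map, a failing call
// returns an error HRESULT and does not write the caller's out-parameter.
struct FakeContext {
    bool                  failNextMap = false;
    VRDistortionConstants backing     = {};   // the "GPU buffer" a successful Map exposes

    HRESULT Map(D3D11_MAPPED_SUBRESOURCE* out) {
        if (failNextMap) {
            return E_FAIL;                    // *out is left exactly as it was
        }
        out->pData      = &backing;
        out->RowPitch   = sizeof(backing);
        out->DepthPitch = sizeof(backing);
        return S_OK;
    }
};

// The pointer value a poisoned (stale) stack slot holds; lets the test pin down
// "uninitialized" deterministically instead of relying on real UB.
static uintptr_t StaleStackPattern() {
    uintptr_t v;
    std::memset(&v, 0xA5, sizeof v);
    return v;
}

// 'Before': the shape of the reported lines 748-749. The Map result is ignored,
// so on failure resource.pData is whatever the slot held. The stale bytes are
// simulated with memset, and the pointer is returned instead of dereferenced,
// because dereferencing it is exactly the bug.
void* UncheckedMapTarget(FakeContext& ctx) {
    D3D11_MAPPED_SUBRESOURCE resource;
    std::memset(&resource, 0xA5, sizeof resource);   // simulate stale stack contents
    ctx.Map(&resource);                              // return value discarded
    return resource.pData;                           // would be written through next
}

// 'After': check the HRESULT before touching pData and bail out on failure.
// Zero-initializing resource is defence in depth: if a check is ever missed,
// a null dereference is a crash, not a write to an attacker-influenced address.
bool CheckedUpload(FakeContext& ctx, const VRDistortionConstants& shaderConstants) {
    D3D11_MAPPED_SUBRESOURCE resource = {};
    HRESULT hr = ctx.Map(&resource);
    if (Failed(hr) || resource.pData == nullptr) {
        return false;                                // skip the draw this frame
    }
    *static_cast<VRDistortionConstants*>(resource.pData) = shaderConstants;
    return true;
}

int main() {
    FakeContext failing;
    failing.failNextMap = true;
    std::printf("unchecked pData after failed Map: %p\n", UncheckedMapTarget(failing));
    VRDistortionConstants c = {{1.f, 2.f, 3.f, 4.f}, {5.f, 6.f, 7.f, 8.f}};
    std::printf("checked upload on failure: %d\n", CheckedUpload(failing, c));
    FakeContext ok;
    std::printf("checked upload on success: %d\n", CheckedUpload(ok, c));
    return 0;
}
```

Run against the failing context, the unchecked routine hands back the poison pattern as its write target, which is the "resource can contain anything" case from the report; the checked routine returns false and leaves the backing buffer untouched, and on a successful Map it copies the constants through.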

Updated

3 years ago
Component: Untriaged → Graphics: Layers
Flags: needinfo?(bas)
Product: Firefox → Core

Comment 1

3 years ago
I don't know whether the VR thing here means this is a nightly-only feature or not. Not assigning a security rating yet.
Keywords: csectype-uninitialized
It's nightly/dev-edition only, and only with a non-default pref flipped.  I'll fix.
Assignee: nobody → vladimir
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(bas)
status-firefox39: --- → disabled
status-firefox40: --- → disabled
status-firefox41: --- → disabled
status-firefox-esr38: --- → unaffected
Keywords: sec-other
Created attachment 8632823 [details] [diff] [review]
correctly error check the mapping
Attachment #8632823 - Flags: review?(bas)
Attachment #8632823 - Flags: review?(bas) → review+
https://hg.mozilla.org/mozilla-central/rev/5aa264987ee6
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox42: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42

Updated

3 years ago
Group: core-security → core-security-release
Whiteboard: [post-critsmash-triage]