CompositorD3D11::DrawVRDistortion using uninitialized memory

RESOLVED FIXED in Firefox 42

Status: RESOLVED FIXED (defect)

People

(Reporter: q1, Assigned: vlad)

Tracking: csectype-uninitialized, sec-other
Version: 38 Branch
Target Milestone: mozilla42

Firefox Tracking Flags

(firefox39 disabled, firefox40 disabled, firefox41 disabled, firefox42 fixed, firefox-esr38 unaffected)

Details

(Whiteboard: [post-critsmash-triage])

Attachments

(1 attachment)

User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524

Steps to reproduce:

In Firefox 38.0.1, CompositorD3D11::DrawVRDistortion uses uninitialized memory at gfx\layers\d3d11\CompositorD3D11.cpp line 749.

The problem is that DrawVRDistortion does not check the return value from the Windows function ID3D11DeviceContext::Map at line 748, thus (on failure) leaving untouched whatever was contained in the uninitialized variable resource:

748:    mContext->Map(mAttachments->mVRDistortionConstants, 0, D3D11_MAP_WRITE_DISCARD, 0, &resource);
749:    *(gfx::VRDistortionConstants*)resource.pData = shaderConstants;

Since resource can contain anything, this bug could make it possible to write data into anywhere in Firefox's address space. Depending on how DrawVRDistortion is used, this bug might be exploitable to disclose sensitive data and/or cause execution of attacker-selected code.
Component: Untriaged → Graphics: Layers
Flags: needinfo?(bas)
Product: Firefox → Core
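The pattern the reporter describes, as an added example that is not Firefox code or the patch attached to this bug: a D3D11_MAPPED_SUBRESOURCE-shaped struct left uninitialized, ID3D11DeviceContext::Map called with its HRESULT discarded, and pData dereferenced regardless. Map does fail in practice (for instance after device loss), and on failure it does not write into the output struct, so the subsequent store goes wherever the stale stack contents point. The block uses a small stand-in for the device context so it runs without Direct3D; FakeContext, MappedSubresource, S_OK_/E_FAIL_/FAILED_, the simplified Map signature and the field layout of VRDistortionConstants are all assumptions of this example, and the "stale" argument substitutes for real stack garbage, which cannot be reproduced deterministically.

```cpp
// Added example, not Firefox code: models the unchecked-Map pattern from the
// report against a stand-in for ID3D11DeviceContext::Map. FakeContext,
// MappedSubresource, S_OK_/E_FAIL_/FAILED_ and the VRDistortionConstants
// layout are assumptions of this example.
#include <cstdint>
#include <cstdio>

typedef int32_t HRESULT;
static const HRESULT S_OK_   = 0;
static const HRESULT E_FAIL_ = static_cast<HRESULT>(0x80004005u);  // negative, like the real E_FAIL
static inline bool FAILED_(HRESULT hr) { return hr < 0; }

// Same three fields as D3D11_MAPPED_SUBRESOURCE.
struct MappedSubresource {
  void*    pData;
  uint32_t RowPitch;
  uint32_t DepthPitch;
};

// Constant-buffer payload; the real struct's layout is not reproduced here.
struct VRDistortionConstants {
  float eyeToSource[4];
  float scale[2];
  float offset[2];
};

class FakeContext {
public:
  explicit FakeContext(bool failMap) : mFailMap(failMap), mStaging() {}
  // Like the real Map, writes into *out only on success; on failure *out is
  // left exactly as the caller had it.
  HRESULT Map(MappedSubresource* out) {
    if (mFailMap) return E_FAIL_;
    out->pData = &mStaging;
    out->RowPitch = out->DepthPitch = sizeof(mStaging);
    return S_OK_;
  }
  void Unmap() {}
  const VRDistortionConstants& staging() const { return mStaging; }
private:
  bool mFailMap;
  VRDistortionConstants mStaging;
};

// Vulnerable shape, mirroring the two lines quoted in the report: the HRESULT
// is discarded and pData is dereferenced regardless. `stale` stands in for
// whatever the uninitialized variable happened to contain.
void DrawVRDistortion_unchecked(FakeContext& ctx,
                                const VRDistortionConstants& shaderConstants,
                                MappedSubresource stale) {
  MappedSubresource resource = stale;   // plays the uninitialized variable
  ctx.Map(&resource);                   // return value ignored
  *static_cast<VRDistortionConstants*>(resource.pData) = shaderConstants;
  ctx.Unmap();
}

// Hardened shape: zero-initialize, check the HRESULT, never touch pData on
// failure, and only Unmap what was actually mapped.
bool DrawVRDistortion_checked(FakeContext& ctx,
                              const VRDistortionConstants& shaderConstants) {
  MappedSubresource resource = {};
  HRESULT hr = ctx.Map(&resource);
  if (FAILED_(hr) || resource.pData == nullptr) {
    return false;
  }
  *static_cast<VRDistortionConstants*>(resource.pData) = shaderConstants;
  ctx.Unmap();
  return true;
}

// Map is forced to fail; `victim` is unrelated memory whose address is what
// the stack slot still held. Returns true if the unchecked path overwrote it.
bool UncheckedPathClobbersVictim() {
  FakeContext ctx(/*failMap=*/true);
  VRDistortionConstants victim = {};
  victim.scale[0] = 1.0f;
  MappedSubresource stale = {};
  stale.pData = &victim;
  VRDistortionConstants shaderConstants = {};
  shaderConstants.scale[0] = 42.0f;
  DrawVRDistortion_unchecked(ctx, shaderConstants, stale);
  return victim.scale[0] == 42.0f;
}

bool CheckedPathRefusesOnFailure() {
  FakeContext ctx(/*failMap=*/true);
  VRDistortionConstants shaderConstants = {};
  shaderConstants.scale[0] = 42.0f;
  return !DrawVRDistortion_checked(ctx, shaderConstants);
}

bool CheckedPathWritesOnSuccess() {
  FakeContext ctx(/*failMap=*/false);
  VRDistortionConstants shaderConstants = {};
  shaderConstants.scale[0] = 42.0f;
  return DrawVRDistortion_checked(ctx, shaderConstants)
      && ctx.staging().scale[0] == 42.0f;
}

int main() {
  std::printf("unchecked path clobbered unrelated memory: %s\n",
              UncheckedPathClobbersVictim() ? "yes" : "no");
  std::printf("checked path refused on Map failure: %s\n",
              CheckedPathRefusesOnFailure() ? "yes" : "no");
  std::printf("checked path wrote on Map success: %s\n",
              CheckedPathWritesOnSuccess() ? "yes" : "no");
  return 0;
}
```

The two defensive steps are independent and both matter: zero-initializing the struct turns a wild write into a null dereference (a crash rather than a controlled write), and checking the HRESULT turns the crash into a clean early return. Unmap is only called on the success path, since unmapping a resource that was never mapped is itself an API misuse.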
I don't know whether the VR thing here means this is a nightly-only feature or not. Not assigning a security rating yet.
It's nightly/dev-edition only, and only with a non-default pref flipped. I'll fix.
Assignee: nobody → vladimir
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(bas)
Attachment #8632823 - Flags: review?(bas) → review+
https://hg.mozilla.org/mozilla-central/rev/5aa264987ee6
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Group: core-security → core-security-release
Whiteboard: [post-critsmash-triage]
Group: core-security-release