Closed
Bug 1167393
Opened 10 years ago
Closed 10 years ago
DataTextureSourceD3D11::Update using uninitialized memory
Categories
(Core :: Graphics: Layers, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1167356
| Tracking | Status | |
|---|---|---|
| firefox38 | --- | wontfix |
| firefox38.0.5 | --- | fixed |
| firefox39 | + | fixed |
| firefox40 | + | fixed |
| firefox41 | + | fixed |
| firefox-esr31 | 39+ | fixed |
| firefox-esr38 | --- | affected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
| b2g-master | --- | unaffected |
People
(Reporter: q1, Assigned: acomminos)
References
Details
(Keywords: csectype-uninitialized, reporter-external, sec-high, Whiteboard: [adv-main39-][adv-esr38.1-][adv-esr31.8-])
Attachments
(1 file, 4 obsolete files)
|
1.01 KB,
patch
|
acomminos
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524
Steps to reproduce:
In Firefox 38.0.1, DataTextureSourceD3D11::Update uses uninitialized memory at gfx\layers\d3d11\TextureD3D11.cpp line 644 et seq.
The problem is that DataTextureSourceD3D11::Update does not check the return value from DataSourceSurface::Map at line 630, thus (on failure and for some derived classes of DataSourceSurface, e.g., DataSourceSurfaceD2D) leaving untouched whatever was contained in the uninitialized variable map:
629: DataSourceSurface::MappedSurface map;
630: aSurface->Map(DataSourceSurface::MapType::READ, &map);
631:
632: if (aDestRegion) {
...
644: void* data = map.mData + map.mStride * iterRect->y + BytesPerPixel(aSurface->GetFormat()) * iterRect->x;
645:
646: mCompositor->GetDC()->UpdateSubresource(mTexture, 0, &box, data, map.mStride, map.mStride * mSize.height);
Since map can contain anything, this bug could make it possible to read data from anywhere in Firefox's address space. Depending on how Update is used, this bug might be exploitable to disclose sensitive data.
I notice the following note at the beginning of Update indicating that this might not currently be a significant bug, but it's still worth fixing:
// Incremental update with a source offset is only used on Mac so it is not
// clear that we ever will need to support it for D3D.
This bug seems unrelated to the problem reported in https://bugzilla.mozilla.org/show_bug.cgi?id=1092167 .
|
||
Updated•10 years ago
|
Status: UNCONFIRMED → NEW
Component: Untriaged → Graphics: Layers
Ever confirmed: true
Flags: needinfo?(milan)
Keywords: csectype-uninitialized,
sec-critical
Product: Firefox → Core
|
||
Updated•10 years ago
|
Flags: needinfo?(milan)
|
|
||
Updated•10 years ago
|
Assignee: nobody → acomminos
OS: Unspecified → Windows
|
Assignee | |
Comment 1•10 years ago
|
||
Attachment #8610776 -
Flags: review?(bas)
|
|
Assignee | |
Comment 2•10 years ago
|
||
Attachment #8610776 -
Attachment is obsolete: true
Attachment #8610776 -
Flags: review?(bas)
Attachment #8610778 -
Flags: review?(bas)
|
||
Comment 3•10 years ago
|
||
Comment on attachment 8610778 [details] [diff] [review]
Check return value of mapping in DataTextureSourceD3D11.
Review of attachment 8610778 [details] [diff] [review]:
-----------------------------------------------------------------
::: gfx/layers/d3d11/TextureD3D11.cpp
@@ +848,5 @@
> DataSourceSurface::MappedSurface map;
> + if (!aSurface->Map(DataSourceSurface::MapType::READ, &map)) {
> + Reset();
> + return false;
> + }
gfxCriticalError() here too.
Attachment #8610778 -
Flags: review?(bas) → review+
|
|
Assignee | |
Comment 4•10 years ago
|
||
Attachment #8610778 -
Attachment is obsolete: true
|
|
||
Updated•10 years ago
|
Attachment #8610801 -
Attachment description: Thanks, here's the revised patch. → Check return value of mapping in DataTextureSourceD3D11. Carry r=bas
Attachment #8610801 -
Flags: review+
|
||
Comment 5•10 years ago
|
||
Please remember to get sec-approval before landing on this and other patches that are sec-high or sec-critical and affect more than mozilla-central.
status-firefox38:
--- → wontfix
status-firefox38.0.5:
--- → affected
status-firefox39:
--- → affected
status-firefox40:
--- → affected
status-firefox41:
--- → affected
status-firefox-esr38:
--- → affected
|
|
Assignee | |
Comment 6•10 years ago
|
||
Fixed incorrect result check.
Attachment #8610801 -
Attachment is obsolete: true
Attachment #8611335 -
Flags: review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
Fixed incorrect result check.
Attachment #8611335 -
Attachment is obsolete: true
Attachment #8611338 -
Flags: review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
Comment on attachment 8611338 [details] [diff] [review]
Check return value of mapping in DataTextureSourceD3D11. Carry r=bas
[Security approval request comment]
>How easily could an exploit be constructed based on the patch?
On certain data source surface implementations (i.e. D2D) if the mapping fails, map is left untouched, potentially pointing anywhere. The triviality of developing an exploit for this is dependent on whether or not it is possible to cause some implementations of the source surface to fail mapping the backing texture.
>Do comments in the patch, the check-in comment, or tests included in the patch >paint a bulls-eye on the security problem?
No, the commit message is fairly unspecific.
>Which older supported branches are affected by this flaw?
All supported branches with DataTextureSourceD3D11.
>Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No backported patch, it would be quite trivial to make one.
>How likely is this patch to cause regressions; how much testing does it need?
Unlikely to cause regressions. Shouldn't need any additional testing.
Attachment #8611338 -
Flags: sec-approval?
|
||
Updated•10 years ago
|
status-b2g-v2.0:
--- → affected
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → affected
status-b2g-v2.1S:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → affected
status-firefox-esr31:
--- → affected
tracking-firefox39:
--- → +
tracking-firefox40:
--- → +
tracking-firefox41:
--- → +
tracking-firefox-esr31:
--- → 39+
Keywords: sec-critical → sec-high
|
|
||
Comment 9•10 years ago
|
||
Sorry, Firefox OS branches won't have D3D11.
|
|
||
Comment 10•10 years ago
|
||
Comment on attachment 8611338 [details] [diff] [review]
Check return value of mapping in DataTextureSourceD3D11. Carry r=bas
Holding off on this until we can fix all the similar problems at the same time (noted in the other bug).
Attachment #8611338 -
Flags: sec-approval?
|
|
||
Updated•10 years ago
|
Flags: sec-bounty?
|
|
Assignee | |
Comment 11•10 years ago
|
||
Fixes for DataSourceSurface::Map related bugs are handled in my patch for bug 1167356.
|
|
Assignee | |
Updated•10 years ago
|
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
|
||
Comment 13•10 years ago
|
||
Given that bug 1167356 is resolved as fixed and the fix is in all the streams, updating status-affected as "Fixed".
|
||
Updated•10 years ago
|
Whiteboard: [adv-main39-][adv-esr38.1-][adv-esr31.8-]
|
|
||
Updated•10 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
|
||
Updated•1 year ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•