Bug 1223002 - Graphite 2 instruction parameter validation bypass
Closed (opened 9 years ago, closed 9 years ago)
Categories: Core :: Graphics: Text (defect)
Tracking: VERIFIED FIXED, target milestone mozilla45
Branch | Tracking | Status
---|---|---
firefox42 | --- | unaffected
firefox43 | + | verified
firefox44 | + | verified
firefox45 | + | verified
firefox-esr38 | --- | unaffected
b2g-v2.0 | --- | unaffected
b2g-v2.0M | --- | unaffected
b2g-v2.1 | --- | unaffected
b2g-v2.1S | --- | unaffected
b2g-v2.2 | --- | unaffected
b2g-v2.5 | --- | fixed
b2g-v2.2r | --- | unaffected
b2g-master | --- | fixed
People
(Reporter: hofusec, Assigned: jfkthame)
Details
Keywords: regression, sec-critical
Attachments (5 files)
- 29.25 KB, application/zip
- 14.80 KB, text/plain
- 6.06 KB, patch (jtd: review+; abillings: sec-approval+)
- 1.68 KB, patch (jtd: review+)
- 86.19 KB, patch (abillings: approval-mozilla-aurora+, approval-mozilla-beta+)
With special CNTXT_ITEM instructions it's possible to circumvent the validation of parameters for internal instructions in the Graphite smart font system. This gives a huge attack surface which can be exploited, for example, to get a reliable jump to an arbitrary address with a specially crafted font. I'm sure it's also possible to bypass ASLR with this bug. With the current Nightly 64-bit on Windows 7 the PoC jumps to 0x4141414141414141.
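The bypass described in the report above, modelled as an added example (constructed illustration code, not graphite2's source and not the fix landed in this bug; the opcodes, byte encoding, depth limit and sample programs are invented for the demonstration): `validate_buggy` range-checks the operands of every top-level instruction but treats a CNTXT_ITEM body as opaque bytes, so an out-of-range glyph id hidden inside the body is accepted, while `validate_fixed` applies the same checks recursively to the body and also requires the body to end on an instruction boundary.

```c
/* Added illustration (constructed; not graphite2's real format or code) of the
 * bug class in this report: a bytecode validator that range-checks operands of
 * top-level instructions but treats a CNTXT_ITEM body as opaque bytes, beside
 * a fixed one that applies the same checks recursively inside the body. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum opcode {                /* invented opcodes */
    OP_NOP        = 0x00,
    OP_PUT_GLYPH  = 0x02,    /* big-endian u16 glyph id, must be < num_glyphs */
    OP_CNTXT_ITEM = 0x04,    /* u8 slot offset, u8 body length, then body bytes */
    OP_RET        = 0x05
};
#define MAX_DEPTH 1          /* constructed limit: one level of nesting */

struct font_limits { uint16_t num_glyphs; };
/* Checks the single instruction at p[0..avail). Returns its total length, or -1
 * if truncated, unknown, or out of range. For CNTXT_ITEM only the header and
 * the body's fit in the buffer are checked here, not the body's contents. */
static int check_instruction(const uint8_t *p, size_t avail,
                             const struct font_limits *lim)
{
    if (avail < 1) return -1;
    switch (p[0]) {
    case OP_NOP:
    case OP_RET:
        return 1;
    case OP_PUT_GLYPH:
        if (avail < 3) return -1;
        return ((p[1] << 8) | p[2]) < lim->num_glyphs ? 3 : -1;
    case OP_CNTXT_ITEM:
        if (avail < 3 || 3 + (size_t)p[2] > avail) return -1;
        return 3 + p[2];
    default:
        return -1;
    }
}

/* Buggy validator (the bypass): top-level operands are checked, but the CNTXT_ITEM
 * body is skipped, so a PUT_GLYPH inside it is never range-checked. 1 = accepted. */
int validate_buggy(const uint8_t *code, size_t len, const struct font_limits *lim)
{
    size_t pos = 0;
    while (pos < len) {
        int n = check_instruction(code + pos, len - pos, lim);
        if (n < 0) return 0;
        pos += (size_t)n;    /* jumps straight over a CNTXT_ITEM body */
    }
    return 1;
}

/* Fixed validator: same checks, applied recursively to the CNTXT_ITEM body, which
 * must itself decode to whole instructions ending exactly at its declared length. */
static int validate_rec(const uint8_t *code, size_t len,
                        const struct font_limits *lim, int depth)
{
    size_t pos = 0;
    while (pos < len) {
        int n = check_instruction(code + pos, len - pos, lim);
        if (n < 0) return 0;
        if (code[pos] == OP_CNTXT_ITEM &&
            (depth >= MAX_DEPTH ||
             !validate_rec(code + pos + 3, (size_t)n - 3, lim, depth + 1)))
            return 0;
        pos += (size_t)n;
    }
    return 1;
}
int validate_fixed(const uint8_t *code, size_t len, const struct font_limits *lim)
{ return validate_rec(code, len, lim, 0); }

/* Constructed inputs for a font with 100 glyphs. */
static const struct font_limits kFont = { 100 };
/* Benign: CNTXT_ITEM(slot 1, len 3){ PUT_GLYPH 16 }; RET */
static const uint8_t kBenign[]      = { OP_CNTXT_ITEM, 0x01, 0x03,
                                        OP_PUT_GLYPH, 0x00, 0x10, OP_RET };
/* Crafted: the nested PUT_GLYPH names glyph 0xFFFF. At top level the same
 * operand is rejected; inside the body it slips past validate_buggy. */
static const uint8_t kCrafted[]     = { OP_CNTXT_ITEM, 0x00, 0x03,
                                        OP_PUT_GLYPH, 0xFF, 0xFF, OP_RET };
static const uint8_t kTopLevelBad[] = { OP_PUT_GLYPH, 0xFF, 0xFF, OP_RET };
/* Misaligned: a body length of 2 cuts the PUT_GLYPH in half, so an interpreter
 * running the body would read its second operand byte past the body's end. */
static const uint8_t kMisaligned[]  = { OP_CNTXT_ITEM, 0x00, 0x02,
                                        OP_PUT_GLYPH, 0x00, OP_NOP, OP_RET };

int main(void)
{
    const struct { const char *name; const uint8_t *code; size_t len; } c[] = {
        { "benign",        kBenign,      sizeof kBenign },
        { "crafted",       kCrafted,     sizeof kCrafted },
        { "top-level bad", kTopLevelBad, sizeof kTopLevelBad },
        { "misaligned",    kMisaligned,  sizeof kMisaligned },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-14s buggy=%d fixed=%d\n", c[i].name,
               validate_buggy(c[i].code, c[i].len, &kFont),
               validate_fixed(c[i].code, c[i].len, &kFont));
    return 0;
}
```

The same operand that is rejected at top level is accepted once wrapped in a CNTXT_ITEM, which is the pattern the title of this bug describes; the misaligned case shows why the body has to be decoded as instructions rather than only bounds-checked as a blob.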
Updated•9 years ago
Group: core-security → gfx-core-security
Keywords: sec-critical
Comment 1•9 years ago
Updated•9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•9 years ago (Assignee)
Martin, here's one that sounds like it wants fixing ASAP.
Flags: needinfo?(martin_hosken)
Comment 3•9 years ago (Assignee)
This is fixed upstream, so we just need to take the most recent fixes from there.
Attachment #8688500 - Flags: review?(jdaggett)
Updated•9 years ago (Assignee)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Comment 4•9 years ago (Assignee)
Running the testcase here revealed a bug on our side when gr_face initialization fails; we end up asserting on shutdown. So let's fix that while we're here.
Attachment #8688503 - Flags: review?(jdaggett)
Comment 5•9 years ago
Given the fixes that have gone into 1.3.4 and this following bug, I would recommend applying these to gecko 44 and even 43. But that's you guys' call :)
Updated•9 years ago
Flags: needinfo?(martin_hosken)
Comment 6•9 years ago
Comment on attachment 8688503 [details] [diff] [review]
Always call ReleaseGrFace to balance GetGrFace, even if the face is null

Review of attachment 8688503 [details] [diff] [review]:
-----------------------------------------------------------------

Hmmm, calling release on a null face seems sort of weird. So, r+ with a comment explaining the necessity of always calling release.
Attachment #8688503 - Flags: review?(jdaggett) → review+
Updated•9 years ago
Attachment #8688500 - Flags: review?(jdaggett) → review+
Updated•9 years ago
status-firefox44: --- → ?
status-firefox45: --- → affected
status-firefox-esr38: --- → ?
tracking-firefox45: --- → +
Comment 7•9 years ago (Assignee)
I've confirmed that the testcase attached here crashes current FF43 (Beta) and 44 (Developer Edition) releases.[1] It doesn't appear to hurt FF42 (Release) or 38esr, though that doesn't necessarily mean they are immune... it could be that older graphite2 releases would be vulnerable to a slight variation of the example. [1] E.g. https://crash-stats.mozilla.com/report/index/6ebd7243-196b-4de0-b661-d7c4a2151118
Updated•9 years ago (Assignee)
status-firefox42: --- → unaffected
status-firefox43: --- → affected
Updated•9 years ago
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-v2.2r: --- → unaffected
status-b2g-v2.5: --- → affected
status-b2g-master: --- → affected
Comment 8•9 years ago (Assignee)
Comment on attachment 8688500 [details] [diff] [review]
Cherry-pick post-1.3.4 bugfixes for graphite2 from upstream

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
The patch doesn't directly show how to construct an exploit, but does hint at a specific part of the font tables that might be worth exploring.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No. (We could land the testcase as a crashtest later.)

Which older supported branches are affected by this flaw?
FF43 and FF44.

If not all supported branches, which bug introduced the flaw?
Bug 1200098 (major update of graphite2 library).

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Aurora and Beta are currently on graphite2-1.3.3. To backport, we should take a combined patch with bug 1220591 (update to 1.3.4) plus this bug (post-1.3.4 fixes). I'll post a combined patch.

How likely is this patch to cause regressions; how much testing does it need?
Minimal risk of regressions; this just adds error-checking to the graphite2 code so as to reject bad font tables before anything bad happens.
Attachment #8688500 - Flags: sec-approval?
Comment 9•9 years ago (Assignee)
This is the combined backport of bug 1220591 (update to 1.3.4) and this bug, for aurora and beta branches.
Comment 10•9 years ago (Assignee)
Comment on attachment 8689196 [details] [diff] [review]
Update graphite2 to release 1.3.4 plus post-release bugfixes from upstream

Approval Request Comment
(See sec-approval comment above.)
Attachment #8689196 - Flags: approval-mozilla-beta?
Attachment #8689196 - Flags: approval-mozilla-aurora?
Updated•9 years ago
tracking-firefox43:
--- → +
tracking-firefox44:
--- → +
Comment 11•9 years ago
Comment on attachment 8688500 [details] [diff] [review]
Cherry-pick post-1.3.4 bugfixes for graphite2 from upstream

sec-approval+ for trunk and other approvals given.
Attachment #8688500 - Flags: sec-approval? → sec-approval+
Updated•9 years ago
Attachment #8689196 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8689196 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 12•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/37722da27765ccd0ed63e7dc4f83241ef156f39c
Bug 1223002 - Cherry-pick post-1.3.4 bugfixes for graphite2 from upstream. r=jdaggett
Comment 13•9 years ago (Assignee)
https://hg.mozilla.org/releases/mozilla-aurora/rev/460116fc714a
https://hg.mozilla.org/releases/mozilla-beta/rev/dca2389bacea
Updated•9 years ago
https://hg.mozilla.org/mozilla-central/rev/37722da27765
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Comment 15•9 years ago (Assignee)
Oops, I failed to push the second patch here when landing to inbound. (This part isn't a security issue, it's just so we don't mistakenly think we've leaked a face that we actually failed to create.) Coming up shortly...
Comment 16•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/ef2ee7ebb2503f1af7699db407dc09777184243a
Bug 1223002 - Always call ReleaseGrFace to balance GetGrFace, even if the face is null. r=jdaggett
Updated•9 years ago
Group: gfx-core-security → core-security-release
Comment 19•9 years ago
Reproduced the initial crash using old Nightly x64 (2015-11-08) on Ubuntu 14.04 64bit (http://pastebin.com/RGLTwbmN console output) and Windows 7 64-bit (bp-08f1ac46-64d5-4658-94bd-fbc582151207), verified that the crash does not reproduce anymore using latest Nightly 45.0a1, latest Developer Edition 44.0a2 and Firefox 43 beta 9 across platforms (Windows 7 64-bit, Ubuntu 14.04 64-bit and Mac OS X 10.11).
Status: RESOLVED → VERIFIED
Updated•8 years ago
Flags: sec-bounty?
Updated•8 years ago
Blocks: 1200098
Keywords: regression
Updated•8 years ago
Flags: sec-bounty? → sec-bounty+
Updated•8 years ago
Group: core-security-release
Updated•8 years ago
See Also: → CVE-2016-1523