Closed Bug 1334102 (CVE-2017-5423) Opened 3 years ago Closed 3 years ago
Mozilla Firefox Int Overflow/Unchecked Address Addition Out of Bound Read (ASLR Bypass)
Milan, can you find someone to investigate?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Product: Firefox → Core
Bas, would you suggest a CheckedInt approach or something else here?
Flags: needinfo?(milan) → needinfo?(bas)
Group: core-security → gfx-core-security
This isn't actually related to an overflow. It's a different type of issue, patch upcoming.
So there really is an actual driver -or- D2D bug here, we tell the driver we're creating a height 0 surface, which implies we're not passing it any readable memory. However it seemingly still tries to read from the given address. This could be in D2D or the NVidia driver itself. When our uploadRect is Empty though there's no real need to do anything with the gibberish it might contain though, so the upcoming patch should be a sufficient fix.
Assignee: nobody → bas
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8831731 - Flags: review?(milan)
Note the security impact is likely low here as far as I can tell, -if- a surface could be returned at all for a 0x0 size bitmap, which would contain the memory located at that particular byte, it is unlikely to be directly informative nor tell you what the exact content of that byte was.
3 years ago
Attachment #8831731 - Flags: review?(milan) → review+
I haven't actually properly looked at this yet, but I will check it out tonight... eax=b40ce91c ebx=000000ca ecx=00000001 edx=00000004 esi=bb9278bc edi=0f9e91a0 eip=611e46fc esp=00efc3e4 ebp=00efc3f0 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202 nvwgf2um!NVAPI_Thunk+0x33595c: 611e46fc f3a5 rep movs dword ptr es:[edi],dword ptr [esi] From what I can see from the crash dump I originally got from !exploitable, it looks like a DWORD sized section of memory is being read from ESI, which is the address we control. I'm guessing EDI is the data section of the bitmap that's going to be returned? I will look into it later.
Comment on attachment 8831731 [details] [diff] [review] Do not attempt to upload empty rectangles. Approval Request Comment It is possible this could reduce the number of driver resets on Nvidia in the cases where the driver resets instead of crashing. If that was the case, it could benefit the CompositorD3D11::BeginFrame crash, currently top 10 browser crash in 51. Bas, this doesn't have a security rating; if it is going to be less than sec-high, you can land it without security approval.
So I looked into this briefly last night and it would appear as though the DWORD gets written into the bitmap object and returned. So it comes down to how Firefox deals with this.
Comment on attachment 8831731 [details] [diff] [review] Do not attempt to upload empty rectangles. don't upload an empty rect, aurora53+, beta52+
Flagging this for manual testing, testcase available in Comment 0.
Reproduced the issue with an affected build (51.0.1, 20170125094131) using the testcase from Comment 0 on Windows 10 x64: 6bc8cc71-0730-4966-b006-a43f694bc10f. This is verified fixed on Windows 10 x64, Ubuntu 16.04 x86 and macOS 10.12.3, using: - 52.0b9-build2 (20170223185858), - 53.0a2 (2017-02-24), - 54.0a1 (2017-02-24), on which the test case is no longer crashing.
out of curiosity, I was wondering if issues like this (sec-low) are also considered for bug bounty program?
(In reply to Soroush Dalili from comment #16) > out of curiosity, I was wondering if issues like this (sec-low) are also > considered for bug bounty program? Per our security page, please write to email@example.com for bug bounty questions. I only saw this question because I was looking at the bug for other reasons. No, sec-low bugs don't receive bounties.
You need to log in before you can comment on or make changes to this bug.