Potential UAF when exiting VR presentation after the GPU process has been terminated

RESOLVED FIXED in Firefox 55

Status


RESOLVED FIXED
a year ago
a year ago

People

(Reporter: kip, Assigned: kip)

Tracking

Keywords: csectype-uaf, sec-high
Version: unspecified
Target Milestone: mozilla56
Points:
---
Bug Flags:
qe-verify ?

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox54 disabled, firefox55 fixed, firefox56 fixed)

Details

(Whiteboard: [post-critsmash-triage])

Attachments

(1 attachment)

(Assignee)

Description

a year ago
I have created a patch to fix Bug 1321275, which enables the browser to survive GPU process termination while WebVR presentations are active.

I am filing this additional security bug to disclose a potential use-after-free vulnerability with PVRLayerChild that is possible during this event.

This vulnerability should be corrected with the fix in Bug 1321275.

Assuming that the fix passes try server tests and has no other ill effects identified after landing in Nightly, I would like to uplift this patch to Beta channel which is also affected.

The current release build includes the affected code; however, the feature (WebVR via dom.vr.enabled pref) needed to expose it is disabled by default in release.
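The description above reports a potential use-after-free on PVRLayerChild when the GPU process dies under an active presentation, but the page carries neither the affected code nor the patch. The block below is an added, hypothetical C++ model of that class of bug; it is not Gecko code and not the fix from Bug 1321275. It models an IPC actor proxy whose channel-side reference is dropped when the GPU process is terminated while a presenting display still holds a pointer to it, and shows the shape that dangles next to the shape that survives. The names LayerChild, Channel, DisplayRaw and DisplaySafe, and the refcounting details, are assumptions made for illustration.

```cpp
// Added illustration only, NOT Firefox/Gecko code and NOT the Bug 1321275 patch.
// Names (LayerChild, Channel, DisplayRaw, DisplaySafe) are hypothetical.
#include <cstdio>
#include <vector>

// Stand-in for an IPC child actor (think PVRLayerChild) whose lifetime is
// normally managed by the IPC channel to the GPU process.
struct LayerChild {
    static int sLive;                 // live LayerChild objects, for the checks below
    int mRefCnt = 0;
    bool mDestroyed = false;          // set once the channel has torn the actor down

    LayerChild() { ++sLive; }
    ~LayerChild() { --sLive; }

    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }

    // Called by the channel on normal shutdown or on GPU-process death.
    // After this, nothing may be sent over the channel.
    void ActorDestroy() { mDestroyed = true; }

    // Would send a message to the GPU process; refuses once the actor is dead.
    bool SendSubmitFrame() const { return !mDestroyed; }
};
int LayerChild::sLive = 0;

// Models the top-level protocol that owns its managed actors.
struct Channel {
    std::vector<LayerChild*> mActors;

    LayerChild* CreateLayer() {
        LayerChild* layer = new LayerChild();
        layer->AddRef();              // the channel's own reference
        mActors.push_back(layer);
        return layer;
    }

    // Simulates the GPU process being killed: every managed actor is
    // destroyed and the channel drops its references.
    void ChannelLost() {
        for (LayerChild* layer : mActors) { layer->ActorDestroy(); layer->Release(); }
        mActors.clear();
    }
    ~Channel() { ChannelLost(); }     // normal shutdown tears actors down too
};

// Vulnerable shape (never invoked here): the display keeps a raw pointer and
// relies on the channel to keep the actor alive. After ChannelLost() the
// pointer dangles, so ExitPresent() would read freed memory.
struct DisplayRaw {
    LayerChild* mLayer = nullptr;
    void StartPresent(Channel& c) { mLayer = c.CreateLayer(); }
    bool ExitPresent() { bool sent = mLayer->SendSubmitFrame(); mLayer = nullptr; return sent; }
};

// Hardened shape: the display holds its own counted reference, so the actor
// outlives the channel, and sends become no-ops once the actor is destroyed.
struct DisplaySafe {
    LayerChild* mLayer = nullptr;     // owning reference (AddRef'd)
    void StartPresent(Channel& c) { mLayer = c.CreateLayer(); mLayer->AddRef(); }
    bool ExitPresent() {
        if (!mLayer) return false;
        bool sent = mLayer->SendSubmitFrame();
        mLayer->Release();            // last reference frees the actor
        mLayer = nullptr;
        return sent;
    }
};

// Enter VR, kill the GPU process, exit presentation. Returns true when exit
// completed without touching freed memory and the actor was eventually freed.
bool RunGpuKillScenario() {
    Channel channel;
    DisplaySafe display;
    display.StartPresent(channel);
    channel.ChannelLost();            // GPU process terminated mid-presentation
    bool sent = display.ExitPresent();// must not crash; the send fails cleanly
    return !sent && LayerChild::sLive == 0;
}

// Enter VR, exit normally, then shut the channel down. Returns true when the
// send succeeded and the channel's reference was released on shutdown.
bool RunNormalScenario() {
    Channel channel;
    DisplaySafe display;
    display.StartPresent(channel);
    bool sent = display.ExitPresent();
    bool stillHeldByChannel = LayerChild::sLive == 1;
    channel.ChannelLost();
    return sent && stillHeldByChannel && LayerChild::sLive == 0;
}

int main() {
    std::printf("gpu-kill scenario ok: %d\n", RunGpuKillScenario());
    std::printf("normal scenario ok: %d\n", RunNormalScenario());
    return 0;
}
```

The point of the model is the ownership rule, not the names: any object that can outlive the IPC channel (here the presenting display) must hold its own counted reference to the actor, and the actor must turn sends into failures after ActorDestroy rather than reaching into a dead channel.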
(Assignee)

Updated

a year ago
Assignee: nobody → kgilbert
(Assignee)

Updated

a year ago
Depends on: 1321275
(Assignee)

Updated

a year ago
No longer depends on: 1321275
status-firefox54: --- → disabled
status-firefox55: --- → affected
status-firefox56: --- → affected
status-firefox-esr52: --- → unaffected
Keywords: csectype-uaf, sec-high
Group: core-security → gfx-core-security
(Assignee)

Comment 1

a year ago
Created attachment 8887202 [details] [diff] [review]
Bug 1321275 - Fix reference counting of PVRLayerChild when GPU process has been terminated
(Assignee)

Comment 2

a year ago
Comment on attachment 8887202 [details] [diff] [review]
Bug 1321275 - Fix reference counting of PVRLayerChild when GPU process has been terminated

Approval Request Comment
[Feature/Bug causing the regression]:
Bug 1250244 (WebVR 1.0 API)
[User impact if declined]:
If declined, Firefox will crash when the GPU process is killed during a WebVR session.  The Firefox GPU process may be killed by third-party software update mechanisms that try to unlock VR runtime files.  As the crash is caused by a UAF, there is a potential security impact.
[Is this code covered by automated tests?]:
Automated WebVR mochitests will hit this code with normal GPU process shutdown; however, the tests do not forcefully terminate the GPU process.
[Has the fix been verified in Nightly?]:
Yes, Nightly's content process no longer crashes when WebVR is active and the GPU process is terminated.
[Needs manual test from QE? If yes, steps to reproduce]: 
Manual test:
- Navigate to a WebVR site (e.g. https://webvr.info/samples/04-simple-mirroring.html)
- Click the "Enter VR" button provided by the site. (bottom-right corner for webvr.info)
- Kill the GPU process
- Refresh the browser window
- Close the browser
Expected: None of the browser processes shuts down abnormally (other than the manually killed GPU process)
[List of other uplifts needed for the feature/fix]:
None
[Is the change risky?]:
Medium risk.
[Why is the change risky/not risky?]:
There are only a few lines changed, but they interact with e10s and can be sensitive to varying multiprocess configurations.  The changed code would only be executed for users with VR hardware after they have started a VR presentation on a WebVR site.  IMHO, the risk of not fixing is greater than the risk of fixing.
[String changes made/needed]:
None
Attachment #8887202 - Flags: approval-mozilla-beta?
(Assignee)

Comment 3

a year ago
This patch has already landed in Mozilla-Central in Bug 1321275.  The beta uplift request has been added to this separate security bug as the uplift comments reference the potential UAF vulnerability.

Comment 4

Marking 56 as fixed per comment 3.
status-firefox56: affected → fixed
Comment 5

Comment on attachment 8887202 [details] [diff] [review]
Bug 1321275 - Fix reference counting of PVRLayerChild when GPU process has been terminated

sec-high, uaf fix for webvr, beta55+
Attachment #8887202 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(Assignee)

Updated

a year ago
Attachment #8887202 - Flags: checkin?
(Assignee)

Comment 6

a year ago
Check-in needed for beta, thanks!
Comment 7

Comment on attachment 8887202 [details] [diff] [review]
Bug 1321275 - Fix reference counting of PVRLayerChild when GPU process has been terminated

For future reference, we've got bug queries for patches that are approved for uplift, so no need to go the checkin-needed route :)
Attachment #8887202 - Flags: checkin?

Comment 8

a year ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/7bb0d5ad88b3
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Group: gfx-core-security → core-security-release
Flags: qe-verify?
Whiteboard: [post-critsmash-triage]
Group: core-security-release