Closed Bug 1398381 (CVE-2017-7824) Opened 7 years ago Closed 7 years ago

Heap Buffer Overflow in CopyNativeVertexData (ANGLE)

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
45 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox-esr52 56+ fixed
firefox55 --- wontfix
firefox56 --- fixed
firefox57 --- fixed

People

(Reporter: omair, Assigned: svargas)

References

Details

(4 keywords, Whiteboard: [adv-main56+][adv-esr52.4+])

Attachments

(1 file)

CopyNativeVertex.html
8.37 KB, text/html
Details
Attached file CopyNativeVertex.html 
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36

Steps to reproduce:

Run the uploaded file to see the heap buffer overflow on Stable editions on Windows Firefox x64/x86.



Actual results:

1:061:x86> r
eax=14500e4c ebx=0ecf4000 ecx=00000e4c edx=0002ff4c esi=14500000 edi=07122100
eip=6f83cf5e esp=008fd830 ebp=008fd848 iopl=0         nv up ei pl nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210207
VCRUNTIME140!memcpy+0x4e:
6f83cf5e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
1:061:x86> kb
 # ChildEBP RetAddr  Args to Child              
00 008fd834 658dfde2 070f3000 144d0f00 0002ff4c VCRUNTIME140!memcpy+0x4e [f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm @ 194]
01 008fd848 658d37b5 144d0f00 0000000c 00003ff1 libGLESv2!rx::CopyNativeVertexData<unsigned int,3,3,0>+0x19 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\copyvertex.inl @ 17]
02 008fd878 658ad39c 008fd8ac 0000000c 00001406 libGLESv2!rx::VertexBuffer11::storeVertexAttributes+0xcb [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\vertexbuffer11.cpp @ 144]
03 008fd8c8 658adf48 008fd900 0ecf4000 00001406 libGLESv2!rx::StreamingVertexBufferInterface::storeDynamicAttribute+0xf0 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\vertexbuffer.cpp @ 173]
04 008fd90c 658add39 008fd938 144d0f00 00000000 libGLESv2!rx::VertexDataManager::storeDynamicAttrib+0x10d [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\vertexdatamanager.cpp @ 480]
05 008fd970 658d354b 008fda14 0f068b68 008fd99c libGLESv2!rx::VertexDataManager::storeDynamicAttribs+0x13d [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\vertexdatamanager.cpp @ 400]
06 008fd9e0 658c2e1b 008fda14 14226b20 0f0452f8 libGLESv2!rx::VertexArray11::updateDirtyAndDynamicAttribs+0x2aa [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\vertexarray11.cpp @ 220]
07 008fda1c 658c7a88 008fda5c 0f0452f8 00000003 libGLESv2!rx::Renderer11::applyVertexBuffer+0x35 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\renderer11.cpp @ 1698]
08 008fdaa4 658baca5 008fdaf0 0ccdfdd0 00000003 libGLESv2!rx::Renderer11::genericDrawElements+0x13b [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\renderer11.cpp @ 4514]
09 008fdacc 6587b2ad 008fdaf0 00000003 00000006 libGLESv2!rx::Context11::drawElements+0x20 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\renderer\d3d\d3d11\context11.cpp @ 168]
0a (Inline) -------- -------- -------- -------- libGLESv2!gl::Context::drawElements+0x23 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libangle\context.cpp @ 1631]
0b 008fdb08 5c24b5a7 00000003 00000006 00001403 libGLESv2!gl::DrawElements+0x5f [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\angle\src\libglesv2\entry_points_gles_2_0.cpp @ 792]
0c (Inline) -------- -------- -------- -------- xul!mozilla::gl::GLContext::raw_fDrawElements+0x18 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\gl\glcontext.h @ 1147]
0d 008fdb20 5c6fdd62 00000003 00000006 00001403 xul!mozilla::gl::GLContext::fDrawElements+0x19 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\gfx\gl\glcontext.h @ 1161]
0e 008fdb70 5c5bda0c 00000003 00000006 00001403 xul!mozilla::WebGLContext::DrawElements+0xf9 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\canvas\webglcontextdraw.cpp @ 819]
0f 008fdba8 5b5e858a 04530000 008fdc10 0ecf3400 xul!mozilla::dom::WebGLRenderingContextBinding::drawElements+0xa8 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dom\bindings\webglrenderingcontextbinding.cpp @ 14403]
10 (Inline) -------- -------- -------- -------- xul!mozilla::dom::GenericBindingMethod+0xce [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\bindings\bindingutils.cpp @ 2812]
11 (Inline) -------- -------- -------- -------- xul!js::CallJSNative+0x383 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jscntxtinlines.h @ 235]
12 008fdc44 5b5e8133 00000000 04530000 ffffff8c xul!js::InternalCallOrConstruct+0x40a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 458]
13 008fdc68 5b6b26e3 1d7ff810 12237112 008fdd90 xul!InternalCall+0xa3 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 503]
14 (Inline) -------- -------- -------- -------- xul!js::CallFromStack+0xb [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\vm\interpreter.cpp @ 509]
15 008fdd6c 160a129f 04530000 008fde28 1d7ff810 xul!js::jit::DoCallFallback+0x403 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselineic.cpp @ 6008]
WARNING: Frame IP not in any known module. Following frames may be wrong.
16 008fddec 12237112 00005821 00000000 ffffff81 0x160a129f
17 008fde4c 160a0943 00001444 c450d882 00000000 0x12237112
18 00000000 00000000 00000000 00000000 00000000 0x160a0943
Initial regression range:
INFO: Last good revision: 099f695d31326c39595264c34988a0f4b7cbc698 (2015-11-25)
INFO: First bad revision: c321d84038519dcf1670d59fd2c5c00ad8a85a55 (2015-11-26)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=099f695d31326c39595264c34988a0f4b7cbc698&tochange=c321d84038519dcf1670d59fd2c5c00ad8a85a55

--> Possibly caused by bug 1221822?

Crash went away during the Fx56 cycle, though:
INFO: First good revision: 122e0e90b9a124f1376964a219625490794819a8
INFO: Last bad revision: fc27e4fc79a38461033e573f3bf9d799aa558f63
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=fc27e4fc79a38461033e573f3bf9d799aa558f63&tochange=122e0e90b9a124f1376964a219625490794819a8

Looks highly likely that bug 1376399 is what fixed it. It grafts cleanly to ESR52, so I'll just go ahead and request approval.
Assignee: nobody → svargas
Group: firefox-core-security → gfx-core-security
Status: UNCONFIRMED → RESOLVED
Has Regression Range: --- → yes
Closed: 7 years ago
status-firefox55: --- → wontfix
status-firefox56: --- → fixed
status-firefox57: --- → fixed
status-firefox-esr52: --- → affected
tracking-firefox-esr52: --- → ?
Component: Untriaged → Canvas: WebGL
Depends on: 1376399
Flags: in-testsuite?
Keywords: crash, regression
Product: Firefox → Core
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Version: 55 Branch → 45 Branch
Group: gfx-core-security → core-security-release
ESR52 CI builds aren't crashing with bug 1376399 uplifted.
status-firefox-esr52: affectedfixed
Alias: CVE-2017-7824
Whiteboard: [adv-main56+][adv-esr52.4+]
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: