1423275 - (CVE-2018-5110) Switching mouse cursor from none to image hides the cursor globally on OSX

Status: VERIFIED FIXED

(Core :: Widget: Cocoa, defect, P1)

Description

[blodbath]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce:

There is a jsFiddle here: https://jsfiddle.net/vb1ojdaL/

Summarizing here; on OSX El Capitan using Firefox 58 (and developer edition) when you have an element with `cursor: none` set and you toggle (via JS) it back to an image based cursor (base64 encoded) when there is another fallback cursor available the mouse cursor will become entirely invisible across all tabs/areas of firefox until you mouse over certain system areas (not sure exactly which cause it to reset).

I have tested with a GIF and PNG that both appear to function correctly in chrome and on firefox in windows and both are broken on OSX.

Here is the rule I initially discovered this bug with: 

cursor:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgBAMAAACBVGfHAAAAKlBMVEUAAAAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMjZDADAAAADXRSTlMAYJ/vML9AEN/PUCBwo5BZ4wAAAGZJREFUKM9jQAFL1VH5jFctC1AEZBWcp6MouMTAYoQssAXIC0VWcNFZgekWsgm9Ika6AsgmMF10vohiBYOuCIoCBgaO26gKGHTRFDBdHFXAgK6A4RpUAUIATQHDnTRUBQx376IqAAB3TCfI3I+0DAAAAABJRU5ErkJggg==) 0 31,crosshair;


Actual results:

The mouse cursor becomes invisible across the entire page (and all tabs of firefox.


Expected results:

I would have expected the cursor to be visible as it is on other browsers/operating systems.

Comment 1

[Jim Mathies [:jimm]]

Setting to P2, this looks pretty bad. Confirmed on OSX by Tracy. Stephen we should get this prioritized.

Comment 2

[Stephen A Pohl [:spohl] (OOO until 2/27)]

Marking as security sensitive due to the possibility of cursor hijacking.

Comment 3

[Daniel Veditz [:dveditz]]

Attachment: testcase from jsfiddle (click in blue box)

Comment 4

[Stephen A Pohl [:spohl] (OOO until 2/27)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=c71f3e1082d9ac17fd533de79b78a91ab12dd0f4

Comment 5

[Stephen A Pohl [:spohl] (OOO until 2/27)]

Attachment: Patch

setMacCursor: is called from both setCursor: and setCursorWithImage:, but only setCursor: hides/unhides the mouse cursor. Moving the hiding/unhiding to setMacCursor: fixes the bug.

I've kept the commit message intentionally vague.

Comment 6

[Stephen A Pohl [:spohl] (OOO until 2/27)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/e15eeb9bbf33b6f73c2a41540931354f4b4ae7df
Bug 1423275: Ensure that the proper mouse cursor is shown on macOS when switching between custom and default system cursors. r=mstange

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/e15eeb9bbf33

Comment 8

[Stephen A Pohl [:spohl] (OOO until 2/27)]

Comment on attachment 8937113 [details] [diff] [review]
Patch

Beta Approval Request Comment
[Feature/Bug causing the regression]: Bug 286304
[User impact if declined]: Cursor hijacking security bug.
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: yes, run the test case and verify that the cursor appears every time that the mouse is outside the blue box regardless of how many times the blue box is clicked.
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: This moves some existing mouse hiding/unhiding code to a more global place to cover both default system cursors and custom cursors.
[String changes made/needed]: none


ESR52 Approval Request Comment
If this is not a sec:{high,crit} bug, please state case for ESR consideration: This issue could be used for cursor hijacking. Nominating in case we want to take this in ESR52.
User impact if declined: Cursor hijacking security bug.
Fix Landed on Version: 59
Risk to taking this patch (and alternatives if risky): This moves some existing mouse hiding/unhiding code to a more global place to cover both default system cursors and custom cursors.
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Comment 9

[Julien Cristau [:jcristau]]

Comment on attachment 8937113 [details] [diff] [review]
Patch

cursor hijacking issue on mac, beta58+

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/13b3ee92ee38

Comment 11

[Iulia Cristescu, QA [:JuliaC] (away, please needinfo? cornel.ionce@softvision.ro)]

I managed to reproduce the initial issue on 57.0.2 (20171206182557). I can confirm that 59.0a1 (2017-12-28) and 58.0b13 build1 (20171226085105) are verified fixed using Mac OS X 10.11.6 and macOS 10.13.2.

Comment 12

[Julien Cristau [:jcristau]]

Comment on attachment 8937113 [details] [diff] [review]
Patch

Al set esr52 to wontfix, updating patch flag to reflect that.