Closed Bug 1488295 Opened 6 years ago Closed 6 years ago

heap overflow in TextureStorage11 - ANGLE

Categories

(Core :: Graphics: CanvasWebGL, defect)

61 Branch
defect
Not set
normal

Tracking

VERIFIED FIXED
mozilla64
Tracking Status
firefox-esr60 64+ verified
firefox62 --- wontfix
firefox63 + wontfix
firefox64 + verified

People

(Reporter: omair, Assigned: jgilbert)

References

Details

(4 keywords, Whiteboard: [Google assigned CVE-2018-17466][post-critsmash-triage][adv-main64+][adv-esr60.4+])

Attachments

(3 files)

Attached file texstor11.html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

Attached is the testcase to reproduce a heap overflow in TexStorage11 in Firefox 61.0.2.
I have tested this on Intel and Nvidia GPUs; both crash due to the same invalid pixelData buffer reference.

Actual results:

5:202> r
rax=00007ffd57ca1034 rbx=000001eeeaa00000 rcx=000001eeeaa00000
rdx=00000236f87c90d0 rsi=00000236f87c90d0 rdi=0000000000000004
rip=00007ffd57ca1034 rsp=00000048125fb2f8 rbp=0000000000000001
 r8=0000000000000004  r9=00007ffd57c80000 r10=000001eeeaa00000
r11=000001eeeaa00000 r12=000001eee1c01d58 r13=0000000000000000
r14=0000000000000040 r15=0000000000000004
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
igd10iumd64+0x21034:
00007ffd`57ca1034 8b02            mov     eax,dword ptr [rdx] ds:00000236`f87c90d0=????????
5:202> k
 # Child-SP          RetAddr           Call Site
00 00000048`125fb2f8 00007ffd`57cc2af7 igd10iumd64+0x21034
01 00000048`125fb300 00007ffd`57ce687f igd10iumd64!OpenAdapter10_2+0x1bd17
02 00000048`125fb360 00007ffd`66d72988 igd10iumd64!OpenAdapter10_2+0x3fa9f
03 00000048`125fb510 00007ffd`66d722a9 d3d11!CContext::TID3D11DeviceContext_UpdateSubresource_<1>+0x208
04 00000048`125fb620 00007ffd`3c7c7b0d d3d11!CContext::TID3D11DeviceContext_UpdateSubresource_Amortized<1>+0xe9
05 00000048`125fb6a0 00007ffd`3c780d46 libGLESv2!rx::TextureStorage11::setData+0x455 [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\d3d11\texturestorage11.cpp @ 838] 
06 00000048`125fb7f0 00007ffd`3c7886d7 libGLESv2!rx::TextureD3D::subImage+0xee [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\textured3d.cpp @ 277] 
07 00000048`125fb880 00007ffd`3c7322c8 libGLESv2!rx::TextureD3D_2DArray::setSubImage+0x167 [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\textured3d.cpp @ 3026] 
08 00000048`125fb960 00007ffd`3c801b8c libGLESv2!gl::Texture::setSubImage+0xcc [z:\build\build\src\gfx\angle\checkout\src\libangle\texture.cpp @ 965] 
09 00000048`125fb9e0 00007ffd`3c7bee07 libGLESv2!rx::IncompleteTextureSet::getIncompleteTexture+0x28c [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\renderer_utils.cpp @ 538] 
0a (Inline Function) --------`-------- libGLESv2!rx::RendererD3D::getIncompleteTexture+0x3a [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\rendererd3d.cpp @ 89] 
0b 00000048`125fbad0 00007ffd`3c7be495 libGLESv2!rx::StateManager11::applyTextures+0x1b3 [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\d3d11\statemanager11.cpp @ 2369] 
0c (Inline Function) --------`-------- libGLESv2!rx::StateManager11::syncTextures+0x66 [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\d3d11\statemanager11.cpp @ 2387] 
0d 00000048`125fbcb0 00007ffd`3c79cb62 libGLESv2!rx::StateManager11::updateState+0x495 [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\d3d11\statemanager11.cpp @ 2052] 
0e 00000048`125fc110 00007ffd`3c79be29 libGLESv2!rx::Context11::prepareForDrawCall+0x1e [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\d3d11\context11.cpp @ 407] 
0f 00000048`125fc150 00007ffd`3c6f1770 libGLESv2!rx::Context11::drawElementsInstanced+0x29 [z:\build\build\src\gfx\angle\checkout\src\libangle\renderer\d3d\d3d11\context11.cpp @ 193] 
10 00000048`125fc1b0 00007ffd`3c6cc839 libGLESv2!gl::Context::drawElementsInstanced+0x88 [z:\build\build\src\gfx\angle\checkout\src\libangle\context.cpp @ 1834] 
11 00000048`125fc210 00007ffd`32760009 libGLESv2!gl::DrawElementsInstanced+0x1c9 [z:\build\build\src\gfx\angle\checkout\src\libglesv2\entry_points_gles_3_0_autogen.cpp @ 525] 
12 (Inline Function) --------`-------- xul!mozilla::gl::GLContext::raw_fDrawElementsInstanced+0x30 [z:\build\build\src\gfx\gl\glcontext.h @ 2443] 
13 00000048`125fc480 00007ffd`327583d5 xul!mozilla::gl::GLContext::fDrawElementsInstanced+0x49 [z:\build\build\src\gfx\gl\glcontext.h @ 2426] 
14 00000048`125fc4c0 00007ffd`3254fa24 xul!mozilla::WebGLContext::DrawElementsInstanced+0x1e1 [z:\build\build\src\dom\canvas\webglcontextdraw.cpp @ 769] 
15 (Inline Function) --------`-------- xul!mozilla::WebGLContext::DrawElements+0x2a [z:\build\build\src\dom\canvas\webglcontext.h @ 1329] 
16 00000048`125fc5d0 00007ffd`310b1487 xul!mozilla::dom::WebGL2RenderingContextBinding::drawElements+0x194 [z:\build\build\src\obj-firefox\dom\bindings\webgl2renderingcontextbinding.cpp @ 10592] 
17 00000048`125fc640 00007ffd`30eb4875 xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0x11b [z:\build\build\src\dom\bindings\bindingutils.cpp @ 3266] 
18 (Inline Function) --------`-------- xul!js::CallJSNative+0x58 [z:\build\build\src\js\src\vm\jscontext-inl.h @ 280] 
19 00000048`125fc6d0 00007ffd`3106dbed xul!js::InternalCallOrConstruct+0x765 [z:\build\build\src\js\src\vm\interpreter.cpp @ 492] 
1a 00000048`125fc820 00007ffd`3177765d xul!Interpret+0x8d2d [z:\build\build\src\js\src\vm\interpreter.cpp @ 3115] 
1b 00000048`125fe1f0 00007ffd`3105ba50 xul!js::RunScript+0x3bd [z:\build\build\src\js\src\vm\interpreter.cpp @ 417] 
1c 00000048`125fe340 00007ffd`3105b992 xul!js::ExecuteKernel+0xa0 [z:\build\build\src\js\src\vm\interpreter.cpp @ 703] 
1d 00000048`125fe3d0 00007ffd`3105b748 xul!js::Execute+0xbe [z:\build\build\src\js\src\vm\interpreter.cpp @ 732] 
1e 00000048`125fe430 00007ffd`3105b672 xul!ExecuteScript+0xa8 [z:\build\build\src\js\src\jsapi.cpp @ 4740] 
1f 00000048`125fe4b0 00007ffd`3131cdb6 xul!nsJSUtils::ExecutionContext::CompileAndExec+0x52 [z:\build\build\src\dom\base\nsjsutils.cpp @ 268] 
20 00000048`125fe4e0 00007ffd`30e6cece xul!mozilla::dom::ScriptLoader::EvaluateScript+0x7ee [z:\build\build\src\dom\script\scriptloader.cpp @ 2328] 
21 00000048`125febb0 00007ffd`313a9923 xul!mozilla::dom::ScriptLoader::ProcessRequest+0x1de [z:\build\build\src\dom\script\scriptloader.cpp @ 1956] 
22 00000048`125fec30 00007ffd`313a8a67 xul!mozilla::dom::ScriptLoader::ProcessInlineScript+0x1d7 [z:\build\build\src\dom\script\scriptloader.cpp @ 1595] 
23 00000048`125fece0 00007ffd`311d7482 xul!mozilla::dom::ScriptLoader::ProcessScriptElement+0x207 [z:\build\build\src\dom\script\scriptloader.cpp @ 1314] 
24 00000048`125feeb0 00007ffd`3110098b xul!mozilla::dom::ScriptElement::MaybeProcessScript+0x1de [z:\build\build\src\dom\script\scriptelement.cpp @ 141] 
25 00000048`125fef30 00007ffd`311008de xul!nsIScriptElement::AttemptToExecute+0x17 [z:\build\build\src\obj-firefox\dist\include\nsiscriptelement.h @ 248] 
26 00000048`125fef60 00007ffd`3113f48e xul!nsHtml5TreeOpExecutor::RunScript+0x66 [z:\build\build\src\parser\html\nshtml5treeopexecutor.cpp @ 743] 
27 00000048`125fef90 00007ffd`31689561 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x2ea [z:\build\build\src\parser\html\nshtml5treeopexecutor.cpp @ 541] 
28 00000048`125ff040 00007ffd`31a81590 xul!nsHtml5ExecutorFlusher::Run+0x19 [z:\build\build\src\parser\html\nshtml5streamparser.cpp @ 123] 
29 00000048`125ff070 00007ffd`30f2184a xul!mozilla::SchedulerGroup::Runnable::Run+0x54 [z:\build\build\src\xpcom\threads\schedulergroup.cpp @ 341] 
2a 00000048`125ff0a0 00007ffd`30f1fc85 xul!nsThread::ProcessNextEvent+0x206 [z:\build\build\src\xpcom\threads\nsthread.cpp @ 1093] 
2b (Inline Function) --------`-------- xul!NS_ProcessNextEvent+0x16 [z:\build\build\src\xpcom\threads\nsthreadutils.cpp @ 519] 
2c 00000048`125ff270 00007ffd`31ce4b74 xul!mozilla::ipc::MessagePump::Run+0x91 [z:\build\build\src\ipc\glue\messagepump.cpp @ 97] 
2d 00000048`125ff2c0 00007ffd`3143c9f5 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x70 [z:\build\build\src\ipc\glue\messagepump.cpp @ 302] 
2e (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0xf [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 326] 
2f 00000048`125ff2f0 00007ffd`3143c99a xul!MessageLoop::RunHandler+0x25 [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 320] 
30 00000048`125ff320 00007ffd`31417fe0 xul!MessageLoop::Run+0x3e [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 300] 
31 00000048`125ff370 00007ffd`31417ce0 xul!nsBaseAppShell::Run+0x3c [z:\build\build\src\widget\nsbaseappshell.cpp @ 159] 
32 00000048`125ff3a0 00007ffd`3365c2f7 xul!nsAppShell::Run+0x30 [z:\build\build\src\widget\windows\nsappshell.cpp @ 417] 
33 00000048`125ff3d0 00007ffd`31ce4b2d xul!XRE_RunAppShell+0x3b [z:\build\build\src\toolkit\xre\nsembedfunctions.cpp @ 896] 
34 00000048`125ff400 00007ffd`3143c9f5 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x29 [z:\build\build\src\ipc\glue\messagepump.cpp @ 278] 
35 (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0xf [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 326] 
36 00000048`125ff430 00007ffd`3143c99a xul!MessageLoop::RunHandler+0x25 [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 320] 
37 00000048`125ff460 00007ffd`3365c076 xul!MessageLoop::Run+0x3e [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 300] 
38 00000048`125ff4b0 00007ff6`f4f7942d xul!XRE_InitChildProcess+0x90e [z:\build\build\src\toolkit\xre\nsembedfunctions.cpp @ 726] 
39 00000048`125ff710 00007ff6`f4f774b9 firefox!content_process_main+0x9d [z:\build\build\src\ipc\contentproc\plugin-container.cpp @ 51] 
3a (Inline Function) --------`-------- firefox!NS_internal_main+0x50cf [z:\build\build\src\browser\app\nsbrowserapp.cpp @ 280] 
3b 00000048`125ff750 00007ff6`f4f7570c firefox!wmain+0x52f9 [z:\build\build\src\toolkit\xre\nswindowswmain.cpp @ 129] 
3c (Inline Function) --------`-------- firefox!invoke_main+0x22 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90] 
3d 00000048`125ffb40 00007ffd`6cac3034 firefox!__scrt_common_main_seh+0x110 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283] 
3e 00000048`125ffb80 00007ffd`6dfb1431 KERNEL32!BaseThreadInitThunk+0x14
3f 00000048`125ffbb0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Product: Firefox → Core
Jeff, can you please take a look at this?
Group: core-security → gfx-core-security
Flags: needinfo?(jgilbert)
Component: Graphics → Canvas: WebGL
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
If someone is able to post the ASAN report on this crash, that'll be very useful for rating this :-)
Raymond: do you have a Windows ASAN build available? See comment 2.
Flags: sec-bounty?
Flags: needinfo?(rforbes)
On Firefox 62 Win10 I get a crash like bp-aec4ca38-fc9f-4e62-89c7-de4d00180911
On Nightly (64) I'm getting more varied crashes, but it's still crashing despite being on a newer ANGLE than the one which this was reported against. Here's an example: bp-4e9ec5ff-abb0-4476-8c2a-7b6300180911

Doesn't crash on Chrome despite them using essentially the same (just version skew) ANGLE code.
It does crash in Chrome Stable; I have reported it to them as well.

You can view the relevant fix:
https://chromium.googlesource.com/angle/angle/+/0d0fb43f34eeea20bf78089ca2a4e1f2831cffe5
Assuming the attacker could read memory data back out of the canvas, we're calling this sec-high for now.
Keywords: sec-high
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Raymond: do you have a windows ASAN build available? see comment 2.

==3540==ERROR: AddressSanitizer: access-violation on unknown address 0x12fc8e7da8f0 (pc 0x7ffb773c12db bp 0x000000000000 sp 0x00f4c05f79c8 T0)
==3540==The signal is caused by a READ memory access.
    #0 0x7ffb773c12da in NVAPI_Thunk+0x7e655a (C:\WINDOWS\System32\DriverStore\FileRepository\nvddi.inf_amd64_e11ba76ead6e85cd\nvwgf2umx.dll+0x1812112da)
    #1 0x7ffb76f2b144 in NVAPI_Thunk+0x3503c4 (C:\WINDOWS\System32\DriverStore\FileRepository\nvddi.inf_amd64_e11ba76ead6e85cd\nvwgf2umx.dll+0x180d7b144)
    #2 0x7ffb76518ed6 in OpenAdapter12+0x202696 (C:\WINDOWS\System32\DriverStore\FileRepository\nvddi.inf_amd64_e11ba76ead6e85cd\nvwgf2umx.dll+0x180368ed6)
    #3 0x7ffbb34a2987 in CreateDirect3D11SurfaceFromDXGISurface+0x4e9a7 (C:\WINDOWS\system32\d3d11.dll+0x180182987)
    #4 0x7ffb70ee8bee in rx::TextureStorage11::setData z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\TextureStorage11.cpp:798
    #5 0x7ffb70d36e14 in rx::TextureD3D::subImage z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\TextureD3D.cpp:277
    #6 0x7ffb70d6e8dd in rx::TextureD3D_2DArray::setSubImage z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\TextureD3D.cpp:2954
    #7 0x7ffb70bc8659 in gl::Texture::setSubImage z:\build\build\src\gfx\angle\checkout\src\libANGLE\Texture.cpp:974
    #8 0x7ffb7109258e in rx::IncompleteTextureSet::getIncompleteTexture z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\renderer_utils.cpp:538
    #9 0x7ffb70d23b6c in rx::RendererD3D::getIncompleteTexture z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\RendererD3D.cpp:89
    #10 0x7ffb70eb8461 in rx::StateManager11::applyTextures z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp:2431
    #11 0x7ffb70eaf294 in rx::StateManager11::syncTextures z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp:2450
    #12 0x7ffb70ead4c1 in rx::StateManager11::updateState z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp:2093
    #13 0x7ffb70deb56c in rx::Context11::drawArraysInstanced z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\Context11.cpp:241
    #14 0x7ffb70a30a3e in gl::Context::drawArraysInstanced z:\build\build\src\gfx\angle\checkout\src\libANGLE\Context.cpp:2085
    #15 0x7ffb709597fb in gl::DrawArraysInstanced z:\build\build\src\gfx\angle\checkout\src\libGLESv2\entry_points_gles_3_0_autogen.cpp:485
    #16 0x7ffb591ea417 in mozilla::WebGLContext::DrawElementsInstanced z:\build\build\src\dom\canvas\WebGLContextDraw.cpp:796
    #17 0x7ffb579d41e5 in mozilla::dom::WebGL2RenderingContext_Binding::drawElements z:\build\build\src\obj-firefox\dom\bindings\WebGL2RenderingContextBinding.cpp:10903
    #18 0x7ffb58fc2420 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> z:\build\build\src\dom\bindings\BindingUtils.cpp:3296
    #19 0x7ffb6154878e in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:552
    #20 0x7ffb6154b5f5 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:606
    #21 0x7ffb61512739 in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3439
    #22 0x7ffb6150dca5 in js::RunScript z:\build\build\src\js\src\vm\Interpreter.cpp:439
    #23 0x7ffb6154f2b6 in js::ExecuteKernel z:\build\build\src\js\src\vm\Interpreter.cpp:805
    #24 0x7ffb6154fbd6 in js::Execute z:\build\build\src\js\src\vm\Interpreter.cpp:837
    #25 0x7ffb604105ab in ExecuteScript z:\build\build\src\js\src\jsapi.cpp:4816
    #26 0x7ffb55777750 in nsJSUtils::ExecutionContext::CompileAndExec z:\build\build\src\dom\base\nsJSUtils.cpp:254
    #27 0x7ffb5b6712fb in mozilla::dom::ScriptLoader::EvaluateScript z:\build\build\src\dom\script\ScriptLoader.cpp:2421
    #28 0x7ffb5b66a31d in mozilla::dom::ScriptLoader::ProcessRequest z:\build\build\src\dom\script\ScriptLoader.cpp:2044
    #29 0x7ffb5b666725 in mozilla::dom::ScriptLoader::ProcessInlineScript z:\build\build\src\dom\script\ScriptLoader.cpp:1644
    #30 0x7ffb5b63e744 in mozilla::dom::ScriptLoader::ProcessScriptElement z:\build\build\src\dom\script\ScriptLoader.cpp:1364
    #31 0x7ffb5b63d27e in mozilla::dom::ScriptElement::MaybeProcessScript z:\build\build\src\dom\script\ScriptElement.cpp:141
    #32 0x7ffb53fc571c in nsHtml5TreeOpExecutor::RunScript z:\build\build\src\parser\html\nsHtml5TreeOpExecutor.cpp:738
    #33 0x7ffb53fbd5a3 in nsHtml5TreeOpExecutor::RunFlushLoop z:\build\build\src\parser\html\nsHtml5TreeOpExecutor.cpp:537
    #34 0x7ffb53fcbdae in nsHtml5ExecutorFlusher::Run z:\build\build\src\parser\html\nsHtml5StreamParser.cpp:123
    #35 0x7ffb51b5e435 in mozilla::SchedulerGroup::Runnable::Run z:\build\build\src\xpcom\threads\SchedulerGroup.cpp:337
    #36 0x7ffb51b8e774 in nsThread::ProcessNextEvent z:\build\build\src\xpcom\threads\nsThread.cpp:1161
    #37 0x7ffb51b9715e in NS_ProcessNextEvent z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:519
    #38 0x7ffb52c19d49 in mozilla::ipc::MessagePump::Run z:\build\build\src\ipc\glue\MessagePump.cpp:97
    #39 0x7ffb52b7b47e in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
    #40 0x7ffb52b7b206 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298
    #41 0x7ffb5b9b83aa in nsBaseAppShell::Run z:\build\build\src\widget\nsBaseAppShell.cpp:158
    #42 0x7ffb5bb3bf27 in nsAppShell::Run z:\build\build\src\widget\windows\nsAppShell.cpp:420
    #43 0x7ffb5fd01f0d in XRE_RunAppShell z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:944
    #44 0x7ffb52b7b47e in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
    #45 0x7ffb52b7b206 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298
    #46 0x7ffb5fd01101 in XRE_InitChildProcess z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:770
    #47 0x7ff75aec2038 in Ordinal0+0x2038 (firefox.exe+0x140002038)
    #48 0x7ff75aec14a1 in Ordinal0+0x14a1 (firefox.exe+0x1400014a1)
    #49 0x7ff75afbcf27 in TargetNtUnmapViewOfSection+0x27ce7 (firefox.exe+0x1400fcf27)
    #50 0x7ffbb98e3033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180013033)
    #51 0x7ffbba121460 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180071460)
Flags: needinfo?(rforbes)
Chrome has shipped the fix for this in Chrome 70 and assigned CVE-2018-17466. Jeff: is there some reason we can't just land the upstream fix?
Alias: CVE-2018-17466
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jgilbert)
We can take the patch. We're doing something wrong if we hit this incomplete-texture path though.
Flags: needinfo?(jgilbert)
My up-to-date Nightly doesn't seem to be crashing. Maybe bug 1498070 fixed this for 64?
Please retest?
Flags: needinfo?(omair)
Definitely crashes on Beta. Marking Nightly as unaffected.
I have tested this on 62.0.3 now and it crashes.
Doesn't crash in Nightly.
Flags: needinfo?(omair)
The fix doesn't apply cleanly to Beta's angle branch, but I think I fixed the conflicts. I will push this forward tomorrow.
We just built RC2, if we need to build a RC3 to get this fix we probably need it today.
This was filed 2 months ago and marked as affecting 63 + a tracking request only 12h ago; I'd rather not rush an RC3 over the weekend before the merge for this patch, but we could take it in a potential dot release, so I am leaving the tracking flag for 63.
Whether we take this in 63 or not (and I think that ship has already sailed personally), we'll still need this for ESR60.
Chrome cherry-picked the fix to the branch we already took in 64: https://bugzilla.mozilla.org/show_bug.cgi?id=angle-64
This vulnerability makes ANGLE read four bytes of data per WebGL context given an arbitrary offset.
It's a little slow, but it seems like arbitrary read to me.

I've verified locally that this patch fixes the crash on 60.3esr.

63release is still vulnerable. I'm patching that next. I'll request approval then.
Attachment #9021388 - Flags: review?(kvark)
Attachment #9021388 - Flags: review?(kvark) → review+
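Both the WinDbg stack in the description and the ASAN report end the same way: rx::TextureStorage11::setData hands a pixelData pointer to d3d11 UpdateSubresource, and the driver faults reading it, which the comment above describes as a four-byte read at an offset the page controls. The bug page does not spell out which unpack parameter or offset goes unchecked, so what follows is an added illustration rather than ANGLE's code or the upstream fix: it computes, from the GLES pixel-unpack state that script sets through pixelStorei and from the upload's starting offset, the exact byte range a sub-image upload will read, and refuses the upload when that range would leave the source buffer or when any intermediate size overflows. The UnpackState and ByteSpan types, the function names and the four-byte constructed source buffer are assumptions of this example; the addressing arithmetic itself is the GLES 3.0 section 3.7.2 rule set, applied here to 2D, 2D-array and 3D uploads alike.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Pixel-unpack parameters a GLES/WebGL caller sets through pixelStorei().
// Every field is script-controlled. This struct is an assumption for the
// example, not ANGLE's gl::PixelUnpackState.
struct UnpackState {
    size_t alignment   = 4;  // GL_UNPACK_ALIGNMENT: 1, 2, 4 or 8
    size_t rowLength   = 0;  // GL_UNPACK_ROW_LENGTH, 0 means "use width"
    size_t imageHeight = 0;  // GL_UNPACK_IMAGE_HEIGHT, 0 means "use height"
    size_t skipPixels  = 0;  // GL_UNPACK_SKIP_PIXELS
    size_t skipRows    = 0;  // GL_UNPACK_SKIP_ROWS
    size_t skipImages  = 0;  // GL_UNPACK_SKIP_IMAGES
};

// Half-open byte range [first, end) that an upload reads from its source.
struct ByteSpan {
    size_t first = 0;
    size_t end   = 0;
};

// Rounds value up to a multiple of alignment (a power of two); false on overflow.
static bool alignUp(size_t value, size_t alignment, size_t *out) {
    size_t padded;
    if (__builtin_add_overflow(value, alignment - 1, &padded)) return false;
    *out = padded & ~(alignment - 1);
    return true;
}

// Computes the source bytes touched by uploading width x height x depth texels of
// bytesPerPixel bytes each, starting `offset` bytes into the source (a client-array
// pointer offset or a PIXEL_UNPACK_BUFFER offset). Addressing follows GLES 3.0
// section 3.7.2: rows are padded to the unpack alignment, the skip counts move the
// start, and only width*bytesPerPixel bytes of the final row are read. Returns false
// for an invalid unpack state or any arithmetic overflow; callers must treat false
// as "reject the upload", never as "nothing to read".
bool computeUploadSpan(const UnpackState &u, size_t width, size_t height, size_t depth,
                       size_t bytesPerPixel, size_t offset, ByteSpan *out) {
    if (bytesPerPixel == 0) return false;
    if (u.alignment != 1 && u.alignment != 2 && u.alignment != 4 && u.alignment != 8) return false;
    // A row or image narrower than the upload is GL_INVALID_OPERATION in the spec.
    if (u.rowLength != 0 && u.rowLength < width) return false;
    if (u.imageHeight != 0 && u.imageHeight < height) return false;

    const size_t rowTexels = u.rowLength   ? u.rowLength   : width;
    const size_t imageRows = u.imageHeight ? u.imageHeight : height;

    size_t rowBytes, rowPitch, imagePitch, term, first;
    if (__builtin_mul_overflow(rowTexels, bytesPerPixel, &rowBytes)) return false;
    if (!alignUp(rowBytes, u.alignment, &rowPitch)) return false;
    if (__builtin_mul_overflow(rowPitch, imageRows, &imagePitch)) return false;

    // First byte read once the three skip counts and the offset are applied.
    if (__builtin_mul_overflow(u.skipImages, imagePitch, &first)) return false;
    if (__builtin_mul_overflow(u.skipRows, rowPitch, &term)) return false;
    if (__builtin_add_overflow(first, term, &first)) return false;
    if (__builtin_mul_overflow(u.skipPixels, bytesPerPixel, &term)) return false;
    if (__builtin_add_overflow(first, term, &first)) return false;
    if (__builtin_add_overflow(first, offset, &first)) return false;

    out->first = first;
    out->end   = first;
    if (width == 0 || height == 0 || depth == 0) return true;  // nothing is read

    // Last byte read: (depth-1) full images, (height-1) full rows, then a partial row.
    size_t extent;
    if (__builtin_mul_overflow(depth - 1, imagePitch, &extent)) return false;
    if (__builtin_mul_overflow(height - 1, rowPitch, &term)) return false;
    if (__builtin_add_overflow(extent, term, &extent)) return false;
    if (__builtin_mul_overflow(width, bytesPerPixel, &term)) return false;
    if (__builtin_add_overflow(extent, term, &extent)) return false;
    if (__builtin_add_overflow(first, extent, &out->end)) return false;
    return true;
}

// The gate an upload path needs before the source pointer reaches the driver: the
// stack on this bug ends in d3d11 UpdateSubresource dereferencing an invalid pixelData
// pointer. Copies the bytes the driver would read into `touched` only when every one
// of them lies inside `source`.
bool uploadSubImage(const std::vector<uint8_t> &source, size_t offset, const UnpackState &u,
                    size_t width, size_t height, size_t depth, size_t bytesPerPixel,
                    std::vector<uint8_t> *touched) {
    ByteSpan span;
    if (!computeUploadSpan(u, width, height, depth, bytesPerPixel, offset, &span)) return false;
    if (span.end > source.size()) return false;  // would read past the caller's buffer
    touched->assign(source.begin() + span.first, source.begin() + span.end);
    return true;
}

int main() {
    // Constructed source: one opaque-black RGBA8 texel, the kind of four-byte fill a
    // placeholder texture is initialised from.
    const std::vector<uint8_t> color = {0, 0, 0, 255};
    std::vector<uint8_t> touched;

    UnpackState plain;
    std::printf("default unpack, 1x1x1 RGBA8: %s\n",
                uploadSubImage(color, 0, plain, 1, 1, 1, 4, &touched) ? "accepted" : "rejected");

    // Same one-texel upload, but script has set GL_UNPACK_SKIP_PIXELS: the read would
    // start 4000 bytes past the four-byte source, so it must be refused.
    UnpackState skewed;
    skewed.skipPixels = 1000;
    std::printf("skipPixels=1000 against a 4-byte source: %s\n",
                uploadSubImage(color, 0, skewed, 1, 1, 1, 4, &touched) ? "accepted" : "rejected");
    return 0;
}
```

The design point is that the span is computed with checked arithmetic and compared against the real source size before any copy, so a skip count, row length or offset chosen from script can only produce a rejected call, never a pointer the driver will dereference. A fallback upload that runs with the context's live unpack state rather than a fresh default one needs exactly this check too, because the four-byte source it writes from is no bigger than the single texel it carries.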
[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: no regression

User impact if declined: sec-high vulnerability and crashes

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: No

If yes, steps to reproduce: STR attached

List of other uplifts needed: esr60

Risk to taking this patch: Medium

Why is the change risky/not risky? (and alternatives if risky): These two fixes are both cherry-picks of the same upstream fix from ANGLE, but neither applied to their respective tips cleanly, requiring manual conflict resolution.
I'm fairly confident I fixed the conflicts correctly, and I believe I understand the code and the fix, but a messy cherry-pick doesn't fill me with confidence.

String changes made/needed: none
Attachment #9021405 - Flags: review?(kvark)
Attachment #9021405 - Flags: approval-mozilla-release?
Comment on attachment 9021388
60.3esr: 0001-Bug-1488295-Vendor-in-texture-completeness-cherry-pi.patch

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high, see approval-mozilla-release comment

User impact if declined: see approval-mozilla-release comment

Fix Landed on Version: 64

Risk to taking this patch: Medium

Why is the change risky/not risky? (and alternatives if risky): see approval-mozilla-release comment

String or UUID changes made by this patch: none

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: Relatively easy.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?: all: esr60, release63

If not all supported branches, which bug introduced the flaw?: None

Do you have backports for the affected branches?: Yes

If not, how different, hard to create, and risky will they be?: Already done. We're cherry-picking the fix cset from upstream onto our angle branches for 60 and 63.

How likely is this patch to cause regressions; how much testing does it need?: We have extensive webgl tests, so we're unlikely to regress.
Attachment #9021388 - Flags: sec-approval?
Attachment #9021388 - Flags: approval-mozilla-esr60?
Comment on attachment 9021388
60.3esr: 0001-Bug-1488295-Vendor-in-texture-completeness-cherry-pi.patch

sec-approval+
Attachment #9021388 - Flags: sec-approval? → sec-approval+
Attachment #9021405 - Flags: review?(kvark) → review+
Comment on attachment 9021388
60.3esr: 0001-Bug-1488295-Vendor-in-texture-completeness-cherry-pi.patch

It seems very unlikely we're going to take this in an Fx63 dot release (and consequently a 60.3.1esr dot release), but approving for 60.4.0esr in the mean time. If we *do* for some reason decide to take this sooner, we'll need to graft the upcoming commit to a relbranch off ESR60 revision 9491263a845f. We'll also need to update the tracking flag from 64+ to 63+.
Attachment #9021388 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
https://hg.mozilla.org/releases/mozilla-esr60/rev/12ba39f69876

And calling this fixed for 64+ by bug 1489279.
Status: NEW → RESOLVED
Closed: 6 years ago
Depends on: angle-64
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2018-17466
Whiteboard: [Google assigned CVE-2018-17466]
Group: gfx-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [Google assigned CVE-2018-17466] → [Google assigned CVE-2018-17466][post-critsmash-triage]
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Hi,
I have reproduced this issue on 61.0.2 with the test case file from the description. Using the latest Beta 64 build (id: 20181115150739) and the latest ESR 60.3.1 build (id: 20181116165247) from TaskCluster, I can confirm that the issue is fixed. I am no longer getting tab crashes.
Status: RESOLVED → VERIFIED
Adding Jessie (new graphics engineering manager) to all sec-crit and sec-high graphics bugs
Attachment #9021405 - Flags: approval-mozilla-release? → approval-mozilla-release-
Whiteboard: [Google assigned CVE-2018-17466][post-critsmash-triage] → [Google assigned CVE-2018-17466][post-critsmash-triage][adv-main64+][adv-esr60.4+]
Group: core-security-release