stack buffer overflow in SkAlphaRuns::Break

RESOLVED FIXED in Firefox -esr60

Status


defect
RESOLVED FIXED
10 months ago
12 days ago

People

(Reporter: dveditz, Assigned: RyanVM)

Tracking

({csectype-bounds, sec-high})

unspecified
mozilla64
Points:
---

Firefox Tracking Flags

(firefox-esr6063+ fixed, firefox62 wontfix, firefox63+ fixed, firefox64+ fixed)

Details

(Whiteboard: [adv-main63+][adv-esr60.3+][Google CVE-2018-6153])

Attachments

(1 attachment)

Looks like we may need the patch from https://bugs.chromium.org/p/chromium/issues/detail?id=850350 to fix a static buffer overflow found by fuzzing in Chrome. The fix was shipped with Chrome 68 and assigned CVE-2018-6153. It was demonstrated to affect m67; no regressor was identified so it might affect the m66 branch we're using.

There were two patches taken (plus a test patch). Only the second one appears to have been merged to the m68 branch:

https://skia.googlesource.com/skia/+/1e259cda4fb7f12e98dd611bd651f40ebef2d14a
https://skia.googlesource.com/skia/+/73be50da2a1fe8944f2623a511fda1957eed708a
A stack buffer UNDERflow in this function was reported as https://bugs.chromium.org/p/chromium/issues/detail?id=862004 but this was determined to have been fixed by the same patches. Not sure why it wasn't duped but was instead marked fixed.
AFAICT, this affects all of our supported releases.
Attachment #9017302 - Flags: review?(lsalzman) → review+
Comment on attachment 9017302
Backport the upstream patches

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: No clue, but the upstream commit is public knowledge.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?: All

If not all supported branches, which bug introduced the flaw?: N/A

Do you have backports for the affected branches?: Yes

If not, how different, hard to create, and risky will they be?: N/A

How likely is this patch to cause regressions; how much testing does it need?: Green on Try, not sure what more we can realistically do.

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: None

User impact if declined: 

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: Yes

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String changes made/needed: 

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: 

User impact if declined: 

Fix Landed on Version: 

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String or UUID changes made by this patch:
Attachment #9017302 - Flags: sec-approval?
Attachment #9017302 - Flags: approval-mozilla-release?
Attachment #9017302 - Flags: approval-mozilla-esr60?
Comment on attachment 9017302
Backport the upstream patches

Approvals given.
Attachment #9017302 - Flags: sec-approval?
Attachment #9017302 - Flags: sec-approval+
Attachment #9017302 - Flags: approval-mozilla-release?
Attachment #9017302 - Flags: approval-mozilla-release+
Attachment #9017302 - Flags: approval-mozilla-esr60?
Attachment #9017302 - Flags: approval-mozilla-esr60+
https://hg.mozilla.org/mozilla-central/rev/a1fb2da7388b
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Group: gfx-core-security → core-security-release
Whiteboard: [adv-main63+][adv-esr60.3+]
Google assigned CVE-2018-6153 to chromebug 850350. chromebug 862004 was fixed by 850350 and didn't get its own patch or CVE.
Whiteboard: [adv-main63+][adv-esr60.3+] → [adv-main63+][adv-esr60.3+][Google CVE-2018-6153]
Group: core-security-release