Closed Bug 1505973 (CVE-2018-12407) Opened 3 years ago Closed 3 years ago

Mozilla Firefox "VertexBuffer11" Heap Overflow Code Execution Vulnerability (iDefense Zero Day)

Categories

(Core :: Canvas: WebGL, defect)

defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox-esr60 --- unaffected
firefox63 + wontfix
firefox64 + fixed

People

(Reporter: abillings, Assigned: jgilbert)

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [adv-main64+])

Attachments

(1 file)

Attached file vertex_buff_poc.html
We received the following submission from iDefense today:


iDefense VCP Submission V-6v2c5n6tc4
11/08/2018
Mozilla Firefox "VertexBuffer11" Heap Overflow Code Execution Vulnerability (iDefense Zero Day)

Description: 
Remote exploitation of a heap overflow vulnerability in Mozilla Foundation's Firefox could allow an attacker to execute arbitrary code with the privileges of the current user. 

Analysis: 
A heap overflow vulnerability has been identified in Firefox . This vulnerability can be triggered by manipulating the HTML elements within a website using javascript. Specifically, the error occurs in the way a heap based buffer in a certain function within the VertexBuffer11 module is managed in memory. This condition can cause memory corruption, leading to the execution of arbitrary code.

Credit: 
Omair working with iDefense Labs

Tested on Windows 10 x64 and Firefox 63.0

The vulnerability is in ANGLE used by Firefox for WebGL which results in heap corruption.

6:251> r
rax=000001a777880000 rbx=000001a701436400 rcx=00007ffdc574cab1
rdx=000001a6b3508502 rsi=000001a777880000 rdi=000001a7012eaf40
rip=00007ffdc574cab1 rsp=000000433dbfce88 rbp=00007ffd820b0b90
 r8=0000000000000002  r9=00007ffdc5740000 r10=000001a6b3508502
r11=000001a777880000 r12=000001a6b3508502 r13=0000000000000002
r14=0000000000000001 r15=000000433dbfda48
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
VCRUNTIME140!MoveSmall+0x4a:
00007ffd`c574cab1 0fb70a          movzx   ecx,word ptr [rdx] ds:000001a6`b3508502=????



6:251> k
 # Child-SP          RetAddr           Call Site
00 00000043`3dbfce88 00007ffd`81f67860 VCRUNTIME140!memcpy+0xe1
01 00000043`3dbfce90 00007ffd`81efeb69 libGLESv2!rx::VertexBuffer11::storeVertexAttributes+0x250 [z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\VertexBuffer11.cpp @ 130] 
02 00000043`3dbfd020 00007ffd`81f00ae1 libGLESv2!rx::StreamingVertexBufferInterface::storeDynamicAttribute+0x309 [z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\VertexBuffer.cpp @ 178] 
03 00000043`3dbfd1d0 00007ffd`81f67038 libGLESv2!rx::VertexDataManager::storeDynamicAttribs+0x561 [z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\VertexDataManager.cpp @ 427] 
04 00000043`3dbfd3e0 00007ffd`81f44fa3 libGLESv2!rx::VertexArray11::syncStateForDraw+0x538 [z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\VertexArray11.cpp @ 144] 
05 00000043`3dbfd5d0 00007ffd`81f17d0c libGLESv2!rx::StateManager11::updateState+0x6f3 [z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp @ 2036] 
06 00000043`3dbfd9c0 00007ffd`81decce9 libGLESv2!rx::Context11::drawElements+0x2c [z:\build\build\src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\Context11.cpp @ 265] 
07 00000043`3dbfda10 00007ffd`81d794b7 libGLESv2!gl::Context::drawElements+0xa9 [z:\build\build\src\gfx\angle\checkout\src\libANGLE\Context.cpp @ 2100] 
08 00000043`3dbfda90 00007ffd`687a0c7a libGLESv2!gl::DrawElements+0x137 [z:\build\build\src\gfx\angle\checkout\src\libGLESv2\entry_points_gles_2_0_autogen.cpp @ 787] 
09 00000043`3dbfdb10 00007ffd`6940b6c9 xul!mozilla::gl::GLContext::raw_fDrawElements+0x3a [z:\build\build\src\gfx\gl\GLContext.h @ 1105] 
0a 00000043`3dbfdb60 00007ffd`69034e82 xul!mozilla::WebGLContext::DrawElementsInstanced+0x4c9 [z:\build\build\src\dom\canvas\WebGLContextDraw.cpp @ 807] 
0b 00000043`3dbfdc70 00007ffd`6906739d xul!mozilla::WebGLContext::DrawElements+0x62 [z:\build\build\src\dom\canvas\WebGLContext.h @ 1354] 
0c 00000043`3dbfdcf0 00007ffd`669a491d xul!mozilla::dom::WebGLRenderingContext_Binding::drawElements+0xdd [z:\build\build\src\obj-firefox\dom\bindings\WebGLRenderingContextBinding.cpp @ 15074] 
0d 00000043`3dbfdd80 00007ffd`67b8773c xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0xfd [z:\build\build\src\dom\bindings\BindingUtils.cpp @ 3296] 
0e 00000043`3dbfde40 00007ffd`67b87ffb xul!js::InternalCallOrConstruct+0x16c [z:\build\build\src\js\src\vm\Interpreter.cpp @ 537] 
0f 00000043`3dbfdf30 00007ffd`67b7c829 xul!InternalCall+0xbb [z:\build\build\src\js\src\vm\Interpreter.cpp @ 588] 
10 00000043`3dbfdf90 00007ffd`67b79ff1 xul!Interpret+0x2689 [z:\build\build\src\js\src\vm\Interpreter.cpp @ 3267] 
11 00000043`3dbfe370 00007ffd`67b88adc xul!js::RunScript+0x191 [z:\build\build\src\js\src\vm\Interpreter.cpp @ 429] 
12 00000043`3dbfe480 00007ffd`67b88c7a xul!js::ExecuteKernel+0xcc [z:\build\build\src\js\src\vm\Interpreter.cpp @ 777] 
13 00000043`3dbfe520 00007ffd`673b29f7 xul!js::Execute+0xca [z:\build\build\src\js\src\vm\Interpreter.cpp @ 809] 
14 00000043`3dbfe5a0 00007ffd`66cbf226 xul!ExecuteScript+0xc7 [z:\build\build\src\js\src\jsapi.cpp @ 4691] 
15 00000043`3dbfe640 00007ffd`67010c7a xul!nsJSUtils::ExecutionContext::CompileAndExec+0x46 [z:\build\build\src\dom\base\nsJSUtils.cpp @ 254] 
16 00000043`3dbfe680 00007ffd`6700e3d9 xul!mozilla::dom::ScriptLoader::ProcessRequest+0xcfa [z:\build\build\src\dom\script\ScriptLoader.cpp @ 2046] 
17 00000043`3dbfe9c0 00007ffd`6700bd00 xul!mozilla::dom::ScriptLoader::ProcessScriptElement+0x1399 [z:\build\build\src\dom\script\ScriptLoader.cpp @ 1366] 
18 00000043`3dbfedf0 00007ffd`6700cd63 xul!mozilla::dom::ScriptElement::MaybeProcessScript+0x1d0 [z:\build\build\src\dom\script\ScriptElement.cpp @ 141] 
19 00000043`3dbfee70 00007ffd`66b98fde xul!nsHtml5TreeOpExecutor::RunScript+0xf3 [z:\build\build\src\parser\html\nsHtml5TreeOpExecutor.cpp @ 738] 
1a 00000043`3dbfeed0 00007ffd`66b98afd xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x4ce [z:\build\build\src\parser\html\nsHtml5TreeOpExecutor.cpp @ 540] 
1b 00000043`3dbfefa0 00007ffd`67f2b9df xul!nsHtml5ExecutorFlusher::Run+0x1d [z:\build\build\src\parser\html\nsHtml5StreamParser.cpp @ 123] 
1c 00000043`3dbfefd0 00007ffd`66921026 xul!mozilla::SchedulerGroup::Runnable::Run+0x2f [z:\build\build\src\xpcom\threads\SchedulerGroup.cpp @ 337] 
1d 00000043`3dbff010 00007ffd`66920cc9 xul!nsThread::ProcessNextEvent+0x2c6 [z:\build\build\src\xpcom\threads\nsThread.cpp @ 1108] 
1e 00000043`3dbff150 00007ffd`66af4b4b xul!NS_ProcessNextEvent+0x29 [z:\build\build\src\xpcom\threads\nsThreadUtils.cpp @ 519] 
1f 00000043`3dbff1a0 00007ffd`66901078 xul!mozilla::ipc::MessagePump::Run+0xfb [z:\build\build\src\ipc\glue\MessagePump.cpp @ 97] 
20 00000043`3dbff210 00007ffd`66920861 xul!MessageLoop::RunHandler+0x28 [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 319] 
21 00000043`3dbff260 00007ffd`66af4a28 xul!MessageLoop::Run+0x51 [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 299] 
22 00000043`3dbff2b0 00007ffd`66af4273 xul!nsBaseAppShell::Run+0x28 [z:\build\build\src\widget\nsBaseAppShell.cpp @ 160] 
23 00000043`3dbff2f0 00007ffd`6aad7f65 xul!nsAppShell::Run+0x23 [z:\build\build\src\widget\windows\nsAppShell.cpp @ 420] 
24 00000043`3dbff320 00007ffd`66901078 xul!XRE_RunAppShell+0x45 [z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp @ 944] 
25 00000043`3dbff360 00007ffd`66920861 xul!MessageLoop::RunHandler+0x28 [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 319] 
26 00000043`3dbff3b0 00007ffd`6aad7b71 xul!MessageLoop::Run+0x51 [z:\build\build\src\ipc\chromium\src\base\message_loop.cc @ 299] 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for firefox.exe - 
27 00000043`3dbff400 00007ff6`b6be14e5 xul!XRE_InitChildProcess+0x6d1 [z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp @ 774] 
28 00000043`3dbff5f0 00007ff6`b6be143b firefox!Ordinal0+0x14e5
29 00000043`3dbff650 00007ff6`b6be1106 firefox!Ordinal0+0x143b
2a 00000043`3dbff6d0 00007ff6`b6c1c824 firefox!Ordinal0+0x1106
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\System32\KERNEL32.DLL - 
2b 00000043`3dbff730 00007ffd`cb2a7e94 firefox!TargetNtUnmapViewOfSection+0x9294
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
2c 00000043`3dbff770 00007ffd`cbf57ad1 KERNEL32!BaseThreadInitThunk+0x14
2d 00000043`3dbff7a0 00000000`00000000 ntdll!RtlUserThreadStart+0x21



6:251> dx Debugger.Sessions[0].Processes[23304].Threads[20040].Stack.Frames[1].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[23304].Threads[20040].Stack.Frames[1].SwitchTo()
<unavailable>     class rx::VertexBuffer11 * this = <value unavailable>
@rbx              struct gl::VertexAttribute * attrib = 0x000001a7`01436400
<unavailable>     class gl::VertexBinding * binding = <value unavailable>
00000043`3dbfd040 unsigned int currentValueType = 0x1406
00000043`3dbfd048 int start = 0n-654114815
00000043`3dbfd050 unsigned int64 count = 1
00000043`3dbfd058 int instances = 0n0
00000043`3dbfd060 unsigned int offset = 0
00000043`3dbfd068 unsigned char * sourceData = 0x000001a7`014a8500 ""
@r12              unsigned char * input = 0x000001a6`b3508502 "--- memory read error at address 0x000001a6`b3508502 ---"
@rsi              unsigned char * output = 0x000001a7`77880000 ""
<unavailable>     int inputStride = <value unavailable>
<unavailable>     gl::VertexFormatType vertexFormatType = <value unavailable>
<unavailable>     D3D_FEATURE_LEVEL featureLevel = <value unavailable>
<unavailable>     struct rx::d3d11::VertexFormat * vertexFormatInfo = <value unavailable>
<unavailable>     class gl::Error ANGLE_LOCAL_VAR = <value unavailable>

6:251> dx -id 0,6 -r1 ((libGLESv2!unsigned char *)0x1a6b3508502)
((libGLESv2!unsigned char *)0x1a6b3508502)                 : 0x1a6b3508502 : Unable to read memory at Address 0x1a6b3508502 [Type: unsigned char *]
    Unable to read memory at Address 0x1a6b3508502

https://dxr.mozilla.org/mozilla-central/source/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/VertexBuffer11.cpp#128

angle::Result VertexBuffer11::storeVertexAttributes(const gl::Context *context,
                                                    const gl::VertexAttribute &attrib,
                                                    const gl::VertexBinding &binding,
                                                    GLenum currentValueType,
                                                    GLint start,
                                                    size_t count,
                                                    GLsizei instances,
                                                    unsigned int offset,
                                                    const uint8_t *sourceData)
{
    ASSERT(mBuffer.valid());

    int inputStride = static_cast<int>(ComputeVertexAttributeStride(attrib, binding));

    // This will map the resource if it isn't already mapped.
    ANGLE_TRY(mapResource(context));

    uint8_t *output = mMappedResourceData + offset;

    const uint8_t *input = sourceData;

    if (instances == 0 || binding.getDivisor() == 0)
    {
        input += inputStride * start;
    }

    gl::VertexFormatType vertexFormatType = gl::GetVertexFormatType(attrib, currentValueType);
    const D3D_FEATURE_LEVEL featureLevel  = mRenderer->getRenderer11DeviceCaps().featureLevel;
    const d3d11::VertexFormat &vertexFormatInfo =
        d3d11::GetVertexFormatInfo(vertexFormatType, featureLevel);
    ASSERT(vertexFormatInfo.copyFunction != nullptr);
    vertexFormatInfo.copyFunction(input, inputStride, count, output);

    return angle::Result::Continue();
}


6:251> lmv m firefox
Browse full module list
start             end                 module name
00007ff6`b6be0000 00007ff6`b6c62000   firefox    (deferred)             
    Image path: firefox.exe
    Image name: firefox.exe
    Browse all global symbols  functions  data
    Timestamp:        Thu Oct 18 12:36:32 2018 (5BC8E0C0)
    CheckSum:         000857C7
    ImageSize:        00082000
    File version:     63.0.0.6865
    Product version:  63.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Mozilla Corporation
        ProductName:      Firefox
        InternalName:     Firefox
        OriginalFilename: firefox.exe
        ProductVersion:   63.0
        FileVersion:      63.0
        FileDescription:  Firefox
        LegalCopyright:   ©Firefox and Mozilla Developers; available under the MPL 2 license.
        LegalTrademarks:  Firefox is a Trademark of The Mozilla Foundation.



Attached is the POC that was sent as well.
Jeff, is this different than the other Angle issues Omair has reported?
Flags: needinfo?(jgilbert)
Dupe of bug 1488295? Pascal was planning a 63.0.3 dot release for this week - do we need to include that? We'd need to spin an ESR 60.3.1 release as well.
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> Dupe of bug 1488295? Pascal was planning a 63.0.3 dot release for this week
> - do we need to include that? We'd need to spin an ESR 60.3.1 release as
> well.

This was fixed in 64 but taking a massive Angle update. So are we going to take the patch in bug 1488295 for this? That patch never landed anywhere as far as I know.
Correction: this seems to have *only* landed in current ESR60 at https://hg.mozilla.org/releases/mozilla-esr60/rev/12ba39f69876 but we have to backport that. The 63.0.3 patch has never landed anywhere though.
Correct, for 63.0.3 we'd need to take the 63release patch attached and nominated for m-r approval there. And we'd need to graft comment 24 to a relbranch for 60.3.1esr as noted in comment 23.
Flags: sec-bounty?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #5)
> Correct, for 63.0.3 we'd need to take the 63release patch attached and
> nominated for m-r approval there. And we'd need to graft comment 24 to a
> relbranch for 60.3.1esr as noted in comment 23.

How risky is it to land a patch on a point release that never landed previously?
This is not the same crash as bug 1488295 -- do not take that crash as a fix for this.

Without testing we won't know if the ANGLE update in 64 fixed this. Maybe it did, maybe it didn't. If it did we'd still need to try to find an upstream patch so we can fix ESR. This is not anywhere near a state to stick in a 63.x ride-along.
We have no plans for another dot release and we are 4 weeks away from 64, so wontfix for 63.
The POC does not crash in 64beta or 60esr.
Assignee: nobody → jgilbert
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jgilbert)
Resolution: --- → WORKSFORME
This does not look to me like bug 1488295. I suspect it's just some other issue that was fixed in the ANGLE update in 64.
Need to see if Google assigned a CVE for this.
Flags: needinfo?(dveditz)
Might be https://bugs.chromium.org/p/chromium/issues/detail?id=842028, though the testcases are different. That earned a bug bounty but I don't see a CVE for it so maybe it was never in a shipping version of Chrome (which might make it less likely to be this bug). That was fixed in Chrome 67.
Flags: needinfo?(dveditz)
I could not reproduce the crash in 62.0.x, but it crashes nicely in 63.0.3: bp-492131d9-132d-4c8e-a16a-ae2040181201
Confirmed I do not crash on the same machine with a 64.0 Beta build: this appears to be fixed indeed. I couldn't reproduce the crash in a previous 60-ESR build, and given it didn't affect Firefox 62 either it's better to call 60esr "unaffected" rather than "fixed".
Whiteboard: [adv-main64+]
Alias: CVE-2018-12407
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.