Closed Bug 1507696 Opened 2 years ago Closed 1 year ago

ANGLE crash in copyTexSubImage from a 2d_array


(Core :: Canvas: WebGL, defect, P1)




Tracking Status
firefox-esr60 --- unaffected
firefox67 --- wontfix
firefox68 + fixed
firefox69 + fixed


(Reporter: jgilbert, Assigned: jgilbert)




(Keywords: csectype-uaf, regression, sec-high, Whiteboard: gfx-noted[post-critsmash-triage][adv-main68+])


(3 files)

Crash bug, passing -1 where we expect a small positive number. Hopefully just sec-dos.

ANGLE is *full* of bugs in this code, it seems like.

Also WebRender wants to use this codepath. Oops.
Group: core-security → gfx-core-security
r12 has the UAF marker in it -- interesting. Does a UAF from passing a -1 make sense?
Quite possibly, yeah.

Jeff - is there anything we should be doing to address this bug or is it stalled?

Flags: needinfo?(jgilbert)

Stalled for now. It's not critical.

Flags: needinfo?(jgilbert)
Keywords: stalled

Picking this back up.

Keywords: stalled

This works in Chrome Canary now, so maybe it's fixed in ANGLE now?

Attached file testcase
Type: enhancement → defect

Comment on attachment 9074364 [details]
Bug 1507696 - Cherry-pick CopyTexImage3D fixes.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Hard. There's a ton of moving parts, and you're in ANGLE, so you're like three layers deep in abstractions.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Likely fairly easy. Only esr60 might be more difficult.
  • How likely is this patch to cause regressions; how much testing does it need?: We have a ton of tests.
Attachment #9074364 - Flags: sec-approval?

[Tracking Requested - why for this release]:
sec-high UAF

sec-approval+ for trunk. We'll want patches on beta and ESR60 made and nominated as well.

Attachment #9074364 - Flags: sec-approval? → sec-approval+
See Also: → 1526143
Attached patch beta68 backport

Beta/Release Uplift Approval Request

  • User impact if declined: sec-high
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk: This was a clean cherry-pick of a targeting fix taken upstream.
  • String changes made/needed: none
Attachment #9074637 - Flags: review+
Attachment #9074637 - Flags: approval-mozilla-beta?
Attachment #9074637 - Flags: review+
Group: gfx-core-security → core-security-release
Target Milestone: --- → mozilla69
Closed: 1 year ago
Resolution: --- → FIXED
Comment on attachment 9074637 [details] [diff] [review]
beta68 backport

Fixes a webgl sec issue by cherry-picking an upstream fix. Approved for 68rc1.
Attachment #9074637 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: gfx-noted → gfx-noted[post-critsmash-triage]

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Whiteboard: gfx-noted[post-critsmash-triage] → gfx-noted[post-critsmash-triage][adv-main68+]
Group: core-security-release