Closed Bug 1533525 Opened 6 years ago Closed 6 years ago

WebGL converts freely from WebGLintptr to GLintptr, which truncates on 32bit (also WebGLsizeiptr->GLsizeiptr)

Categories

(Core :: Graphics: CanvasWebGL, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: jgilbert, Assigned: jgilbert)

References

Details

(Keywords: sec-audit, Whiteboard: gfx-noted [post-critsmash-triage][adv-main68-])

Attachments

(1 file)

This isn't necessarily dangerous, but it is risky.
Best case, we just truncate the requests consistently, which is incorrect, but safe.
Worst case would be if we're inconsistent.

Just to be safe, marking this sec, but it's probably not an issue.

See Also: → CVE-2019-11693
Assignee: nobody → jgilbert
Severity: normal → minor
Priority: -- → P1
Whiteboard: gfx-noted
Group: core-security → gfx-core-security
Keywords: sec-audit

Landed: https://hg.mozilla.org/integration/mozilla-inbound/rev/bdc40c000b29ba024a7014d3ff5fc31d98e608df
Backed out for build bustages in WebGLTypes.h: https://hg.mozilla.org/integration/mozilla-inbound/rev/36570e7c5eb7191101d786823427ed70707e5606

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&resultStatus=pending%2Crunning%2Ctestfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&tier=1%2C2%2C3&group_state=expanded&selectedJob=239207331&revision=bdc40c000b29ba024a7014d3ff5fc31d98e608df

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=239227194&repo=mozilla-inbound

[task 2019-04-10T00:11:25.088Z] 00:11:25 INFO - In file included from /builds/worker/workspace/build/src/dom/canvas/TexUnpackBlob.h:12:
[task 2019-04-10T00:11:25.089Z] 00:11:25 ERROR - /builds/worker/workspace/build/src/dom/canvas/WebGLTypes.h:42:5: error: static_assert failed due to requirement 'std::numeric_limits<unsigned long long>::max() <= std::numeric_limits<unsigned int>::max()' "SrcT must be narrower than DestT."
[task 2019-04-10T00:11:25.089Z] 00:11:25 INFO - static_assert(
[task 2019-04-10T00:11:25.089Z] 00:11:25 INFO - ^
[task 2019-04-10T00:11:25.089Z] 00:11:25 INFO - /builds/worker/workspace/build/src/dom/canvas/WebGLBuffer.cpp:109:28: note: in instantiation of function template specialization 'mozilla::ForbidNarrowing<unsigned int>::ForbidNarrowing<unsigned long long>' requested here
[task 2019-04-10T00:11:25.090Z] 00:11:25 INFO - newIndexCache = malloc(size);
[task 2019-04-10T00:11:25.090Z] 00:11:25 INFO - ^
[task 2019-04-10T00:11:25.090Z] 00:11:25 INFO - 1 error generated.
[task 2019-04-10T00:11:25.090Z] 00:11:25 INFO - /builds/worker/workspace/build/src/config/rules.mk:805: recipe for target 'Unified_cpp_dom_canvas1.o' failed
[task 2019-04-10T00:11:25.091Z] 00:11:25 ERROR - make[4]: *** [Unified_cpp_dom_canvas1.o] Error 1
[task 2019-04-10T00:11:25.091Z] 00:11:25 INFO - make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/dom/canvas'
[task 2019-04-10T00:11:25.091Z] 00:11:25 INFO - make[4]: *** Waiting for unfinished jobs....
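The truncation risk described in comment 0 and the `static_assert` that fired in the build log above, as an added C++ illustration; this is not the Firefox patch, and the `ForbidNarrowing` / `CheckedAs` helpers, the `GLintptr32` typedef and the sample offsets are constructed for the example (the real `ForbidNarrowing` in WebGLTypes.h is only known here through the log message it produced):

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <type_traits>

// Added example, not Firefox code. Models two layers of defence against the
// truncation this bug describes: a compile-time guard that refuses narrowing
// conversions outright, and a runtime check for the places where the source
// type really is wider (WebGLintptr/WebGLsizeiptr are 64-bit in the WebGL
// IDL; GLintptr/GLsizeiptr are pointer-sized, so 32-bit on a 32-bit build).

// Compile-time guard modelled on the static_assert in the build log: only a
// SrcT whose full range fits in DestT is accepted. Passing a uint64_t where
// a ForbidNarrowing<uint32_t> is expected fails to compile with
// "SrcT must be narrower than DestT." (the bustage the sheriff hit).
template <typename DestT>
struct ForbidNarrowing {
  DestT mVal;

  template <typename SrcT>
  ForbidNarrowing(SrcT src) : mVal(src) {
    static_assert(std::is_integral_v<SrcT> && std::is_integral_v<DestT>,
                  "integral types only");
    static_assert(std::is_signed_v<SrcT> == std::is_signed_v<DestT>,
                  "signedness must match");
    static_assert(std::numeric_limits<SrcT>::max() <=
                      std::numeric_limits<DestT>::max(),
                  "SrcT must be narrower than DestT.");
  }
  operator DestT() const { return mVal; }
};

// Runtime guard for genuinely wider inputs: returns nullopt instead of
// silently wrapping, so the WebGL layer can reject the call the same way on
// every platform instead of truncating on 32-bit only.
template <typename DestT, typename SrcT>
std::optional<DestT> CheckedAs(SrcT src) {
  static_assert(std::is_integral_v<SrcT> && std::is_integral_v<DestT>,
                "integral types only");
  if constexpr (std::is_signed_v<SrcT>) {
    if (src < 0) {
      if constexpr (std::is_unsigned_v<DestT>) {
        return std::nullopt;  // a negative value never fits an unsigned type
      } else {
        if (static_cast<long long>(src) <
            static_cast<long long>(std::numeric_limits<DestT>::min())) {
          return std::nullopt;
        }
        return static_cast<DestT>(src);
      }
    }
  }
  // src is non-negative here, so an unsigned comparison is exact.
  const unsigned long long u = static_cast<unsigned long long>(src);
  if (u > static_cast<unsigned long long>(std::numeric_limits<DestT>::max())) {
    return std::nullopt;
  }
  return static_cast<DestT>(src);
}

// Types as they look on a 32-bit target (constructed names for the example).
using WebGLintptr = int64_t;  // 64-bit per the WebGL IDL
using GLintptr32 = int32_t;   // what GLintptr is on a 32-bit build

// The pattern this bug is about: an implicit WebGLintptr -> GLintptr
// conversion that keeps only the low 32 bits.
GLintptr32 UncheckedOffset(WebGLintptr offset) {
  GLintptr32 glOffset = offset;  // silently truncates on 32-bit
  return glOffset;
}

// The fixed pattern: fail the call instead of truncating.
std::optional<GLintptr32> CheckedOffset(WebGLintptr offset) {
  return CheckedAs<GLintptr32>(offset);
}

// A size already validated as 32-bit can be widened without any check.
uint64_t WidenSize(ForbidNarrowing<uint64_t> size) { return size; }

int main() {
  const WebGLintptr tooBig = 4294967300LL;  // 2^32 + 4: truncates to 4
  std::printf("unchecked: %d\n", UncheckedOffset(tooBig));
  std::printf("checked:   %s\n",
              CheckedOffset(tooBig) ? "accepted" : "rejected");
  std::printf("widened:   %llu\n",
              static_cast<unsigned long long>(WidenSize(uint32_t(7))));
  // ForbidNarrowing<uint32_t> bad = uint64_t(7);  // does not compile
  return 0;
}
```

The point of the two guards is the one comment 0 makes: a 64-bit offset that silently becomes 4 on a 32-bit build but stays 2^32+4 on a 64-bit build is inconsistent behaviour, whereas rejecting it in `CheckedAs` gives the same answer everywhere, and `ForbidNarrowing` makes the remaining implicit conversions a build error rather than a latent bug.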

Flags: needinfo?(jgilbert)
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: needinfo?(jgilbert)
Flags: qe-verify-
Whiteboard: gfx-noted → gfx-noted [post-critsmash-triage]
Whiteboard: gfx-noted [post-critsmash-triage] → gfx-noted [post-critsmash-triage][adv-main68-]
Group: core-security-release