Closed Bug 1544630 Opened 6 years ago Closed 6 years ago

libANGLE UAF due to deleting a buffer not updating VAO validation

Categories

(Core :: Graphics: CanvasWebGL, defect, P2)

defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr60 --- fixed
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- unaffected

People

(Reporter: dveditz, Assigned: jgilbert)

References

Details

(Keywords: csectype-uaf, sec-high)

According to crbug/943424, this is a UAF due to not updating the right caches when a buffer was deleted. It mentions that the check-in credited the wrong bug by mistake (the texture one I filed earlier).

https://crrev.com/f7f15ac20a354f71600b0c11789d54546a924d4c

Priority: -- → P1

The Chrome bug is Security_Severity-High, so going with that unless we know for sure we don't use this code. In the Chrome case it's triggered through WebGL2, and Jeff says we don't use libANGLE for as much stuff as Chrome does.

Keywords: sec-high

I don't think this applies to us, since we do all validation before ANGLE. (And we don't delete objects until they're truly not in use.)

Status: NEW → UNCONFIRMED
Ever confirmed: false
Priority: P1 → P2
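The deferred-deletion approach described in the comment above, as an added example that is not ANGLE's or Firefox's code: a toy GL name table in which a VAO's attribute bindings share ownership of their buffers, so deleting a bound buffer's name cannot leave draw validation pointing at freed memory the way the stale-cache bug does. `Context`, `Buffer` and all method names are constructed for this illustration.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <vector>

struct Buffer { size_t size; };  // bytes in the buffer's data store
// One enabled VAO attribute. Shared ownership keeps the Buffer alive while bound.
struct AttribBinding {
    std::shared_ptr<Buffer> buffer;
    size_t offset = 0;  // first byte read for vertex 0
    size_t stride = 0;  // bytes per vertex (treated as the per-vertex footprint)
};

class Context {
public:
    unsigned genBuffer(size_t size) {
        names_[nextId_] = std::make_shared<Buffer>(Buffer{size});
        return nextId_++;
    }
    bool bindAttrib(size_t slot, unsigned id, size_t offset, size_t stride) {
        auto it = names_.find(id);
        if (it == names_.end()) return false;  // unknown name: nothing bound
        if (slot >= vao_.size()) vao_.resize(slot + 1);
        vao_[slot] = AttribBinding{it->second, offset, stride};
        return true;
    }
    // Dropping the last reference is what actually frees the Buffer.
    void unbindAttrib(size_t slot) { if (slot < vao_.size()) vao_[slot] = AttribBinding{}; }
    // Deferred delete: only the name goes away; a VAO still binding the buffer owns it.
    bool deleteBuffer(unsigned id) { return names_.erase(id) == 1; }
    std::weak_ptr<Buffer> watch(unsigned id) const {  // observe when it is really released
        auto it = names_.find(id);
        if (it == names_.end()) return {};
        return it->second;
    }
    // Validate against the live Buffer at draw time, never a cached snapshot.
    bool validateDraw(size_t vertexCount) const {
        for (const auto& b : vao_) {
            if (!b.buffer || b.offset > b.buffer->size) return false;
            size_t avail = b.buffer->size - b.offset;  // division form cannot overflow
            if (b.stride != 0 && vertexCount > avail / b.stride) return false;
        }
        return true;
    }
private:
    unsigned nextId_ = 1;
    std::map<unsigned, std::shared_ptr<Buffer>> names_;  // GL name table
    std::vector<AttribBinding> vao_;                       // one VAO, by slot
};
```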

I think we can WONTFIX this, for our usecase.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX

We actually have this patch already in 68.

Severity: normal → minor
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WONTFIX → ---
Assignee: nobody → jgilbert
Depends on: 1550655
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release