Closed Bug 1554665 Opened 2 years ago Closed 2 years ago

Fix bounds checks in glxtest child process

Categories

(Core :: Graphics, defect, P3)

68 Branch
Desktop
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox67.0.1 --- unaffected
firefox68 + fixed
firefox69 + fixed

People

(Reporter: aosmond, Assigned: aosmond)

References

(Regression)

Details

(Keywords: regression, sec-high, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

The bounds checks in the glxtest child process spawned to query the GL driver for information are incorrect.

Assignee: nobody → aosmond
Group: gfx-core-security
Keywords: regression
OS: Unspecified → Linux
Priority: -- → P3
Regressed by: 1294232
Hardware: Unspecified → Desktop
Version: Trunk → 68 Branch
Attached file Bug 1554665.

Comment on attachment 9067859 [details]
Bug 1554665.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The buffer overflow potential is fairly obvious. I'm not sure how easy it would be to exploit given this is a fork of the main process at startup, before any remote data is loaded, just to collect some GL information which it dumps to a pipe, and which the main process reads back.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: 68
  • If not all supported branches, which bug introduced the flaw?: Bug 1294232
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Very low risk.
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely to cause regressions. They will be limited to desktop Linux only.
Attachment #9067859 - Flags: sec-approval?

sec-approval+ for trunk. Let's get this on Beta as well.

Attachment #9067859 - Flags: sec-approval? → sec-approval+
Group: gfx-core-security, core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Comment on attachment 9067859 [details]
Bug 1554665.

Beta/Release Uplift Approval Request

  • User impact if declined: Will be vulnerable to a potential buffer overflow on startup.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fix is trivial.
  • String changes made/needed:
Attachment #9067859 - Flags: approval-mozilla-beta?

Comment on attachment 9067859 [details]
Bug 1554665.

Fixes a buffer overflow. Approved for 68.0b7.

Attachment #9067859 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.