Bug 1554665 - Fix bounds checks in glxtest child process
Status: RESOLVED FIXED (Closed)
Opened 5 years ago; closed 5 years ago
Categories: Core :: Graphics, defect, P3
Target Milestone: mozilla69
Release | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox67 | --- | unaffected
firefox67.0.1 | --- | unaffected
firefox68 | + | fixed
firefox69 | + | fixed
People: Reporter: aosmond, Assigned: aosmond
References: Regression
Details: Keywords: regression, sec-high; Whiteboard: [post-critsmash-triage]
Attachments (1 file): 47 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+; abillings: sec-approval+)
The bounds checks in the glxtest child process spawned to query the GL driver for information are incorrect.
Updated (assignee) • 5 years ago
Assignee: nobody → aosmond
Group: gfx-core-security
Keywords: regression
OS: Unspecified → Linux
Priority: -- → P3
Regressed by: 1294232
Hardware: Unspecified → Desktop
Version: Trunk → 68 Branch
Updated (assignee) • 5 years ago
status-firefox67: --- → unaffected
status-firefox67.0.1: --- → unaffected
status-firefox68: --- → affected
Comment 1 (assignee) • 5 years ago

Comment 2 (assignee) • 5 years ago
Comment on attachment 9067859 [details]
Bug 1554665.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The buffer overflow potential is fairly obvious. I'm not sure how easy it would be to exploit given this is a fork of the main process at startup, before any remote data is loaded, just to collect some GL information which it dumps to a pipe, and which the main process reads back.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: 68
- If not all supported branches, which bug introduced the flaw?: Bug 1294232
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Very low risk.
- How likely is this patch to cause regressions; how much testing does it need?: Very unlikely to cause regressions. They will be limited to desktop Linux only.
Attachment #9067859 -
Flags: sec-approval?
Comment 3 • 5 years ago
sec-approval+ for trunk. Let's get this on Beta as well.
status-firefox-esr60: --- → unaffected
tracking-firefox68: --- → +
tracking-firefox69: --- → +
Keywords: sec-high
Updated • 5 years ago
Attachment #9067859 -
Flags: sec-approval? → sec-approval+
Comment 4 • 5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b9357648b9b582d9db5290db79f8f1d8045574c
https://hg.mozilla.org/mozilla-central/rev/1b9357648b9b
Group: gfx-core-security, core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Comment 5 (assignee) • 5 years ago
Comment on attachment 9067859 [details]
Bug 1554665.
Beta/Release Uplift Approval Request
- User impact if declined: Will be vulnerable to a potential buffer overflow on startup.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fix is trivial.
- String changes made/needed:
Attachment #9067859 -
Flags: approval-mozilla-beta?
Comment 6 • 5 years ago
Comment on attachment 9067859 [details]
Bug 1554665.
Fixes a buffer overflow. Approved for 68.0b7.
Attachment #9067859 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 7 • 5 years ago
uplift

Updated • 5 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated • 4 years ago
Group: core-security-release
Updated • 3 years ago
Has Regression Range: --- → yes