'border-image' rendering is broken in WebRender
Categories
(Core :: Graphics: WebRender, defect)
Tracking
()
People
(Reporter: MatsPalmgren_bugz, Assigned: nical)
References
(Regression)
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main77+])
Attachments
(6 files)
|
732 bytes,
text/html
|
Details | |
|
12.27 KB,
image/png
|
Details | |
|
9.36 KB,
image/png
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
dveditz
:
approval-mozilla-beta+
dveditz
:
sec-approval+
|
Details | Review |
|
47 bytes,
text/x-phabricator-request
|
dveditz
:
approval-mozilla-beta+
dveditz
:
sec-approval+
|
Details | Review |
|
325 bytes,
text/plain
|
Details |
Screenshot
The test works correctly in Firefox v76 and Chrome v81.
|
Reporter | |
Comment 1•5 years ago
|
||
Is the top border segment of the first box rendering random memory?
|
||
Comment 2•5 years ago
|
||
I see it broken in 75 as well. Probably WebRender specific?
|
|
||
Comment 4•5 years ago
|
||
Yeah, it's a WebRender bug looks like. And yeah, it's GPU memory, I got some text from my terminal there :)
|
|
||
Updated•5 years ago
|
|
|
||
Comment 5•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 6•5 years ago
|
||
Hmm, this seems like a security issue then.
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
Assignee | |
Comment 7•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 8•5 years ago
|
||
I would be surprised if this is exploitable but the fix is simple enough that it is a good candidate for uplift.
|
|
||
Comment 9•5 years ago
|
||
Can we land a test for this?
|
|
Assignee | |
Comment 10•5 years ago
|
||
Yeah I'll add a reftest. I wasn't sure the behavior was what the spec intended.
|
|
Assignee | |
Comment 11•5 years ago
|
||
|
||
Comment 12•5 years ago
|
||
Can a web page get images back out of WebRender? Like, the leaked data is on the screen, but not on something like a <canvas> that could be read back? Would it be captured by a screenshot?
|
|
Assignee | |
Comment 13•5 years ago
|
||
Web pages aren't allowed to read pixels back from webrender. In gecko we have two ways to do screenshots, one that reads webrender's framebuffers (what the gecko profiler uses) and one that reconstructs the page on the content process and draws it without webrender (drawWindow which extensions can ask access to, but that's not affected by webrender). Both are privileged APIs that web pages don't have access to as far as I know.
I think webrtc has a screen sharing feature, which I expect can see the output of webrender, but that requires pretty verbose permission requests.
Beyond that I believe that it's quite hard to craft getting the texture cache's pieces of uninitialized memory to land on anything interesting. You are more likely to land on other bits of content of the same page which, if you get to that point, you already have access to.
|
|
Reporter | |
Comment 14•5 years ago
|
||
(In reply to Nicolas Silva [:nical] from comment #13)
Beyond that I believe that it's quite hard to craft getting the texture cache's pieces of uninitialized memory to land on anything interesting. You are more likely to land on other bits of content of the same page which, if you get to that point, you already have access to.
It's actually quite easy for me to see interesting content from other processes. If I start a separate browser and load a video into it I often get a region of that video into the border and not just a single frame - it's a slice of the live running video stream!
Also, many programs off-load more than just rendering to the GPU these days so if we can somehow write to their GPU memory here then it might be more problematic.
|
|
Assignee | |
Comment 15•5 years ago
|
||
My understanding is that we are reading uninitialized parts of a texture here. There is a strict separation between what shaders can read and write, and it would require a pretty catastrophic driver bug to be able to write into another program's active gpu memory.
It would take a security exploit for a page to be able to read webrender's gpu memory, so I am not overly worried. It doesn't hurt to treat this as a security issue anyway.
it's a slice of the live running video stream!
That's pretty wild, I wonder if this can be reproduced with webgl.
|
|
Assignee | |
Comment 16•5 years ago
|
||
Comment on attachment 9148030 [details]
Bug 1637112 - Don't draw border-image segments with zero slice size. r=mstange
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I don't think it can without another exploit, so hard. But if an attacker manages to read back webrender's memory, then this could let them read random things from other process's gpu memory.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: it should apply cleanly to older branches.
- How likely is this patch to cause regressions; how much testing does it need?: Not very likely, let's let it bake on nightly for a few days and uplift after that.
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Comment 17•5 years ago
|
||
Which older supported branches are affected by this flaw?: all
I'm having trouble reconciling that answer with others earlier saying ESR-68 is unaffected. Do we need this fixed on ESR or not?
|
|
Assignee | |
Comment 18•5 years ago
|
||
My bad. The bug exists in all branches but it will not cause NaN texture coordinates in esr 68 which is the cause of the rendered garbage here. It does in Release, though.
|
|
||
Comment 19•5 years ago
|
||
WebRender is also disabled on ESR. Unless there's also a non-WR variant of this issue as well?
|
|
Assignee | |
Comment 20•5 years ago
|
||
This is webrender-only.
|
|
||
Updated•5 years ago
|
|
|
||
Comment 21•5 years ago
|
||
Comment on attachment 9148030 [details]
Bug 1637112 - Don't draw border-image segments with zero slice size. r=mstange
sec-approval+, a=dveditz for beta
|
|
||
Updated•5 years ago
|
|
|
||
Comment 22•5 years ago
|
||
| uplift | ||
https://hg.mozilla.org/integration/autoland/rev/b57a096b5ba4955abe131079820801457ee397af
https://hg.mozilla.org/integration/autoland/rev/67745f2dd84827d30f654d75766351ff788f5114
https://hg.mozilla.org/releases/mozilla-beta/rev/1f441180b014
https://hg.mozilla.org/releases/mozilla-beta/rev/d50a69ba1ac4
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Comment 23•5 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b57a096b5ba4
https://hg.mozilla.org/mozilla-central/rev/67745f2dd848
|
||
Updated•5 years ago
|
|
|
||
Comment 24•5 years ago
|
||
Reproduced the issue on Windows 10 and Ubuntu 18, with Nightly 78.0a1, Build ID 20200518093924.
Verified as fixed on Ubuntu 18, Windows 10 x64 and MacOS 10.14.6, with
- Latest Nightly 78.0a1, Build Id 20200525093440
- Latest Beta 77.0b9, Build ID 20200521224544.
|
||
Updated•5 years ago
|
|
|
||
Comment 25•5 years ago
|
||
|
|
||
Updated•5 years ago
|
|
|
||
Updated•4 years ago
|
Description
•