Closed Bug 1676636 (CVE-2020-16048) Opened 4 years ago Closed 4 years ago

WebGL2 compressedTexImage3D Handling Out-Of-Bounds Read Information Disclosure Vulnerability [ZDI-CAN-12197]

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86_64
Windows
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox-esr78 85+ verified
firefox84 - wontfix
firefox85 + verified
firefox86 + verified
firefox87 + verified

People

(Reporter: freddy, Assigned: jgilbert)

Details

(Keywords: reporter-external, sec-critical, Whiteboard: [Disclosure deadline 2021-03-11][reporter-external][sec-survey])

Attachments

(3 files)

PoC.html
661 bytes, text/html
Details
log output from windbg
81.42 KB, text/plain
Details
Bug 1676636 - [angle] Cherry-pick compressed tex depth stride fix.
48 bytes, text/x-phabricator-request
tjr
: approval-mozilla-beta+
jcristau
: approval-mozilla-release+
tjr
: approval-mozilla-esr78+
tjr
: sec-approval+
Details | Review
Attached file PoC.html —

This was sent to us from the ZDI.
[Credit: Abraruddin Khan and Omair working with Trend Micro Zero Day Initiative]

Attached file log output from windbg —
Group: gfx-core-security
Whiteboard: [reporter Abraruddin Khan and Omair working with Trend Micro Zero Day Initiative] → [reporter-external][reporter Abraruddin Khan and Omair working with Trend Micro Zero Day Initiative]

Note: I filed the bug without the security flag, which left it open to the public for about ~3 minutes. I'll make sure it won't happen again.
I have also reached out to bmo admins and glob tells me that I have been the only one who requested the PoC in the given timeframe.

Appears to only affect Windows builds.

OS: Unspecified → Windows
Hardware: Unspecified → x86_64

Looks like it's in ANGLE:

00 000000f0`bf7fc568 00007ffb`713b7d60     VCRUNTIME140!memcpy_repmovs+0xe [d:\agent\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 114] 
01 000000f0`bf7fc580 00007ffb`713483e3     libGLESv2!angle::LoadCompressedToNative<4,4,1,16>+0xd0 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/image_util/loadimage.inc @ 129] 
02 000000f0`bf7fc630 00007ffb`7132d374     libGLESv2!rx::Image11::loadCompressedData+0x1b3 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Image11.cpp @ 349] 
03 (Inline Function) --------`--------     libGLESv2!rx::TextureD3D::setCompressedImageImpl+0xc8 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 341] 
04 000000f0`bf7fc700 00007ffb`712ba0b4     libGLESv2!rx::TextureD3D_2DArray::setCompressedImage+0x194 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 3163] 
05 000000f0`bf7fc7c0 00007ffb`7124f8d5     libGLESv2!gl::Texture::setCompressedImage+0xc4 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Texture.cpp @ 1082] 
06 000000f0`bf7fc870 00007ffb`71415d5c     libGLESv2!gl::Context::compressedTexImage3D+0x175 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp @ 4264] 
07 000000f0`bf7fc920 00007ffb`743bdf37     libGLESv2!gl::CompressedTexImage3D+0xec [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_3_0_autogen.cpp @ 284] 
08 000000f0`bf7fc9c0 00007ffb`743a8fec     xul!VR_RuntimePath+0xbe7ab7
09 000000f0`bf7fca60 00007ffb`743a89fc     xul!VR_RuntimePath+0xbd2b6c
0a 000000f0`bf7fcb10 00007ffb`74380ddc     xul!VR_RuntimePath+0xbd257c
0b 000000f0`bf7fcd50 00007ffb`74335599     xul!VR_RuntimePath+0xbaa95c
0c 000000f0`bf7fce00 00007ffb`74335395     xul!VR_RuntimePath+0xb5f119
0d 000000f0`bf7fcf00 00007ffb`73f7fbd2     xul!VR_RuntimePath+0xb5ef15
0e 000000f0`bf7fcff0 00007ffb`73f7fa17     xul!VR_RuntimePath+0x7a9752
0f 000000f0`bf7fd0e0 00007ffb`72233bf8     xul!VR_RuntimePath+0x7a9597
10 000000f0`bf7fd220 00007ffb`75e5484a     xul!XRE_GetBootstrap+0x24fe58

Either this is a bug in (our fairly old) ANGLE, or ANGLE is following our bad orders.

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jgilbert)
Assignee: nobody → jgilbert
Severity: -- → S3
Flags: needinfo?(jgilbert)
Priority: -- → P1

This is an ANGLE bug, at least in our checkout of ANGLE.

Cherry-picking that fixes the crash locally for me.

Comment on attachment 9198324 [details]
Bug 1676636 - [angle] Cherry-pick compressed tex depth stride fix.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Fairly easily (both from a code standpoint and also the commit message from the cherry-picked patch)
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: We have good regression tests for 2d textures here, just not 3d. (hence this issue)
Attachment #9198324 - Flags: sec-approval?

-critical, given this is public upstream.

Keywords: sec-highsec-critical

Comment on attachment 9198324 [details]
Bug 1676636 - [angle] Cherry-pick compressed tex depth stride fix.

Approved to land and uplift. This could be a release ridealong.

Attachment #9198324 - Flags: sec-approval?
Attachment #9198324 - Flags: sec-approval+
Attachment #9198324 - Flags: approval-mozilla-release?
Attachment #9198324 - Flags: approval-mozilla-esr78+
Attachment #9198324 - Flags: approval-mozilla-beta+

Since these are all tracking, are we just waiting for a release chemspill in order to land them all simultaneously?

Flags: needinfo?(tom)

We may have a dot release for this to ridealong on; otherwise we can land it next week.

Flags: needinfo?(tom)

Julien has a point, we can land this in -central and -beta now

https://hg.mozilla.org/mozilla-central/rev/845c92efe125

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox87: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

(In reply to Tom Ritter [:tjr] (ni? for response to sec-[advisories/bounties/ratings/cves]) from comment #12)

-critical, given this is public upstream.

Soooo, if we don't have this patch, there are a bunch of other public ANGLE Chromium security fixes in the past year. If we land this and not those are we painting a bullseye on ourselves? Bugs fixed that long ago are public (in chromium, anyway).

What's our plan and timeline for updating our entire copy of ANGLE? The ANGLE project doesn't do a consistent job of flagging security issues or letting the chromium folks know certain patches are security relevant. This bug is a case in point where only the check-in comment happens to mention "...reading past the end of the user-supplied buffer" but there are no security flags on it and I couldn't find a corresponding chromium security bug. https://bugs.chromium.org/p/angleproject/issues/detail?id=3920

Flags: needinfo?(jgilbert)
Summary: WebGL2 compressedTexImage3D Handling Out-Of-Bounds Read Information Disclosure Vulnerability → WebGL2 compressedTexImage3D Handling Out-Of-Bounds Read Information Disclosure Vulnerability [ZDI-CAN-12197]
Whiteboard: [reporter-external][reporter Abraruddin Khan and Omair working with Trend Micro Zero Day Initiative] → [Disclosure deadline 2021-03-11][reporter-external]

Comment on attachment 9198324 [details]
Bug 1676636 - [angle] Cherry-pick compressed tex depth stride fix.

approved for 85.0.1

Attachment #9198324 - Flags: approval-mozilla-release? → approval-mozilla-release+

(In reply to Daniel Veditz [:dveditz] from comment #20)

(In reply to Tom Ritter [:tjr] (ni? for response to sec-[advisories/bounties/ratings/cves]) from comment #12)

-critical, given this is public upstream.

Soooo, if we don't have this patch, there are a bunch of other public ANGLE Chromium security fixes in the past year. If we land this and not those are we painting a bullseye on ourselves? Bugs fixed that long ago are public (in chromium, anyway).

What's our plan and timeline for updating our entire copy of ANGLE? The ANGLE project doesn't do a consistent job of flagging security issues or letting the chromium folks know certain patches are security relevant. This bug is a case in point where only the check-in comment happens to mention "...reading past the end of the user-supplied buffer" but there are no security flags on it and I couldn't find a corresponding chromium security bug. https://bugs.chromium.org/p/angleproject/issues/detail?id=3920

An update is coming in bug 1690349.
We're only affected by a subset of the ANGLE sec issues, so I don't think this paints a bullseye.

We used to do these more often but they do take time, and Gfx is incredibly staffing-constrained now.
On the balance we should aim for least two updates a year. We did let the previous update stagnate too long here.

We don't have a good story at all for ANGLE sec uplifts for ESR, and unfortunately it would take real heroics to do better than we do right now. Such is the price of large external libraries.
We will aim for an ANGLE update for each ESR version while it's still on Nightly.

Flags: needinfo?(jgilbert)
Flags: qe-verify+

Hi, Jeff! Is this something that can be manually verified by QA? if so, would you mind to provide more info about reproducing the bug.

I've tried to load the PoC.html from comment 0, using an affected Nightly build (2021-02-04), on Windows 10 64, but I cannot see something similar to comment 5, in my console output (though I'm not sure if that is what I'm supposed to get in a broken build).

Flags: needinfo?(jgilbert)

2021-02-04 might be fixed, maybe try 02-01? This should generally crash the tab.

Flags: needinfo?(jgilbert)

Thanks! It crashed on a Nightly build from 2021-02-01, after refreshing the tab several times.

The tab doesn't crash anymore on the latest fixed builds: 87.0a1, 86.0b7, 85.0.2 and 78.8.0esr. This was tested on Win 10 x64.

Status: RESOLVED → VERIFIED
status-firefox85: fixedverified
status-firefox86: fixedverified
status-firefox87: fixedverified
status-firefox-esr78: fixedverified
Flags: qe-verify+

Thanks!

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jgilbert)
Whiteboard: [Disclosure deadline 2021-03-11][reporter-external] → [Disclosure deadline 2021-03-11][reporter-external][sec-survey]
Flags: needinfo?(jgilbert)
Alias: CVE-2020-16048
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: