Closed
Bug 1692832
(CVE-2021-23981)
Opened 4 years ago
Closed 4 years ago
OOBR in Angle LoadRGB8ToBGR565
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
88 Branch
People
(Reporter: omair, Assigned: jgilbert)
References
Details
(Keywords: csectype-bounds, reporter-external, sec-high, Whiteboard: [adv-main87+][adv-esr78.9+][sec-survey])
Attachments
(3 files)
|
746 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr78+
dveditz
:
sec-approval+
|
Details | Review |
|
302 bytes,
text/plain
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Steps to reproduce:
Crash Report
Crash Environment:
**Application Name: firefox.exe (Nightly) **
Application Version: 87.0a1 (2021-02-13) (64-bit)
Crash Analysis:
Crash occurs at libGLESv2!angle::LoadRGB8ToBGR565+0x57 at the following instruction:
movzx r10d,byte ptr [rsi-2] ds:000004c1`6b396939=??
Equivalent source code for the instruction is:
dest[x] = (r5 << 11) | (g6 << 5) | b5;
From the above instruction x is a user-controlled variable and r5, g6 and b5 are calculated using source variable. Source and dest pointers are calculated in libGLESv2!angle::LoadRGB8ToBGR565 as follows:
const uint8_t *source = priv::OffsetDataPointer<uint8_t>(input, y, z, inputRowPitch, inputDepthPitch);
uint16_t *dest = priv::OffsetDataPointer<uint16_t>(output, y, z, outputRowPitch, outputDepthPitch);
In the above source code, source and dest are calculated using user-controlled input y, inputRowPitch and inputDepthPitch. From the PoC we know that the crash occurs when a pixel unpack buffer is created and then texImage2D is called. The syntax for texImage2d used in PoC is:
void gl.texImage2D(target, level, internalformat, width, height, border, format, type, ImageData source);
The variables being affected by user input are,
x is used in for loop and as an index for dest while writing pixel data, the exit condition is x < width.
y is used in for loop in which source and dest are calculated, the exit condition is y < height.
inputRowPitch and inputDepthPitch are calculated using width and height from texImage2D.
The source for the crash seems to be in libGLESv2!rx::`anonymous namespace'::GetUnpackPointer which returns the pixelData pointer, which is passed as input pointer being used in calculation of source pointer
if (unpackBuffer) {
ptrdiff_t offset = reinterpret_cast<ptrdiff_t>(pixels);
BufferD3D *bufferD3D = GetImplAs<BufferD3D>(unpackBuffer);
ASSERT(bufferD3D);
const uint8_t *bufferData = nullptr;
ANGLE_TRY(bufferD3D->getData(context, &bufferData));
*pointerOut = bufferData + offset;
}
The above code snippet is from the function libGLESv2!rx::`anonymous namespace'::GetUnpackPointer. The return pointer pointerOut is calculated by adding bufferData and offset which seem to be pointers, the resulting pointer is out of bounds. Thus, the program crashes when it tries to read data being pointed using returned pointer by this function.
Register values at crash:
2:042> r
> rax=0000000000000000 rbx=00000260b0cbe000 rcx=0000000000000040 rdx=0000000000000040
> rsi=000004c16b39693b rdi=00000000000000c0 rip=00007ffbcd4491d7 rsp=0000008b2f0ddd18
> rbp=0000000000000000 r8=00000260b0cbe000 r9=000004c16b39693b r10=00000fff79a89230
> r11=0001000004000040 r12=0000000000000080 r13=00000000000000c0 r14=00007ffbcd449180 r15=0000000000000000
> iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
> **libGLESv2!angle::LoadRGB8ToBGR565+0x57: 00007ffb`cd4491d7 440fb656fe movzx r10d,byte ptr [rsi-2] ds:000004c1`6b396939=??**
Registers rxc, rdx, rdi, r11 and r13 are user controllable at crash, the register values can be mapped to the following function in PoC:
gl4.texImage2D(gl4.TEXTURE_CUBE_MAP_POSITIVE_X, 0, gl4.RGB565, 64, 64, 0, gl4.RGB, gl4.UNSIGNED_BYTE, imgData);
Width and height are 64 (0x40) which is seen in registers rcx, rdx and r11. inputRowPitch is 0xc0 and is calculated using width, it is present in rdi and r13 registers.
Call Stack:
Child-SP RetAddr Call Site
00 00000072`d163dd98 00007ffb`cd15ef86 libGLESv2!angle::LoadRGB8ToBGR565+0x57 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/image_util/loadimage.cpp @ 396]
01 00000072`d163ddf0 00007ffb`cd1324d0 libGLESv2!rx::Image11::loadData+0x1f6 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Image11.cpp @ 305]
02 00000072`d163deb0 00007ffb`cd13759a libGLESv2!rx::TextureD3D::setImageImpl+0x1d0 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 278]
03 00000072`d163df60 00007ffb`cd0bad52 libGLESv2!rx::TextureD3D_Cube::setImage+0x9a [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 1758]
04 00000072`d163dfd0 00007ffb`cd045122 libGLESv2!gl::Texture::setImage+0xe2 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Texture.cpp @ 1143]
05 00000072`d163e0a0 00007ffb`cd23df5b libGLESv2!gl::Context::texImage2D+0x182 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp @ 4461]
06 00000072`d163e160 00007ffb`c64140de libGLESv2!gl::TexImage2D+0x13b [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_2_0_autogen.cpp @ 2836]
07 00000072`d163e210 00007ffb`c640b432 xul!mozilla::gl::GLContext::raw_fTexImage2D+0x7e [/builds/worker/workspace/obj-build/dist/include/GLContext.h @ 1660]
08 00000072`d163e280 00007ffb`c709b4f0 xul!mozilla::gl::GLContext::fTexImage2D+0x72 [/builds/worker/checkouts/gecko/gfx/gl/GLContext.cpp @ 2276]
09 00000072`d163e310 00007ffb`c704e6a6 xul!mozilla::DoTexImage+0xb0 [/builds/worker/checkouts/gecko/dom/canvas/WebGLTextureUpload.cpp @ 618]
0a 00000072`d163e3d0 00007ffb`c704de7a xul!mozilla::webgl::DoTexOrSubImage+0xc6 [/builds/worker/checkouts/gecko/dom/canvas/TexUnpackBlob.cpp @ 482]
0b 00000072`d163e470 00007ffb`c709ce2e xul!mozilla::webgl::TexUnpackBytes::TexOrSubImage+0x1aa [/builds/worker/checkouts/gecko/dom/canvas/TexUnpackBlob.cpp @ 583]
0c 00000072`d163e550 00007ffb`c7079765 xul!mozilla::WebGLTexture::TexImage+0x9ce [/builds/worker/checkouts/gecko/dom/canvas/WebGLTextureUpload.cpp @ 1074]
0d 00000072`d163e9a0 00007ffb`c708c104 xul!mozilla::WebGLContext::TexImage+0xa5 [/builds/worker/checkouts/gecko/dom/canvas/WebGLContextTextures.cpp @ 202]
0e (Inline Function) --------`-------- xul!mozilla::HostWebGLContext::TexImage+0x2c [/builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h @ 557]
0f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,75,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, const mozilla::avec3<unsigned int> &, const mozilla::webgl::PackingInfo &, const mozilla::webgl::TexUnpackBlobDesc &) const,&mozilla::HostWebGLContext::TexImage>::DispatchCommand<mozilla::HostWebGLContext>::<unnamed-tag>::operator()+0x132a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 231]
10 (Inline Function) --------`-------- xul!std::_C__Invoker_functor::_Call+0x132a
11 (Inline Function) --------`-------- xul!std::_C_invoke+0x132a
12 (Inline Function) --------`-------- xul!std::_Apply_impl+0x132a [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/tuple @ 1233]
13 (Inline Function) --------`-------- xul!std::apply+0x132a [/builds/worker/checkouts/gecko/vs2017_15.8.4/VC/include/tuple @ 1241]
14 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,75,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, const mozilla::avec3<unsigned int> &, const mozilla::webgl::PackingInfo &, const mozilla::webgl::TexUnpackBlobDesc &) const,&mozilla::HostWebGLContext::TexImage>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 228]
15 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,74,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &) const,&mozilla::HostWebGLContext::TexStorage>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
16 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,73,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &, const mozilla::avec2<int> &, const mozilla::avec2<unsigned int> &) const,&mozilla::HostWebGLContext::CopyTexImage>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
17 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,72,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::GenerateMipmap>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
18 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,71,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindTexture>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
19 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,70,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::ActiveTexture>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
1a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,69,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::RenderbufferStorageMultisample>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
1b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,68,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::ReadBuffer>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
1c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,67,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<const unsigned int> &, int, int, int, int) const,&mozilla::HostWebGLContext::InvalidateSubFramebuffer>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
1d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,66,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<const unsigned int> &) const,&mozilla::HostWebGLContext::InvalidateFramebuffer>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
1e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,65,void (mozilla::HostWebGLContext::*)(int, int, int, int, int, int, int, int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlitFramebuffer>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
1f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,64,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long, const mozilla::RawBuffer<unsigned char> &) const,&mozilla::HostWebGLContext::BufferSubData>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
20 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,63,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<unsigned char> &, unsigned int) const,&mozilla::HostWebGLContext::BufferData>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
21 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,62,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long long, unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::CopyBufferSubData>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
22 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,61,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long long, unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::BindBufferRange>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
23 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,60,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long)
const,&mozilla::HostWebGLContext::BindBuffer>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
24 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,59,void (mozilla::HostWebGLContext::*)(int, int, int, int) const,&mozilla::HostWebGLContext::Viewport>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
25 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,58,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::StencilOpSeparate>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
26 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,57,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::StencilMaskSeparate>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
27 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,56,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, int, unsigned int) const,&mozilla::HostWebGLContext::StencilFuncSeparate>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
28 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,55,void (mozilla::HostWebGLContext::*)(unsigned long long, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::ShaderSource>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
29 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,54,void (mozilla::HostWebGLContext::*)(int, int, int, int) const,&mozilla::HostWebGLContext::Scissor>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
2a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,53,void (mozilla::HostWebGLContext::*)(float, bool) const,&mozilla::HostWebGLContext::SampleCoverage>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
2b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,52,void (mozilla::HostWebGLContext::*)(unsigned long long, mozilla::layers::TextureType, bool) const,&mozilla::HostWebGLContext::Present>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
2c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,51,void (mozilla::HostWebGLContext::*)(float, float) const,&mozilla::HostWebGLContext::PolygonOffset>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
2d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,50,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::LinkProgram>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
2e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,49,void (mozilla::HostWebGLContext::*)(float) const,&mozilla::HostWebGLContext::LineWidth>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
2f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,48,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::Hint>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
30 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,47,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::FrontFace>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
31 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,46,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned long long, int, int, int) const,&mozilla::HostWebGLContext::FramebufferAttach>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
32 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,45,void (mozilla::HostWebGLContext::*)() const,&mozilla::HostWebGLContext::Flush>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
33 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,44,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::DetachShader>::DispatchCommand+0x2e33 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
34 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,43,void (mozilla::HostWebGLContext::*)(float, float)
const,&mozilla::HostWebGLContext::DepthRange>::DispatchCommand+0x38a4 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
35 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,42,void (mozilla::HostWebGLContext::*)(bool) const,&mozilla::HostWebGLContext::DepthMask>::DispatchCommand+0x38a4 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
36 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,41,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::DepthFunc>::DispatchCommand+0x3e79 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
37 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,40,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::CullFace>::DispatchCommand+0x3e79 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
38 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,39,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::CompileShader>::DispatchCommand+0x3f1a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
39 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,38,void (mozilla::HostWebGLContext::*)(bool, bool, bool, bool) const,&mozilla::HostWebGLContext::ColorMask>::DispatchCommand+0x3f1a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
3a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,37,void (mozilla::HostWebGLContext::*)(int) const,&mozilla::HostWebGLContext::ClearStencil>::DispatchCommand+0x3f1a [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
3b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,36,void (mozilla::HostWebGLContext::*)(float) const,&mozilla::HostWebGLContext::ClearDepth>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
3c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,35,void (mozilla::HostWebGLContext::*)(float, float, float, float) const,&mozilla::HostWebGLContext::ClearColor>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
3d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,34,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::Clear>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
3e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,33,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlendFuncSeparate>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
3f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,32,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlendEquationSeparate>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
40 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,31,void (mozilla::HostWebGLContext::*)(float, float, float, float) const,&mozilla::HostWebGLContext::BlendColor>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
41 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,30,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindFramebuffer>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
42 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,29,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::BindAttribLocation>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
43 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,28,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::AttachShader>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
44 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,27,void (mozilla::HostWebGLContext::*)(),&mozilla::HostWebGLContext::DidRefresh>::DispatchCommand+0x3f62 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
45 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,26,void (mozilla::HostWebGLContext::*)(mozilla::WebGLExtensionID),&mozilla::HostWebGLContext::RequestExtension>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
46 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,25,void (mozilla::HostWebGLContext::*)(const mozilla::avec2<unsigned int>
&),&mozilla::HostWebGLContext::Resize>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
47 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,24,void (mozilla::HostWebGLContext::*)(unsigned int, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::GenerateError>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
48 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,23,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::Enable>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
49 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,22,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::Disable>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
4a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,21,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteVertexArray>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
4b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,20,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteTransformFeedback>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
4c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,19,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteTexture>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
4d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,18,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteSync>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
4e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,17,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteShader>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
4f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,16,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteSampler>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
50 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,15,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteRenderbuffer>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
51 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,14,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteQuery>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
52 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,13,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteProgram>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
53 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,12,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteFramebuffer>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
54 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,11,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteBuffer>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
55 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,10,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateVertexArray>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
56 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,9,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateTransformFeedback>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
57 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,8,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateTexture>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
58 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,7,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateSync>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
59 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,6,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int),&mozilla::HostWebGLContext::CreateShader>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
5a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,5,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateSampler>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
5b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,4,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateRenderbuffer>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
5c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,3,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateQuery>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
5d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,2,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateProgram>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
5e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,1,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateFramebuffer>::DispatchCommand+0x4069 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
5f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,0,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateBuffer>::DispatchCommand+0x407c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 236]
60 00000072`d163ea20 00007ffb`c614d8b6 xul!mozilla::dom::WebGLParent::RecvDispatchCommands+0x41d4 [/builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp @ 61]
61 00000072`d163ecc0 00007ffb`c5296714 xul!mozilla::dom::PWebGLParent::OnMessageReceived+0x306 [/builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp @ 201]
62 00000072`d163ed90 00007ffb`c5f47c7d xul!mozilla::layers::PCompositorManagerParent::OnMessageReceived+0x64 [/builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp @ 205] 63 (Inline Function) --------`-------- xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x74 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 2153]
64 00000072`d163ee90 00007ffb`c4d04355 xul!mozilla::ipc::MessageChannel::DispatchMessage+0x40d [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 2077]
65 (Inline Function) --------`-------- xul!mozilla::ipc::MessageChannel::RunMessage+0xf7 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1925]
66 (Inline Function) --------`-------- xul!mozilla::ipc::MessageChannel::MessageTask::Run+0x16d [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1956]
67 00000072`d163f220 00007ffb`c4d02502 xul!nsThread::ProcessNextEvent+0x1a15 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1152]
68 (Inline Function) --------`-------- xul!NS_ProcessNextEvent+0x28 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 548]
69 00000072`d163f5b0 00007ffb`c5f210bf xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xf2 [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 302]
6a (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 335]
6b 00000072`d163f650 00007ffb`c4d023ce xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 329]
6c 00000072`d163f6a0 00007ffb`c5ac3d77 xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 311]
6d 00000072`d163f700 00007ffb`e90a6d5a xul!nsThread::ThreadFunc+0xe7 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 393]
6e 00000072`d163f8b0 00007ffb`e909a4a1 nss3!_PR_NativeRunThread+0x14a [/builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c @ 421]
6f 00000072`d163f930 00007ffc`30951bb2 nss3!pr_root+0x11 [/builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c @ 140] 70 00000072`d163f960 00007ffc`32ab7034 ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x42 71 00000072`d163f990 00007ffc`19c838a8 KERNEL32!BaseThreadInitThunk+0x14 72 (Inline Function) --------`-------- mozglue!mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator()+0x15 [/builds/worker/workspace/obj-build/dist/include/nsWindowsDllInterceptor.h @ 150] 73 00000072`d163f9c0 00007ffc`32ffd241 mozglue!patched_BaseThreadInitThunk+0x28 [/builds/worker/checkouts/gecko/mozglue/dllservices/WindowsDllBlocklist.cpp @ 587] 74 00000072`d163fa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
|
||
Updated•4 years ago
|
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics
Product: Firefox → Core
|
Assignee | |
Comment 1•4 years ago
|
||
Sigh, plausible.
|
||
Updated•4 years ago
|
Keywords: csectype-bounds,
sec-high
|
|
Assignee | |
Comment 2•4 years ago
|
||
INVALID_OPERATION otherwise.
|
||
Updated•4 years ago
|
Assignee: nobody → jgilbert
|
|
Assignee | |
Comment 3•4 years ago
|
||
We're messing up far before calling into ANGLE.
status-firefox86:
--- → ?
status-firefox87:
--- → affected
status-firefox88:
--- → affected
status-firefox-esr78:
--- → ?
|
|
Assignee | |
Updated•4 years ago
|
See Also: → CVE-2021-4127
|
|
Assignee | |
Comment 4•4 years ago
|
||
Comment on attachment 9207663 [details]
Bug 1692832 - isTexUploadFromPbo iff isPboBound.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Requires specialized knowledge of opengl to leverage. Based on the patch it's not too obvious what to do, but if you know GL you'll have an inkling.
"medium difficulty" - Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Low. Test included, to supplement our existing tests.
Attachment #9207663 -
Flags: sec-approval?
|
|
||
Updated•4 years ago
|
|
|
||
Comment 5•4 years ago
|
||
Comment on attachment 9207663 [details]
Bug 1692832 - isTexUploadFromPbo iff isPboBound.
sec-approval=dveditz
Attachment #9207663 -
Flags: sec-approval? → sec-approval+
|
||
Comment 6•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/2a2ccdf0ce6b9b372f7115fa17a83998caba3523
Please nominate this for Beta and ESR78 approval ASAP.
Flags: needinfo?(jgilbert)
|
||
Comment 7•4 years ago
|
||
isTexUploadFromPbo iff isPboBound. r=lsalzman
https://hg.mozilla.org/mozilla-central/rev/2a2ccdf0ce6b
Group: gfx-core-security → core-security-release
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
|
|
Assignee | |
Comment 8•4 years ago
|
||
Comment on attachment 9207663 [details]
Bug 1692832 - isTexUploadFromPbo iff isPboBound.
Beta/Release Uplift Approval Request
- User impact if declined: sec-high
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: esr78
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small change, testcase included
- String changes made/needed: none
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: sec-high
- Fix Landed on Version: 88
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small change, testcase included
- String or UUID changes made by this patch: none
Flags: needinfo?(jgilbert)
Attachment #9207663 -
Flags: approval-mozilla-esr78?
Attachment #9207663 -
Flags: approval-mozilla-beta?
|
||
Comment 9•4 years ago
|
||
Comment on attachment 9207663 [details]
Bug 1692832 - isTexUploadFromPbo iff isPboBound.
approved for 87.0b9
Attachment #9207663 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 10•4 years ago
|
||
| uplift | ||
|
||
Updated•4 years ago
|
Flags: sec-bounty?
|
||
Updated•4 years ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
|
||
Comment 11•4 years ago
|
||
Comment on attachment 9207663 [details]
Bug 1692832 - isTexUploadFromPbo iff isPboBound.
Approved for 78.9esr.
Attachment #9207663 -
Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
|
|
||
Comment 12•4 years ago
|
||
| uplift | ||
|
|
||
Updated•4 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•4 years ago
|
Whiteboard: [adv-main87+]
|
|
||
Updated•4 years ago
|
Whiteboard: [adv-main87+] → [adv-main87+][adv-esr78.9+]
|
|
||
Comment 13•4 years ago
|
||
|
||
Comment 14•4 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Flags: needinfo?(jgilbert)
Whiteboard: [adv-main87+][adv-esr78.9+] → [adv-main87+][adv-esr78.9+][sec-survey]
|
|
||
Updated•4 years ago
|
Alias: CVE-2021-23981
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(jgilbert)
|
|
||
Updated•3 years ago
|
Group: core-security-release
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•