Closed Bug 1693534 Opened 3 years ago Closed 3 years ago

With AMDGPU, UNMASKED_RENDERER_WEBGL leaks precise kernel and DRM version on desktop Linux

Categories

(Core :: Graphics: CanvasWebGL, defect)

Tracking

VERIFIED FIXED
88 Branch
Tracking Status
firefox-esr78 --- verified
firefox86 --- wontfix
firefox87 --- verified
firefox88 --- verified

People

(Reporter: hsivonen, Assigned: hsivonen)

Attachments

(1 file)

In most cases, UNMASKED_RENDERER_WEBGL leaks at most the exact GPU model, but on desktop Linux with the amdgpu driver, it also leaks the exact kernel version and the exact DRM version.

It seems rather implausible that Web content would use these so commonly to legitimately work around Linux driver bugs that leaking this information would be justified.

Long ago, we used to leak the kernel version in the UA string, and we stopped doing that in order to make it harder for attackers to target attack payloads to vulnerabilities of a specific kernel version.

I realize that the format of the string isn't decided by us but is given to us by the OS (Chrome leaks the same string), but I suggest we sanitize what we get from the OS and not expose it to the Web as-is.

The format of the AMD string appears to be:

AMD Radeon (TM) GPU model Graphics (GPUgeneration, DRM DRMversion, kernelversion, LLVM LLVMversion)

We should either trim the string to
AMD Radeon (TM) GPU model Graphics (GPUgeneration)
if that's Web-compatible or, if it isn't Web-compatible, replace the version numbers with plausible frozen ones.

Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
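
The trimming proposed in the report above, shown as an added JavaScript example that is not part of the original bug and is not Firefox's patch: it drops the DRM, kernel and LLVM fields from the trailing parenthesised group and keeps the GPU generation. The function names, the regular expression and the sample strings are assumptions constructed for illustration.

```javascript
// Added example, not Firefox's patch. SAMPLES are constructed strings that
// follow the format quoted in the report; real driver output may differ.
const SAMPLES = [
  "AMD Radeon (TM) RX 460 Graphics (POLARIS11, DRM 3.35.0, 5.4.0-65-generic, LLVM 11.0.0)",
  "AMD Radeon (TM) RX 460 Graphics (POLARIS11)",
  "Example GPU 1000", // no trailing parenthesised group
];

// A field is version-like if it is "DRM <n>", "LLVM <n>", or a bare dotted
// version such as a kernel release ("5.4.0-65-generic").
const VERSION_FIELD = /^(?:(?:DRM|LLVM)\s+\d|\d+\.\d+\S*$)/i;

// Split "head (a, b, c)" into head and fields, scanning from the end so an
// earlier group such as "(TM)" is left in the head.
function splitRenderer(renderer) {
  const s = renderer.trim();
  if (!s.endsWith(")")) return null;
  let depth = 0;
  for (let i = s.length - 1; i >= 0; i--) {
    if (s[i] === ")") depth++;
    else if (s[i] === "(" && --depth === 0) {
      const fields = s.slice(i + 1, -1).split(",").map((f) => f.trim());
      return { head: s.slice(0, i).trimEnd(), fields };
    }
  }
  return null; // unbalanced parentheses: treat as opaque
}

// Fields that would expose DRM, kernel or LLVM versions to a page.
function leakedFields(renderer) {
  const parts = splitRenderer(renderer);
  return parts ? parts.fields.filter((f) => VERSION_FIELD.test(f)) : [];
}

// Drop version-like fields; strings with nothing to strip pass through as-is.
function sanitizeRenderer(renderer) {
  const parts = splitRenderer(renderer);
  if (!parts || leakedFields(renderer).length === 0) return renderer;
  const kept = parts.fields.filter((f) => f && !VERSION_FIELD.test(f));
  return kept.length ? `${parts.head} (${kept.join(", ")})` : parts.head;
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(leakedFields(s)), "->", sanitizeRenderer(s));
}
```

`leakedFields` can double as a regression check on the value a build exposes: an empty array means no version-like field is present in the renderer string.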

Yeah, we should truncate that information off.

Can you add that system's info from about:support to this doc? https://hackmd.io/Ductv3pQTMej74gbveD4yw

Flags: needinfo?(hsivonen)

(In reply to Jeff Gilbert [:jgilbert] from comment #2)

> Yeah, we should truncate that information off.
>
> Can you add that system's info from about:support to this doc? https://hackmd.io/Ductv3pQTMej74gbveD4yw

Added.

Aside: Epiphany, like Safari, just says "Apple GPU". I wonder what would actually break if we returned a constant here like WebKit does.

Flags: needinfo?(hsivonen)
See Also: → 1693745

For the same reasons us Firefox devs really need to know the actual device when we run into defects/feedback/bug reports, some website devs (Google Maps, Unity) need to know too. Sometimes they need same-day fixes too! Safari doesn't think so but we disagree with their reasoning.

I'm planning to round off some of this information though. (e.g. Adreno 512 -> Adreno 5xx) This may become an iterative process.

FWIW resistFingerprinting does disable this query. (All you get is "Mozilla")

Pushed by hsivonen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1dec1152e3ff
Avoid leaking the kernel version to the Web with amdgpu. r=jgilbert
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

Comment on attachment 9203970 [details]
Bug 1693534 - Avoid leaking the kernel version to the Web with amdgpu.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Information leak to the Web.
  • User impact if declined: Web sites can discover the exact kernel version, including the distro security patch level, which may help targeting attacks to the bugs of a specific kernel version.
  • Fix Landed on Version: 88
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk, because sites can't expect to have this information available for all drivers or even for the more common operating systems for these GPUs. The main risk comes from sites wishing to sniff the AMD GPU generation name and expecting a comma after it.
  • String or UUID changes made by this patch: none

Beta/Release Uplift Approval Request

  • User impact if declined: Web sites can discover the exact kernel version, including the distro security patch level, which may help targeting attacks to the bugs of a specific kernel version.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  1. Use desktop Linux with an AMD GPU and the amdgpu driver.
  2. Load https://browserleaks.com/webgl
  3. Look at the item "Unmasked Renderer"
  4. Verify that the kernel version is not there.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk, because sites can't expect to have this information available for all drivers or even for the more common operating systems for these GPUs. The main risk comes from sites wishing to sniff the AMD GPU generation name and expecting a comma after it.
  • String changes made/needed: none
Attachment #9203970 - Flags: approval-mozilla-esr78?
Attachment #9203970 - Flags: approval-mozilla-beta?
Flags: qe-verify+

> The main risk comes from sites wishing to sniff the AMD GPU generation name and expecting a comma after it.

For clarity, I have no existence proof of this. It's just the most guessable risk.

Since the same information leak affects Chromium, in the spirit of sharing reports of security-ish nature, I filed:
https://bugs.chromium.org/p/chromium/issues/detail?id=1181193

Comment on attachment 9203970 [details]
Bug 1693534 - Avoid leaking the kernel version to the Web with amdgpu.

approved for 87.0b2

Attachment #9203970 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Reproduced the issue on Firefox 86.0 (20210222142601)
Verified the fix on Firefox 88.0a1 (20210223230332) and Firefox 87.0b2 (20210223185702)

Comment on attachment 9203970 [details]
Bug 1693534 - Avoid leaking the kernel version to the Web with amdgpu.

Approved for 78.9esr.

Attachment #9203970 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+

Verified the fix on Firefox 78.9.0esr (20210224175802)

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+