Closed Bug 1700235 (CVE-2021-29961) Opened 3 years ago Closed 3 years ago

<select> element with large size then transformed with scale() allow WebRender to render over Firefox UI

Categories

(Core :: Graphics: WebRender, defect)

Tracking

VERIFIED FIXED
90 Branch
Tracking Status
thunderbird_esr78 --- unaffected
firefox-esr78 --- unaffected
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- wontfix
firefox89 --- verified
firefox90 --- verified

People

(Reporter: sourc7, Assigned: gw)

References

(Regressed 1 open bug, Regression)

Details

(Keywords: csectype-spoof, regression, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [adv-main89+])

Attachments

(8 files, 1 obsolete file)

Attached file drawbar.bundle.html

When creating a <select> element with a large size attribute and a large font-size, then transforming the element with CSS scale(), the element is rendered and stretched over the Firefox toolbar and other UI.

mozregression shows that the regression range starts from commit "Bug 1664719 - Pt 2a - Re-enable is_ancestor check":

19:51.48 INFO: Narrowed integration regression window from [b88d1d84, c8102686] (3 builds) to [25a50264, c8102686] (2 builds) (~1 steps left)
19:51.48 INFO: No more integration revisions, bisection finished.
19:51.48 INFO: Last good revision: 25a50264ae3204f2df9add308fc712df45947637
19:51.48 INFO: First bad revision: c8102686489e51edec8a976f013398412577be44
19:51.48 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=25a50264ae3204f2df9add308fc712df45947637&tochange=c8102686489e51edec8a976f013398412577be44

As it is able to render over the Firefox address bar and toolbar UI, I assume it's possible to spoof the address bar with a background-image or hide the address bar with a background-color.

Reproduced on:

  • Firefox Nightly 88.0a1 (2021-03-22) (64-bit) on Arch Linux (AMD RENOIR (DRM 3.40.0, 5.11.6-arch1-1, LLVM 11.1.0))
  • Firefox Nightly 88.0a1 (2021-03-22) (64-bit) on Windows 10 (AMD A8-7410 R5 Graphics)
  • Firefox Nightly 88.0a1 (2021-03-22) (64-bit) on Windows 10 (Intel i5-1035G1)

Steps to Reproduce:

  1. Open Firefox with WebRender enabled
  2. Visit attached drawbar.bundle.html or hidebar.bundle.html
  3. The toolbar is now covered by background-image or background-color

(If the toolbar is only partially covered on your screen, try zooming the page in or out, or increase the CSS scale() or <select> size.)

Flags: sec-bounty?
Attached file hidebar.bundle.html
Blocks: 1664719
Group: firefox-core-security → gfx-core-security
Type: task → defect
Component: Security → Graphics: WebRender
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true
No longer blocks: 1664719
Keywords: regression
Regressed by: 1664719
Has Regression Range: --- → yes
Flags: needinfo?(gwatson)

I can't reproduce drawing over the titlebar after trying a number of zoom / scale / resolution configurations. But it does draw what looks like garbage at the bottom of the screen for me. I'll investigate that and find what's happening - hopefully whatever causes that is the same issue.

Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

I was able to reduce the case further and reproduce in a wrench capture.

The problem is caused by (a lack of) f32 accuracy.

From Gecko, the display list contains a spatial node with transform ([1.0, 0.0, 0.0, 0.0, 0.0, 300.0, 0.0, 0.0, 0.0, 0.0, 1.0, 0.0, 0.0, -652528960.0, 0.0, 1.0]).

Since the coordinate system for that is axis-aligned with respect to the global iframe clip rect, WR maps the iframe clip-rect into this primitive's coordinate space, and intersects with the primitive's local clip rect, providing a single local clip rect that is applied during vertex shading.

However, the extremely large offset combined with the very large y-scale in the transform means that floating point accuracy loss occurs, and the mapped clip rect now incorrectly references an area outside the iframe clip in world space by ~47 pixels in my local test case.

How would such a case be handled in non-WR Gecko? Does Gecko layout / DL building do any rejection or clamping of extremely large transforms like this?

Flags: needinfo?(matt.woodrow)
Flags: needinfo?(jmuizelaar)
Flags: needinfo?(emilio)

I don't know this off the top of my head, but if Matt / Jeff can't answer let me know and I can dig.

Flags: needinfo?(emilio)

Clipping is mostly done in device space (often with fixed point) so there's no opportunity for floating point error to cause a problem.

Flags: needinfo?(jmuizelaar)
Flags: needinfo?(matt.woodrow)

Thinking about this more overnight - it's still unclear to me why the overall content frame clip doesn't end up being applied to the content tiles. I need to investigate that, as that seems like the simplest way to ensure this can't happen.

Flags: sec-bounty? → sec-bounty+

The partial answer to the question in comment 8 is that for the picture cache tiles that overlap with the URL bar, there is no clip rect on the picture cache instance constraining them to the content region. Next step is to work out why this is.

The attached patch provides a solution that prevents the floating point inaccuracy from affecting anything outside a content iframe, by ensuring that iframe clip rects are applied to the picture cache tiles (which aren't affected by the floating point accuracy issues in the content).

In some ways this is a band-aid fix, in that the float inaccuracy can still cause rendering artifacts within content, but it should prevent content leaking outside the iframe clip in these cases. We can work on the content inaccuracy with extreme transforms and primitive sizes as a lower priority.

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
Regressions: 1706109
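A one-dimensional model of the precision loss described in comment 8 and of why the fix in the comment above (applying the iframe clip on the picture cache tiles in world space) is not affected by it. This is an added example, not WebRender code; it assumes the quoted matrix maps local to world coordinates with a y scale of 300 and a y translation of -652528960, and that the iframe clip edge is mapped into local space and back to world space in f32.

```rust
// Added example, not WebRender code: 1-D model of the y axis of the
// transform quoted in the bug (scale 300, offset -652528960), showing how an
// f32 round trip of a clip edge drifts by tens of pixels, and why a clip
// applied in world space on the tile cache is untouched by it.

/// y_world = scale * y_local + offset (assumed reading of the y column).
#[derive(Clone, Copy)]
pub struct YMap {
    pub scale: f64,
    pub offset: f64,
}

pub const BUG_TRANSFORM: YMap = YMap { scale: 300.0, offset: -652528960.0 };

/// World clip edge -> local space -> back to world, all in f32, as happens
/// when the iframe clip is mapped into primitive space and the vertex shader
/// then transforms the clipped geometry back out.
pub fn round_trip_f32(m: YMap, world_y: f32) -> f32 {
    let (scale, offset) = (m.scale as f32, m.offset as f32);
    let local_y = (world_y - offset) / scale; // ulp here is 0.25 local units
    local_y * scale + offset // product is near 6.5e8, where the f32 ulp is 64
}

/// Same round trip in f64 for reference; its error is far below a pixel.
pub fn round_trip_f64(m: YMap, world_y: f64) -> f64 {
    let local_y = (world_y - m.offset) / m.scale;
    local_y * m.scale + m.offset
}

/// Largest error in world pixels over integer clip edges in [lo, hi].
pub fn max_world_error_px(m: YMap, lo: i32, hi: i32) -> f64 {
    (lo..=hi)
        .map(|y| (round_trip_f32(m, y as f32) as f64 - round_trip_f64(m, y as f64)).abs())
        .fold(0.0, f64::max)
}

/// What the fix relies on: an iframe clip applied in world space on the tile
/// cache is a plain interval clamp and never passes through the transform.
pub fn clamp_to_iframe(world_y: f32, iframe_top: f32, iframe_bottom: f32) -> f32 {
    world_y.max(iframe_top).min(iframe_bottom)
}

fn main() {
    for y in [0.0f32, 100.0, 400.0, 800.0] {
        println!("world y {y:>5} -> f32 round trip {:>8}", round_trip_f32(BUG_TRANSFORM, y));
    }
    println!("max error over 0..=800: {} px", max_world_error_px(BUG_TRANSFORM, 0, 800));
}
```

Because the f32 product near 6.5e8 is quantised to multiples of 64, every round-tripped edge lands on a 64 px grid, so an edge at 100 px comes back at 128 px and the worst case over the content area is well above 30 px.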

Backed out from Beta to avoid shipping 89.0b1 with the various regressions being filed off it. We can consider re-landing it once those are resolved on Nightly.
https://hg.mozilla.org/releases/mozilla-beta/rev/2cd99c728148493e0ee78c765d53a4ca40638c61

Status: RESOLVED → REOPENED
Flags: needinfo?(gwatson)
Resolution: FIXED → ---
Target Milestone: 89 Branch → ---
Flags: needinfo?(gwatson)
Attachment #9215988 - Attachment is obsolete: true
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

The patch landed in nightly and beta is affected.
:gw, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
If yes, don't forget to request an uplift for the patches in the regressions caused by this fix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(gwatson)

redirecting to :kvark given Glenn's PTO

Flags: needinfo?(dmalyshau)

Comment on attachment 9217049 [details]
Bug 1700235 - Apply iframe clips on tile caches instead of prims.

Beta/Release Uplift Approval Request

  • User impact if declined: Potential security risk of malicious pages rendering over UI and luring the user to click on stuff they don't want to.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Copied from the first comment:
    1. Open Firefox with WebRender enabled
    2. Visit attached drawbar.bundle.html or hidebar.bundle.html
    3. The toolbar is now covered by background-image or background-color

    (If the toolbar is only partially covered on your screen, try zooming the page in or out, or increase the CSS scale() or <select> size.)

  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): It's not entirely trivial, and it didn't get much of the testing in Nightly yet.
  • String changes made/needed:
Flags: needinfo?(dmalyshau)
Attachment #9217049 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Requesting uplift

Flags: needinfo?(gwatson)
QA Whiteboard: [qa-triaged]
Regressions: 1708337
Attached image image

Hello! Using the attached TCs saved locally and the STR from comment 20, I managed to reproduce the issue with Firefox 88.0a1 (20210302134918) on Windows 10x64 as follows:

  1. opening drawbar.bundle.html displayed the toolbar and address bar covered by a background-image
  2. opening "Set title with the name" from hidebar.bundle.html and "set title with URL" opened a new window without the address bar displayed.

Using Firefox 90.0a1 (20210429092605) on Windows 10x64, macOS 10.12, and Ubuntu 20.04:

  1. clicking both options from hidebar.bundle.html opens a new window with address bar displayed
  2. opening drawbar.bundle.html no longer displays the background-image on the address bar and tab bar, but it is displayed underneath when zooming in/out.

Attached a screenshot with all results. Are these expected? Thank you in advance!

Flags: needinfo?(gwatson)

Thank you, Alexandru!
Given your observations, as well as the newly found regression, it's a tough call to make.
I think, given that the change still fixes the case of overlapping UI contents, it would be good to land in Beta. The security fix is more important than the drawbacks here.

Hi Alexandru,

Thanks for verifying - yes, those results appear to be as expected.

It's OK that we get some weird looking content inside the content frame for this test case (it involves extreme scale / stretching of a large image), so long as it doesn't draw on the main UI itself.

I'll investigate the attached regression today - if we can solve that easily, it's probably fine to uplift this.

Flags: needinfo?(gwatson)

Thank you both for all the information! Marking 90 as verified per the above comments.

Regressions: 1709270

Comment on attachment 9217049 [details]
Bug 1700235 - Apply iframe clips on tile caches instead of prims.

Approved for 89 beta 10, thanks.

Attachment #9217049 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: RESOLVED → VERIFIED

Verified fixed with 89.0b10 (20210509185840) on Windows10x64, macOS 11 and Ubuntu 18.04. The same results are displayed as in comment 22.

Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [adv-main89+]
Attached file advisory.txt
Alias: CVE-2021-29961
Group: core-security-release