Closed Bug 1701834 (CVE-2021-23996) Opened 1 year ago Closed 1 year ago

I'm able to render HTML content on top of Firefox's address bar and tab bar

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking


RESOLVED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- wontfix
firefox88 + fixed
firefox89 + fixed

People

(Reporter: colin, Assigned: kvark)

References

(Regression, )

Details

(Keywords: csectype-spoof, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main88+])

Attachments

(3 files, 1 obsolete file)

I was fiddling around with 3D CSS (e.g. turning on perspective, rendering cubes using CSS) and using JS to abuse this (too many divs) when I discovered that certain cubes in a 10x10x10 block of cubes were appearing above the Firefox webpage viewport.

At first I just thought it was amusing, but I then realised it is an actual security concern as the content can be arbitrary, and could e.g. replace the address bar's default content for someone better at HTML than I.

I have created a simple HTML page (including CSS) which reproduces the issue in current Firefox (87.0 64-bit running on MacOS X High Sierra), and demonstrates that it could be used to render 2D flat content appearing over the 2D flat content of Firefox's own UI. In my test case it simply shows a red square with "Hi" written in it.

Flags: sec-bounty?
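The reporter's own test case (test4.html) is not reproduced on this page. As an added example that is not the reporter's file or Mozilla's code, the script below generates a page in the shape the description gives: a 10x10x10 block of CSS cubes (1000 cubes, 6000 faces) under a perspective container, with the whole block tilted by a slight rotateX(1deg) so the transform is not axis-aligned, and each face a red square labelled "Hi". Class names, sizes, colours and the exact transform chain are assumptions; whether the output triggers the WebRender clipping bug on a given build is not guaranteed, so treat it as a starting point for a repro, not as a proof of exposure.

```javascript
// Added example, not the reporter's test4.html. Builds a 3D-CSS stress page
// from the bug description: a SIDE x SIDE x SIDE block of cubes under a
// perspective container, tilted by rotateX(1deg). All names and numbers here
// are assumptions made for illustration.

const SIDE = 10;   // cubes per axis: 10x10x10 = 1000 cubes
const CUBE = 40;   // cube edge length in px
const GAP = 60;    // distance between cube centres in px

// Rotations that bring a square face into each of the six cube-face
// orientations; each is then pushed out along Z by half an edge.
const FACES = [
  'rotateY(0deg)', 'rotateY(90deg)', 'rotateY(180deg)', 'rotateY(-90deg)',
  'rotateX(90deg)', 'rotateX(-90deg)',
];

// One cube positioned at grid coordinates (x, y, z), centred on the block.
function cubeHtml(x, y, z, side, label) {
  const half = (side * GAP) / 2;
  const tx = x * GAP - half;
  const ty = y * GAP - half;
  const tz = z * GAP - half;
  const faces = FACES.map((rot) =>
    `<div class="face" style="transform:${rot} translateZ(${CUBE / 2}px)">${label}</div>`
  ).join('');
  return `<div class="cube" style="transform:translate3d(${tx}px,${ty}px,${tz}px)">${faces}</div>`;
}

// Full page: CSS for the perspective scene plus the generated cube block.
function buildPage(side = SIDE, label = 'Hi') {
  let cubes = '';
  for (let x = 0; x < side; x++) {
    for (let y = 0; y < side; y++) {
      for (let z = 0; z < side; z++) {
        cubes += cubeHtml(x, y, z, side, label);
      }
    }
  }
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>3D CSS overdraw check</title>
<style>
html,body{margin:0;height:100%;overflow:hidden;background:#fff}
.scene{width:100%;height:100%;perspective:300px;transform-style:preserve-3d}
.block{position:absolute;left:50%;top:50%;transform-style:preserve-3d;transform:rotateX(1deg)}
.cube{position:absolute;width:${CUBE}px;height:${CUBE}px;transform-style:preserve-3d}
.face{position:absolute;width:${CUBE}px;height:${CUBE}px;background:red;color:#fff;
      font:12px sans-serif;text-align:center;line-height:${CUBE}px;backface-visibility:visible}
</style></head>
<body><div class="scene"><div class="block">${cubes}</div></div></body></html>
`;
}

// Counts how many cubes a generated page contains; handy for sanity checks.
function countCubes(html) {
  return (html.match(/class="cube"/g) || []).length;
}

// When run directly: node repro.js > repro.html, then open the file in the
// build under test and look for red "Hi" squares above the content area.
if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(buildPage());
}

module.exports = { buildPage, cubeHtml, countCubes, SIDE, FACES };
```

Open the generated file in Firefox 87 with WebRender on and again with gfx.webrender.force-disabled set to true, as in the triage comments below, and compare: if squares appear over the toolbar area only in the WebRender run, the clipping path is what is misbehaving, not the page layout.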

Nice, thanks for filing! Jim, can you take a look at this, please?

Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Type: task → defect
Component: Security → Graphics
Ever confirmed: true
Flags: needinfo?(jmathies)
Product: Firefox → Core

This testcase doesn't work on ESR-78: the content is distorted and trapped at the top of the browser window

I can reproduce this on Release 87.0 and Nightly 89 (on mac). On Release gfx.webrender.enabled is false, but if I set gfx.webrender.force-disabled to true then the testcase is rendered harmless like ESR (so I guess some of webrender is on even when it's not enabled? Or is that just a dead pref now?).

Webrender is not respecting the content boundaries.

Group: core-security → gfx-core-security
Component: Graphics → Graphics: WebRender

Looks like we're not clipping something when we should be. I'm not surprised that 3d transforms are involved.

Glenn, can you take a look?

Flags: needinfo?(gwatson)
Attached file test4.html

Here's a reduced test case that doesn't show the drawing over chrome problem but does show different behaviour vs Safari and Chrome. Also notable is that changing the `rotateX(1deg)` to `rotateX(0deg)` causes more correct rendering.

The reduced test case also renders correctly with WebRender turned off.

Blocks: gfx-triage
Flags: needinfo?(jmathies)
Assignee: nobody → gwatson
Flags: needinfo?(gwatson)

mozregression output:

 6:15.38 INFO: No more integration revisions, bisection finished.
 6:15.38 INFO: Last good revision: 6b89ff1b983e3f136ada5248ed47e8632bf1df1c
 6:15.38 INFO: First bad revision: 3013857e53518e740937da32d92d7d68cc926a05
 6:15.38 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6b89ff1b983e3f136ada5248ed47e8632bf1df1c&tochange=3013857e53518e740937da32d92d7d68cc926a05

So it started occurring as part of https://phabricator.services.mozilla.com/D92135.

It should still be getting clipped to the content frame, some possibilities are:

  • The change to the flattening of the transform matrix breaks something in the clip mask generation or sampling.
  • The clipping was always broken and the patch in question just changes whether it was considered backface-visible or not.

Dzmitry, would you be able to take a look at this?

Flags: needinfo?(dmalyshau)
Assignee: gwatson → dmalyshau
Has Regression Range: --- → yes

Comment on attachment 9212910 [details]
Roll back flattening Z to only affect the output

Revision D110463 was moved to bug 1702331. Setting attachment 9212910 [details] to obsolete.

Attachment #9212910 - Attachment is obsolete: true
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(dmalyshau)
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Flags: in-testsuite+
Target Milestone: --- → 89 Branch
No longer blocks: gfx-triage
Flags: sec-bounty? → sec-bounty+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(dmalyshau)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]

filled out

Flags: needinfo?(dmalyshau)
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey] → [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main88+]
Alias: CVE-2021-23996
Group: core-security-release