1715766 - (CVE-2021-30547) D3D11: Fix respecifying 3D textures

Status: RESOLVED FIXED

(Core :: Graphics: CanvasWebGL, defect)

Description

[Jeff Muizelaar [:jrmuizel]]

We found out about https://chromium-review.googlesource.com/c/angle/angle/+/2911032.

The details are unclear. Jeff Gilbert is going to investigate.

Comment 1

[Kelsey Gilbert [:jgilbert]]

Yeah, seems clear we need this. Here's our code, clearly unpatched:
https://searchfox.org/mozilla-central/rev/af8e5d37fd56be90ccddae2203e7b875d3f3ae87/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Image11.cpp#226

We're unlikely to be covered elsewhere. I'm requesting access to the Chromium issue, so I'll be able to know more, but this seems pretty cut-and-dry.

I'll get this cherry-picked for us.

Comment 2

[Pascal Chevrel:pascalc (PTO until April 26)]

Jeff, FYI, I am planning to do an 89 dot release (not security related) next week, building it on Monday and probably shipping on Wednesday, should I wait for this patch to be included in this dot release or is it a fix that can ride the 91 train? Also, do you know if ESR and mobile are affected? Thanks

Comment 3

[Kelsey Gilbert [:jgilbert]]

I'll have patches up today. Expect all branches to be effected.
This is simple enough that it could be a ride-along, and Chrome thought it was serious/high severity. (OOB write)

Comment 4

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1715766 - [angle] Cherry-pick 3d texture respec fix.

• Handle blank lines in moz.yaml.

Comment 5

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 9226631 [details]
Bug 1715766 - [angle] Cherry-pick 3d texture respec fix.

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Medium-hard. The upstream commit fix is vague, but it given the sec bug marking here and upstream, it's clear there's more to this. The upstream commit (that we cherry-pick) does include a test, but turning that into a useful exploit is fairly hard.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
• Which older supported branches are affected by this flaw?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: It should backport cleanly
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions: Small fix, taken (and uplifted) upstream.

Comment 6

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Comment on attachment 9226631 [details]
Bug 1715766 - [angle] Cherry-pick 3d texture respec fix.

Approved to land and uplift

Comment 7

[Julien Cristau [:jcristau]]

[angle] Cherry-pick 3d texture respec fix. r=lsalzman,jrmuizel
https://hg.mozilla.org/integration/autoland/rev/743226a3d588
https://hg.mozilla.org/mozilla-central/rev/743226a3d588

Comment 8

[Julien Cristau [:jcristau]]

https://hg.mozilla.org/releases/mozilla-beta/rev/e9fdf87e0a59ef46fc46580946efbb0983a057e5

Comment 9

[Julien Cristau [:jcristau]]

https://hg.mozilla.org/releases/mozilla-esr78/rev/b57fb5606415efc504e3dc035c219c238343479f

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Comment 11

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: advisory.txt

Comment 12

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: advisory.txt