Closed Bug 1758156 Opened 3 years ago Closed 3 years ago

A compromised content process can cause the parent to use WebGPU even if preffed off

Categories

(Core :: Graphics: WebGPU, defect)

Product:
Core
Component:
Graphics: WebGPU
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
100 Branch
Tracking Flags:
Tracking Status
firefox-esr91 98+ fixed
firefox97 - wontfix
firefox98 + fixed
firefox99 + fixed
firefox100 + fixed

People

(Reporter: nical, Assigned: nical)

References

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey])

Attachments

(2 files, 1 obsolete file)

Bug 1758156 - Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
pascalc
: approval-mozilla-release+
tjr
: sec-approval+
Details | Review
Bug 1758156 - Check the pref when creating PWebGPU parent actors. r=aosmond
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-esr91+
tjr
: sec-approval+
Details | Review

+++ This bug was initially created as a clone of Bug #1758070 +++

A compromised content process can cause the gpu process to create and manipulate GPU actors even if dom.webpu.enabled is set to false.

In 98 this is possible because ContentCompositorBridgeParent::AllocPWebGPUParent does not check the pref.

In 99 and later we need to check in CanvasManagerParent.

Group: core-security → gfx-core-security
Assignee: nobody → nical.bugzilla
Status: NEW → ASSIGNED

A better solution would check against the same value as reported by gfxConfig, which takes the pref as well as whether webgpu was blocked (for example due to buggy drivers) into account, but this still is good sanity check and easy to uplift.

Attachment #9266862 - Attachment description: Bug 1758156 - Assert that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond → Bug 1758156 - Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond

Comment on attachment 9266862 [details]
Bug 1758156 - Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not very easy but doable. The thing this is fixing was a part of a recent chain of exploits that used this as well as two more serious flaws.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All branches including esr91
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: This patch should apply cleanly all the way to release, D140535 is the esr91 version.
  • How likely is this patch to cause regressions; how much testing does it need?: Not likely, simple patch.

It is very hard to test (would need an exploit to compromise the content process in order to test it).

Attachment #9266862 - Flags: sec-approval?

Comment on attachment 9266867 [details]
Bug 1758156 - Check the pref when creating PWebGPU parent actors. r=aosmond

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not very easy but doable. The thing this is fixing was a part of a recent chain of exploits that used this as well as two more serious flaws.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all of them.
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Not very risky, but I would like to land the other patch in nightly first and wait for a day or two before getting this one into esr just to be extra safe.

Very hard to test, would need to first compromise the content process to get into what this patch is trying to prevent.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Without this patch, if an attacker can compromise the content process via one security flaw and knows about another security flaw in WebGPU on the Parent process, then the attacker can chain the two exploits even if the webgpu pref is disabled. This is what happened in CVE-2022-26486.
    It is important because the webgpu pref is currently disabled by default on all channels, we are still in the process of fuzzing webgpu and we have some open bug for issues found by fuzzers.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Not very risky, but I would like to land the other patch in nightly first and wait for a day or two before getting this one into esr just to be extra safe.
Attachment #9266867 - Flags: sec-approval?
Attachment #9266867 - Flags: approval-mozilla-esr91?
Attachment #9266557 - Attachment is obsolete: true
See Also: → 1758549

Comment on attachment 9266862 [details]
Bug 1758156 - Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond

Approved to land in Nightly and uplift to beta when Nical feels it's ready

Attachment #9266862 - Flags: sec-approval? → sec-approval+

Comment on attachment 9266867 [details]
Bug 1758156 - Check the pref when creating PWebGPU parent actors. r=aosmond

Approved to uplift to esr when Nical feels it's ready

Attachment #9266867 - Flags: sec-approval? → sec-approval+

Landed: https://hg.mozilla.org/integration/autoland/rev/fd02141cc64d1ce879eb965d7995fac61dae57fb

Backed out for causing build bustages in CanvasManagerParent.obj:
https://hg.mozilla.org/integration/autoland/rev/e01d5975a6b3421db0e120e5bc05749a5bd0cb22

Push which ran failing task
Failure log

[task 2022-03-09T14:05:48.541Z] 14:05:48    ERROR -  /builds/worker/checkouts/gecko/gfx/ipc/CanvasManagerParent.cpp:93:21: error: no member named 'dom_webgpu_enabled' in namespace 'mozilla::StaticPrefs'
[task 2022-03-09T14:05:48.541Z] 14:05:48     INFO -    if (!StaticPrefs::dom_webgpu_enabled()) {
[task 2022-03-09T14:05:48.541Z] 14:05:48     INFO -         ~~~~~~~~~~~~~^
[task 2022-03-09T14:05:48.541Z] 14:05:48     INFO -  1 error generated.
Flags: needinfo?(nical.bugzilla)

(In reply to Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout) from comment #8)

[task 2022-03-09T14:05:48.541Z] 14:05:48    ERROR -  /builds/worker/checkouts/gecko/gfx/ipc/CanvasManagerParent.cpp:93:21: error: no member named 'dom_webgpu_enabled' in namespace 'mozilla::StaticPrefs'
[task 2022-03-09T14:05:48.541Z] 14:05:48     INFO -    if (!StaticPrefs::dom_webgpu_enabled()) {
[task 2022-03-09T14:05:48.541Z] 14:05:48     INFO -         ~~~~~~~~~~~~~^
[task 2022-03-09T14:05:48.541Z] 14:05:48     INFO -  1 error generated.

Looks like it's missing an #include "mozilla/StaticPrefs_dom.h" in that file...

Comment on attachment 9266862 [details]
Bug 1758156 - Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond

Beta/Release Uplift Approval Request

  • User impact if declined: Compromised content process can make the GPU or parent process run preffed off WebGPU code that isn't robust enough and may use it to craft exploits.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple patch, landed on nightly
  • String changes made/needed: None
Flags: needinfo?(nical.bugzilla)
Attachment #9266862 - Flags: approval-mozilla-release?
Attachment #9266862 - Flags: approval-mozilla-beta?

Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond
https://hg.mozilla.org/integration/autoland/rev/4822222716a104ba3190b23c2450727819f749b9
https://hg.mozilla.org/mozilla-central/rev/4822222716a1

Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox100: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch

Comment on attachment 9266862 [details]
Bug 1758156 - Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond

Approved for 99.0b2. Thanks.

Attachment #9266862 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Tom, can we have a release note wording for this patch as we will include it in a dot release? Thanks

Flags: needinfo?(tom)

Comment on attachment 9266862 [details]
Bug 1758156 - Check that the webgpu pref is enabled when creating PWebGPUParent. r=aosmond

Approved for our upcoming 98 dot release.

Attachment #9266862 - Flags: approval-mozilla-release? → approval-mozilla-release+

Comment on attachment 9266867 [details]
Bug 1758156 - Check the pref when creating PWebGPU parent actors. r=aosmond

Approved for our upcoming ESR dot release 91.7.1
This will land on both FIREFOX_ESR_91_7_X_RELBRANCH and for the next 91.8 release.

Attachment #9266867 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(nical.bugzilla)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]
Flags: needinfo?(nical.bugzilla)
Flags: needinfo?(tom)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: