Closed Bug 1770930 (CVE-2022-46881) Opened 2 years ago Closed 1 year ago

AddressSanitizer: stack-buffer-underflow [@ rx::`anonymous namespace'::SortAttributesByLayout] with WRITE of size 4

Categories

(Core :: Graphics, defect, P1)

x86_64
Windows
defect

Tracking

()

RESOLVED FIXED
106 Branch
Tracking Status
firefox-esr102 108+ fixed
firefox101 --- wontfix
firefox102 --- wontfix
firefox105 --- wontfix
firefox106 --- fixed
firefox107 --- fixed

People

(Reporter: decoder, Assigned: jgilbert)

References

(Regression)

Details

(4 keywords, Whiteboard: [fixed by bug 1779800][adv-esr102.6+])

Attachments

(3 files)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 102.0a1-20220507213841-https://hg.mozilla.org/mozilla-central/rev/1d8f6404d0b9dd80fb4e5d57c5fe6eeaf0ab5161.

For detailed crash information, see attachment.

Looks like we are hitting a left redzone, could it be that we are somehow reading before the array that we are accessing here? https://searchfox.org/mozilla-central/rev/1c391443f770eddc7cde9e52dba5ef50cc233c06/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/StateManager11.cpp#201

Group: core-security → gfx-core-security
Blocks: gfx-triage

This looks like a bug in Angle.

Severity: critical → S3
Severity: S3 → S2
Priority: -- → P1
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
No longer blocks: gfx-triage
Flags: needinfo?(jgilbert)
Flags: needinfo?(jgilbert)

Kelsey is going to take another look at this soon.

Flags: needinfo?(jgilbert)
Flags: needinfo?(jgilbert)

We used to do this thing called "collapseToDrawArrays", which you can see where in X we call glDrawArrays instead of glDrawElements.
This was removed in non-sec correctness bug 1779800.
The nature of this crash stack makes it likely that this was fixed by the correctness fixes in bug 1779800, and that previously, we were demanding invalid (thus unsafe) behavior from ANGLE.
This seems like it would be very difficult to exploit.

Bug 1779800 landed in 106, which is about to go to release.

@dveditz:
We would only need to backport it to esr102 to be covered, I think.
Should we do that in this bug?

Flags: needinfo?(jgilbert) → needinfo?(dveditz)
Depends on: 1779800

I am asking in bug 1779800 for uplift to esr102, under plausible/nearly-reasonable correctness concern reasons.

Flags: needinfo?(dveditz)
Regressed by: 1476327
Attached file fix plan

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Hard.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No bullseye, and we're asking for plausible uplift of a public correctness bug.

Which older supported branches are affected by this flaw?
Esr102

If not all supported branches, which bug introduced the flaw?
Bug 1476327.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No, shouldn't be too hard.

How likely is this patch to cause regressions; how much testing does it need?
We have a lot of tests, and this will cause more of them to pass.

Attachment #9299969 - Flags: sec-approval?

Comment on attachment 9299969 [details]
fix plan

sec-approved

Attachment #9299969 - Flags: sec-approval? → sec-approval+

Note that we weren't able to uplift bug 1779800 to ESR102 in time for the 102.5esr release because we're waiting on a rebased patch. Targeting 102.6esr now.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
Whiteboard: [fixed by bug 1779800]
Whiteboard: [fixed by bug 1779800] → [fixed by bug 1779800][adv-esr102.6+r]
Attached file advisory.txt
Whiteboard: [fixed by bug 1779800][adv-esr102.6+r] → [fixed by bug 1779800][adv-esr102.6+]
Alias: CVE-2022-46881
Group: gfx-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: