Closed Bug 1836705 (CVE-2023-5724) Opened 1 year ago Closed 1 year ago

Firefox Container Overflow in WebGL Vulnerability

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Firefox 116
Unspecified
Linux
defect

Tracking

RESOLVED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 119+ fixed
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- fixed

People

(Reporter: pwn2car, Assigned: jgilbert)

Details

(5 keywords, Whiteboard: [fixed in bug 1849433][adv-main119+][adv-ESR115.4+])

Attachments

(2 files, 2 obsolete files)

Attached file poc.html

Steps to reproduce:

An attacker must open an arbitrarily generated HTML file to exploit this vulnerability.

  1. Open the VMware Fusion Ubuntu desktop.
  2. Start the PoC server: python3 -m http.server 9292
  3. ./firefox
  4. Open http://localhost:9292/poc.html

Actual results:

  1. Exact product that was found to be vulnerable including complete version information
    a. Product : VMware Fusion Professional 13.0.2 / Ubuntu 22.04.2 LTS / Linux Kernel 5.19.0-43-generic
    b. HOST : macOS 13.3.1 (a)

  2. Crash log - firefox

Crash Annotation GraphicsCriticalError: |[0][GFX1-]: vaapitest: ERROR (t=2.60144) [GFX1-]: vaapitest: ERROR
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: vaapitest: ERROR (t=2.60144) |[1][GFX1-]: vaapitest: VA-API test failed: failed to initialise VAAPI connection.
 (t=2.60195) [GFX1-]: vaapitest: VA-API test failed: failed to initialise VAAPI connection.

console.error: ({})
JavaScript error: resource://gre/modules/XULStore.sys.mjs, line 60: Error: Can't find profile directory.
console.warn: TopSitesFeed: Failed to fetch data from Contile server: can't access property "match", cacheHeader is null
JavaScript error: resource://gre/modules/PromiseWorker.sys.mjs, line 102: Error: Could not get children of file(/home/xixon0531/.mozilla/firefox/lo5wnkso.default-default-1/thumbnails) because it does not exist
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9925==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0c43e00000 (pc 0x7f0c6d4d9606 bp 0x616000728180 sp 0x7f0c717fa068 T34)
==9925==The signal is caused by a WRITE memory access.
    #0 0x7f0c6d4d9606  (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xad9606) (BuildId: 293fc30af36a77064beef6344631fdf788ebaacb)
    #1 0x7f0c6d3c7daa  (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0x9c7daa) (BuildId: 293fc30af36a77064beef6344631fdf788ebaacb)
    #2 0x7f0c6d3933ab  (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0x9933ab) (BuildId: 293fc30af36a77064beef6344631fdf788ebaacb)
    #3 0x7f0c6cc76034  (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0x276034) (BuildId: 293fc30af36a77064beef6344631fdf788ebaacb)
    #4 0x7f0d17b2f6eb in raw_fDrawArraysInstanced /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:2506:5
    #5 0x7f0d17b2f6eb in mozilla::gl::GLContext::fDrawArraysInstanced(unsigned int, int, int, int) /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:2490:5
    #6 0x7f0d17b2c3de in mozilla::WebGLContext::DrawArraysInstanced(unsigned int, int, int, int) /builds/worker/checkouts/gecko/dom/canvas/WebGLContextDraw.cpp:815:13
    #7 0x7f0d17c08616 in DrawArraysInstanced /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h:750:15
    #8 0x7f0d17c08616 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 100ul, void (mozilla::HostWebGLContext::*)(unsigned int, int, int, int) const, &mozilla::HostWebGLContext::DrawArraysInstanced(unsigned int, int, int, int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned int, int, int, int>(auto&...) const /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:253:13
    #9 0x7f0d17bb7406 in __invoke_impl<bool, (lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned int &, int &, int &, int &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #10 0x7f0d17bb7406 in __invoke<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned int &, int &, int &, int &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #11 0x7f0d17bb7406 in __apply_impl<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned int, int, int, int> &, 0UL, 1UL, 2UL, 3UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #12 0x7f0d17bb7406 in apply<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned int, int, int, int> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #13 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:244:14
    #14 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #15 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #16 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #17 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #18 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #19 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #20 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #21 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #22 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #23 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #24 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #25 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #26 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #27 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #28 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #29 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #30 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #31 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #32 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #33 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #34 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #35 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #36 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #37 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #38 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #39 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #40 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #41 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #42 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #43 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #44 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #45 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #46 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #47 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #48 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #49 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #50 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #51 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #52 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #53 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #54 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #55 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #56 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #57 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #58 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #59 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #60 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #61 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #62 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #63 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #64 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #65 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #66 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #67 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #68 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #69 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #70 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #71 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #72 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #73 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #74 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #75 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #76 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #77 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #78 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #79 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #80 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #81 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #82 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #83 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #84 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #85 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #86 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #87 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #88 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #89 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #90 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #91 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #92 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #93 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #94 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #95 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #96 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #97 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #98 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #99 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #100 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #101 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #102 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #103 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #104 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #105 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #106 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #107 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #108 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #109 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #110 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #111 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #112 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #113 0x7f0d17bb7406 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #114 0x7f0d17bb7406 in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::BigBuffer&&, unsigned long) /builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp:62:21
    #115 0x7f0d17cd95b6 in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:229:79
    #116 0x7f0d1428490e in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
    #117 0x7f0d12dc14ad in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
    #118 0x7f0d12dbdfa3 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
    #119 0x7f0d12dbf0bb in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
    #120 0x7f0d12dc00b2 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
    #121 0x7f0d113725dd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:16
    #122 0x7f0d1137fc54 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #123 0x7f0d12dca30a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
    #124 0x7f0d12c1b22a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:368:10
    #125 0x7f0d12c1b22a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
    #126 0x7f0d12c1b22a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
    #127 0x7f0d11368cff in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #128 0x7f0d2f6eab3f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #129 0x7f0d2f494b42 in start_thread nptl/pthread_create.c:442:8
    #130 0x7f0d2f5269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xad9606) (BuildId: 293fc30af36a77064beef6344631fdf788ebaacb) 
Thread T34 created by T0 here:
    #0 0x55dc073d55ca in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f0d2f6d92a4 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f0d2f6c6e9e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f0d1136cabc in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:634:18
    #4 0x7f0d1137d4fe in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
    #5 0x7f0d1138b04c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:175:57
    #6 0x7f0d14240965 in NS_NewNamedThread<15UL> /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:76:10
    #7 0x7f0d14240965 in mozilla::gfx::CanvasRenderThread::Start() /builds/worker/checkouts/gecko/gfx/ipc/CanvasRenderThread.cpp:55:17
    #8 0x7f0d1406f440 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1315:9
    #9 0x7f0d1406843b in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:974:3
    #10 0x7f0d1406ee5f in GetPlatform /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:464:5
    #11 0x7f0d1406ee5f in gfxPlatform::InitializeCMS() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:2109:9
    #12 0x7f0d1bb525eb in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:968:7
    #13 0x7f0d1bb525eb in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:519:5
    #14 0x7f0d1bb525eb in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:1013:9
    #15 0x7f0d1bb519cf in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:993:17
    #16 0x7f0d1bb57926 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:1437:47
    #17 0x7f0d1ba8c08c in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:465:12
    #18 0x7f0d1ba8c08c in GetAccentColor /builds/worker/checkouts/gecko/widget/ThemeColors.cpp:91:7
    #19 0x7f0d1ba8c08c in mozilla::widget::ThemeColors::RecomputeAccentColors() /builds/worker/checkouts/gecko/widget/ThemeColors.cpp:195:20
    #20 0x7f0d1ba8bb1d in mozilla::widget::Theme::LookAndFeelChanged() /builds/worker/checkouts/gecko/widget/Theme.cpp:182:3
    #21 0x7f0d1bb4f5af in nsXPLookAndFeel::GetInstance() /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:409:3
    #22 0x7f0d1bb583e5 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /builds/worker/checkouts/gecko/widget/nsXPLookAndFeel.cpp:1550:3
    #23 0x7f0d1118d6c7 in nsSystemInfo::Init() /builds/worker/checkouts/gecko/xpcom/base/nsSystemInfo.cpp:1081:5
    #24 0x7f0d112e30ad in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11930:7
    #25 0x7f0d1130c022 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:184:46
    #26 0x7f0d1130c022 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:971:17
    #27 0x7f0d1130d55f in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1061:10
    #28 0x7f0d112f448d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:13134:50
    #29 0x7f0d130ee86c in assign_from_helper /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:897:7
    #30 0x7f0d130ee86c in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:533:5
    #31 0x7f0d130ee86c in GetServiceImpl /builds/worker/checkouts/gecko/js/xpconnect/src/JSServices.cpp:83:32
    #32 0x7f0d130ee86c in GetService /builds/worker/checkouts/gecko/js/xpconnect/src/JSServices.cpp:130:8
    #33 0x7f0d130ee86c in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /builds/worker/checkouts/gecko/js/xpconnect/src/JSServices.cpp:153:25
    #34 0x7f0d21e64d3b in CallResolveOp /builds/worker/checkouts/gecko/js/src/vm/NativeObject-inl.h:666:8
    #35 0x7f0d21e64d3b in NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject-inl.h:778:14
    #36 0x7f0d21e64d3b in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2239:10
    #37 0x7f0d21e64d3b in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2287:10
    #38 0x7f0d21ada4f9 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:118:10
    #39 0x7f0d21ada4f9 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:125:10
    #40 0x7f0d21ada4f9 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4787:10
    #41 0x7f0d21aacc2c in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:245:10
    #42 0x7f0d21aacc2c in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3050:12
    #43 0x7f0d21a9224b in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
    #44 0x7f0d21a9224b in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
    #45 0x7f0d21a9368c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #46 0x7f0d21a95606 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #47 0x7f0d21a95606 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #48 0x7f0d21a97456 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:801:10
    #49 0x7f0d21e656ad in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2080:12
    #50 0x7f0d21e656ad in GetExistingProperty<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2108:12
    #51 0x7f0d21e656ad in NativeGetPropertyInline<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2256:14
    #52 0x7f0d21e656ad in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2287:10
    #53 0x7f0d21ada4f9 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:118:10
    #54 0x7f0d21ada4f9 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:125:10
    #55 0x7f0d21ada4f9 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4787:10
    #56 0x7f0d21aacc2c in GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:245:10
    #57 0x7f0d21aacc2c in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3050:12
    #58 0x7f0d21a9224b in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10
    #59 0x7f0d21a9224b in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
    #60 0x7f0d21a9368c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
    #61 0x7f0d21a95606 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10
    #62 0x7f0d21a95606 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8
    #63 0x7f0d21bfc902 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:53:10
    #64 0x7f0d1313092d in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
    #65 0x7f0d113d16f9 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #66 0x7f0d113d03fa in SharedStub xptcstubs_x86_64_linux.cpp
    #67 0x7f0d1130509b in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:682:19
    #68 0x7f0d216bde29 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:811:11
    #69 0x7f0d2169a35e in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5404:18
    #70 0x7f0d2169cced in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5859:8
    #71 0x7f0d2169de41 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5915:21
    #72 0x55dc0742b0e4 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
    #73 0x55dc0742b0e4 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
    #74 0x7f0d2f429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

==9925==ABORTING
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.

  1. Root Cause Analysis (recommended but not required)
    a.
    /source/dom/canvas/WebGLContextDraw.cpp
void WebGLContext::DrawArraysInstanced(const GLenum mode, const GLint first,
                                     const GLsizei vertCount,
                                     const GLsizei instanceCount) {
const FuncScope funcScope(*this, "drawArraysInstanced");
// AUTO_PROFILER_LABEL("WebGLContext::DrawArraysInstanced", GRAPHICS);
if (IsContextLost()) return;
const gl::GLContext::TlsScope inTls(gl);

// -

if (!ValidateNonNegative("first", first) ||
    !ValidateNonNegative("vertCount", vertCount) ||
    !ValidateNonNegative("instanceCount", instanceCount)) {
  return;
}

if (IsWebGL2() && !gl->IsSupported(gl::GLFeature::prim_restart_fixed)) {
  MOZ_ASSERT(gl->IsSupported(gl::GLFeature::prim_restart));
  if (mPrimRestartTypeBytes != 0) {
    mPrimRestartTypeBytes = 0;

    // OSX appears to have severe perf issues with leaving this enabled.
    gl->fDisable(LOCAL_GL_PRIMITIVE_RESTART);
  }
}

// -

const auto fetchLimits = ValidateDraw(this, mode, instanceCount);
if (!fetchLimits) return;

// -

const auto totalVertCount_safe = CheckedInt<uint32_t>(first) + vertCount;
if (!totalVertCount_safe.isValid()) {
  ErrorOutOfMemory("`first+vertCount` out of range.");
  return;
}
auto totalVertCount = totalVertCount_safe.value();

if (vertCount && instanceCount && totalVertCount > fetchLimits->maxVerts) {           //[1] <--don't check it properly
  ErrorInvalidOperation(
      "Vertex fetch requires %u, but attribs only supply %u.", totalVertCount,
      uint32_t(fetchLimits->maxVerts));
  return;
}

/gfx/gl/GLContext.h

void raw_fDrawArraysInstanced(GLenum mode, GLint first, GLsizei count,
                              GLsizei primcount) {
  BEFORE_GL_CALL;
  ASSERT_SYMBOL_PRESENT(fDrawArraysInstanced);
  mSymbols.fDrawArraysInstanced(mode, first, count, primcount);
  AFTER_GL_CALL;
}

/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xad9606

  __int64 __fastcall sub_AD95F0(int a1, int a2, _DWORD *a3)
{
  unsigned int v3; // esi
  int v4; // ecx
  __int64 v5; // rax
  __int64 v6; // r8
  __int64 v7; // rax
  _DWORD *v8; // rsi
  __int64 result; // rax

  v3 = a2 - 2;
  if ( v3 )
  {
    v4 = a1;
    LODWORD(v5) = 0;
    do
    {
      v6 = v5;
      v5 = (v5 + 2);
      a3[v6] = v4++;          // <-- Crash here!
      a3[v6 + 1] = v4;
    }
    while ( v5 < v3 );
    v7 = v5;
    v8 = &a3[v7];
    result = v7 * 4 + 4;
    *v8 = v4;
    *(a3 + result) = a1;
  }
  else
  {
    result = 4LL;
    *a3 = a1;
    a3[1] = a1;
  }
  return result;
}

Does not properly check the vertCount value. The vertCount value causes container overflow on vmwgfx_dri.so+0xad9606.

  1. Proof-of-Concept
    a. Please check the attachment file.

  2. This bug may enable sandbox escape.

Expected results:

WebGL had to work normally

Summary: Firfox Container Overflow Vulnerability → Firefox Container Overflow Vulnerability
Summary: Firefox Container Overflow Vulnerability → Firefox Container Overflow in WebGL Vulnerability
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: CanvasWebGL
Product: Firefox → Core

Does Chrome handle this case OK? It looks like a driver bug, and I thought both Firefox and Chrome used the ANGLE library to process the shader language before sending it to the drivers in webGL. I could be misunderstanding that though.

Flags: needinfo?(pwn2car)
Flags: needinfo?(jgilbert)

Hello

However, this vulnerability does not occur in Chrome. Container Overflow occurs only in Firefox.

Flags: needinfo?(pwn2car)

If this isn't in Chrome, I'll assume this is something we could fix, until shown otherwise.

It does look like a driver bug, but one we are capable of working around.
It looks like the driver is not handling (large? any?) vertCount when nothing is bound, even though it should by-spec handle this case.

The core piece is really just this, with no setup:

        gl.drawArraysInstanced(gl.LINE_LOOP, 10, 1105156025, 1);
Flags: needinfo?(jgilbert)

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jgilbert)
Assignee: nobody → jgilbert
Severity: -- → S3
Flags: needinfo?(jgilbert)
Priority: -- → P1

Ok yeah this may be indeed an overflow, where 1.1B of 4bytes might cause issues even just in calculations. We can just set a lower limit than is actually API-possible.

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:jgilbert, could you consider increasing the severity of this security bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(jgilbert)
Attachment #9341812 - Attachment is obsolete: true

any update?

I'm working on a fix.

Flags: needinfo?(jgilbert)

If you try in about:config webgl.force-index-validation: 1, does it still crash?

Flags: needinfo?(pwn2car)

yes.

Firefox 118.0a1 still crashes

Has the patch been applied yet?

Thank you for your continued interest in this vulnerability.

Flags: needinfo?(pwn2car)

Could you tell me the scheduled date of the patch?

Thank you!

gl.drawArraysInstanced(gl.LINE_LOOP, 10, 1105156025, 1);

becomes something like:

glDrawArrays(LINE_LOOP, first_vert=10, vert_count=0x41df_57b9, instance_count=1)

svga polyfills LINE_LOOP as LINES, and in:
https://gitlab.freedesktop.org/mesa/mesa/-/blob/main/src/gallium/auxiliary/indices/u_indices.c#L170
u_index_count_converted_indices(prim=LINE_LOOP, nr:0x41df_57b9) -> 2*0x41df_57b9 = 0x83be_af72

Also, we get: *out_index_size = ((start + nr) > 0xfffe) ? 4 : 2; -> *out_index_size = 4

There is an integer math overflow in the Mesa driver for allocation of a temporary index buffer when polyfilling LINE_LOOP as LINES in gallium/svga (vmwgfx) in generate_indices(nr=0x83be_af72, index_size=4):
https://gitlab.freedesktop.org/mesa/mesa/-/blob/main/src/gallium/drivers/svga/svga_draw_arrays.c#L50

static enum pipe_error
generate_indices(struct svga_hwtnl *hwtnl,
                 unsigned nr,
                 unsigned index_size,
                 u_generate_func generate, struct pipe_resource **out_buf)
{
   struct pipe_context *pipe = &hwtnl->svga->pipe;
   struct pipe_transfer *transfer;
   unsigned size = index_size * nr;  // <- u32 overflow for (index_size=4) * (nr=0x83be_af72) = u32(0x2_0efa_bdc8) = 0x0efa_bdc8*
   struct pipe_resource *dst = NULL;

   void *dst_map = NULL;

   dst = pipe_buffer_create(pipe->screen, PIPE_BIND_INDEX_BUFFER,
                            PIPE_USAGE_IMMUTABLE, size);
   if (!dst)
      goto fail;

   dst_map = pipe_buffer_map(pipe, dst, PIPE_MAP_WRITE, &transfer);
   if (!dst_map)
      goto fail;

   generate(0, nr, dst_map); // The disassembly with the crash is called here
[...]

Effectively, this driver has a max safe LINE_LOOP vertex count of 0xffff_ffff/2/4=0x1fff_ffff.
If we were to need a polyfill for TRIANGLE_STRIP or TRIANGLE_FAN, then u_index_count_converted_indices(nr) -> (nr-2)*3, so a max safe vertex count of (x-2)*3*(index_size=4) = 0xffff_ffff => x = 0xffff_ffff/3/4+2 = 0x1555_5557. (~358M)

These are all pretty unreasonable numbers. I think the safe thing to do is to just claim OUT_OF_MEMORY above some arbitrary limit like 10M, which both leaves us tons of safety margin and also is more verts than is reasonable in one draw call. We can have a pref for it for tuning and testing.

FWIW, the source code for the disassembly with the crashing line is generated here:
https://gitlab.freedesktop.org/mesa/mesa/-/blob/main/src/gallium/auxiliary/indices/u_indices_gen.py#L222

Is this exploitable? You would need to control where this freshly allocated buffer gets mapped to, and aim your destination e.g. object for writes directly after it.

This affects both 32bit and 64bit. (sizeof(unsigned) -> 4)

How many users hit this?
I believe it's just users who run mesa/vmwgfx for their graphics driver. (I think just Linux on vmware?)
According to telemetry: https://firefoxgraphics.github.io/telemetry/#view=linux
Of Linux users, mesa/vmwgfx - 1.9%
Of all users, Linux - 4.3%
So of all users, Linux+mesa/vmwgfx is 0.0817% (~1:1200)

Here are my reassembly notes:

// gl.drawArraysInstanced(gl.LINE_LOOP, 10, 1105156025=0x41df_57b9, 1);
 __int64 __fastcall sub_AD95F0(int a1:first_vert_id, int a2:segment_vert_count, _DWORD *a3:connected_vert_id_by_segmented_vert_id)
{
  //unsigned int v3; // esi
  int v4; // ecx
  __int64 v5; // rax
  __int64 v6; // r8
  __int64 v7; // rax
  _DWORD *v8; // rsi
  __int64 result; // rax

  //v3 = a2 - 2;
  //if (a2 - 2) // if ( v3 )
  {
    v4:connected_vert_id = first_vert_id;
    LODWORD(v5:segmented_vert_id) = 0;
    for (; segmented_vert_id < segment_vert_count-2;) //do
    {
      //v6 = v5;
      //v5 = (v5 + 2);
      a3:segment_vert_id_pairs[segmented_vert_id] = connected_vert_id;  (v4 += 1;)  //a3[v6] = v4++;          // <-- Crash here!
      a3:segment_vert_id_pairs[segmented_vert_id + 1] = connected_vert_id+1; // a3[v6 + 1] = v4;
      connected_vert_id += 1;
      segmented_vert_id += 2;
    }
    //while ( v5 < v3 );
    //v7 = v5;
    //v8 = &a3[v5]; // v8 = &a3[v7];
    //result = v5 * 4 + 4; //result = v7 * 4 + 4;
    index_data_as_segments[v5] = connected_vert_id; // *v8 = v4;
    index_data_as_segments[v5+1] = first_vert_id;
    //*(a3 + result) = a1;
    result:segmented_vert_id_data_byte_size = segmented_vert_id*sizeof(*connected_vert_id_by_segmented_vert_id);
  }
  /*else
  {
    result = 4LL;
    a3[0] = a1;
    a3[1] = a1;
  }*/
  return result;
}
Depends on: 1849433
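The arithmetic in the reporter's root-cause section and in the comment above (LINE_LOOP polyfilled as LINES doubling the index count, the 2-vs-4-byte index size rule, `unsigned size = index_size * nr` wrapping in generate_indices(), and the proposed "claim OUT_OF_MEMORY above ~10M verts" guard) can be checked with a small stand-alone model. This is an added example, not code from Mesa or from Firefox: the function names, the enum and the 10M cap are assumptions made for illustration, and the numeric inputs are the values quoted in the bug (first=10, vertCount=1105156025=0x41df_57b9).

```c
/* Added example (not Mesa's or Firefox's code): models the index-buffer
 * size arithmetic discussed in this bug and a browser-side vertex cap. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical primitive enum, only the polyfilled cases from the comment. */
enum prim { PRIM_LINE_LOOP, PRIM_TRIANGLE_STRIP, PRIM_TRIANGLE_FAN };

/* Index count after the driver converts the primitive to a list, mirroring
 * the two cases quoted from u_index_count_converted_indices(). Computed in
 * 64 bits so the caller can see the true (unwrapped) value. */
static uint64_t converted_index_count(enum prim p, uint64_t nr) {
    switch (p) {
    case PRIM_LINE_LOOP:     return 2 * nr;               /* LINE_LOOP -> LINES */
    case PRIM_TRIANGLE_STRIP:
    case PRIM_TRIANGLE_FAN:  return nr < 2 ? 0 : (nr - 2) * 3;
    }
    return 0;
}

/* Element size rule quoted in the comment: 4-byte indices once start+nr > 0xfffe. */
static unsigned index_size_for(uint64_t start, uint64_t nr) {
    return (start + nr) > 0xfffe ? 4 : 2;
}

/* The unchecked computation as in generate_indices(): unsigned wraps modulo 2^32,
 * so an oversized request silently allocates a much smaller buffer. */
static unsigned buffer_size_unchecked(unsigned nr, unsigned index_size) {
    return index_size * nr;
}

/* Hardened form: widen before multiplying and refuse sizes that do not fit. */
static bool buffer_size_checked(unsigned nr, unsigned index_size, unsigned *out) {
    uint64_t wide = (uint64_t)index_size * nr;
    if (wide > UINT32_MAX) return false;
    *out = (unsigned)wide;
    return true;
}

/* Largest vertex count whose converted index buffer still fits in 32 bits,
 * the same derivation the comment gives (0x1fff_ffff and 0x1555_5557 for 4-byte indices). */
static uint64_t max_safe_vert_count(enum prim p, unsigned index_size) {
    switch (p) {
    case PRIM_LINE_LOOP:     return UINT32_MAX / 2 / index_size;
    case PRIM_TRIANGLE_STRIP:
    case PRIM_TRIANGLE_FAN:  return UINT32_MAX / 3 / index_size + 2;
    }
    return 0;
}

/* Browser-side guard in the spirit of the proposed fix: the cap is an assumed
 * value (10M), far below every driver limit derived above. A draw whose
 * first+vertCount exceeds it should be rejected before reaching the driver. */
#define MAX_VERTS_PER_DRAW 10000000u
static bool validate_draw_vert_count(uint32_t first, uint32_t vertCount) {
    uint64_t total = (uint64_t)first + vertCount;   /* no u32 wrap on the sum */
    return total <= MAX_VERTS_PER_DRAW;
}

int main(void) {
    const uint32_t first = 10, vertCount = 0x41df57b9u;   /* values from the PoC line */
    uint64_t nr = converted_index_count(PRIM_LINE_LOOP, vertCount);
    unsigned isz = index_size_for(first, vertCount);
    unsigned sz = 0;
    printf("converted indices: 0x%" PRIx64 ", index size %u\n", nr, isz);
    printf("unchecked size:    0x%x (wrapped)\n", buffer_size_unchecked((unsigned)nr, isz));
    printf("checked size ok:   %d\n", buffer_size_checked((unsigned)nr, isz, &sz));
    printf("draw accepted:     %d\n", validate_draw_vert_count(first, vertCount));
    return 0;
}
```

Run stand-alone it prints the wrapped size 0x0efa_bdc8 for the PoC parameters, shows the checked variant refusing the request, and shows the cap rejecting the draw before any driver call; the two "max safe" functions reproduce the limits derived in the comment.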

I'll mark this as confirmed, though the root cause is a driver bug. I think we were reasonably cautious here, but just expected too much of the driver in the end.

Status: UNCONFIRMED → NEW
Ever confirmed: true

I believe the patch in bug 1849433 will fix this.

OS: Unspecified → Linux

I think it's fixed well!

No more crashes.

Flags: needinfo?(pwn2car)

Defect in driver -> sec-vector
Limited scope of users, no clear path to exploit -> sec-moderate

I have two fixes to Mesa that I will submit.

Fixed by bug 1849433.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Flags: sec-bounty?
Group: gfx-core-security → core-security-release
Target Milestone: --- → 119 Branch

This bug may enable sandbox escape.

We're dubious, but if you can demonstrate that we can re-rate this back to sec-high and add more to the bounty award.

Flags: sec-bounty? → sec-bounty+
Whiteboard: [fixed in bug 1849433]
Flags: qe-verify+
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [fixed in bug 1849433] → [fixed in bug 1849433][adv-main119+]
Whiteboard: [fixed in bug 1849433][adv-main119+] → [fixed in bug 1849433][adv-main119+][adv-ESR115.4+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9359580 - Attachment is obsolete: true
Alias: CVE-2023-5724

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release
