1841050 - (CVE-2023-6204) Out-of-bound memory access in WebGL2 blitFramebuffer

Status: RESOLVED FIXED

(Core :: Graphics: CanvasWebGL, defect, P1)

Description

Attachment: blit.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

Steps to reproduce:

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

When accessing the POC file from the browser, an out-of-bounds error occurs, leading to the termination of the GPU process.

In a typical environment, it works well, but in a VM, it may need the "webgl.force-enabled" option set to true to be triggered.

Actual results:

An out-of-bound bug occurs when calculating the sourcePixel in the BlitD24S8ToD32F function.
This function is as follows.

for (int row = 0; row < destArea.height; ++row)
{
    for (int column = 0; column < destArea.width; ++column)
    {
        ptrdiff_t offset         = row * sourceRowPitch + column * srcPixelStride;
        const float *sourcePixel = reinterpret_cast<const float *>(sourceData + offset);
        float *destPixel =
            reinterpret_cast<float *>(destData + row * destRowPitch + column * destPixelStride);
        Depth32FStencil8ToDepth32F(sourcePixel, destPixel);
    }
}

When calculating the sourcePixel, the offset can be larger than the size of the sourceData, resulting in an out-of-bound bug.

sourceData = width*height*srcPixelStride

• width and height are values that can be set in the renderbufferStorage API.
• srcPixelStride is set to 8 when using DEPTH32F_STENCIL8 foramt in the renderbufferStorage API.

offset = row*sourceRowPitch+column+srcPixelStride

• row = dstY0-dstY1
  • dstY0 and dstY1 are values that can be set in the blitFramebuffer API.
• sourceRowPitch = width*srcPixelStride
  • width is value that can be set in the renderbufferStorage API.
  • srcPixelStride is set to 8 when using DEPTH32F_STENCIL8 foramt in the renderbufferStorage API.
• column = dstX0-dstX1
  • dstX0 and dstX1 are values that can be set in the blitFramebuffer API.

The size of the sourceData is affected by the width and height values set by the renderbufferStorage API.
If there is no validation for row or column values when calculating offset, an out-of-bound bug will occur.
In fact, there is a check of values for row and column. But this check is wrong.
Row must be verified to be less than width and column less than height. At this time, width and height must be values set by the renderbufferStorage API.
However, row is compared to the width of the canvas object and column is compared to the height of the canvas object.
Therefore, if you set the width and height of the canvas object large, the offset increases a lot.

Expected results:

This bug allows for inserting values obtained through an out-of-bound read into the destPixel. Therefore, this results in information leak.

Comment 1

[Daniel Veditz [:dveditz]]

[added syntax highlighting to comment 0 for readability]

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit BugBot documentation.

Comment 3

[Kelsey Gilbert [:jgilbert]]

Are there any crashes from this in about:crashes?
It does not crash in on my Windows AMD igpu laptop.

Comment 4

[JSec]

https://crash-stats.mozilla.org/report/index/4f92e286-5fc1-4207-8264-e32ef0230724

When tested inside the virtual machine, the crash occurred immediately, but when I tested it outside, I tried to reload several times.

Comment 5

[Kelsey Gilbert [:jgilbert]]

Can you attach an about:support? I would like to know more about your driver situation.

Comment 6

[JSec]

Application Basics

Name: Firefox
Version: 116.0.2
Build ID: 20230805021307
Distribution ID:
Update Channel: release
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
OS: Windows_NT 10.0 19045
Launcher Process: Enabled
Multiprocess Windows: 1/1
Fission Windows: 1/1 Enabled by default
Remote Processes: 7
Enterprise Policies: Inactive
Google Location Service Key: Found
Google Safebrowsing Key: Found
Mozilla Location Service Key: Found
Safe Mode: false
Memory Size (RAM): 32.0 GB
Disk Space Available: 73.9 GB

Graphics

Features
Window Device Pixel Ratios: 1
Compositing: WebRender
Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled; smooth pinch-zoom enabled
WebGL 1 Driver WSI Info: EGL_VENDOR: Google Inc. (NVIDIA) EGL_VERSION: 1.5 (ANGLE 2.1.19734 git hash: 23347851217a) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_ANGLE_windows_ui_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_display_semaphore_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_ANDROID_blob_cache EGL_ANDROID_recordable EGL_ANGLE_image_d3d11_texture EGL_ANGLE_create_context_backwards_compatible EGL_KHR_no_config_context EGL_KHR_create_context_no_error EGL_KHR_reusable_sync EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_device_query EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_platform_angle_d3d11on12 EGL_ANGLE_platform_angle_device_id EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_ANGLE_feature_control IsWebglOutOfProcessEnabled: 1
WebGL 1 Driver Renderer: Google Inc. (NVIDIA) -- ANGLE (NVIDIA, NVIDIA GeForce GT 710 Direct3D11 vs_5_0 ps_5_0, D3D11-27.21.14.5671)
WebGL 1 Driver Version: OpenGL ES 2.0.0 (ANGLE 2.1.19734 git hash: 23347851217a)
WebGL 1 Driver Extensions: GL_AMD_performance_monitor GL_ANGLE_base_vertex_base_instance GL_ANGLE_base_vertex_base_instance_shader_builtin GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_get_serialized_context_string GL_ANGLE_get_tex_level_parameter GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_memory_size GL_ANGLE_multi_draw GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_provoking_vertex GL_ANGLE_request_extension GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_lose_context GL_CHROMIUM_sync_query GL_EXT_EGL_image_external_wrap_modes GL_EXT_base_instance GL_EXT_blend_func_extended GL_EXT_blend_minmax GL_EXT_clip_control GL_EXT_color_buffer_half_float GL_EXT_debug_label GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_draw_elements_base_vertex GL_EXT_float_blend GL_EXT_frag_depth GL_EXT_instanced_arrays GL_EXT_map_buffer_range GL_EXT_multi_draw_indirect GL_EXT_multisampled_render_to_texture GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_bptc GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_rgtc GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_norm16 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_texture_type_2_10_10_10_REV GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_no_error GL_KHR_parallel_shader_compile GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_framebuffer_blit GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_compressed_EAC_R11_signed_texture GL_OES_compressed_EAC_R11_unsigned_texture GL_OES_compressed_EAC_RG11_signed_texture GL_OES_compressed_EAC_RG11_unsigned_texture GL_OES_compressed_ETC2_RGB8_texture GL_OES_compressed_ETC2_RGBA8_texture GL_OES_compressed_ETC2_punchthroughA_RGBA8_texture GL_OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture GL_OES_compressed_ETC2_sRGB8_alpha8_texture GL_OES_compressed_ETC2_sRGB8_texture GL_OES_depth24 GL_OES_depth32 GL_OES_draw_elements_base_vertex GL_OES_element_index_uint GL_OES_fbo_render_mipmap GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_border_clamp GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_texture_stencil8 GL_OES_vertex_array_object GL_WEBGL_video_texture
WebGL 1 Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_float_blend EXT_frag_depth EXT_shader_texture_lod EXT_sRGB EXT_texture_compression_bptc EXT_texture_compression_rgtc EXT_texture_filter_anisotropic MOZ_debug OES_element_index_uint OES_fbo_render_mipmap OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context WEBGL_provoking_vertex
WebGL 2 Driver WSI Info: EGL_VENDOR: Google Inc. (NVIDIA) EGL_VERSION: 1.5 (ANGLE 2.1.19734 git hash: 23347851217a) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_ANGLE_windows_ui_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_display_semaphore_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_ANDROID_blob_cache EGL_ANDROID_recordable EGL_ANGLE_image_d3d11_texture EGL_ANGLE_create_context_backwards_compatible EGL_KHR_no_config_context EGL_KHR_create_context_no_error EGL_KHR_reusable_sync EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_device_query EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_platform_angle_d3d11on12 EGL_ANGLE_platform_angle_device_id EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_ANGLE_feature_control IsWebglOutOfProcessEnabled: 1
WebGL 2 Driver Renderer: Google Inc. (NVIDIA) -- ANGLE (NVIDIA, NVIDIA GeForce GT 710 Direct3D11 vs_5_0 ps_5_0, D3D11-27.21.14.5671)
WebGL 2 Driver Version: OpenGL ES 3.0.0 (ANGLE 2.1.19734 git hash: 23347851217a)
WebGL 2 Driver Extensions: GL_AMD_performance_monitor GL_ANGLE_base_vertex_base_instance GL_ANGLE_base_vertex_base_instance_shader_builtin GL_ANGLE_client_arrays GL_ANGLE_copy_texture_3d GL_ANGLE_depth_texture GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_get_serialized_context_string GL_ANGLE_get_tex_level_parameter GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_memory_size GL_ANGLE_multi_draw GL_ANGLE_multiview_multisample GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_provoking_vertex GL_ANGLE_request_extension GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_multisample GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_lose_context GL_CHROMIUM_sync_query GL_EXT_EGL_image_external_wrap_modes GL_EXT_base_instance GL_EXT_blend_func_extended GL_EXT_blend_minmax GL_EXT_clip_control GL_EXT_color_buffer_float GL_EXT_color_buffer_half_float GL_EXT_debug_label GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_draw_buffers_indexed GL_EXT_draw_elements_base_vertex GL_EXT_float_blend GL_EXT_frag_depth GL_EXT_instanced_arrays GL_EXT_map_buffer_range GL_EXT_multi_draw_indirect GL_EXT_multisampled_render_to_texture GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_bptc GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_rgtc GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_norm16 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_texture_type_2_10_10_10_REV GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_no_error GL_KHR_parallel_shader_compile GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_framebuffer_blit GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_EGL_image_external_essl3 GL_OES_compressed_EAC_R11_signed_texture GL_OES_compressed_EAC_R11_unsigned_texture GL_OES_compressed_EAC_RG11_signed_texture GL_OES_compressed_EAC_RG11_unsigned_texture GL_OES_compressed_ETC2_RGB8_texture GL_OES_compressed_ETC2_RGBA8_texture GL_OES_compressed_ETC2_punchthroughA_RGBA8_texture GL_OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture GL_OES_compressed_ETC2_sRGB8_alpha8_texture GL_OES_compressed_ETC2_sRGB8_texture GL_OES_depth24 GL_OES_depth32 GL_OES_draw_buffers_indexed GL_OES_draw_elements_base_vertex GL_OES_element_index_uint GL_OES_fbo_render_mipmap GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_border_clamp GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_texture_stencil8 GL_OES_vertex_array_object GL_OVR_multiview GL_OVR_multiview2 GL_WEBGL_video_texture
WebGL 2 Extensions: EXT_color_buffer_float EXT_float_blend EXT_texture_compression_bptc EXT_texture_compression_rgtc EXT_texture_filter_anisotropic MOZ_debug OES_draw_buffers_indexed OES_texture_float_linear OVR_multiview2 WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context WEBGL_provoking_vertex
Direct2D: true
Target Frame Rate: 60
WebGPU Default Adapter: { "navigator.gpu": null }
WebGPU Fallback Adapter: { "navigator.gpu": null }
DirectWrite: true (10.0.19041.1566)
GPU #1
Active: Yes
Description: NVIDIA GeForce GT 710
Vendor ID: 0x10de
Device ID: 0x128b
Driver Version: 27.21.14.5671
Driver Date: 9-30-2020
Drivers: C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumdx.dll C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_1c83a5d7cffd7bff\nvldumd.dll
Subsys ID: 128b10de
RAM: 2048
GPU #2
Active: No
RAM: 0
Diagnostics
AzureCanvasBackend: direct2d 1.1
AzureContentBackend: skia
AzureFallbackCanvasBackend: skia
CMSOutputProfile: AAAMSExpbm8CEAAAbW50clJHQiBYWVogB84AAgAJAAYAMQAAYWNzcE1TRlQAAAAASUVDIHNSR0IAAAAAAAAAAAAAAAAAAPbWAAEAAAAA0y1IUCAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARY3BydAAAAVAAAAAzZGVzYwAAAYQAAABsd3RwdAAAAfAAAAAUYmtwdAAAAgQAAAAUclhZWgAAAhgAAAAUZ1hZWgAAAiwAAAAUYlhZWgAAAkAAAAAUZG1uZAAAAlQAAABwZG1kZAAAAsQAAACIdnVlZAAAA0wAAACGdmlldwAAA9QAAAAkbHVtaQAAA/gAAAAUbWVhcwAABAwAAAAkdGVjaAAABDAAAAAMclRSQwAABDwAAAgMZ1RSQwAABDwAAAgMYlRSQwAABDwAAAgMdGV4dAAAAABDb3B5cmlnaHQgKGMpIDE5OTggSGV3bGV0dC1QYWNrYXJkIENvbXBhbnkAAGRlc2MAAAAAAAAAEnNSR0IgSUVDNjE5NjYtMi4xAAAAAAAAAAAAAAASc1JHQiBJRUM2MTk2Ni0yLjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFhZWiAAAAAAAADzUQABAAAAARbMWFlaIAAAAAAAAAAAAAAAAAAAAABYWVogAAAAAAAAb6IAADj1AAADkFhZWiAAAAAAAABimQAAt4UAABjaWFlaIAAAAAAAACSgAAAPhAAAts9kZXNjAAAAAAAAABZJRUMgaHR0cDovL3d3dy5pZWMuY2gAAAAAAAAAAAAAABZJRUMgaHR0cDovL3d3dy5pZWMuY2gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGVzYwAAAAAAAAAuSUVDIDYxOTY2LTIuMSBEZWZhdWx0IFJHQiBjb2xvdXIgc3BhY2UgLSBzUkdCAAAAAAAAAAAAAAAuSUVDIDYxOTY2LTIuMSBEZWZhdWx0IFJHQiBjb2xvdXIgc3BhY2UgLSBzUkdCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRlc2MAAAAAAAAALFJlZmVyZW5jZSBWaWV3aW5nIENvbmRpdGlvbiBpbiBJRUM2MTk2Ni0yLjEAAAAAAAAAAAAAACxSZWZlcmVuY2UgVmlld2luZyBDb25kaXRpb24gaW4gSUVDNjE5NjYtMi4xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB2aWV3AAAAAAATpP4AFF8uABDPFAAD7cwABBMLAANcngAAAAFYWVogAAAAAABMCVYAUAAAAFcf521lYXMAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAKPAAAAAnNpZyAAAAAAQ1JUIGN1cnYAAAAAAAAEAAAAAAUACgAPABQAGQAeACMAKAAtADIANwA7AEAARQBKAE8AVABZAF4AYwBoAG0AcgB3AHwAgQCGAIsAkACVAJoAnwCkAKkArgCyALcAvADBAMYAywDQANUA2wDgAOUA6wDwAPYA+wEBAQcBDQETARkBHwElASsBMgE4AT4BRQFMAVIBWQFgAWcBbgF1AXwBgwGLAZIBmgGhAakBsQG5AcEByQHRAdkB4QHpAfIB+gIDAgwCFAIdAiYCLwI4AkECSwJUAl0CZwJxAnoChAKOApgCogKsArYCwQLLAtUC4ALrAvUDAAMLAxYDIQMtAzgDQwNPA1oDZgNyA34DigOWA6IDrgO6A8cD0wPgA+wD+QQGBBMEIAQtBDsESARVBGMEcQR+BIwEmgSoBLYExATTBOEE8AT+BQ0FHAUrBToFSQVYBWcFdwWGBZYFpgW1BcUF1QXlBfYGBgYWBicGNwZIBlkGagZ7BowGnQavBsAG0QbjBvUHBwcZBysHPQdPB2EHdAeGB5kHrAe/B9IH5Qf4CAsIHwgyCEYIWghuCIIIlgiqCL4I0gjnCPsJEAklCToJTwlkCXkJjwmkCboJzwnlCfsKEQonCj0KVApqCoEKmAquCsUK3ArzCwsLIgs5C1ELaQuAC5gLsAvIC+EL+QwSDCoMQwxcDHUMjgynDMAM2QzzDQ0NJg1ADVoNdA2ODakNww3eDfgOEw4uDkkOZA5/DpsOtg7SDu4PCQ8lD0EPXg96D5YPsw/PD+wQCRAmEEMQYRB+EJsQuRDXEPURExExEU8RbRGMEaoRyRHoEgcSJhJFEmQShBKjEsMS4xMDEyMTQxNjE4MTpBPFE+UUBhQnFEkUahSLFK0UzhTwFRIVNBVWFXgVmxW9FeAWAxYmFkkWbBaPFrIW1hb6Fx0XQRdlF4kXrhfSF/cYGxhAGGUYihivGNUY+hkgGUUZaxmRGbcZ3RoEGioaURp3Gp4axRrsGxQbOxtjG4obshvaHAIcKhxSHHscoxzMHPUdHh1HHXAdmR3DHeweFh5AHmoelB6+HukfEx8+H2kflB+/H+ogFSBBIGwgmCDEIPAhHCFIIXUhoSHOIfsiJyJVIoIiryLdIwojOCNmI5QjwiPwJB8kTSR8JKsk2iUJJTglaCWXJccl9yYnJlcmhya3JugnGCdJJ3onqyfcKA0oPyhxKKIo1CkGKTgpaymdKdAqAio1KmgqmyrPKwIrNitpK50r0SwFLDksbiyiLNctDC1BLXYtqy3hLhYuTC6CLrcu7i8kL1ovkS/HL/4wNTBsMKQw2zESMUoxgjG6MfIyKjJjMpsy1DMNM0YzfzO4M/E0KzRlNJ402DUTNU01hzXCNf02NzZyNq426TckN2A3nDfXOBQ4UDiMOMg5BTlCOX85vDn5OjY6dDqyOu87LTtrO6o76DwnPGU8pDzjPSI9YT2hPeA+ID5gPqA+4D8hP2E/oj/iQCNAZECmQOdBKUFqQaxB7kIwQnJCtUL3QzpDfUPARANER0SKRM5FEkVVRZpF3kYiRmdGq0bwRzVHe0fASAVIS0iRSNdJHUljSalJ8Eo3Sn1KxEsMS1NLmkviTCpMcky6TQJNSk2TTdxOJU5uTrdPAE9JT5NP3VAnUHFQu1EGUVBRm1HmUjFSfFLHUxNTX1OqU/ZUQlSPVNtVKFV1VcJWD1ZcVqlW91dEV5JX4FgvWH1Yy1kaWWlZuFoHWlZaplr1W0VblVvlXDVchlzWXSddeF3JXhpebF69Xw9fYV+zYAVgV2CqYPxhT2GiYfViSWKcYvBjQ2OXY+tkQGSUZOllPWWSZedmPWaSZuhnPWeTZ+loP2iWaOxpQ2maafFqSGqfavdrT2una/9sV2yvbQhtYG25bhJua27Ebx5veG/RcCtwhnDgcTpxlXHwcktypnMBc11zuHQUdHB0zHUodYV14XY+dpt2+HdWd7N4EXhueMx5KnmJeed6RnqlewR7Y3vCfCF8gXzhfUF9oX4BfmJ+wn8jf4R/5YBHgKiBCoFrgc2CMIKSgvSDV4O6hB2EgITjhUeFq4YOhnKG14c7h5+IBIhpiM6JM4mZif6KZIrKizCLlov8jGOMyo0xjZiN/45mjs6PNo+ekAaQbpDWkT+RqJIRknqS45NNk7aUIJSKlPSVX5XJljSWn5cKl3WX4JhMmLiZJJmQmfyaaJrVm0Kbr5wcnImc951kndKeQJ6unx2fi5/6oGmg2KFHobaiJqKWowajdqPmpFakx6U4pammGqaLpv2nbqfgqFKoxKk3qamqHKqPqwKrdavprFys0K1ErbiuLa6hrxavi7AAsHWw6rFgsdayS7LCszizrrQltJy1E7WKtgG2ebbwt2i34LhZuNG5SrnCuju6tbsuu6e8IbybvRW9j74KvoS+/796v/XAcMDswWfB48JfwtvDWMPUxFHEzsVLxcjGRsbDx0HHv8g9yLzJOsm5yjjKt8s2y7bMNcy1zTXNtc42zrbPN8+40DnQutE80b7SP9LB00TTxtRJ1MvVTtXR1lXW2Ndc1+DYZNjo2WzZ8dp22vvbgNwF3IrdEN2W3hzeot8p36/gNuC94UThzOJT4tvjY+Pr5HPk/OWE5g3mlucf56noMui86Ubp0Opb6uXrcOv77IbtEe2c7ijutO9A78zwWPDl8XLx//KM8xnzp/Q09ML1UPXe9m32+/eK+Bn4qPk4+cf6V/rn+3f8B/yY/Sn9uv5L/tz/bf//
Display0: 2560x1440@59Hz scales:1.000000|1.250000
Display1: 1920x1080@60Hz scales:1.000000|1.000000
DisplayCount: 2
HardwareStretching: both=0 window-only=0 full-screen-only=2 none=0 error=0
ClearType Parameters: \.\DISPLAY1 [ Gamma: 1.8 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 50 ] \.\DISPLAY2 [ Gamma: 1.8 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 50 ]
Decision Log
HW_COMPOSITING:
default: available,
D3D11_COMPOSITING:
default: available,
DIRECT2D:
default: available,
D3D11_HW_ANGLE:
default: available,
WEBRENDER:
default: available,
WEBRENDER_COMPOSITOR:
default: available,
runtime: unavailable, No DirectComposition usage, Blocklisted; failure code FEATURE_FAILURE_NO_GPU_PROCESS
WEBRENDER_PARTIAL:
default: available,
WEBRENDER_SHADER_CACHE:
default: available,
WEBRENDER_OPTIMIZED_SHADERS:
default: available,
WEBRENDER_ANGLE:
default: available,
WEBRENDER_DCOMP_PRESENT:
default: available,
env: unavailable, Requires GPU process, Blocklisted; failure code FEATURE_FAILURE_NO_GPU_PROCESS
WEBRENDER_SCISSORED_CACHE_CLEARS:
default: available,
WEBGPU:
default: available,
runtime: blocked, WebGPU cannot be enabled in release or beta, Blocklisted; failure code WEBGPU_DISABLE_RELEASE_OR_BETA
WINDOW_OCCLUSION:
default: available,
HW_DECODED_VIDEO_ZERO_COPY:
default: blocked, Blocklisted by gfxInfo,
VP8_HW_DECODE:
default: available,
VP9_HW_DECODE:
default: available,
REUSE_DECODER_DEVICE:
default: available,
BACKDROP_FILTER:
default: available,
CANVAS_RENDERER_THREAD:
default: available,
ACCELERATED_CANVAS2D:
default: disabled, Disabled by default, Blocklisted; failure code FEATURE_FAILURE_DISABLED

Comment 7

[Kelsey Gilbert [:jgilbert]]

I am working on this.

Comment 8

[Kelsey Gilbert [:jgilbert]]

We have validation that makes this not work if there's an MSAA buffer for the context, so we'd have to be on a system that we chose not to use MSAA on. This is rare, but not extremely rare. (Maybe e.g. VMs, as in the case of the crashing system for the reporter)

Comment 9

[Kelsey Gilbert [:jgilbert]]

Attachment: blit--no-aa.html

Comment 10

[Kelsey Gilbert [:jgilbert]]

By default, this doesn't crash as described in DEBUG builds

In DEBUG builds, we enable MOZ_GL_DEBUG_ABORT_ON_ERROR.
When we enable MOZ_GL_DEBUG_ABORT_ON_ERROR, we ignore the request from webgl for NO_VALIDATION, and so we don't activate KHR_no_error.
This hides the bug in DEBUG builds by default, unless you use MOZ_GL_DEBUG_ABORT_ON_ERROR=0.
Instead in DEBUG builds, we hit an ANGLE validation, and actually end up then crashing because of asserts in MOZ_GL_DEBUG_ABORT_ON_ERROR.
With MOZ_GL_DEBUG_ABORT_ON_ERROR=0, we don't precisely crash in the same spot, but we hit an in-angle assert that formats match, but that's close enough to the same issue in my mind, because:

Root cause

The root cause here is that with KHR_no_error turned on in ANGLE, ANGLE's assumption that srcDepthStencilFormat == dstDepthStencilFormat holds true can be violated, and we hit an issue because of that somewhere in BlitD24S8ToD32F. While it's possible to fix BlitD24S8ToD32F, I think this is effectively not a supported path in ANGLE, because it's not reachable when ANGLE's validation layer is enabled.

There is a note I left years ago in the middle of our BlitFramebuffer validation in webgl: https://searchfox.org/mozilla-central/source/dom/canvas/WebGLFramebuffer.cpp#1466-1487

  /* GLES 3.0.4, p199:
   *   Calling BlitFramebuffer will result in an INVALID_OPERATION error if
   *   mask includes DEPTH_BUFFER_BIT or STENCIL_BUFFER_BIT, and the source
   *   and destination depth and stencil buffer formats do not match.
   *
   * jgilbert: The wording is such that if only DEPTH_BUFFER_BIT is specified,
   * the stencil formats must match. This seems wrong. It could be a spec bug,
   * or I could be missing an interaction in one of the earlier paragraphs.
   */

The condition I mention and say "This seems wrong" is actually what ANGLE strictly validates here: https://searchfox.org/mozilla-central/source/gfx/angle/checkout/src/libANGLE/validationES.cpp#1737-1742

                if (!Format::EquivalentForBlit(readBuffer->getFormat(), drawBuffer->getFormat()))
                {
                    context->validationError(entryPoint, GL_INVALID_OPERATION,
                                             kBlitDepthOrStencilFormatMismatch);
                    return false;
                }

Next steps

There are two choices of mitigations to fix this vulnerability:
A. Disable KHR_no_error on ANGLE.
B. Match ANGLE's validation for srcDepthStencilFormat == dstDepthStencilFormat.

There are two more optional actions we might take:
C. We don't currently have a pref for disabling KHR_no_error, but I will add one.
D. We should consider disabling-by-default KHR_no_error on ESR.

Comment 11

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1841050 - Add pref webgl.gl_khr_no_error:true.

This allows for disabling WebGL's use of GL_KHR_no_error, rather than the default of enabled.

Use snake_case so that searching for KHR_no_error finds this more
easily.

Comment 12

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1841050 - Disable webgl.gl_khr_no_error on Windows.

Comment 13

[Kelsey Gilbert [:jgilbert]]

The benefit of doing it this way, is that we can turn this off without tipping our hand about what the specific issue is. We're simply re-enabling extra validation (and eating a perf hit for it).

The goal of course is to re-enable it once we fix it more specifically, but this gives us a lot more runway for that.

Comment 14

[Kelsey Gilbert [:jgilbert]]

Reporter: Can you test this build? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/EwIUW_YnTIuxpMCRzDMRwg/runs/0/artifacts/public/build/target.zip
(win64 asan opt)

Comment 15

[JSec]

I have completed the test. The vulnerability was not triggered because the validation was done in the libGLESv2!gl::ValidateBlitFramebuffer, which prevented the libGLESv2!gl::Context::blitFramebuffer from being called.

Comment 16

[Kelsey Gilbert [:jgilbert]]

CI is mostly fine with this change, but it does cause a change in test behavior in dom/canvas/test/webgl-conf/generated/test_2_conformance__misc__uninitialized-test.html: https://treeherder.mozilla.org/jobs?repo=try&revision=a9f7cc18bc34518e77bb3d0366ff566c3de4a026

I'm pretty sure that this is due to differences in validation behavior in certain edgecases between Firefox and ANGLE when calling CopyTexSubImage on textures that were created with TexImage or TexStorage instead of CopyTexImage.
There is a risk of exposing uninitialized data when a full-frame CopyTexSubImage call fails due to this difference.

Therefore, we require an additional fix, which we should take anyway, and ideally apply to other similar cases of errors that could expose uninit data:
https://searchfox.org/mozilla-central/source/dom/canvas/WebGLTextureUpload.cpp#1881-1886

   if (!DoCopyTexOrSubImage(mContext, isSubImage, expectsInit, this, imageTarget,
                            level, srcOffset.x, srcOffset.y, srcTotalWidth,
                            srcTotalHeight, srcUsage, dstOffset.x, dstOffset.y,
                            dstOffset.z, size.x, size.y, dstUsage)) {
+    tex->Truncate();
     return;
   }

With this additional fix, it should be safe to mark the new test failure as expected, until such time as we can rectify it. (We should file an S3+P2 bug for this)

I am on sabbatical now, but that should be enough info to finish this off.

Comment 17

[Timothy Nikkel (:tnikkel)]

I have made the required patches as described in the last comment and they are green on try. Just need to post them and request review.

Comment 18

[Timothy Nikkel (:tnikkel)]

Attachment: Bug 1841050. r?#gfx-reviewers

Comment 19

[Timothy Nikkel (:tnikkel)]

Attachment: Bug 1841050. Mark expected test fail. r?#gfx-reviewers

Depends on D191597

Comment 20

[Timothy Nikkel (:tnikkel)]

Comment on attachment 9354240 [details]
Bug 1841050 - Add pref webgl.gl_khr_no_error:true.

Security Approval Request

• How easily could an exploit be constructed based on the patch?: the one patch that adds a Truncate call does point to one path in our code that could expose un-init data
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which older supported branches are affected by this flaw?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: easy
• How likely is this patch to cause regressions; how much testing does it need?: not sure, more bake time would be better
• Is Android affected?: Yes

Comment 21

[Tom Ritter [:tjr]]

Comment on attachment 9354240 [details]
Bug 1841050 - Add pref webgl.gl_khr_no_error:true.

Approved to land and uplift when ready

Comment 22

[Timothy Nikkel (:tnikkel)]

Comment on attachment 9354240 [details]
Bug 1841050 - Add pref webgl.gl_khr_no_error:true.

Beta/Release Uplift Approval Request

• User impact if declined: sec issue
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: No
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): turns on more validation/error checking in webgl
• String changes made/needed: none
• Is Android affected?: Yes

Comment 23

[Pulsebot]

Pushed by tnikkel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5a554aae2b2
Add pref webgl.gl_khr_no_error:true. r=gfx-reviewers,bradwerth
https://hg.mozilla.org/integration/autoland/rev/2caa5632e597
Disable webgl.gl_khr_no_error on Windows. r=gfx-reviewers,bradwerth
https://hg.mozilla.org/integration/autoland/rev/08dd99ff7aac
r=gfx-reviewers,nical,ahale
https://hg.mozilla.org/integration/autoland/rev/cad717e42236
Mark expected test fail. r=gfx-reviewers,nical,ahale

Comment 24

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/b5a554aae2b2
https://hg.mozilla.org/mozilla-central/rev/2caa5632e597
https://hg.mozilla.org/mozilla-central/rev/08dd99ff7aac
https://hg.mozilla.org/mozilla-central/rev/cad717e42236

Comment 25

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

Comment on attachment 9354240 [details]
Bug 1841050 - Add pref webgl.gl_khr_no_error:true.

Approved for 120.0b4

Comment 26

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/99b03d602f0a
https://hg.mozilla.org/releases/mozilla-beta/rev/a5b3b0b35e5b
https://hg.mozilla.org/releases/mozilla-beta/rev/490d345de8aa
https://hg.mozilla.org/releases/mozilla-beta/rev/e65ddc9d9929

Comment 27

[Dianna Smith [:diannaS] - on Leave, back on August 9th]

Comment on attachment 9354240 [details]
Bug 1841050 - Add pref webgl.gl_khr_no_error:true.

Approved for 115.5esr

Comment 28

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr115/rev/76f91cb28fdf
https://hg.mozilla.org/releases/mozilla-esr115/rev/feb44fb3185b
https://hg.mozilla.org/releases/mozilla-esr115/rev/7560222f64ed
https://hg.mozilla.org/releases/mozilla-esr115/rev/e0a921d60bd5

Comment 29

[Daniel Veditz [:dveditz]]

The goal of course is to re-enable it once we fix it more specifically, but this gives us a lot more runway for that.

Is there a bug filed to do what Kelsey said above in comment 13? I notice the perf regression bug was closed WONTFIX, but really the goal is to get a real fix here and then not have the perf hit right?

Comment 30

[Daniel Veditz [:dveditz]]

As a generic data leak (of graphics from other sites, for example) this is a sec-high and we are going to award a bug bounty as such. There may be information related to IPC communication that could be used to take over the GPU or parent process. If you are interested in doing further exploration and can demonstrate the ability to capture and use this information from a compromised child process we can elevate this to a "sandbox escape"

Comment 31

[Timothy Nikkel (:tnikkel)]

(In reply to Daniel Veditz [:dveditz] from comment #29)

The goal of course is to re-enable it once we fix it more specifically, but this gives us a lot more runway for that.

Is there a bug filed to do what Kelsey said above in comment 13?

Yes, this bug blocks it, bug 1860470.

I notice the perf regression bug was closed WONTFIX, but really the goal is to get a real fix here and then not have the perf hit right?

Yes I believe so.

Comment 32

[Daniel Veditz [:dveditz]]

Attachment: advisory.txt

Comment 33

[Mark Straver]

I'm auditing this sec bug and I'm not entirely clear on the following:

1. Why is this validation explicitly not turned on on Windows, but turned on everywhere else?
2. What is the potential sec impact of keeping the ANGLE validation layer disabled on Windows?

I'd appreciate if you could give me insight in this.

Comment 34

[Timothy Nikkel (:tnikkel)]

(In reply to Mark Straver from comment #33)

1. Why is this validation explicitly not turned on on Windows, but turned on everywhere else?

This bug turns on the validation for Windows only. Note that this is a bit of a confusing double negative.

"Disable webgl.gl_khr_no_error on Windows."

When webgl.gl_khr_no_error is enabled it means that we don't error out, ie we don't validate. So disabling webgl.gl_khr_no_error actual enables validation.

Note that it is being considered to make this change on other platforms, for example bug 1862039.

I can't really speak to your second question.

Comment 35

[Mark Straver]

Ah right, I totally got confused by the double-negative there (seems I'm not the only one, judging by the other bug)! Thanks for clarifying. Maybe a better name/state of the pref would be useful to prevent this confusion?

Considering the other bug indicates fallout for enabling this on non-Windows, I'll follow your current state here and only flip it on for Windows, as well and CC there to keep tabs on development.

Comment 36

[Daniel Veditz [:dveditz]]

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter