Missing array size check in FilterNodeD2D1
Categories: Core :: Graphics, defect
People: Reporter: sonakkbi, Assigned: bobowen
Details: 4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main118+][adv-esr115.3+]
Attachments (5 files)
- 4.75 KB, text/plain
- 1.46 KB, text/html
- 772 bytes, patch
- 48 bytes, text/x-phabricator-request (flags: pascalc: approval-mozilla-beta+; pascalc: approval-mozilla-esr115+; dveditz: sec-approval+)
- 238 bytes, text/plain
|FilterNodeD2D1| is used by graphics rendering. In certain situations, |mInputSurfaces| array is accessed in |SetInput()|1. However, the array index, |mIndex| is not verified properly. This is a typical out-of-bounds write scenario and there is an out-of-bounds write in another |SetInput()|2. I tried to make an ASAN report but I found it not easy. Instead, the callstack when crashed is attached.
REPRODUCE
Operating System: Windows
1. apply *patch.diff
2. visit index.html
*: Patch to emulate a compromised content process.
Crash State: see result.txt
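The pattern the report describes and the shape of the fix, as an added example that is not Firefox's code: a simplified stand-in for the input-surface table, with the index guarded first by a debug-only assertion (compiled out in release builds) and then by a check that survives in release builds. The class, member and function names here are assumptions, not the real FilterNodeD2D1 API, and the hardened variant rejects the call rather than aborting so it can be exercised in a test.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

struct Surface {  // hypothetical placeholder for the real surface type
  uint32_t id;
};

class InputTable {
 public:
  explicit InputTable(size_t n) : mInputSurfaces(n, nullptr) {}

  // Reports whether the debug-only assertion in SetInputDebugOnly exists at
  // all. Under NDEBUG (release builds) it does not, so an index supplied by a
  // compromised content process would reach the store unchecked.
  static constexpr bool DebugCheckCompiledIn() {
#ifdef NDEBUG
    return false;
#else
    return true;
#endif
  }

  // Before the fix: bounds enforced only by a debug assertion, followed by an
  // unchecked store; an out-of-range aIndex in a release build is an OOB write.
  void SetInputDebugOnly(uint32_t aIndex, Surface* aSurface) {
    assert(aIndex < mInputSurfaces.size());
    mInputSurfaces[aIndex] = aSurface;
  }

  // After the fix: the check is unconditional. The real patch turns the
  // assertion into a release assertion (abort); this version rejects the call
  // instead so the behaviour can be exercised in a test.
  bool SetInputChecked(uint32_t aIndex, Surface* aSurface) {
    if (aIndex >= mInputSurfaces.size()) {
      return false;
    }
    mInputSurfaces[aIndex] = aSurface;
    return true;
  }

  Surface* GetInput(uint32_t aIndex) const {
    return aIndex < mInputSurfaces.size() ? mInputSurfaces[aIndex] : nullptr;
  }

 private:
  std::vector<Surface*> mInputSurfaces;
};
```

The check is the same one the debug assertion expressed; the difference that matters across a process trust boundary is that it is still present in the shipped binary.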
Comment 3•2 years ago
Looks like we moved the trust boundaries on this code -- it used to be part of the same process.
Comment 6•2 years ago
The severity field is not set for this bug.
:bhood, could you have a look please?
For more information, please visit BugBot documentation.
Comment 7•2 years ago
Comment on attachment 9348869 [details]
Bug 1846683: Make assertions in FilterNodeD2D1::SetInput release assertions. r=jgilbert!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The issue is obvious, although not necessarily how it can be triggered. Also, the example of triggering we have is from another process, so I'm not sure how easy it would be to exploit on its own.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely, turning debug assertions into release assertions.
- Is Android affected?: No
Comment 8•2 years ago
Comment on attachment 9348869 [details]
Bug 1846683: Make assertions in FilterNodeD2D1::SetInput release assertions. r=jgilbert!
sec-approval+ = dveditz
Comment 11•2 years ago
The patch landed in nightly and beta is affected.
:bobowen, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox118 to wontfix.
For more information, please visit BugBot documentation.
Comment 12•2 years ago
Comment on attachment 9348869 [details]
Bug 1846683: Make assertions in FilterNodeD2D1::SetInput release assertions. r=jgilbert!
Beta/Release Uplift Approval Request
- User impact if declined: Possible use as part of sandbox escape.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just turning debug assertions into release assertions.
- String changes made/needed: None
- Is Android affected?: No
Comment 13•2 years ago
Comment on attachment 9348869 [details]
Bug 1846683: Make assertions in FilterNodeD2D1::SetInput release assertions. r=jgilbert!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: Possible use as part of sandbox escape.
- Fix Landed on Version: 119
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just turning debug assertions into release assertions.
Comment 14•2 years ago
Comment on attachment 9348869 [details]
Bug 1846683: Make assertions in FilterNodeD2D1::SetInput release assertions. r=jgilbert!
Approved for 118.0b6, thanks.
Comment 15•2 years ago
uplift
Comment 16•2 years ago
Comment on attachment 9348869 [details]
Bug 1846683: Make assertions in FilterNodeD2D1::SetInput release assertions. r=jgilbert!
Approved for ESR 115.3, thanks.
Comment 17•2 years ago
uplift