use-after-free in mStream
Categories
(Core :: Graphics, defect, P1)
Tracking
()
People
(Reporter: sonakkbi, Assigned: bobowen)
Details
(5 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+])
Attachments
(8 files)
|
17.01 KB,
text/plain
|
Details | |
|
328 bytes,
text/html
|
Details | |
|
3.08 KB,
patch
|
Details | Diff | Splinter Review | |
|
549 bytes,
patch
|
Details | Diff | Splinter Review | |
|
424 bytes,
text/html
|
Details | |
|
6.54 KB,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-release-
RyanVM
:
approval-mozilla-esr102+
RyanVM
:
approval-mozilla-esr115+
tjr
:
sec-approval+
|
Details | Review |
|
229 bytes,
text/plain
|
Details |
While graphics rendering, |mStream| is used to receive rendering data1. |mStream| could be destroyed when initialized. However, there is no check in init function2 and it could initialize twice. This could lead to use-after-free when |mStream| is destroyed during accessing rendering data.
REPRODUCE
Operating System: All
1.apply *patch1.diff and patch2.diff
2.visit index.html
*: patch1.diff is emulating a compromised content process. patch2.diff is patching the Graphic Process to improve the success rate (just for reproducing easily)
Crash State: see asan file
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 4•1 year ago
|
||
I was unable to reproduce this on Linux.
I'm sorry to hear that it's not reproducible on Linux. The vulnerability itself still exists in Linux, but I overlooked that the function used in the patch.diff is not called in Linux. Could you test it on Windows?
|
|
||
Comment 6•1 year ago
|
||
(In reply to sonakkbi from comment #5)
I'm sorry to hear that it's not reproducible on Linux. The vulnerability itself still exists in Linux, but I overlooked that the function used in the patch.diff is not called in Linux. Could you test it on Windows?
I did modify the patch to work on Linux, but perhaps I missed something. I was trying to get a rr/Pernosco session (Linux only) to hopefully save them some work. I'll leave it do a developer with more knowledge of this component to try.
|
||
Comment 7•1 year ago
|
||
Tyson, it might be possible to reproduce this with this test case on Linux instead of the attached one.
|
|
||
Comment 8•1 year ago
|
||
Bob, can you take a look at this?
|
|
||
Comment 9•1 year ago
|
||
(In reply to Jeff Muizelaar [:jrmuizel] from comment #7)
Tyson, it might be possible to reproduce this with this test case on Linux instead of the attached one.
I'd be happy to give it a try.
I also had issues with the patches not applying cleanly and targeting Windows. Could you have a look at them as well please?
|
Assignee | |
Comment 10•1 year ago
|
||
(In reply to Jeff Muizelaar [:jrmuizel] from comment #8)
Bob, can you take a look at this?
The patches were a bit mangled for me as well, so I applied them by hand.
I could see the issue either way from the description.
Pretty sure it will only affect Windows.
|
|
Assignee | |
Comment 11•1 year ago
|
||
(In reply to Bob Owen (:bobowen) from comment #10)
(In reply to Jeff Muizelaar [:jrmuizel] from comment #8)
Bob, can you take a look at this?
The patches were a bit mangled for me as well, so I applied them by hand.
I could see the issue either way from the description.
Pretty sure it will only affect Windows.
The crash I was getting turned out to be in webrender code and not a UAF.
By modifying the patch a bit I think I've now reproduced the issue raised here.
Once I've got something for this, I'll see if I can still reproduce the crash in webrender and file a separate bug.
|
|
Assignee | |
Comment 12•1 year ago
|
||
Here's my reproduction patch that I've rolled into one.
|
|
Assignee | |
Comment 13•1 year ago
|
||
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 14•1 year ago
|
||
Comment on attachment 9347656 [details]
Bug 1846687: Don't allow CanvasTranslator to be initialized twice. r=jrmuizel!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Assuming they knew it was a sec bug, working out the problem from the patch is probably fairly easy, but not trivial.
However, there isn't a known exploit of the vulnerability currently. - Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: (Patch grafts onto all required branches.)
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely, it adds an extra check that should never be triggered without an exploited content process.
- Is Android affected?: No
|
||
Comment 15•1 year ago
|
||
Comment on attachment 9347656 [details]
Bug 1846687: Don't allow CanvasTranslator to be initialized twice. r=jrmuizel!
Approved to land and uplift
|
||
Comment 16•1 year ago
|
||
|
|
Assignee | |
Comment 17•1 year ago
|
||
Comment on attachment 9347656 [details]
Bug 1846687: Don't allow CanvasTranslator to be initialized twice. r=jrmuizel!
Beta/Release Uplift Approval Request
- User impact if declined: Vulnerability that can be triggered in the GPU process from a compromised content process, which could potentially be used as part of a sandbox escape.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple is null check added that should never fail without a compromised content process.
- String changes made/needed: None
- Is Android affected?: No
|
|
Assignee | |
Comment 18•1 year ago
|
||
Comment on attachment 9347656 [details]
Bug 1846687: Don't allow CanvasTranslator to be initialized twice. r=jrmuizel!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: Vulnerability that can be triggered in the GPU process from a compromised content process, which could potentially be used as part of a sandbox escape.
- Fix Landed on Version: 118
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple is null check added that should never fail without a compromised content process.
|
||
Comment 19•1 year ago
|
||
|
||
Comment 20•1 year ago
|
||
Comment on attachment 9347656 [details]
Bug 1846687: Don't allow CanvasTranslator to be initialized twice. r=jrmuizel!
Approved for 117.0b6
|
|
||
Comment 21•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 22•1 year ago
|
||
Comment on attachment 9347656 [details]
Bug 1846687: Don't allow CanvasTranslator to be initialized twice. r=jrmuizel!
This will be roll out with 117 and will not be included in the next 116 dot release. If for any reason we do need to take this in the dot release, please feel free to NI me.
|
||
Updated•1 year ago
|
|
|
||
Comment 23•1 year ago
|
||
Comment on attachment 9347656 [details]
Bug 1846687: Don't allow CanvasTranslator to be initialized twice. r=jrmuizel!
Approved for 115.2esr and 102.15esr.
|
|
||
Comment 24•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
|
||
Comment 25•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 26•1 year ago
|
||
|
|
||
Updated•1 year ago
|
|
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
||
Updated•4 months ago
|
Description
•