Integer Overflow in RecordedSourceSurfaceCreation
Categories
(Core :: Graphics, defect, P2)
Tracking
()
People
(Reporter: j51569436, Assigned: bradwerth)
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+])
Attachments
(5 files)
|
1.41 KB,
text/plain
|
Details | |
|
22.65 KB,
text/plain
|
Details | |
|
328 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-release-
RyanVM
:
approval-mozilla-esr102+
RyanVM
:
approval-mozilla-esr115+
tjr
:
sec-approval+
|
Details | Review |
|
274 bytes,
text/plain
|
Details |
An integer overflow occurs in RecordedSourceSurfaceCreation::RecordedSourceSurfaceCreation[1], which results in a heap buffer overflow[2].
ReturnWrite allows attacker to leak GPU process's heap data to the content process.
The provided patch.diff file simulates a compromised content process that may potentially cause the GPU process to crash. To reproduce the vulnerability, apply the patch and open the index.html.
[1] https://searchfox.org/mozilla-central/source/gfx/2d/RecordedEventImpl.h#3215
[2] https://searchfox.org/mozilla-central/source/gfx/layers/RecordedCanvasEventImpl.h#364
|
||
Updated•9 months ago
|
|
||
Updated•9 months ago
|
|
|
||
Comment 3•9 months ago
|
||
I can't tell from the the ASAN output that this is the GPU process crashing, but if it is then this could be a stepping stone to a sandbox escape. If it's crashing the same patched process then this wouldn't be valid. I'll rate it based on the reporter's claims but have not verified it.
|
|
||
Updated•9 months ago
|
|
||
Comment 4•9 months ago
|
||
I was unable to reproduce on Linux with an ASan build.
I apologize for the lack of information. This bug can only be triggered on windows.
|
Assignee | |
Updated•9 months ago
|
|
|
Assignee | |
Updated•9 months ago
|
|
||
Comment 6•9 months ago
|
||
We just need CheckedInt<size_t> validation like here: https://searchfox.org/mozilla-central/rev/0816653c3ab851fa0e362eaec48c643fb764eaf4/dom/canvas/ImageData.cpp#56-60
|
|
Assignee | |
Comment 7•9 months ago
|
||
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
|
Assignee | |
Comment 8•9 months ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Moderately. It's clear that the patch is validating size data sent in a stream, which implies that the size itself is the source of vulnerability.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Easy to create.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
- Is Android affected?: Unknown
|
||
Comment 9•9 months ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Approved to land and uplift
|
||
Comment 10•9 months ago
|
||
Pushed by bwerth@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a3eb32145f15 Additional validation in RecordedSourceSurfaceCreation. r=gfx-reviewers,jrmuizel
|
|
Assignee | |
Comment 11•9 months ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Beta/Release Uplift Approval Request
- User impact if declined: Hijacked recordings could cause a leak of GPU heap to content process.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fairly simple bounds checking by the deserializer that matches the existing bounds check done by the serializer.
- String changes made/needed:
- Is Android affected?: Unknown
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Hijacked recordings could cause a leak of GPU heap to content process.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fairly simple bounds checking by the deserializer that matches the existing bounds check done by the serializer.
|
||
Comment 12•9 months ago
|
||
|
||
Updated•9 months ago
|
|
||
Comment 13•9 months ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
This will be uplifted to 117 beta and will not be included in the next 116 dot release. If for any reason we do need to take this in the dot release, please feel free to NI me.
|
|
||
Comment 14•9 months ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Approved for 117.0b7
|
|
||
Comment 15•9 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/fe2aaa3aafcf
|
|
||
Updated•9 months ago
|
|
||
Updated•9 months ago
|
|
||
Comment 16•9 months ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Approved for 115.2esr and 102.15esr.
|
|
||
Comment 17•9 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr115/rev/bc14a71e04a2
|
|
||
Updated•9 months ago
|
|
|
||
Comment 18•9 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr102/rev/5528da6e9d7b
|
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
||
Comment 19•8 months ago
|
||
|
|
||
Updated•8 months ago
|
|
|
||
Updated•4 months ago
|
|
|
||
Updated•4 months ago
|
Description
•