Integer Overflow in RecordedSourceSurfaceCreation
Categories
(Core :: Graphics, defect, P2)
Tracking
()
People
(Reporter: j51569436, Assigned: bradwerth)
Details
(5 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+])
Attachments
(5 files)
1.41 KB,
text/plain
|
Details | |
22.65 KB,
text/plain
|
Details | |
328 bytes,
text/html
|
Details | |
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-release-
RyanVM
:
approval-mozilla-esr102+
RyanVM
:
approval-mozilla-esr115+
tjr
:
sec-approval+
|
Details | Review |
274 bytes,
text/plain
|
Details |
An integer overflow occurs in RecordedSourceSurfaceCreation::RecordedSourceSurfaceCreation[1], which results in a heap buffer overflow[2].
ReturnWrite allows attacker to leak GPU process's heap data to the content process.
The provided patch.diff file simulates a compromised content process that may potentially cause the GPU process to crash. To reproduce the vulnerability, apply the patch and open the index.html.
[1] https://searchfox.org/mozilla-central/source/gfx/2d/RecordedEventImpl.h#3215
[2] https://searchfox.org/mozilla-central/source/gfx/layers/RecordedCanvasEventImpl.h#364
Updated•1 year ago
|
Updated•1 year ago
|
Comment 3•1 year ago
|
||
I can't tell from the the ASAN output that this is the GPU process crashing, but if it is then this could be a stepping stone to a sandbox escape. If it's crashing the same patched process then this wouldn't be valid. I'll rate it based on the reporter's claims but have not verified it.
Updated•1 year ago
|
Comment 4•1 year ago
|
||
I was unable to reproduce on Linux with an ASan build.
I apologize for the lack of information. This bug can only be triggered on windows.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Updated•1 year ago
|
Comment 6•1 year ago
|
||
We just need CheckedInt<size_t> validation like here: https://searchfox.org/mozilla-central/rev/0816653c3ab851fa0e362eaec48c643fb764eaf4/dom/canvas/ImageData.cpp#56-60
Assignee | ||
Comment 7•1 year ago
|
||
Updated•1 year ago
|
Updated•1 year ago
|
Assignee | ||
Comment 8•1 year ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Moderately. It's clear that the patch is validating size data sent in a stream, which implies that the size itself is the source of vulnerability.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Easy to create.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
- Is Android affected?: Unknown
Comment 9•1 year ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Approved to land and uplift
Comment 10•1 year ago
|
||
Assignee | ||
Comment 11•1 year ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Beta/Release Uplift Approval Request
- User impact if declined: Hijacked recordings could cause a leak of GPU heap to content process.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fairly simple bounds checking by the deserializer that matches the existing bounds check done by the serializer.
- String changes made/needed:
- Is Android affected?: Unknown
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Hijacked recordings could cause a leak of GPU heap to content process.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fairly simple bounds checking by the deserializer that matches the existing bounds check done by the serializer.
Comment 12•1 year ago
|
||
Updated•1 year ago
|
Comment 13•1 year ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
This will be uplifted to 117 beta and will not be included in the next 116 dot release. If for any reason we do need to take this in the dot release, please feel free to NI me.
Comment 14•1 year ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Approved for 117.0b7
Comment 15•1 year ago
|
||
uplift |
Updated•1 year ago
|
Updated•1 year ago
|
Comment 16•1 year ago
|
||
Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.
Approved for 115.2esr and 102.15esr.
Comment 17•1 year ago
|
||
uplift |
Updated•1 year ago
|
Comment 18•1 year ago
|
||
uplift |
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Comment 19•1 year ago
|
||
Updated•1 year ago
|
Updated•11 months ago
|
Updated•11 months ago
|
Updated•6 months ago
|
Description
•