Closed Bug 1846694 (CVE-2023-4576) Opened 1 year ago Closed 1 year ago

Integer Overflow in RecordedSourceSurfaceCreation

Categories

(Core :: Graphics, defect, P2)

Unspecified
Windows
defect

Tracking

()

RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr102 117+ fixed
firefox-esr115 117+ fixed
firefox116 --- wontfix
firefox117 + fixed
firefox118 + fixed

People

(Reporter: j51569436, Assigned: bradwerth)

Details

(5 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+])

Attachments

(5 files)

Attached file patch.diff

An integer overflow occurs in RecordedSourceSurfaceCreation::RecordedSourceSurfaceCreation[1], which results in a heap buffer overflow[2].
ReturnWrite allows attacker to leak GPU process's heap data to the content process.

The provided patch.diff file simulates a compromised content process that may potentially cause the GPU process to crash. To reproduce the vulnerability, apply the patch and open the index.html.

[1] https://searchfox.org/mozilla-central/source/gfx/2d/RecordedEventImpl.h#3215
[2] https://searchfox.org/mozilla-central/source/gfx/layers/RecordedCanvasEventImpl.h#364

Flags: sec-bounty?
Attached file crash.asan
Attached file index.html
Group: firefox-core-security → gfx-core-security
Component: Security → Graphics
Product: Firefox → Core
Attachment #9346883 - Attachment mime type: text/x-patch → text/plain

I can't tell from the the ASAN output that this is the GPU process crashing, but if it is then this could be a stepping stone to a sandbox escape. If it's crashing the same patched process then this wouldn't be valid. I'll rate it based on the reporter's claims but have not verified it.

I was unable to reproduce on Linux with an ASan build.

OS: Unspecified → Windows

I apologize for the lack of information. This bug can only be triggered on windows.

Assignee: nobody → bwerth
Severity: -- → S2
Priority: -- → P2
Attachment #9347266 - Attachment description: Bug 1846694: constrain size in RecordedSourceSurfaceCreation. → Bug 1846694: Constrain size in RecordedSourceSurfaceCreation.
Attachment #9347266 - Attachment description: Bug 1846694: Constrain size in RecordedSourceSurfaceCreation. → Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.

Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Moderately. It's clear that the patch is validating size data sent in a stream, which implies that the size itself is the source of vulnerability.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Easy to create.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
  • Is Android affected?: Unknown
Attachment #9347266 - Flags: sec-approval?

Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.

Approved to land and uplift

Attachment #9347266 - Flags: sec-approval? → sec-approval+
Pushed by bwerth@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a3eb32145f15
Additional validation in RecordedSourceSurfaceCreation. r=gfx-reviewers,jrmuizel

Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.

Beta/Release Uplift Approval Request

  • User impact if declined: Hijacked recordings could cause a leak of GPU heap to content process.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fairly simple bounds checking by the deserializer that matches the existing bounds check done by the serializer.
  • String changes made/needed:
  • Is Android affected?: Unknown

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Hijacked recordings could cause a leak of GPU heap to content process.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fairly simple bounds checking by the deserializer that matches the existing bounds check done by the serializer.
Attachment #9347266 - Flags: approval-mozilla-release?
Attachment #9347266 - Flags: approval-mozilla-esr115?
Attachment #9347266 - Flags: approval-mozilla-beta?
Group: gfx-core-security → core-security-release
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch

Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.

This will be uplifted to 117 beta and will not be included in the next 116 dot release. If for any reason we do need to take this in the dot release, please feel free to NI me.

Attachment #9347266 - Flags: approval-mozilla-release? → approval-mozilla-release-

Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.

Approved for 117.0b7

Attachment #9347266 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage] [qa-triaged]
Flags: qe-verify+

Comment on attachment 9347266 [details]
Bug 1846694: Additional validation in RecordedSourceSurfaceCreation.

Approved for 115.2esr and 102.15esr.

Attachment #9347266 - Flags: approval-mozilla-esr115?
Attachment #9347266 - Flags: approval-mozilla-esr115+
Attachment #9347266 - Flags: approval-mozilla-esr102+
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify+ → qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+]
Group: core-security-release
Alias: CVE-2023-4576
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: