Firefox WebGL DrawArrays Heap-Buffer-Overflow Vulnerability (Mesa VM driver / Linux)
Categories: Core :: Graphics: CanvasWebGL, defect
People: Reporter: d4ni31, Unassigned
Attachments: 1 file (18.08 KB, text/html)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Steps to reproduce:
Vulnerability Title
- Firefox WebGL DrawArrays Heap-Buffer-Overflow Vulnerability
Summary
- This vulnerability is very similar to bug 1843782 and bug 1865531.
- A Heap-Buffer-Overflow Vulnerability exists in the WebGL DrawArrays.
- An attacker must open an arbitrarily generated HTML file to exploit this vulnerability.
- Exploiting this vulnerability can lead to a privileged process, enabling a sandbox escape.
Test environment
- Product : Firefox 120 (Stable) & Firefox 121.0a1 (Dev)
- VM : Virtualbox 7.0.8
- GUEST OS : Ubuntu Desktop 23.04
Root Cause Analysis
- Firefox Address Sanitizer
=================================================================
==2714==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x53100008b6c8 at pc 0x55948fcefd71 bp 0x7f6ae71b5710 sp 0x7f6ae71b4ec8
READ of size 84704 at 0x53100008b6c8 thread T29
#0 0x55948fcefd70 in memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115:5
#1 0x7f6ab1a4c961 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa4c961) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#2 0x7f6ab1a5da8c (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa5da8c) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#3 0x7f6ab1a3873c (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa3873c) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#4 0x7f6ab1a3c7a2 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa3c7a2) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#5 0x7f6ab1a38f32 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa38f32) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#6 0x7f6ab1a38ffc (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa38ffc) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#7 0x7f6ab1a39073 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa39073) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#8 0x7f6ab1a2cc2c (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa2cc2c) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#9 0x7f6ab12f3b54 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0x2f3b54) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
#10 0x7f6b02391ad1 in raw_fDrawArrays /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:1069:5
#11 0x7f6b02391ad1 in mozilla::gl::GLContext::fDrawArrays(unsigned int, int, int) /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:1083:5
#12 0x7f6b0238e631 in mozilla::WebGLContext::DrawArraysInstanced(unsigned int, int, int, int) /builds/worker/checkouts/gecko/dom/canvas/WebGLContextDraw.cpp:827:13
#13 0x7f6b0246bd89 in DrawArraysInstanced /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h:750:15
#14 0x7f6b0246bd89 in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 100ul, void (mozilla::HostWebGLContext::*)(unsigned int, int, int, int) const, &mozilla::HostWebGLContext::DrawArraysInstanced(unsigned int, int, int, int) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned int, int, int, int>(auto&...) const /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:253:13
#15 0x7f6b0241a08b in __invoke_impl<bool, (lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned int &, int &, int &, int &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#16 0x7f6b0241a08b in __invoke<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned int &, int &, int &, int &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#17 0x7f6b0241a08b in __apply_impl<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned int, int, int, int> &, 0UL, 1UL, 2UL, 3UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#18 0x7f6b0241a08b in apply<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned int, int, int, int> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
''' cut
- Linux vmwgfx_dri.so Driver Crash Point
char *__fastcall sub_A4C890(unsigned int *a1)
{
  char *v2; // r8
  char *v3; // rdi
  size_t v4; // rbp
  char *result; // rax
  unsigned int v6; // r14d
  unsigned __int64 v7; // r12
  __int64 v8; // rax

  sub_A4C670(a1, 6197LL);
  sub_A4C670(a1, 4 * a1[5268] + 2);
  v2 = (char *)*((_QWORD *)a1 + 2);
  v3 = (char *)*((_QWORD *)a1 + 1);
  v4 = 16LL * a1[5268];
  result = (char *)(v4 + *((_QWORD *)a1 + 2) - (_QWORD)v3);
  if ( *a1 > (unsigned __int64)result )
  {
LABEL_7:
    result = (char *)memcpy(v2, a1 + 1169, v4); // Heap Buffer Overflow!
    *((_QWORD *)a1 + 2) += v4;
    *((_BYTE *)a1 + 21160) = 1;
  }
  ''' cut
  return result;
}
- When using WebGL2 in Firefox on Linux, invoking the DrawArrays function during the processing of a substantial amount of data in the shader leads to a Heap Buffer Overflow.
- In the WebGL implementation in Firefox, the DrawArrays operation results in a call into the GPU driver. On Linux with Mesa as the backend, an Out-of-Bounds (OOB) access is triggered in the memcpy function during the data-processing phase.
- Ultimately, this vulnerability occurs in the Firefox Privileged Process, making it a potential vulnerability for Sandbox Escape. Reproducing the vulnerability results in a crash in the Browser Process.
Proof-of-Concept
- Please check the attached file!
Reproduce
- open the attached poc.html in Firefox
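As an added triage example (not part of the report, nor Firefox or Mesa code), the following Python script parses the AddressSanitizer output quoted above, skips ASan's own memcpy interceptor frame, attributes the oversized read to the module it lands in (here the unsymbolized vmwgfx_dri.so driver) and records the innermost Gecko frame that issued the GL call. The embedded excerpt is copied from this report with some frames omitted; the path rules used to classify symbolized frames (compiler-rt/lib/asan as the sanitizer runtime, checkouts/gecko as browser code) are assumptions about this build's layout, and the `_dri.so` suffix test is a heuristic for "crash is inside a Mesa DRI driver".

```python
"""Added ASan triage helper; not from the bug report or from Firefox/Mesa."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Excerpt copied from the ASan report in this bug; frames 3-8 and 13-18 are
# omitted here and do not change the triage result.
SAMPLE_REPORT = """\
==2714==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x53100008b6c8 at pc 0x55948fcefd71 bp 0x7f6ae71b5710 sp 0x7f6ae71b4ec8
READ of size 84704 at 0x53100008b6c8 thread T29
    #0 0x55948fcefd70 in memcpy /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115:5
    #1 0x7f6ab1a4c961 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa4c961) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
    #2 0x7f6ab1a5da8c (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0xa5da8c) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
    #9 0x7f6ab12f3b54 (/usr/lib/x86_64-linux-gnu/dri/vmwgfx_dri.so+0x2f3b54) (BuildId: d04a40e4062a8d444ff6f23d4fe768215b2e32c7)
    #10 0x7f6b02391ad1 in raw_fDrawArrays /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:1069:5
    #11 0x7f6b02391ad1 in mozilla::gl::GLContext::fDrawArrays(unsigned int, int, int) /builds/worker/checkouts/gecko/gfx/gl/GLContext.h:1083:5
    #12 0x7f6b0238e631 in mozilla::WebGLContext::DrawArraysInstanced(unsigned int, int, int, int) /builds/worker/checkouts/gecko/dom/canvas/WebGLContextDraw.cpp:827:13
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ (.*)$")
UNSYM_RE = re.compile(r"^\(([^+)]+)\+(0x[0-9a-f]+)\)")


@dataclass
class Frame:
    index: int
    module: str            # shared object or source tree the frame belongs to
    symbol: Optional[str]  # None when ASan could not symbolize the frame
    location: str          # file:line:col, or module+offset when unsymbolized


def module_of_source(location: str) -> str:
    # Assumed layout of this Firefox build: compiler-rt/lib/asan is the
    # sanitizer runtime, checkouts/gecko is the browser's own tree.
    if "/compiler-rt/lib/asan/" in location:
        return "asan-runtime"
    if "/checkouts/gecko/" in location:
        return "gecko"
    return "unknown"


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    index, rest = int(m.group(1)), m.group(2)
    if rest.startswith("in "):
        # Symbolized frame: "<symbol, may contain spaces> <file:line:col>".
        symbol, _, location = rest[3:].rpartition(" ")
        return Frame(index, module_of_source(location), symbol, location)
    u = UNSYM_RE.match(rest)
    if u:
        # Unsymbolized frame: "(<module path>+<offset>) (BuildId: ...)".
        path, offset = u.group(1), u.group(2)
        return Frame(index, PurePosixPath(path).name, None, f"{path}+{offset}")
    return Frame(index, "unknown", None, rest)


def triage(report: str) -> dict:
    """Summarize an ASan report: what faulted, where, and which frames lack symbols."""
    pid = kind = access = None
    frames = []
    for raw in report.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            pid, kind = int(h.group(1)), h.group(2)
            continue
        a = ACCESS_RE.match(line)
        if a:
            access = {"op": a.group(1), "size": int(a.group(2)), "thread": a.group(4)}
            continue
        f = parse_frame(line)
        if f:
            frames.append(f)
    # Frame #0 is ASan's memcpy interceptor; the first frame outside the
    # sanitizer runtime is where the oversized access was actually issued.
    fault = next((f for f in frames if f.module != "asan-runtime"), None)
    # The innermost Gecko frame is the browser call that handed control to the driver.
    entry = next((f for f in frames if f.module == "gecko"), None)
    return {
        "pid": pid,
        "kind": kind,
        "access": access,
        "fault_module": fault.module if fault else None,
        "fault_frame": fault.index if fault else None,
        "browser_entry": entry.symbol if entry else None,
        "needs_symbols": [f.index for f in frames if f.symbol is None],
    }


def is_driver_crash(summary: dict) -> bool:
    """Heuristic: the faulting frame lies in a Mesa DRI driver (*_dri.so)."""
    return bool(summary["fault_module"]) and summary["fault_module"].endswith("_dri.so")


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The `needs_symbols` list is the practical takeaway for this report: every driver-side frame is unsymbolized, and the BuildId that ASan prints next to each one identifies the exact vmwgfx_dri.so debug package needed before the crash point can be named rather than given as an offset. A check like `is_driver_crash` is the kind of routing decision behind the driver-blocklist mitigation discussed in the comments, as opposed to treating the report as a bug in Gecko itself.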
Comment 1 (Reporter, 2 years ago):
This issue can be mitigated with the addition of blocklisting in the Mesa driver (bug 1843782).
However, blocking driver access through blocklisting is only a preliminary measure.
Comment 2 (Reporter, 2 years ago):
Hello,
Could you please update the status of this issue?
Comment 3 (2 years ago):
I am not sure how this bug meaningfully differs from bug 1843782 - it contains the same shader compiler heap buffer overflow as in that bug, which we have a solid idea of how to fix (lowering a limit in the ANGLE shader validator so it can't overflow this limit in Mesa, fixing Mesa, and of course the software rendering blocklist that we are putting in place).
Is it demonstrating a different mechanism of vulnerability or is it just the same shader compiler heap buffer overflow as the main mechanism?
Comment 4 (Reporter, 2 years ago):
Since this uses the same mechanism, it added a dependency on the previously reported bug 1843782. However, I find this questionable. Upon reviewing reports related to Mesa in Firefox so far, there seem to be several recent shader issues. It remains uncertain whether these bugs can be completely prevented.
If bug 1843782 gets patched, please keep this report in the fixed state.
Thank you.
Comment 5 (Reporter, 2 years ago):
This bug, which depended on Bug 1843782, has been fixed. Could you please update the status of this?