out-of-bound access in ShmemTextureReadLock::ReadUnlock
Categories
(Core :: Graphics, defect)
Tracking
()
People
(Reporter: dalmurino, Assigned: nical)
References
Details
(4 keywords, Whiteboard: [client-bounty-form][adv-main129+][adv-ESR115.14+][adv-ESR128.1+])
Attachments
(4 files)
|
7.12 KB,
text/x-patch
|
Details | |
|
8.26 KB,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
dveditz
:
approval-mozilla-beta+
dmeehan
:
approval-mozilla-esr115+
dmeehan
:
approval-mozilla-esr128+
dveditz
:
sec-approval+
|
Details | Review |
|
234 bytes,
text/plain
|
Details |
In |ReadUnlock()|, |mShmemSection|'s memory region is accessed without validation of offset1. An attacker can achieve an out of bound decrement using this vulnerability. It can manipulate the field of adjacent objects (e.g., length, Reference count, etc.) and there are already many public exploits related to this.
I attempted to get ASAN report but sadly, it didn't work. I guess that ASAN doesn't recognize |PR_ATOMIC_DECREMENT| macro. Therefore, I explain out of bound decrement with a callstack and some logs.
With the attached file, you can see that |info->readCount|, the argument of |PR_ATOMIC_DECREMENT|, is out of the memory region of |mShmemSection| and the destination is in another memory region.
Besides |ReadUnlock()|, the constructors of |ReadLock|, |GetReadCount| and |ShmemTextureReadLock| also have a similar pattern. Though I've only found the way to |ReadUnlock()|, I suggest adding some checks for the offset.
REPRODUCTION CASE
Type of vulnerbility: GPU Process
To reproduce crash, please follow these steps:
Apply patch.diff
Open https://webrtc.github.io/samples/src/content/capture/video-pc/ in browser
// patch.diff emulates a compromised content process
Even if running this Poc on the ASAN build, it is unlikely that a crash or ASAN report will occur. I recommend using a debugger to identify the point where the vulnerability occurs.
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Comment 2•1 year ago
|
||
I think this qualifies as a sandbox escape.
|
||
Updated•1 year ago
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 3•1 year ago
|
||
The severity field is not set for this bug.
:bhood, could you have a look please?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 4•1 year ago
|
||
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 5•1 year ago
|
||
Comment on attachment 9410512 [details]
Bug 1902307 - Better validate shm sections. r=#gfx-reviewers
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The attacker needs to compromise the content process first. See comment 0 for more details about what the attacker could do then.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all of them
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: The patch applied and builds on beta and central
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely
- Is the patch ready to land after security approval is given?: Yes
- Is Android affected?: Yes
|
|
Assignee | |
Comment 6•1 year ago
|
||
Comment on attachment 9410512 [details]
Bug 1902307 - Better validate shm sections. r=#gfx-reviewers
Beta/Release Uplift Approval Request
- User impact if declined: Security vulnerability
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It is a rather simple change where we use two separate types to represent the untrusted and the validated version of something with simple validation between the two.
- String changes made/needed: None
- Is Android affected?: Yes
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 7•1 year ago
|
||
Comment on attachment 9410512 [details]
Bug 1902307 - Better validate shm sections. r=#gfx-reviewers
sec-approval+ = dveditz, and a+ for early beta uplift.
|
|
||
Comment 9•1 year ago
|
||
|
||
Comment 10•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 11•1 year ago
|
||
Comment on attachment 9410512 [details]
Bug 1902307 - Better validate shm sections. r=#gfx-reviewers
Approved for 115.14esr
|
|
||
Comment 12•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
|
||
Comment 13•1 year ago
|
||
Comment on attachment 9410512 [details]
Bug 1902307 - Better validate shm sections. r=#gfx-reviewers
Approved for 128.1esr.
|
|
||
Comment 14•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 15•1 year ago
|
||
|
|
||
Updated•1 year ago
|
|
|
||
Updated•11 months ago
|
Description
•