1910306 - (CVE-2024-7526) WebGL in Firefox does not pre-initialize out-variable that lead to possible vulnerability/leak (mac/linux/android)

Status: RESOLVED FIXED

(Core :: Graphics: CanvasWebGL, defect, P1)

Description

[s48gs.w]

Attachment: screenshot of bug-pattern change

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0

Steps to reproduce:

This is only AMD GPU OpenGL Firefox in Linux bug.
AMD GPU - required.
Linux - required.

I tested bug on Vega8 integrated GPU.
I tested bug on Firefox 127, 129, 130 - works same.

Why this is Firefox bug - because on same PC in Chrome this bug not happening - because Chrome pre-initialize all "out" variables.

Bug:
0. Linux - Firefox - AMD GPU

1. visit https://www.shadertoy.com/view/XcjyWz
2. if you see noise on Shadertoy canvas - bug is working.
3. Now open any active-redraw anything, even youtube video in other tab/browser - and look on pattern change.

That fact that "color" or/and pattern of noise change/depends from outside activity - is bug.
And in case of integrated GPU - where GPU VRAM allocated in RAM - it may be possible to "do more" with this bug.

Actual results:

Watch this video of this bug working:
https://youtu.be/sZFNDh3JzfI

Screenshots from this video in attachment.

Expected results:

No noise on screen, color not leaking.

Comment 1

[Kelsey Gilbert [:jgilbert]]

ANGLE bug was fixed: https://chromium-review.googlesource.com/c/angle/angle/+/4375137

Comment 2

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1910306 - [angle] Cherry-pick zero-initialization of unwritten GLSL out params.

Comment 3

[Kelsey Gilbert [:jgilbert]]

[Tracking Requested - why for this release]: sec-high that we want to fix before 129 goes to Release.

Comment 4

[Kelsey Gilbert [:jgilbert]]

[Tracking Requested - why for this release]: sec-high that we want to fix before 129 goes to Release.

I don't think we want to try to push this into 128, but we should make sure it gets in 129, and goes back to ESRs.

Comment 5

[Andrew McCreight [:mccr8]]

Marking sec-high per comment 3. That sounds like a reasonable rating to me.

Following the link in the commit from comment 1, it looks like a fix was landed in March 2023. Kind of odd that the chromium issue is still closed.

Comment 6

[Kelsey Gilbert [:jgilbert]]

It looks like this should apply cleanly to all backports: beta129, esr128, and esr115! :D

Comment 7

[Donal Meehan [:dmeehan]]

:jgilbert/:dveditz we are in RC week for Fx129
Fx129 is already in release and we have already built ESR128 and ESR115 release candidates.
Wondering if this should wait for Fx130 and it's corresponding ESR128/ESR115 releases?

Comment 8

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 9416686 [details]
Bug 1910306 - [angle] Cherry-pick zero-initialization of unwritten GLSL out params.

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Moderate difficulty to develop an exploit to gather eavesdropped gpu data. Weaponizing sounds hard but not impossible.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
• Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: Yes
• If not, how different, hard to create, and risky will they be?:
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely, since this is what ANGLE patched upstream, but there is risk that there was a follow-up to fix a regression there that I didn't notice.
  CI testing will assure reliability.
  Manual testing should be done to confirm that the patch works though.
• Is the patch ready to land after security approval is given?: Yes
• Is Android affected?: Yes

Comment 9

[Daniel Veditz [:dveditz]]

Comment on attachment 9416686 [details]
Bug 1910306 - [angle] Cherry-pick zero-initialization of unwritten GLSL out params.

sec-approval+ = dveditz for landing in 130/mozilla-central.

It can't really hurt too much to land the patch now since the ANGLE fix has been public for over a year. On the other hand, if chrome didn't announce the fix (their bug is still private) people might have missed the ANGLE version and we're giving them another chance to discover it now. I think that's OK: this appears to be mainly a memory disclosure issue and not memory corruption.

This isn't a "stop-ship/chemspill" kind of bug so I think we have to live with having missed RC. I'd love to get it into any point release as a ride-along, though. The main complication is we need to fix all the branches and we don't always do point releases for ESR.

Comment 10

[Daniel Veditz [:dveditz]]

(In reply to Andrew McCreight [:mccr8] from comment #5)

Following the link in the commit from comment 1, it looks like a fix was landed in March 2023. Kind of odd that the chromium issue is still closed.

I can easily imagine that one or more other bugs might cause Chrome to update the ANGLE changeset they pull (they do that all the time), and then Chrome picks up all the fixes in between without consciously tracking them. But this diff is explicitly tagged with a chromium bug number and not an angle bug which makes very unlikely they just "accidentally" fixed it without their tree and sheriff bots noticing. Curious.

Comment 11

[Daniel Veditz [:dveditz]]

[Tracking Requested - why for this release]:

It would be safer to fix this as a ride-along in a 129-and-equivalent-ESRs point release. But if we don't do an ESR point release (and we usually don't) then it's probably safe enough to wait until 130. But looking at comment 4 maybe Kelsey knows something about this patch that we don't.

Comment 12

[Daniel Veditz [:dveditz]]

restoring Kelsey's needinfo for Donal's question in comment 7. I suspect it was cleared unintentionally when adding the sec-approval request (happens to me all the time)

Comment 13

[Donal Meehan [:dmeehan]]

We could respin 129.0 RC, 128.1esr, and 115.14esr to include this before next week's go-live.
To include this the patch would need to land today and get uplift requests for release, esr115, and esr128.
Then we are all set to respin the RC builds tomorrow.

Comment 14

[Kelsey Gilbert [:jgilbert]]

@ahale says:

confirmed that your fix works on the Framework 13 AMD laptop running Linux Mint 22, I built it with and without your patch and the shadertoy display is black with your patch, uninitialized data noise without your patch

Comment 15

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1910306 - [angle] Cherry-pick zero-initialization of unwritten GLSL out params.

Original Revision: https://phabricator.services.mozilla.com/D218019

Comment 16

[Pulsebot]

Pushed by jgilbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/94848c2cb22e
[angle] Cherry-pick zero-initialization of unwritten GLSL out params. r=gfx-reviewers,nical

Comment 17

[Phabricator Automation]

beta Uplift Approval Request

• User impact if declined: sec-high
• Code covered by automated testing: no
• Fix verified in Nightly: yes
• Needs manual QE test: yes
• Steps to reproduce for manual QE testing: Testing steps in bug description
• Risk associated with taking this patch: Low
• Explanation of risk level: Patch for this purpose from upstream, vetted and baked there.
• String changes made/needed: none
• Is Android affected?: yes

Comment 18

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1910306 - [angle] Cherry-pick zero-initialization of unwritten GLSL out params.

Original Revision: https://phabricator.services.mozilla.com/D218019

Comment 19

[Phabricator Automation]

esr128 Uplift Approval Request

• User impact if declined: sec-high
• Code covered by automated testing: no
• Fix verified in Nightly: yes
• Needs manual QE test: yes
• Steps to reproduce for manual QE testing: Test steps in bug description
• Risk associated with taking this patch: low
• Explanation of risk level: Targetting cherry-picked patch, vetted and baked upstream
• String changes made/needed: none
• Is Android affected?: yes

Comment 20

[Kelsey Gilbert [:jgilbert]]

@ahale says:

confirmed that your fix works on the Framework 13 AMD laptop running Linux Mint 22, I built it with and without your patch and the shadertoy display is black with your patch, uninitialized data noise without your patch

Comment 21

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1910306 - [angle] Cherry-pick zero-initialization of unwritten GLSL out params.

Original Revision: https://phabricator.services.mozilla.com/D218019

Comment 22

[Phabricator Automation]

esr115 Uplift Approval Request

• User impact if declined: sec-high
• Code covered by automated testing: no
• Fix verified in Nightly: yes
• Needs manual QE test: yes
• Steps to reproduce for manual QE testing: Testing steps in bug description
• Risk associated with taking this patch: low
• Explanation of risk level: Targetted patch, vetted and baked upstream
• String changes made/needed: none
• Is Android affected?: yes

Comment 23

[Kelsey Gilbert [:jgilbert]]

Windows is unaffected, but Mac, Linux, and Android are affected.

Comment 24

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/94848c2cb22e

Comment 25

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:jgilbert, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Comment 26

[Donal Meehan [:dmeehan]]

This already has the required uplift requests

Comment 27

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-release/rev/2d113ed75bf0

Comment 28

[Bogdan Maris, Desktop Test Engineering]

Reproduced the issue described in comment 0 using a machine with AMD Radeon HD5450 (Cedar) and AMD® Fx(tm)-8320 eight-core processor on Firefox 129.0 (Ubuntu 22.04).
Verified that using latest Nightly build 130.0a1 from treeherder containing the fix there is no noise in the demo website at all, not even if I open a few videos in Nightly or other browser.

Comment 29

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr128/rev/5b6dd31f9ddf

Comment 30

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr115/rev/e1174a2473ad

Comment 31

[Tyson Smith [:tsmith]]

Attachment: advisory.txt

Comment 32

[Bogdan Maris, Desktop Test Engineering]

Also verified using latest builds of Firefox 115.14.0esr, Firefox 128.1.0esr and Firefox 129.0 with the fix on the same machine used to reproduce this and this is no longer an issue.