Closed Bug 1924184 (CVE-2024-11691) Opened 1 year ago Closed 1 year ago

[#1, Incomplete patch and variant vulnerabilities of 1914707] Parent Process (Unsandboxed) Out-Of-Bounds Write in WebGL CreateSampler

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Firefox 131
ARM64
macOS
defect

Tracking

RESOLVED FIXED
134 Branch
Tracking Status

Branch          Tracking  Status
firefox-esr115  133+      verified
firefox-esr128  133+      verified
firefox131      ---       wontfix
firefox132      ---       wontfix
firefox133      +         verified
firefox134      +         verified

People

(Reporter: d4ni31, Assigned: jgilbert)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [Disclosure deadline 2025-01-10][adv-main133+][adv-esr115.18+][adv-esr128.5+])

Attachments

(4 files, 4 obsolete files)

Attached file 0-Day_firefox-MozFramebuffer-OOB-Write.html (obsolete)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36

Steps to reproduce:

High-level overview of the vulnerability and the possible effect of using it

  • An Out-Of-Bounds Write Vulnerability exists in the WebGL CreateSampler.

  • An attacker must open an arbitrary generated HTML file to exploit this vulnerability.

  • Exploiting this vulnerability can lead to a privileged process (GPU Process), enabling a sandbox escape.

    • like : CVE-2023-6856 => Heap-Buffer-Overflow Sandbox Escape in Mozilla Firefox WebGL

Exact product that was found to be vulnerable including complete version information

  • OS : macOS Beta 15.1 (24B5070a) => Apple Macbook M1 Pro

  • Product : Mozilla Firefox 131.0.2 (release) and 133.0a1 (2024-10-11)

  • Important : Since this vulnerability is OS dependent, please test it on the M1 real machine using Apple's ARM silicon. (You may not be able to do this in a VM. The GPU configuration inside the VM is different from that of the real machine.)

Details

  • This vulnerability is a variant of 1914707 and is evidence that the vulnerability in 1914707 has not been fully patched.

  • Tested on 133.0a1 (2024-10-11) with patch 1914707 applied.

  • Other details are the same as 1914707.

Proof-of-Concept

  • Open poc.html in the attached file with Mozilla Firefox. (Apple M1 Pro Real-Machine)
  • Now, if the Browser Process is corrupted, it is capable of sandbox escape.

Deadline

This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is "2025-01-10"

Actual results:

.

Expected results:

.

Attachment #9430474 - Attachment is obsolete: true
Summary: [#1, Incomplete patch and variant vulnerabilities of 1914707] Parent Process (Unsandboxed) Out-Of-Bounds Write in WebGL MozFramebuffer → [#1, Incomplete patch and variant vulnerabilities of 1914707] Parent Process (Unsandboxed) Out-Of-Bounds Write in WebGL CreateSampler

Please do not dup this bug with other [#N Incomplete patch and variant vulnerabilities of 1914707], as this may result in other variant cases. Each case requires a review of the patch.

Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: CanvasWebGL
Product: Firefox → Core
Depends on: 1914707
Keywords: csectype-bounds
Whiteboard: [Disclosure deadline 2025-01-10]

With bug 1914707 getting patched in Firefox 132 and equivalent ESRs, we need to patch the rest of this batch in 133. We don't want people getting inspired to poke around looking for other places that need the equivalent patch.

11 new "sec-high" bugs isn't useful so I'm using this one as a kind of meta bug placeholder. If this gets fixed before some of the others then we should transfer the sec-high to the remaining open ones so they don't drop off the radar.

We fixed bug 1914707 on the ESR-115 branch, but we didn't have to: 115.15 was the last supported release for any macOS new enough to run on Apple Silicon. We are still supporting the ESR-115 branch for a few more releases, but only for end-of-life OSes Windows 7/8 and macOS 10.12-10.14. Those Mac versions only run on Intel chips.

OS: Unspecified → macOS
Hardware: Unspecified → ARM64

The bug is marked as tracked for firefox133 (nightly). However, the bug still isn't assigned.

:bhood, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(bhood)
Assignee: nobody → jgilbert
Flags: sec-bounty?

:jgilbert this is tracked for Fx133, but there is little time left since next week is the final week of beta.
Are there any concerns with having a patch in time?

Flags: needinfo?(jgilbert)

(In reply to Donal Meehan [:dmeehan] from comment #6)

:jgilbert this is tracked for Fx133, but there is little time left since next week is the final week of beta.
Are there any concerns with having a patch in time?

:dveditz next week is the final week of beta for Fx133.
Mentioning this since you tracked this for Fx133

Flags: needinfo?(dveditz)

Testcase crash

Process 57777 stopped
* thread #50, name = 'CanvasRenderer', queue = 'OpenGLMT', stop reason = EXC_BAD_ACCESS (code=2, address=0x12f540000)
    frame #0: 0x00000001f21169e8 GLEngine`gleLLVMStoreDataToOutFloatInFloat + 68
GLEngine`gleLLVMStoreDataToOutFloatInFloat:
->  0x1f21169e8 <+68>: str    s0, [x8]
    0x1f21169ec <+72>: cmp    w9, #0x2
    0x1f21169f0 <+76>: b.lo   0x1f2116aac    ; <+264>
    0x1f21169f4 <+80>: str    wzr, [x8, #0x4]
Target 0: (firefox) stopped.

Backtrace

(lldb) bt 20
* thread #50, name = 'CanvasRenderer', queue = 'OpenGLMT', stop reason = EXC_BAD_ACCESS (code=2, address=0x12f540000)
  * frame #0: 0x00000001f21169e8 GLEngine`gleLLVMStoreDataToOutFloatInFloat + 68
    frame #1: 0x00000001f21156b8 GLEngine`gleRunVertexSubmitImmediate + 3548
    frame #2: 0x00000001f20afa68 GLEngine`gleDrawArraysOrElements_ExecCore + 624
    frame #3: 0x00000001f20a5eb8 GLEngine`glDrawArraysInstanced_STD_GL3Exec + 544
    frame #4: 0x00000001f20a598c GLEngine`glDrawArrays_UnpackThread + 48
    frame #5: 0x00000001f20cdd94 GLEngine`gleCmdProcessor + 120
    frame #6: 0x000000019aeb13e8 libdispatch.dylib`_dispatch_client_callout + 20
    frame #7: 0x000000019aec08d8 libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 56
    frame #8: 0x00000001f206b8bc GLEngine`glGenSamplers_ExecThread + 44
    frame #9: 0x0000000115998038 XUL`mozilla::WebGLSampler::WebGLSampler(mozilla::WebGLContext*) [inlined] mozilla::gl::GLContext::fGenSamplers(this=0x000000012fed7400, count=1, samplers=0x0000000172dae124) at GLContext.h:3112:5 [opt]
    frame #10: 0x0000000115998008 XUL`mozilla::WebGLSampler::WebGLSampler(mozilla::WebGLContext*) [inlined] mozilla::WebGLSampler::WebGLSampler(mozilla::WebGLContext*)::$_0::operator()(this=<unavailable>) const at WebGLSampler.cpp:17:20 [opt]
    frame #11: 0x0000000115998004 XUL`mozilla::WebGLSampler::WebGLSampler(this=0x000000013096e390, webgl=<unavailable>) at WebGLSampler.cpp:15:47 [opt]
    frame #12: 0x0000000115932630 XUL`mozilla::WebGL2Context::CreateSampler(this=0x00000001362d8800) at WebGL2ContextSamplers.cpp:16:14 [opt]
    frame #13: 0x00000001158ee4b8 XUL`mozilla::HostWebGLContext::CreateSampler(this=0x00000001360c47c0, id=50) at HostWebGLContext.cpp:164:30 [opt]
Flags: needinfo?(jgilbert)

(In reply to Donal Meehan [:dmeehan] from comment #6)

:jgilbert this is tracked for Fx133, but there is little time left since next week is the final week of beta.
Are there any concerns with having a patch in time?

No, not concerned. I don't feel the need to rush on this one.

For what it is worth, the idea behind trying to get the fix for these issues quickly was that we've already shipped a fix for a similar issue, so it'll be easier for people to find variants like these.

bp-2d785406-dc43-4755-b39b-8b2810241108

We have an additional 10 other variations on bug 1914707. It would be better to fix them in one big go than dribble out fixes over many releases which will increasingly attract attention. Plus there are multiple broken websites related to the fix in bug 1914707 that we need to figure out so we can avoid breaking more sites with fixes for these related bugs.

Removing the tracking for 133 -- not realistic.

Crash Signature: [@ gleLLVMStoreDataToOutFloatInFloat ]
Flags: needinfo?(dveditz)
Duplicate of this bug: 1924186
Duplicate of this bug: 1924187
Duplicate of this bug: 1924188
Duplicate of this bug: 1924189
Duplicate of this bug: 1924190
Duplicate of this bug: 1924199
Duplicate of this bug: 1924209
Duplicate of this bug: 1924212
Duplicate of this bug: 1924223

ScopedVertexAttribPointer should really use VAOs where possible, though. (todo)

Duplicate of this bug: 1924217
Blocks: 1929834

[Tracking Requested - why for this release]:
We probably want to fix this in 132, because we are also seeing regressions from the logic issue regression that crept in because of the fix to bug 1914707, such as bug 1929834.

Severity: -- → S2
Priority: -- → P1

There's only one beta build left that could get this in for Fx133, that's if it lands before eod Thursday 2024-11-14

Comment on attachment 9436979 [details]
Bug 1924184 - Handle VertexAttribDivisor in DoFakeVertexAttrib0 and ScopedVertexAttribPointer.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Creating a full exploit from this would be hard, but identifying the bad state we're avoiding isn't that hard for one of the few people well-versed in GL state. (but this is very few people)
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta, release, esr128
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should be easy
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely. I tested it on all of #1-11 fuzzing testcases generated by the Reporter, the previous testcase in bug 1914707, as well as the real-world misrendering in bug 1929834: No issues anymore.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: No
Attachment #9436979 - Flags: sec-approval?
Attachment #9436979 - Flags: approval-mozilla-esr128?
Attachment #9436979 - Flags: approval-mozilla-beta?

Comment on attachment 9436979 [details]
Bug 1924184 - Handle VertexAttribDivisor in DoFakeVertexAttrib0 and ScopedVertexAttribPointer.

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Sec-high, and affected S2+ rendering issues in a couple reported websites, including Ticketmaster seat selection in bug 1929834.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): We tried a fix in this area in bug 1914707 and it caused bug 1929834, so we know our testing is insufficient here.
    I have had two reviewers look at it though, and we think it's good.
  • String changes made/needed: none
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Sec-high, and affected S2+ rendering issues in a couple reported websites, including Ticketmaster seat selection in bug 1929834.
  • User impact if declined: Sec-high, and affected S2+ rendering issues in a couple reported websites, including Ticketmaster seat selection in bug 1929834.
  • Fix Landed on Version: nightly134 and beta133
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): We tried a fix in this area in bug 1914707 and it caused bug 1929834, so we know our testing is insufficient here.
    I have had two reviewers look at it though, and we think it's good.

Comment on attachment 9436979 [details]
Bug 1924184 - Handle VertexAttribDivisor in DoFakeVertexAttrib0 and ScopedVertexAttribPointer.

sec-approved. Do we not need the other patch?

Attachment #9436979 - Flags: sec-approval? → sec-approval+

Comment on attachment 9436555 [details]
Bug 1924184 - Use DoVertexAttrib instead of direct Enable/DisableVertexAttribArray.

We need both patches.

Attachment #9436555 - Flags: sec-approval?
Attachment #9436555 - Flags: approval-mozilla-esr128?
Attachment #9436555 - Flags: approval-mozilla-beta?
Attachment #9436555 - Flags: sec-approval? → sec-approval+
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ecd6e8cb110c Use DoVertexAttrib instead of direct Enable/DisableVertexAttribArray. r=gfx-reviewers,bradwerth https://hg.mozilla.org/integration/autoland/rev/cbe1b21f1d03 Handle VertexAttribDivisor in DoFakeVertexAttrib0 and ScopedVertexAttribPointer. r=gfx-reviewers,lsalzman
Blocks: 1931068
Backout by amarc@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7d29edd4cb62 Backed out 2 changesets for causing reftest failures @ color_quads.html. CLOSED TREE

Backed out for causing reftest failures @ color_quads.html

REFTEST TEST-UNEXPECTED-FAIL | dom/canvas/test/reftest/color_quads.html?desc=straight-alpha&e_context=webgl&e_options={premultipliedAlpha:false}&e_color_o1=rgb(0,0,0,0.95)&e_color_o2=rgb(16,16,16,0.95)&e_color_o3=rgb(235,235,235,0.95)&e_color_o4=rgb(255,255,255,0.95)&e_color_i4=rgb(0,0,0,0) == dom/canvas/test/reftest/color_quads.html?e_color_o1=rgb(14,14,14)&e_color_o2=rgb(30,30,30)&e_color_o3=rgb(237,237,237)&e_color_i1=rgb(128,1,1)&e_color_i
Flags: needinfo?(jgilbert)

Reminder that Monday 2024-11-18 is merge day so little time to land this before the end of this week

Attachment #9436979 - Attachment is obsolete: true
Attachment #9436979 - Flags: approval-mozilla-esr128?
Attachment #9436979 - Flags: approval-mozilla-beta?
Attachment #9436555 - Attachment is obsolete: true
Attachment #9436555 - Flags: approval-mozilla-esr128?
Attachment #9436555 - Flags: approval-mozilla-beta?

Comment on attachment 9437886 [details]
Bug 1924184 - Fix incorrect rendering with FakeVertexAttrib0 and VertexAttribDivisor.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: A whole exploit feels super difficult, but someone knowledgeable might be able to trigger this suspect-looking crash.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all, yes
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Easy, low risk since it's a reversion and a targeted fix that I believe I understand well.
  • How likely is this patch to cause regressions; how much testing does it need?: We have a growing list of testcases that this passes all of, including both this and a previous sec issue, and real world content like the bugs this blocks.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: No
Flags: needinfo?(jgilbert)
Attachment #9437886 - Flags: sec-approval?

Comment on attachment 9437885 [details]
Bug 1924184 - Revert "Bug 1914707 - Disable attrib divisor for non-array attribs."

(see preceding comment)

Attachment #9437885 - Flags: sec-approval?
Flags: needinfo?(bhood)

Comment on attachment 9437886 [details]
Bug 1924184 - Fix incorrect rendering with FakeVertexAttrib0 and VertexAttribDivisor.

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: sec-high with real-world content correctness issues
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): While I believe I understand the issue pretty well now, and the new intervention is very targeted and minimal, we've been burned a bunch here and so we should proceed with caution.
  • String changes made/needed: none
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high with real-world content bugs
  • User impact if declined: sec-high and real-world content bugs (see bugs blocked by this issue, and others)
  • Fix Landed on Version: Depends on what gets approved!
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): While I believe I understand the issue pretty well now, and the new intervention is very targeted and minimal, we've been burned a bunch here and so we should proceed with caution.
Attachment #9437886 - Flags: approval-mozilla-esr128?
Attachment #9437886 - Flags: approval-mozilla-beta?
Attachment #9437885 - Flags: approval-mozilla-esr128?
Attachment #9437885 - Flags: approval-mozilla-beta?

Try run, since this bounced once already:
https://treeherder.mozilla.org/jobs?repo=try&selectedTaskRun=CRyRTilXTA6-ISxuKNSvBg.0&revision=eec95147c88f7e10f786abc8fea6ec37d503a9a5
In particular we're watching the job that got us backed out last time: Android 7.0 x86-64 WebRender debug R-swr-nofis R3.

While I believe I understand the issue pretty well now, and the new intervention is very targeted and minimal, we've been burned a bunch here and so we should proceed with caution.

This is pending sec approval, but it is worth mentioning that next week is RC week, with Fx133 go-live scheduled for 2024-11-26.
There is little bake time before this hits release and esr. If this gets uplifted we need to react quickly to any regressions.
It's already exposed via Autoland where it bounced, so I assume it's not an option to defer this.

Comment on attachment 9437885 [details]
Bug 1924184 - Revert "Bug 1914707 - Disable attrib divisor for non-array attribs."

Approved to land.

Attachment #9437885 - Flags: sec-approval? → sec-approval+

Comment on attachment 9437886 [details]
Bug 1924184 - Fix incorrect rendering with FakeVertexAttrib0 and VertexAttribDivisor.

sec-approval+

Attachment #9437886 - Flags: sec-approval? → sec-approval+
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bf9d4fd0d84e Revert "Bug 1914707 - Disable attrib divisor for non-array attribs." r=gfx-reviewers,lsalzman https://hg.mozilla.org/integration/autoland/rev/c9a8d7ce95f9 Fix incorrect rendering with FakeVertexAttrib0 and VertexAttribDivisor. r=gfx-reviewers,lsalzman

(In reply to Kelsey Gilbert [:jgilbert] from comment #37)

(see preceding comment)

Once you have sec-approval and have landed a patch that gets backed out, I don't think you should need to get sec-approval again to reland a slightly different patch, assuming all of the answers to your questions are the same. I'll talk to tjr to confirm that this is true and then update the sec approval documentation, as I don't see anything there about it. Thanks for your work on this collection of bugs.

See Also: → 1931571
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

(In reply to Donal Meehan [:dmeehan] from comment #40)

While I believe I understand the issue pretty well now, and the new intervention is very targeted and minimal, we've been burned a bunch here and so we should proceed with caution.

This is pending sec approval, but it is worth mentioning that next week is RC week, with Fx133 go-live scheduled for 2024-11-26.
There is little bake time before this hits release and esr. If this gets uplifted we need to react quickly to any regressions.
It's already exposed via Autoland where it bounced, so I assume it's not an option to defer this.

I'll be checking in regularly to make sure I'm doing what I can to support any findings!

(In reply to Daniel Veditz [:dveditz] from comment #4)

We fixed bug 1914707 on the ESR-115 branch, but we didn't have to: 115.15 was the last supported release for any macOS new enough to run on Apple Silicon. We are still supporting the ESR-115 branch for a few more releases, but only for end-of-life OSes Windows 7/8 and macOS 10.12-10.14. Those Mac versions only run on Intel chips.

Given that we now know that there were real-world regressions caused by bug 1914707 which impact all platforms, we should fix this on ESR115 also. The patches apply cleanly.

Attachment #9437885 - Flags: approval-mozilla-esr115?
Attachment #9437886 - Flags: approval-mozilla-esr115?

+1 to that. My comment 4 was made before I was aware the original fix caused cross-platform regressions and I was only speaking from a "security" POV. "support" for an ESR also includes fixing new regressions and stability problems.

Comment on attachment 9437885 [details]
Bug 1924184 - Revert "Bug 1914707 - Disable attrib divisor for non-array attribs."

Approved for 133.0 rc1

Attachment #9437885 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9437886 [details]
Bug 1924184 - Fix incorrect rendering with FakeVertexAttrib0 and VertexAttribDivisor.

Approved for 133.0 rc1

Attachment #9437886 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9437885 [details]
Bug 1924184 - Revert "Bug 1914707 - Disable attrib divisor for non-array attribs."

Approved for 128.5esr.

Attachment #9437885 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Comment on attachment 9437886 [details]
Bug 1924184 - Fix incorrect rendering with FakeVertexAttrib0 and VertexAttribDivisor.

Approved for 128.5esr.

Attachment #9437886 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Comment on attachment 9437885 [details]
Bug 1924184 - Revert "Bug 1914707 - Disable attrib divisor for non-array attribs."

Approved for 115.18esr

Attachment #9437885 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Comment on attachment 9437886 [details]
Bug 1924184 - Fix incorrect rendering with FakeVertexAttrib0 and VertexAttribDivisor.

Approved for 115.18esr

Attachment #9437886 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Whiteboard: [Disclosure deadline 2025-01-10] → [Disclosure deadline 2025-01-10][adv-main133+]
Duplicate of this bug: 1927024
Duplicate of this bug: 1929834
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify- → qe-verify+

Reproduced the crash with Firefox 132.0.2 and 133.0a1 (2024-1911) on macOS 15.1 M1 by loading the attached test case from comment 0 and comment 1 in a new tab.
The crash is no longer reproducible by using the attached test cases from comment 0 and comment 1 with Firefox 115.18.0esr, 128.5.0esr, 133.0, and 134.0a1 (2024-11-21) on macOS 15.1 M1.
We have also verified that the pages from bugs are correctly rendered on macOS 15.1 M1, macOS 14, Windows 11 and Ubuntu 22 with Firefox 115.18.0esr, 128.5.0esr, 133.0, and 134.0a1 (2024-11-21).

Attached file advisory.txt (obsolete)
Whiteboard: [Disclosure deadline 2025-01-10][adv-main133+] → [Disclosure deadline 2025-01-10][adv-main133+][adv-esr115.18+]
Whiteboard: [Disclosure deadline 2025-01-10][adv-main133+][adv-esr115.18+] → [Disclosure deadline 2025-01-10][adv-main133+][adv-esr115.18+][adv-esr128.5+]

Hello,

Can I use the CREDIT below?
CREDIT : Dohyun Lee (@l33d0hyun) of USELab, Korea Univ. & Youngho Choi of CEL, Korea Univ.

Hello,

Can I use the CREDIT below?
CREDIT : Dohyun Lee (@l33d0hyun) of USELab, Korea University & Youngho Choi of CEL, Korea University & Geumhwan Cho of USELab, Korea University

Attached file advisory.txt

Updated

Attachment #9439138 - Attachment is obsolete: true
Alias: CVE-2024-11691

Looking at advisory.txt, it seems like the description of this bug is inadequate.

How about writing it with reference to bug 1914707 as follows?

Out-of-bounds write in WebGL
Dohyun Lee (@l33d0hyun) of USELab, Korea University & Youngho Choi of CEL, Korea University & Geumhwan Cho of USELab, Korea University

Certain WebGL operations on Apple silicon M series devices could have led to an exploitable out-of-bounds write. This issue could have allowed an attacker to perform remote code execution and sandbox escape.<br>*This bug only affected Firefox on Apple M series hardware. Other platforms were unaffected.*
Flags: needinfo?(tom)

From a severity and advisory point of view, we treat almost all memory corruption conservatively and rate it high to cover exploitability - even if we are personally unsure of it. But in the actual advisory text, we don't comment on the exploitability of the vulnerabilities in the advisories except in rare instances - we used to include the phrase "could have caused a potentially exploitable crash" but we've stopped doing so after someone incorrectly concluded "If it didn't crash, there was no exploit" (which is obviously wrong.)

I have updated the advisories with some details of your text though https://github.com/mozilla/foundation-security-advisories/commit/1b5cd95a6d5e1b8ff9e77df490fc163e8c59360a

Flags: needinfo?(tom)

I have shared the report with Apple to help them address the root cause of this issue.

See Also: → 1939228
See Also: → 1939225
See Also: → 1938184, 1937294
See Also: 19372941938194
See Also: → 1937097
See Also: → 1937294
Group: core-security-release