Closed Bug 1924189 Opened 7 months ago Closed 6 months ago

[#5, Incomplete patch and variant vulnerabilities of 1914707] Parent Process (Unsandboxed) Out-Of-Bounds Write on WebGL Finish

Categories

(Core :: Graphics: CanvasWebGL, defect)

Firefox 131
ARM64
macOS
defect

Tracking


RESOLVED DUPLICATE of bug 1924184
Tracking Status
firefox-esr115 --- fixed
firefox-esr128 --- fixed
firefox131 --- wontfix
firefox132 --- wontfix
firefox133 --- fixed
firefox134 --- fixed

People

(Reporter: d4ni31, Unassigned)

References

Details

(4 keywords, Whiteboard: [Disclosure deadline 2025-01-10])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36

Steps to reproduce:

High-level overview of the vulnerability and the possible effect of using it

  • An Out-Of-Bounds Write Vulnerability exists in the WebGL Finish.

  • An attacker must open an arbitrarily generated HTML file to exploit this vulnerability.

  • Exploiting this vulnerability can lead to a privileged process (GPU Process), enabling a sandbox escape.

    • like : CVE-2023-6856 => Heap-Buffer-Overflow Sandbox Escape in Mozilla Firefox WebGL

Exact product that was found to be vulnerable including complete version information

  • OS : macOS Beta 15.1 (24B5070a) => Apple MacBook M1 Pro

  • Product : Mozilla Firefox 131.0.2 (release) and 133.0a1 (2024-10-11)

  • Important : Since this vulnerability is OS dependent, please test it on the M1 real machine using Apple's ARM silicon. (You may not be able to do this in a VM. The GPU configuration inside the VM is different from that of the real machine.)

Details

  • This vulnerability is a variant of 1914707 and is evidence that the vulnerability in 1914707 has not been fully patched.

  • Tested on 133.0a1 (2024-10-11) with patch 1914707 applied.

  • Other details are the same as 1914707.

  • Please do not dup this bug with other [#N, Incomplete patch and variant vulnerabilities of 1914707], as this may result in other variant cases. Each case requires a review of the patch.

Proof-of-Concept

  • Open poc.html in the attached file with Mozilla Firefox. (Apple M1 Pro Real-Machine)
  • Now, if the Browser Process is corrupted, it is capable of sandbox escape.

Deadline

This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is "2025-01-10".

Actual results:

.

Expected results:

.

Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: CanvasWebGL
Product: Firefox → Core
Depends on: 1914707
Keywords: csectype-bounds
Whiteboard: [Disclosure deadline 2025-01-10]

These variant bugs should all be fixed in one patch

Depends on: CVE-2024-11691
OS: Unspecified → macOS
Hardware: Unspecified → ARM64
No longer depends on: CVE-2024-11691

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true

The bug is marked as tracked for firefox133 (nightly). However, the bug still isn't assigned.

:bhood, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(bhood)
Severity: -- → S3
Flags: sec-bounty?

This is a reminder regarding comment #3!

The bug is marked as tracked for firefox133 (beta). We have limited time to fix this, the soft freeze is in 14 days. However, the bug still isn't assigned.

Fixed by patch for 1924184.

Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: CVE-2024-11691
Resolution: --- → DUPLICATE
No longer blocks: CVE-2024-11691
Flags: sec-bounty? → sec-bounty-
Group: gfx-core-security → core-security-release
Flags: needinfo?(bhood)
Group: core-security-release
