Closed Bug 1939228 Opened 1 year ago Closed 1 year ago

MacOS Firefox WebGL vertexAttribI4uiv OOB Read

Categories

(Core :: Graphics: CanvasWebGL, defect)

Firefox 135
defect

RESOLVED DUPLICATE of bug 1937097

People

(Reporter: pwn2car, Unassigned)

References

Details

(Keywords: csectype-bounds, reporter-external, sec-high)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36

Steps to reproduce:

  1. Open the HTML file.

  2. I will upload the RCA soon.

  3. My environment is Intel macOS. I think this vulnerability can be triggered on M-series Macs.

Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics
Product: Firefox → Core
See Also: → CVE-2024-11691, 1914707
Component: Graphics → Graphics: CanvasWebGL
See Also: → 1938184
See Also: → 1937294
See Also: 1937294, 1938194
See Also: → 1937097
See Also: → 1937294
Attached file asan.log

RCA

(lldb) c
Process 75022 resuming
Process 75022 stopped
* thread #47, name = 'CanvasRenderer', queue = 'OpenGLMT', stop reason = EXC_BAD_ACCESS (code=1, address=0x12a911000)
    frame #0: 0x000000012bb1d0c7
->  0x12bb1d0c7: movups (%rsi,%rdx), %xmm2
    0x12bb1d0cb: movaps %xmm2, %xmm3
    0x12bb1d0ce: andps  %xmm0, %xmm3
    0x12bb1d0d1: cvtdq2ps %xmm3, %xmm3
(lldb) register read
General Purpose Registers:
       rax = 0x0000000167fea970
       rbx = 0x00006300001c0400
       rcx = 0x000061d001702080
       rdx = 0x000000012a911000
       rdi = 0x00006300001c0400
       rsi = 0x0000000000000000
       rbp = 0x000070000aba1800
       rsp = 0x000070000aba1800
        r8 = 0x00000001680cef00
        r9 = 0x0000000012a83591
       r10 = 0x000010002cff9e00
       r11 = 0x0000000000000000
       r12 = 0x000000000000ffee
       r13 = 0x0000000000e00000
       r14 = 0x0000000000e00000
       r15 = 0x000000000000bfda
       rip = 0x000000012bb1d0c7
    rflags = 0x0000000000000206
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000
  • When the given PoC is executed, it calls the function pointer registered at glDrawArraysOrElements_ExecCore+0x290, which causes a crash by referring to an address that does not exist (rdx).
  • This is a different type of vulnerability from the similar vulnerability cases we reported before, so it doesn't seem to be a duplicate (like Issue 1937294).
  • Vulnerabilities like Issue 1937294 crash in a common function (gleRunVertexSubmitImmediate), but this vulnerability is a bit different.

The severity field is not set for this bug.
:jgilbert, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jgilbert)
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1937097
Flags: needinfo?(jgilbert)
Resolution: --- → DUPLICATE
See Also: 1937097
Group: gfx-core-security