Closed Bug 555721 Opened 14 years ago Closed 14 years ago

Integer overflow in WebGL arrays

Categories

(Core :: Graphics: CanvasWebGL, defect)

x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: serg.glazunov, Assigned: vlad)

Details

(Keywords: testcase, Whiteboard: [sg:critical] w/exploit fixed-in-tracemonkey)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1042 Safari/532.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a4pre) Gecko/20100329 Minefield/3.7a4pre

This bug provides arbitrary memory reading/writing.
JavaScript:
buffer = new WebGLArrayBuffer(0x10);
array = new WebGLUnsignedIntArray(buffer, 4, 0x3FFFFFFF);

4 (offset) + 0x3FFFFFFF (length) * 4 (sizeof(int)) = 0x100000000. We pass the boundary check due to 32-bit overflow. Then we can read/write outside the buffer.
PoC executing 'calc.exe' is attached.
Fortunately WebGL is only available in 3.7.

Reproducible: Always
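The arithmetic in the report, shown as an added example that is not part of the bug, the attached patch, or Mozilla's code: a bounds check of the shape the report describes (offset + length * element size against the buffer size, computed in 32-bit unsigned arithmetic) next to a form that rejects the length before any multiplication can wrap. The 16-byte buffer, offset 4, length 0x3FFFFFFF and 4-byte element size come from the report; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The end offset of a typed view, computed the way the report describes:
 * everything is 32-bit, so the product and the sum wrap modulo 2^32. */
uint32_t view_end_wrapping(uint32_t offset, uint32_t length, uint32_t elemsize) {
    return offset + length * elemsize;
}

/* Flawed check (hypothetical name): passes whenever the wrapped end offset
 * happens to land inside the buffer, even though the real end is far past it. */
bool view_fits_wrapping(uint32_t buflen, uint32_t offset,
                        uint32_t length, uint32_t elemsize) {
    return view_end_wrapping(offset, length, elemsize) <= buflen;
}

/* Hardened check (hypothetical name): never forms offset + length * elemsize.
 * It bounds the offset first, then compares the requested element count
 * against how many whole elements actually fit in the remaining bytes. */
bool view_fits_checked(uint32_t buflen, uint32_t offset,
                       uint32_t length, uint32_t elemsize) {
    if (elemsize == 0)  return false;   /* degenerate element size */
    if (offset > buflen) return false;  /* offset alone is out of range */
    uint32_t avail = buflen - offset;   /* cannot underflow after the test above */
    /* length * elemsize <= avail  <=>  length <= avail / elemsize (integer
     * division), and the right-hand side can never wrap. */
    return length <= avail / elemsize;
}

/* Equivalent hardened form using a wider accumulator, for readers who prefer
 * the direct comparison: widen to 64 bits before multiplying and adding. */
bool view_fits_wide(uint32_t buflen, uint32_t offset,
                    uint32_t length, uint32_t elemsize) {
    uint64_t end = (uint64_t)offset + (uint64_t)length * (uint64_t)elemsize;
    return end <= buflen;
}

int main(void) {
    /* Values from the report: 16-byte buffer, view at offset 4 with
     * 0x3FFFFFFF 4-byte elements. */
    uint32_t buflen = 0x10, offset = 4, length = 0x3FFFFFFF, elemsize = 4;

    printf("wrapped end offset : 0x%08x\n", view_end_wrapping(offset, length, elemsize));
    printf("wrapping check     : %s\n", view_fits_wrapping(buflen, offset, length, elemsize) ? "accepts" : "rejects");
    printf("checked division   : %s\n", view_fits_checked(buflen, offset, length, elemsize) ? "accepts" : "rejects");
    printf("64-bit comparison  : %s\n", view_fits_wide(buflen, offset, length, elemsize) ? "accepts" : "rejects");

    /* A view that genuinely fits (3 elements of 4 bytes in the 12 bytes after
     * offset 4) is accepted by every variant. */
    printf("3 elements fit     : %s\n", view_fits_checked(buflen, offset, 3, elemsize) ? "accepts" : "rejects");
    return 0;
}
```

With the reported parameters the wrapping form computes an end offset of 0, which is within a 16-byte buffer, so the view is accepted; both hardened forms reject it, while still accepting a 3-element view that legitimately fits in the 12 bytes after offset 4.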
Attached file proof-of-concept
Component: Security → Canvas: WebGL
Product: Firefox → Core
QA Contact: firefox → canvas.webgl
Assignee: nobody → vladimir
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:critical] w/exploit
Attached patch fix
Bah.  Fix.  I really want the helpers from bug 555798...
Attachment #435691 - Flags: review?(jorendorff)
Attachment #435691 - Flags: review?(jorendorff) → review+
http://hg.mozilla.org/tracemonkey/rev/4a8f267a746b

fixed in TM, I can fix on trunk, but there should be a TM merge very soon.
Whiteboard: [sg:critical] w/exploit → [sg:critical] w/exploit fixed-in-tracemonkey
TM has been merged to trunk.
http://hg.mozilla.org/mozilla-central/rev/4a8f267a746b
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
blocking2.0: ? → final+
Group: core-security