Closed Bug 555721 Opened 13 years ago Closed 13 years ago

Integer overflow in WebGL arrays

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: serg.glazunov, Assigned: vlad)

Details

(Keywords: testcase, Whiteboard: [sg:critical] w/exploit fixed-in-tracemonkey)

Attachments

(1 file)

fix
2.65 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1042 Safari/532.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a4pre) Gecko/20100329 Minefield/3.7a4pre

This bug provides arbitrary memory reading/writing.
JavaScript:
buffer = new WebGLArrayBuffer(0x10);
array = new WebGLUnsignedIntArray(buffer, 4, 0x3FFFFFFF);

4 (offset) + 0x3FFFFFFF (length) * 4 (sizeof(int)) = 0x100000000. We pass the boundary check due to 32-bit overflow. Then we can read/write outside the buffer.
PoC executing 'calc.exe' is attached.
Fortunately WebGL is only available in 3.7.

Reproducible: Always
Attached file proof-of-concept 

    
  
Component: Security → Canvas: WebGL
Product: Firefox → Core
QA Contact: firefox → canvas.webgl

    
  
blocking2.0: --- → ?
Assignee: nobody → vladimir
Status: UNCONFIRMED → NEW

          status1.9.1:
          --- → unaffected

          status1.9.2:
          --- → unaffected
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:critical] w/exploit

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
Bah.  Fix.  I really want the helpers from bug 555798...

        Attachment #435691 -
        Flags: review?(jorendorff)

        Attachment #435691 -
        Flags: review?(jorendorff) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/4a8f267a746b

fixed in TM, I can fix on trunk, but there should be a TM merge very soon.
Whiteboard: [sg:critical] w/exploit → [sg:critical] w/exploit fixed-in-tracemonkey

    
    

    
  
TM been merged to trunk.
http://hg.mozilla.org/mozilla-central/rev/4a8f267a746b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
  
blocking2.0: ? → final+
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.