Bug 695076 - (CVE-2011-3662) Crash in ANGLE's libGLESv2, in glTexImage2D on a cube map, invalid read in gl::Texture::createSurface
Status: VERIFIED FIXED
Whiteboard: [sg:critical][qa!]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: Canvas: WebGL
Version: unspecified
Platform: x86 Windows 7
Importance: -- normal
Target Milestone: ---
Assigned To: Benoit Jacob [:bjacob] (mostly away)
QA Contact:
Mentors:
Depends on: 686398 703917
Blocks:
Reported: 2011-10-17 11:40 PDT by Benoit Jacob [:bjacob] (mostly away)
Modified: 2012-02-17 04:19 PST
CC: 9 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
Tracking flags: - / wontfix, - / wontfix, + / verified, + / verified, unaffected


Attachments
try this (1.02 KB, patch), 2011-10-17 12:51 PDT, Benoit Jacob [:bjacob] (mostly away), no flags
import angle r885 in aurora (4.35 KB, patch), 2011-12-15 14:31 PST, Benoit Jacob [:bjacob] (mostly away), akeybl: approval-mozilla-aurora+

Description Benoit Jacob [:bjacob] (mostly away) 2011-10-17 11:40:19 PDT
Ben Hawkes reports that his testcase from Bug 686398,

  https://bugzilla.mozilla.org/attachment.cgi?id=559916

still crashes Firefox 10.0a1 on Windows. Here is a crash report:

https://crash-stats.mozilla.com/report/index/bp-75d8250b-6c46-4f0d-8115-6a6472111017

This is very different from Bug 686398, is an ANGLE bug (need to report upstream) and potentially a security concern (invalid read at non-null address).
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2011-10-17 12:51:37 PDT
Created attachment 567544 [details] [diff] [review]
try this
Comment 2 Johnny Stenback (:jst, jst@mozilla.com) 2011-11-03 13:41:42 PDT
Benoit, does the invalid read affect control flow? I.e. do you think this is sg:critical or lower?
Comment 3 Benoit Jacob [:bjacob] (mostly away) 2011-11-03 14:29:04 PDT
I don't know, this requires understanding ANGLE code better than I do.

Sorry I forgot to forward this bug to ANGLE until now.
Comment 4 Benoit Jacob [:bjacob] (mostly away) 2011-11-03 14:49:49 PDT
Pushed my tentative fix to try:
  https://tbpl.mozilla.org/?tree=Try&rev=eb63e500a6bb
this has less than a 50% chance of working, please still give it a try.
Comment 5 Benoit Jacob [:bjacob] (mostly away) 2011-11-03 14:59:56 PDT
Filed http://code.google.com/p/angleproject/issues/detail?id=243
Comment 6 Daniel Veditz [:dveditz] 2011-11-16 16:34:35 PST
Did the try build (comment 4) fix the crash?

Based on the crash link this is crashing trying to read when doing
       image->surface->Release();
which means it could theoretically lead to calling an attacker-supplied function on a fake object.
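Comment 6 spells out why an invalid read on the way to `image->surface->Release()` is more than a crash: `Release()` is a virtual call through the object's vtable, so if the pointer does not point at a real surface, the address that gets called comes from whatever memory happens to be there. The added example below is not code from this bug, from ANGLE or from any of the patches; it is a stand-alone C++ sketch of the defensive pattern the thread is after (error checking on the surface pointer and on the cube-map face index). `ISurface`, `FakeSurface`, `Image`, `CubeMap` and the helper functions are all assumed, simplified stand-ins, not ANGLE's actual types.

```cpp
#include <cstdio>

// Stand-in for a COM-style Direct3D surface interface (assumption: ANGLE's real
// D3D9 types are not reproduced here; only the virtual Release() shape matters).
struct ISurface {
    virtual ~ISurface() {}
    virtual unsigned long Release() = 0;
};

// Constructed fake surface with a reference count, so the example can observe
// when an object is actually destroyed.
struct FakeSurface : ISurface {
    static int liveObjects;                 // number of FakeSurface instances alive
    FakeSurface() : refs(1) { ++liveObjects; }
    ~FakeSurface() override { --liveObjects; }
    unsigned long Release() override {
        unsigned long remaining = --refs;
        if (remaining == 0) delete this;    // last reference: destroy ourselves
        return remaining;
    }
private:
    unsigned long refs;
};
int FakeSurface::liveObjects = 0;

// One image (mip level) of a texture face. surface stays null until created.
struct Image {
    ISurface* surface = nullptr;
};

// A cube map has exactly six faces.
const int kCubeFaces = 6;
struct CubeMap {
    Image faces[kCubeFaces];
};

// Hardened release: never dereferences a null pointer and nulls the pointer
// afterwards, so a second call cannot reach a freed (or never-created) object.
bool safeReleaseSurface(Image& image) {
    if (image.surface == nullptr) return false;
    image.surface->Release();
    image.surface = nullptr;
    return true;
}

// Bounds-checked face lookup: returns null instead of indexing past the array.
Image* cubeFace(CubeMap& cube, int face) {
    if (face < 0 || face >= kCubeFaces) return nullptr;
    return &cube.faces[face];
}

// Installs a new surface for one face, as a texture upload would, releasing any
// previous surface first. Returns false (and drops the new surface) on a bad index.
bool setFaceSurface(CubeMap& cube, int face, ISurface* fresh) {
    Image* img = cubeFace(cube, face);
    if (img == nullptr) {
        if (fresh != nullptr) fresh->Release();
        return false;
    }
    safeReleaseSurface(*img);
    img->surface = fresh;
    return true;
}

// Counts faces that currently own a surface.
int facesWithSurface(const CubeMap& cube) {
    int n = 0;
    for (int i = 0; i < kCubeFaces; ++i)
        if (cube.faces[i].surface != nullptr) ++n;
    return n;
}

int main() {
    CubeMap cube;
    setFaceSurface(cube, 2, new FakeSurface());
    setFaceSurface(cube, 2, new FakeSurface());      // old surface released, not leaked
    std::printf("faces with a surface: %d, live objects: %d\n",
                facesWithSurface(cube), FakeSurface::liveObjects);
    std::printf("release again: %s\n",
                safeReleaseSurface(cube.faces[2]) ? "yes" : "no (already null)");
    return 0;
}
```

The two checks are deliberately cheap: a null test before the virtual call, and a range test before the face array is indexed. Nulling the pointer after `Release()` is what turns a would-be double release or use of a stale pointer into a harmless no-op, which is the property a crash like the one in this bug wants from the surface-handling path.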
Comment 7 daniel-bzmz 2011-11-16 20:15:15 PST
Suggest trying with ANGLE SVN head.  We've completely rewritten much of the texture code.
Comment 8 Benoit Jacob [:bjacob] (mostly away) 2011-11-16 20:23:18 PST
(In reply to daniel-bzmz from comment #7)
> Suggest trying with ANGLE SVN head.  We've completely rewritten much of the
> texture code.

Will do the ANGLE update as soon as possible. Meanwhile, can you have a look at my patch here and check if this is something that you'd want to take in ANGLE anyway? It just adds some error checking.
Comment 9 daniel-bzmz 2011-11-17 08:26:31 PST
We rewrote much of the texture handling code, so it may no longer be relevant.  We'll see if we can reproduce the problem before/after.
Comment 10 daniel-bzmz 2011-11-18 05:09:14 PST
We found the underlying bug causing the problem here.  Will be fixed soon.
Comment 11 daniel-bzmz 2011-11-19 06:03:21 PST
Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.
Comment 12 Alex Keybl [:akeybl] 2011-12-05 19:45:30 PST
If this is a major security concern for FF9/10, please nominate for approval on beta/aurora.
Comment 13 Daniel Veditz [:dveditz] 2011-12-08 13:40:51 PST
(In reply to daniel-bzmz from comment #11)
> Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.

Benoit: please prepare such a cherry-pick patch for landing in Firefox 10 (and if safe, Fx9).
Comment 14 Benoit Jacob [:bjacob] (mostly away) 2011-12-15 14:31:45 PST
Created attachment 582114 [details] [diff] [review]
import angle r885 in aurora

Here you go. No review because this is an ANGLE rev and already using it on m-c.

https://tbpl.mozilla.org/?tree=Try&rev=0e57ebad2fb5
Comment 15 Alex Keybl [:akeybl] 2011-12-16 12:39:45 PST
Comment on attachment 582114 [details] [diff] [review]
import angle r885 in aurora

[Triage Comment]
Approved for Aurora. Please land on Monday 12/19 or earlier in order to make the cut-over to Beta.
Comment 16 Benoit Jacob [:bjacob] (mostly away) 2011-12-16 14:11:50 PST
http://hg.mozilla.org/releases/mozilla-aurora/rev/d68e03ca27dc
Comment 17 Daniel Veditz [:dveditz] 2011-12-16 15:05:53 PST
Thanks!
Comment 18 Virgil Dicu [:virgil] [QA] 2012-02-17 04:19:05 PST
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1

Verified with 11b3 and 10.0.1 on Windows 7 x86. No crash when running the testcase from comment 0.
Could previously replicate the crash on the affected branches (F8).
