Closed Bug 695076 (CVE-2011-3662) Opened 13 years ago Closed 13 years ago

Crash in ANGLE's libGLESv2, in glTexImage2D on a cube map, invalid read in gl::Texture::createSurface

Categories

(Core :: Graphics: CanvasWebGL, defect)

x86
Windows 7
defect
Not set
normal

Tracking


VERIFIED FIXED
Tracking Status
firefox8 - wontfix
firefox9 - wontfix
firefox10 + verified
firefox11 + verified
status1.9.2 --- unaffected

People

(Reporter: bjacob, Assigned: bjacob)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical][qa!])

Crash Data

Attachments

(2 files)

Ben Hawkes reports that his testcase from Bug 686398,

  https://bugzilla.mozilla.org/attachment.cgi?id=559916

still crashes Firefox 10.0a1 on Windows. Here is a crash report:

https://crash-stats.mozilla.com/report/index/bp-75d8250b-6c46-4f0d-8115-6a6472111017

This is very different from Bug 686398; it is an ANGLE bug (need to report upstream) and potentially a security concern (invalid read at a non-null address).
Attached patch: try this
Benoit, does the invalid read affect control flow? I.e. do you think this is sg:critical or lower?
I don't know, this requires understanding ANGLE code better than I do.

Sorry I forgot to forward this bug to ANGLE until now.
Pushed my tentative fix to try:
  https://tbpl.mozilla.org/?tree=Try&rev=eb63e500a6bb
this has less than a 50% chance of working, please still give it a try.
Did the try build (comment 4) fix the crash?

Based on the crash link, this is crashing while trying to read when doing
       image->surface->Release();
which means it could theoretically lead to calling an attacker-supplied function on a fake object.
Whiteboard: [sg:critical]
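Why an "invalid read" at `image->surface->Release()` is a control-flow concern, as an added illustration that is not ANGLE's code and not the reporter's testcase: `Release()` on a COM-style object is reached through a vtable pointer stored in the object itself, so if `surface` points at memory the attacker shaped, the read of the vtable slot turns into an indirect call of the attacker's choosing. The `Surface`, `Image` and `hijacked_calls` names, the single-entry vtable, and the "fake object" layout are all assumptions made for this example; the checked release (NULL test before the call, pointer cleared after it) stands in for the kind of error checking the patch in this bug adds, not for the actual ANGLE r885 change.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for a COM-style surface (assumption, not ANGLE's real
 * classes): the first word of the object is a pointer to a function table,
 * and Release() is reached by reading that table. */
typedef struct Surface Surface;
typedef struct SurfaceVtbl {
    unsigned long (*Release)(Surface *self);
} SurfaceVtbl;
struct Surface {
    const SurfaceVtbl *vtbl;
    unsigned long refcount;
};

static unsigned long surface_release(Surface *s)
{
    return --s->refcount;
}
static const SurfaceVtbl surface_vtbl = { surface_release };

/* What an attacker-controlled "fake object" provides: a vtable whose
 * Release slot points at code of the attacker's choosing. Here it only
 * counts calls so the effect is observable. */
static int hijacked_calls = 0;
static unsigned long attacker_release(Surface *s)
{
    (void)s;
    hijacked_calls++;
    return 0;
}
static const SurfaceVtbl fake_vtbl = { attacker_release };

typedef struct Image {
    Surface *surface;   /* may be NULL, or stale if nobody cleared it */
} Image;

/* The unchecked pattern the crash report points at: whatever `surface`
 * happens to reference, its first word is read and called through. */
static void image_release_surface_unchecked(Image *image)
{
    image->surface->vtbl->Release(image->surface);
}

/* Hardened variant: refuse to dereference a missing surface, and never
 * leave a stale pointer behind after releasing it. */
static void image_release_surface_checked(Image *image)
{
    if (image->surface == NULL)
        return;
    image->surface->vtbl->Release(image->surface);
    image->surface = NULL;
}

/* Drive the unchecked release with `surface` pointing at a fake object.
 * Returns how many times the attacker's function ran (expected: 1). */
int demo_fake_object(void)
{
    hijacked_calls = 0;
    Surface fake = { &fake_vtbl, 0 };   /* constructed attacker-shaped memory */
    Image image = { &fake };
    image_release_surface_unchecked(&image);
    return hijacked_calls;
}

/* Drive the checked release through a full lifecycle: fresh image with no
 * surface, one real surface, then a repeated release. Returns 1 when the
 * real surface was released exactly once and the pointer was cleared. */
int demo_checked_lifecycle(void)
{
    Surface real = { &surface_vtbl, 1 };
    Image image = { NULL };
    image_release_surface_checked(&image);   /* nothing to release yet: no-op */
    image.surface = &real;
    image_release_surface_checked(&image);   /* refcount 1 -> 0, pointer cleared */
    image_release_surface_checked(&image);   /* second call must not touch `real` again */
    return (real.refcount == 0 && image.surface == NULL) ? 1 : 0;
}

int main(void)
{
    printf("unchecked release: attacker function called %d time(s)\n", demo_fake_object());
    printf("checked lifecycle ok: %d\n", demo_checked_lifecycle());
    return 0;
}
```

The point of the first demo is that nothing in the unchecked path distinguishes a real surface from bytes that merely look like one; the "read" the crash report shows is the load of the vtable slot, and on a fake object that load feeds a call. The second demo is the discipline that makes the NULL check meaningful: an `Image` must start with `surface == NULL` and clear the pointer after every release, otherwise the check passes on a dangling pointer and the same indirect call happens.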
Suggest trying with ANGLE SVN head.  We've completely rewritten much of the texture code.
(In reply to daniel-bzmz from comment #7)
> Suggest trying with ANGLE SVN head.  We've completely rewritten much of the
> texture code.

Will do the ANGLE update as soon as possible. Meanwhile, can you have a look at my patch here and check if this is something that you'd want to take in ANGLE anyway? It just adds some error checking.
We rewrote much of the texture handling code, so it may no longer be relevant.  We'll see if we can reproduce the problem before/after.
We found the underlying bug causing the problem here.  Will be fixed soon.
Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.
Depends on: 703917
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical][qa+]
If this is a major security concern for FF9/10, please nominate for approval on beta/aurora.
(In reply to daniel-bzmz from comment #11)
> Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.

Benoit: please prepare such a cherry-pick patch for landing in Firefox 10 (and if safe, Fx9).
Assignee: nobody → bjacob
Keywords: crash, testcase
Here you go. No review because this is an ANGLE rev and already using it on m-c.

https://tbpl.mozilla.org/?tree=Try&rev=0e57ebad2fb5
Attachment #582114 - Flags: approval-mozilla-aurora?
Comment on attachment 582114 [details] [diff] [review]
import angle r885 in aurora

[Triage Comment]
Approved for Aurora. Please land on Monday 12/19 or earlier in order to make the cut-over to Beta.
Attachment #582114 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Alias: CVE-2011-3662
Group: core-security
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1

Verified with 11b3 and 10.0.1 on Windows 7 x86. No crash when running the testcase from comment 0.
Could previously replicate the crash on the affected branches (F8).
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]