Bug 695076 (CVE-2011-3662)

Crash in ANGLE's libGLESv2, in glTexImage2D on a cube map, invalid read in gl::Texture::createSurface




Canvas: WebGL
6 years ago


(Reporter: bjacob, Assigned: bjacob)


({crash, testcase})

Windows 7

Firefox Tracking Flags

(firefox8- wontfix, firefox9- wontfix, firefox10+ verified, firefox11+ verified, status1.9.2 unaffected)


(Whiteboard: [sg:critical][qa!], crash signature)


(2 attachments)

Ben Hawkes reports that his testcase from Bug 686398,


still crashes Firefox 10.0a1 on Windows. Here is a crash report:


This is very different from Bug 686398, is an ANGLE bug (need to report upstream) and potentially a security concern (invalid read at non-null address).

Comment 1

6 years ago
Created attachment 567544 [details] [diff] [review]
try this
Benoit, does the invalid read affect control flow? I.e. do you think this is sg:critical or lower?

Comment 3

6 years ago
I don't know, this requires understanding ANGLE code better than I do.

Sorry I forgot to forward this bug to ANGLE until now.

Comment 4

6 years ago
Pushed my tentative fix to try:
this has a less than 50% chance of working; please still give it a try.

Comment 5

6 years ago
Filed http://code.google.com/p/angleproject/issues/detail?id=243
Did the try build (comment 4) fix the crash?

Based on the crash link this is crashing trying to read when doing
which means it could theoretically lead to calling an attacker-supplied function on a fake object.
Whiteboard: [sg:critical]

Comment 7

6 years ago
Suggest trying with ANGLE SVN head.  We've completely rewritten much of the texture code.

Comment 8

6 years ago
(In reply to daniel-bzmz from comment #7)
> Suggest trying with ANGLE SVN head.  We've completely rewritten much of the
> texture code.

Will do the ANGLE update as soon as possible. Meanwhile, can you have a look at my patch here and check if this is something that you'd want to take in ANGLE anyway? It just adds some error checking.

Comment 9

6 years ago
We rewrote much of the texture handling code, so it may no longer be relevant.  We'll see if we can reproduce the problem before/after.


6 years ago
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → +

Comment 10

6 years ago
We found the underlying bug causing the problem here.  Will be fixed soon.

Comment 11

6 years ago
Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.


6 years ago
Depends on: 703917


6 years ago
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical][qa+]
status1.9.2: --- → unaffected
If this is a major security concern for FF9/10, please nominate for approval on beta/aurora.
(In reply to daniel-bzmz from comment #11)
> Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.

Benoit: please prepare such a cherry-pick patch for landing in Firefox 10 (and if safe, Fx9).
Assignee: nobody → bjacob
status-firefox11: affected → fixed
status-firefox9: affected → wontfix
tracking-firefox9: + → -
Keywords: crash, testcase
Created attachment 582114 [details] [diff] [review]
import angle r885 in aurora

Here you go. No review because this is an ANGLE rev and already using it on m-c.

Attachment #582114 - Flags: approval-mozilla-aurora?
Comment on attachment 582114 [details] [diff] [review]
import angle r885 in aurora

[Triage Comment]
Approved for Aurora. Please land on Monday 12/19 or earlier in order to make the cut-over to Beta.
Attachment #582114 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status-firefox10: affected → fixed
Alias: CVE-2011-3662
Group: core-security
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1

Verified with 11b3 and 10.0.1 on Windows 7 x86. No crash when running the testcase from comment 0.
Could previously replicate the crash on the affected branches (F8).
status-firefox10: fixed → verified
status-firefox11: fixed → verified
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]