Bug 695076 (CVE-2011-3662)

Crash in ANGLE's libGLESv2, in glTexImage2D on a cube map, invalid read in gl::Texture::createSurface

VERIFIED FIXED

Status


Core
Canvas: WebGL
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: bjacob, Assigned: bjacob)

Tracking

({crash, testcase})

unspecified
x86
Windows 7
crash, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox8- wontfix, firefox9- wontfix, firefox10+ verified, firefox11+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa!], crash signature)

Attachments

(2 attachments)

Ben Hawkes reports that his testcase from Bug 686398,

  https://bugzilla.mozilla.org/attachment.cgi?id=559916

still crashes Firefox 10.0a1 on Windows. Here is a crash report:

https://crash-stats.mozilla.com/report/index/bp-75d8250b-6c46-4f0d-8115-6a6472111017

This is very different from Bug 686398, is an ANGLE bug (need to report upstream) and potentially a security concern (invalid read at non-null address).
(Assignee)

Comment 1

6 years ago
Created attachment 567544 [details] [diff] [review]
try this
Benoit, does the invalid read affect control flow? I.e. do you think this is sg:critical or lower?
(Assignee)

Comment 3

6 years ago
I don't know, this requires understanding ANGLE code better than I do.

Sorry I forgot to forward this bug to ANGLE until now.
(Assignee)

Comment 4

6 years ago
Pushed my tentative fix to try:
  https://tbpl.mozilla.org/?tree=Try&rev=eb63e500a6bb
this has less than 50% chances of working, please still give it a try.
(Assignee)

Comment 5

6 years ago
Filed http://code.google.com/p/angleproject/issues/detail?id=243
Did the try build (comment 4) fix the crash?

Based on the crash link this is crashing trying to read when doing
       image->surface->Release();
which means it could theoretically lead to calling an attacker-supplied function on a fake object.
Whiteboard: [sg:critical]

Comment 7

6 years ago
Suggest trying with ANGLE SVN head.  We've completely rewritten much of the texture code.
(Assignee)

Comment 8

6 years ago
(In reply to daniel-bzmz from comment #7)
> Suggest trying with ANGLE SVN head.  We've completely rewritten much of the
> texture code.

Will do the ANGLE update as soon as possible. Meanwhile, can you have a look at my patch here and check if this is something that you'd want to take in ANGLE anyway? It just adds some error checking.
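The crash site named in comment 5 (`image->surface->Release()` reached from `gl::Texture::createSurface` on a cube map) and the "just adds some error checking" patch of comment 8 describe the same defensive pattern: never release through a surface slot that was never populated, and never index a cube-map face or mip level that is out of range. The following is an added illustration written for this page, not ANGLE's code or Mozilla's patch; the `Surface`, `Image`, `CubeMapTexture`, `createSurface` and `releaseSurface` names, the six-face-by-four-level layout and the live-surface counter are all assumptions made for the example.

```cpp
// Added illustration, not ANGLE's code: a minimal COM-style surface and the
// pattern of validating an image's surface slot before releasing it.
#include <cstddef>

static int g_liveSurfaces = 0;   // bookkeeping so a test can observe leaks or double frees

struct Surface {
    int refCount;
    Surface() : refCount(1) { ++g_liveSurfaces; }
    virtual ~Surface() { --g_liveSurfaces; }
    // COM-style Release(): virtual, so a call through a pointer that was never
    // initialized would dispatch through whatever memory that pointer names.
    // Returns the remaining reference count.
    virtual int Release() {
        int remaining = --refCount;
        if (remaining == 0) delete this;
        return remaining;
    }
};

struct Image {
    Surface* surface;
    Image() : surface(nullptr) {}   // never leave the slot uninitialized
};

// The unsafe shape the crash report points at: release through a slot that may
// never have been populated. Shown for contrast; not called anywhere here.
void releaseUnchecked(Image* image) {
    image->surface->Release();
}

// Hardened: validate, release exactly once, and clear the slot so that a
// repeated call is a harmless no-op rather than a use-after-free.
bool releaseSurface(Image* image) {
    if (image == nullptr || image->surface == nullptr) return false;
    image->surface->Release();
    image->surface = nullptr;
    return true;
}

const int kCubeFaces = 6;   // assumed layout for the example
const int kMaxLevels = 4;

struct CubeMapTexture {
    Image faces[kCubeFaces][kMaxLevels];
    ~CubeMapTexture() {
        for (int f = 0; f < kCubeFaces; ++f)
            for (int l = 0; l < kMaxLevels; ++l)
                releaseSurface(&faces[f][l]);
    }
};

// (Re)create the backing surface for one face/level. Out-of-range indices are
// rejected up front instead of indexing past the array, and any previous
// surface in that slot is released before it is overwritten.
bool createSurface(CubeMapTexture* tex, int face, int level) {
    if (tex == nullptr || face < 0 || face >= kCubeFaces ||
        level < 0 || level >= kMaxLevels)
        return false;
    Image* image = &tex->faces[face][level];
    releaseSurface(image);
    image->surface = new Surface();
    return true;
}

int liveSurfaceCount() { return g_liveSurfaces; }
```

The two checks are independent: zero-initializing the slot makes the release path safe even when a face was never uploaded, and the index validation keeps a bad face/level argument from reaching a slot that does not exist at all. Together they turn the invalid read into an ordinary error return.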

Comment 9

6 years ago
We rewrote much of the texture handling code, so it may no longer be relevant.  We'll see if we can reproduce the problem before/after.

Updated

6 years ago
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → +

Comment 10

6 years ago
We found the underlying bug causing the problem here.  Will be fixed soon.

Comment 11

6 years ago
Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.
(Assignee)

Updated

6 years ago
Depends on: 703917
(Assignee)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical][qa+]
status1.9.2: --- → unaffected
If this is a major security concern for FF9/10, please nominate for approval on beta/aurora.
(In reply to daniel-bzmz from comment #11)
> Fixed in ANGLE r885.  Should be easily cherry-pick-able if desired.

Benoit: please prepare such a cherry-pick patch for landing in Firefox 10 (and if safe, Fx9).
Assignee: nobody → bjacob
status-firefox11: affected → fixed
status-firefox9: affected → wontfix
tracking-firefox9: + → -
Keywords: crash, testcase
Created attachment 582114 [details] [diff] [review]
import angle r885 in aurora

Here you go. No review because this is an ANGLE rev and already using it on m-c.

https://tbpl.mozilla.org/?tree=Try&rev=0e57ebad2fb5
Attachment #582114 - Flags: approval-mozilla-aurora?
Comment on attachment 582114 [details] [diff] [review]
import angle r885 in aurora

[Triage Comment]
Approved for Aurora. Please land on Monday 12/19 or earlier in order to make the cut-over to Beta.
Attachment #582114 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
http://hg.mozilla.org/releases/mozilla-aurora/rev/d68e03ca27dc
Thanks!
status-firefox10: affected → fixed
Alias: CVE-2011-3662
Group: core-security
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1

Verified with 11b3 and 10.0.1 on Windows 7 x86. No crash when running the testcase from comment 0.
Could previously replicate the crash on the affected branches (F8).
Status: RESOLVED → VERIFIED
status-firefox10: fixed → verified
status-firefox11: fixed → verified
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]