Bug 727547 - (CVE-2012-0478) nsIDOMWebGLRenderingContext_Tex{,Sub}Image2D use JSVAL_TO_OBJECT on arbitrary objects
Status: VERIFIED FIXED
[sg:critical][qa!][gfx.relnote.13]
Keywords: regression
Product: Core
Classification: Components
Component: Canvas: WebGL
Version: Trunk
Hardware: All, OS: All
Importance: -- normal
Target Milestone: mozilla13
Assigned To: :Ms2ger (⌚ UTC+1/+2)
Blocks: 573705
Reported: 2012-02-15 11:21 PST by :Ms2ger (⌚ UTC+1/+2)
Modified: 2014-06-27 14:07 PDT
rforbes: sec‑bounty+
Ms2ger: in‑testsuite+
Attachments
Patch v1 (2.03 KB, patch)
2012-02-15 11:21 PST, :Ms2ger (⌚ UTC+1/+2)
bzbarsky: review+
lukasblakk+bugs: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑esr10+
Test (796 bytes, patch)
2012-02-22 13:32 PST, :Ms2ger (⌚ UTC+1/+2)

Description :Ms2ger (⌚ UTC+1/+2) 2012-02-15 11:21:24 PST
Created attachment 597496 [details] [diff] [review]
Patch v1

Something like this should do the trick:

webglcontext.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 })

I'd test it, but we don't support WebGL on my hardware. Code was added in bug 573705.
Comment 1 Boris Zbarsky [:bz] 2012-02-15 11:43:39 PST
Comment on attachment 597496 [details] [diff] [review]
Patch v1

r=me, but do post a testcase in this bug so it can be landed at some point?
Comment 2 :Ms2ger (⌚ UTC+1/+2) 2012-02-22 13:08:38 PST
https://hg.mozilla.org/mozilla-central/rev/074b9b33b2a0
Comment 3 :Ms2ger (⌚ UTC+1/+2) 2012-02-22 13:32:34 PST
Created attachment 599758 [details] [diff] [review]
Test
Comment 4 Daniel Veditz [:dveditz] 2012-03-17 09:07:53 PDT
Problem definitely affects the ESR (bp-b58535e5-276a-4867-a477-612372120317), what severity rating should this bug get? The given testcase is a near-null deref and isn't scary, but could data ever have anything in it that JSVAL_TO_OBJECT() would turn into something dangerous, maybe pointing at a fake object an attacker created?

We should probably just fix it rather than waste time figuring that out.
Comment 5 :Ms2ger (⌚ UTC+1/+2) 2012-03-17 09:32:17 PDT
Doing s/data: 7/data: 0xdeadbeef/ gives bp-1e0ff526-91d1-4b8b-b130-e03d72120317, which is somewhat less near-null
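An added illustration (not code from this bug's patch or from Gecko) of the guard the report describes as missing: the `data` member of the `{ width, height, data }` argument must be confirmed to carry an object tag before its payload is read as an object pointer, and then confirmed to be a large enough ArrayBufferView. The tagged-value layout and the names `JsValue`, `JsObject`, `PixelSource` and `ExtractPixels` are assumptions made for this model; they are not SpiderMonkey's jsval or the real binding code.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Stand-in for an engine object; isTypedArray marks an ArrayBufferView.
struct JsObject {
    bool isTypedArray = false;
    std::vector<uint8_t> bytes;
};

// Simplified tagged JS value (assumption: tag + payload, not SpiderMonkey's jsval).
enum class Tag { Undefined, Int32, Object };
struct JsValue {
    Tag tag = Tag::Undefined;
    int32_t i32 = 0;
    JsObject* obj = nullptr;
    static JsValue Int(int32_t v)      { JsValue r; r.tag = Tag::Int32;  r.i32 = v; return r; }
    static JsValue Object(JsObject* o) { JsValue r; r.tag = Tag::Object; r.obj = o; return r; }
};
// The ImageData-like argument { width, height, data } from the testcase.
struct PixelSource {
    int32_t width;
    int32_t height;
    JsValue data;  // must hold an ArrayBufferView before it is dereferenced
};

// Checked extraction: confirm the tag before reading `data` as an object
// pointer (a JSVAL_IS_OBJECT-style guard), then confirm the object is a view
// large enough for width*height RGBA pixels. On failure `err` carries the
// TypeError a binding would throw instead of crashing.
bool ExtractPixels(const PixelSource& src, const uint8_t** out, std::size_t* outLen,
                   std::string* err) {
    if (src.data.tag != Tag::Object) {
        *err = "TypeError: data is not an object";
        return false;
    }
    JsObject* o = src.data.obj;  // only now is the payload known to be a pointer
    if (o == nullptr || !o->isTypedArray) {
        *err = "TypeError: data is not an ArrayBufferView";
        return false;
    }
    const int64_t needed = int64_t(src.width) * src.height * 4;  // RGBA bytes
    if (src.width < 0 || src.height < 0 || int64_t(o->bytes.size()) < needed) {
        *err = "TypeError: data is too small for width*height";
        return false;
    }
    *out = o->bytes.data();
    *outLen = std::size_t(needed);
    return true;
}
```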
Comment 6 Lukas Blakk [:lsblakk] use ?needinfo 2012-04-06 14:56:50 PDT
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Problem definitely affects the ESR
> (bp-b58535e5-276a-4867-a477-612372120317), what severity rating should this
> bug get? The given testcase is a near-null deref and isn't scary, but could
> data ever have anything in it that JSVAL_TO_OBJECT() would turn into
> something dangerous, maybe pointing at a fake object an attacker created?
> 
> We should probably just fix it rather than waste time figuring that out.

If that's the approach to take here, can someone please nominate the patch for approval-esr10? Would be great to get this landed in the next few days.
Comment 7 Benoit Jacob [:bjacob] (mostly away) 2012-04-10 15:22:22 PDT
Ms2ger, Boris, this bug is still marked as status-firefox12:affected. What's the decision here: are we still trying to land a patch on beta for ff12, or are we wontfixing this for ff12?
Comment 8 Boris Zbarsky [:bz] 2012-04-10 18:34:32 PDT
Comment on attachment 597496 [details] [diff] [review]
Patch v1

I think we should fix this on beta and ESR.

[Approval Request Comment]
Regression caused by (bug #): 573705 
User impact if declined: Allows web content to trigger probably-exploitable crashes.
Testing completed (on m-c, etc.): Been on m-c and Aurora for a while
Risk to taking this patch (and alternatives if risky): Very very low-risk.
String changes made by this patch: None
Comment 9 Lukas Blakk [:lsblakk] use ?needinfo 2012-04-11 16:24:36 PDT
Comment on attachment 597496 [details] [diff] [review]
Patch v1

[triage comment]
low risk, let's get these in.
Comment 13 Al Billings [:abillings] 2012-04-23 17:43:18 PDT
Verified it in nightly with testcase (which isn't checked in yet): Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120420 Firefox/14.0a1
Comment 14 Jason Smith [:jsmith] 2012-05-17 23:38:41 PDT
Verification complete using:

<html>
  <head>
    <script type="text/javascript">
      function initWebGL(canvas) {
        // Initialize the global variable gl to null.
        gl = null;

        try {
          // Try to grab the standard context. If it fails, fallback to experimental.
          gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
        }
        catch(e) {}

        // If we don't have a GL context, give up now
        if (!gl) {
          alert("Unable to initialize WebGL. Your browser may not support it.");
        }
      }

      function start() {
        var canvas = document.getElementById("glcanvas");

        initWebGL(canvas);      // Initialize the GL context

        // Only continue if WebGL is available and working
        if (gl) {
          gl.clearColor(0.0, 0.0, 0.0, 1.0);                  // Set clear color to black, fully opaque
          gl.enable(gl.DEPTH_TEST);                           // Enable depth testing
          gl.depthFunc(gl.LEQUAL);                            // Near things obscure far things
          gl.clear(gl.COLOR_BUFFER_BIT|gl.DEPTH_BUFFER_BIT);  // Clear the color as well as the depth buffer.
          // Testcase from the description: a plain object whose `data` is not an ArrayBufferView
          gl.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 });
        }
      }
    </script>
  </head>
  <body onload="start()">
    <canvas id="glcanvas" width="640" height="480">
      Your browser doesn't appear to support the HTML5 <code>&lt;canvas&gt;</code> element.
    </canvas>
  </body>
</html>
Comment 15 :Ms2ger (⌚ UTC+1/+2) 2012-08-09 04:06:52 PDT
Landed the test:

https://hg.mozilla.org/mozilla-central/rev/7532bf93435c
Comment 16 Raymond Forbes[:rforbes] 2013-07-19 18:46:50 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719
