The default bug view has changed. See this FAQ.
Bug 727547 (CVE-2012-0478)

nsIDOMWebGLRenderingContext_Tex{,Sub}Image2D use JSVAL_TO_OBJECT on arbitrary objects

VERIFIED FIXED in Firefox 12

Status

()

Core
Canvas: WebGL
VERIFIED FIXED
5 years ago
3 years ago

People

(Reporter: Ms2ger, Assigned: Ms2ger)

Tracking

({regression})

Trunk
mozilla13
regression
Points:
---
Bug Flags:
sec-bounty +
in-testsuite +

Firefox Tracking Flags

(firefox11 wontfix, firefox12+ verified, firefox13+ verified, firefox14 verified, firefox-esr1012+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa!][gfx.relnote.13])

Attachments

(2 attachments)

(Assignee)

Description

5 years ago
Created attachment 597496 [details] [diff] [review]
Patch v1

Something like this should do the trick:

webglcontext.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 })

I'd test it, but we don't support WebGL on my hardware. Code was added in bug 573705.
Attachment #597496 - Flags: review?(bzbarsky)
Comment on attachment 597496 [details] [diff] [review]
Patch v1

r=me, but do post a testcase in this bug so it can be landed at some point?
Attachment #597496 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 2

5 years ago
https://hg.mozilla.org/mozilla-central/rev/074b9b33b2a0
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
(Assignee)

Comment 3

5 years ago
Created attachment 599758 [details] [diff] [review]
Test
status-firefox13: --- → fixed
Problem definitely affects the ESR (bp-b58535e5-276a-4867-a477-612372120317), what severity rating should this bug get? The given testcase is a near-null deref and isn't scary, but could data ever have anything in it that JSVAL_TO_OBJECT() would turn into something dangerous, maybe pointing at a fake object an attacker created?

We should probably just fix it rather than waste time figuring that out.
Blocks: 573705
status1.9.2: --- → unaffected
status-firefox-esr10: --- → affected
status-firefox11: --- → wontfix
status-firefox12: --- → affected
status-firefox14: --- → fixed
tracking-firefox-esr10: --- → ?
tracking-firefox12: --- → +
tracking-firefox13: --- → +
Keywords: regression
(Assignee)

Comment 5

5 years ago
Doing s/data: 7/data: 0xdeadbeef/ gives bp-1e0ff526-91d1-4b8b-b130-e03d72120317, which is somewhat less near-null
tracking-firefox-esr10: ? → 12+
Whiteboard: [sg:critical]
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Problem definitely affects the ESR
> (bp-b58535e5-276a-4867-a477-612372120317), what severity rating should this
> bug get? The given testcase is a near-null deref and isn't scary, but could
> data ever have anything in it that JSVAL_TO_OBJECT() would turn into
> something dangerous, maybe pointing at a fake object an attacker created?
> 
> We should probably just fix it rather than waste time figuring that out.

If that's the approach to take here, can someone please nominate the patch for approval-esr10? Would be great to get this landed in the next few days.
Ms2ger, Boris, this bug is still marked as status-firefox12:affected. What's the decision here: are we still trying to land a patch on beta for ff12, or are we wontfixing this for ff12?
Comment on attachment 597496 [details] [diff] [review]
Patch v1

I think we should fix this on beta and ESR.

[Approval Request Comment]
Regression caused by (bug #): 573705 
User impact if declined: Allows web content to trigger probably-exploitable
   crashes.
Testing completed (on m-c, etc.): Been on m-c and Aurora for a while
Risk to taking this patch (and alternatives if risky): Very very low-risk.
String changes made by this patch: None
Attachment #597496 - Flags: approval-mozilla-esr10?
Attachment #597496 - Flags: approval-mozilla-beta?
Comment on attachment 597496 [details] [diff] [review]
Patch v1

[triage comment]
low risk, lets get these in.
Attachment #597496 - Flags: approval-mozilla-esr10?
Attachment #597496 - Flags: approval-mozilla-esr10+
Attachment #597496 - Flags: approval-mozilla-beta?
Attachment #597496 - Flags: approval-mozilla-beta+
http://hg.mozilla.org/releases/mozilla-beta/rev/d982174345c8
https://hg.mozilla.org/releases/mozilla-esr10/rev/b325ffb43e5d
status-firefox-esr10: affected → fixed
status-firefox12: affected → fixed
Whiteboard: [sg:critical] → [sg:critical][qa+]
Alias: CVE-2012-0478
Verified it in nightly with testcase (which isn't checked in yet): Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120420 Firefox/14.0a1
Status: RESOLVED → VERIFIED

Updated

5 years ago
status-firefox12: fixed → verified

Updated

5 years ago
status-firefox-esr10: fixed → verified

Updated

5 years ago
status-firefox13: fixed → verified

Updated

5 years ago
status-firefox14: fixed → verified
Verification complete using:

<html>
	<head>
	<script type="text/javascript">
	function initWebGL(canvas) {  
  // Initialize the global variable gl to null.  
  gl = null;  
    
  try {  
    // Try to grab the standard context. If it fails, fallback to experimental.  
    gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");  
  }  
  catch(e) {}  
    
  // If we don't have a GL context, give up now  
  if (!gl) {  
    alert("Unable to initialize WebGL. Your browser may not support it.");  
  }  
} 
	
	
	    function start() {  
      var canvas = document.getElementById("glcanvas");  
      
      initWebGL(canvas);      // Initialize the GL context  
        
      // Only continue if WebGL is available and working  
        
      if (gl) {  
        gl.clearColor(0.0, 0.0, 0.0, 1.0);                      // Set clear color to black, fully opaque  
        gl.enable(gl.DEPTH_TEST);                               // Enable depth testing  
        gl.depthFunc(gl.LEQUAL);                                // Near things obscure far things  
        gl.clear(gl.COLOR_BUFFER_BIT|gl.DEPTH_BUFFER_BIT);      // Clear the color as well as the depth buffer.
		gl.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 });
      }  
    }  
	</script>
	</head>
    <body onload="start()">  
      <canvas id="glcanvas" width="640" height="480">  
        Your browser doesn't appear to support the HTML5 <code>&lt;canvas&gt;</code> element.  
      </canvas>  
    </body>  
</html>

Updated

5 years ago
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Group: core-security

Updated

5 years ago
Whiteboard: [sg:critical][qa!] → [sg:critical][qa!][gfx.relnote.13]
(Assignee)

Comment 15

5 years ago
Landed the test:

https://hg.mozilla.org/mozilla-central/rev/7532bf93435c
Flags: in-testsuite? → in-testsuite+
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
You need to log in before you can comment on or make changes to this bug.