Closed Bug 727547 (CVE-2012-0478) Opened 11 years ago Closed 11 years ago

nsIDOMWebGLRenderingContext_Tex{,Sub}Image2D use JSVAL_TO_OBJECT on arbitrary objects

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla13
Tracking Flags:
Tracking Status
firefox11 --- wontfix
firefox12 + verified
firefox13 + verified
firefox14 --- verified
firefox-esr10 12+ verified
status1.9.2 --- unaffected

People

(Reporter: Ms2ger, Assigned: Ms2ger)

References

Details

(Keywords: regression, Whiteboard: [sg:critical][qa!][gfx.relnote.13])

Attachments

(2 files)

Patch v1
2.03 KB, patch
bzbarsky
: review+
lsblakk
: approval-mozilla-beta+
lsblakk
: approval-mozilla-esr10+
Details | Diff | Splinter Review
Test
796 bytes, patch
Details | Diff | Splinter Review
Attached patch Patch v1Splinter Review 
Something like this should do the trick:

webglcontext.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 })

I'd test it, but we don't support WebGL on my hardware. Code was added in bug 573705.
Attachment #597496 - Flags: review?(bzbarsky)
Comment on attachment 597496 [details] [diff] [review]
Patch v1

r=me, but do post a testcase in this bug so it can be landed at some point?
Attachment #597496 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/074b9b33b2a0
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Attached patch TestSplinter Review 

    
    

    
  
Problem definitely affects the ESR (bp-b58535e5-276a-4867-a477-612372120317), what severity rating should this bug get? The given testcase is a near-null deref and isn't scary, but could data ever have anything in it that JSVAL_TO_OBJECT() would turn into something dangerous, maybe pointing at a fake object an attacker created?

We should probably just fix it rather than waste time figuring that out.
Blocks: 573705

          status1.9.2:
          --- → unaffected

          status-firefox-esr10:
          --- → affected

          status-firefox11:
          --- → wontfix

          status-firefox12:
          --- → affected

          status-firefox14:
          --- → fixed

          tracking-firefox-esr10:
          --- → ?

          tracking-firefox12:
          --- → +

          tracking-firefox13:
          --- → +
Keywords: regression

    
    

    
  
Doing s/data: 7/data: 0xdeadbeef/ gives bp-1e0ff526-91d1-4b8b-b130-e03d72120317, which is somewhat less near-null

          tracking-firefox-esr10:
          ?12+
Whiteboard: [sg:critical]

    
    

    
  
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Problem definitely affects the ESR
> (bp-b58535e5-276a-4867-a477-612372120317), what severity rating should this
> bug get? The given testcase is a near-null deref and isn't scary, but could
> data ever have anything in it that JSVAL_TO_OBJECT() would turn into
> something dangerous, maybe pointing at a fake object an attacker created?
> 
> We should probably just fix it rather than waste time figuring that out.

If that's the approach to take here, can someone please nominate the patch for approval-esr10? Would be great to get this landed in the next few days.

    
    

    
  
Ms2ger, Boris, this bug is still marked as status-firefox12:affected. What's the decision here: are we still trying to land a patch on beta for ff12, or are we wontfixing this for ff12?

    
    

    
  
Comment on attachment 597496 [details] [diff] [review]
Patch v1

I think we should fix this on beta and ESR.

[Approval Request Comment]
Regression caused by (bug #): 573705 
User impact if declined: Allows web content to trigger probably-exploitable
   crashes.
Testing completed (on m-c, etc.): Been on m-c and Aurora for a while
Risk to taking this patch (and alternatives if risky): Very very low-risk.
String changes made by this patch: None

        Attachment #597496 -
        Flags: approval-mozilla-esr10?

        Attachment #597496 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 597496 [details] [diff] [review]
Patch v1

[triage comment]
low risk, lets get these in.

        Attachment #597496 -
        Flags: approval-mozilla-esr10?

        Attachment #597496 -
        Flags: approval-mozilla-esr10+

        Attachment #597496 -
        Flags: approval-mozilla-beta?

        Attachment #597496 -
        Flags: approval-mozilla-beta+

    
  
Whiteboard: [sg:critical] → [sg:critical][qa+]
Alias: CVE-2012-0478

    
    

    
  
Verified it in nightly with testcase (which isn't checked in yet): Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120420 Firefox/14.0a1
Status: RESOLVED → VERIFIED

    
    

    
  
Verification complete using:

<html>
	<head>
	<script type="text/javascript">
	function initWebGL(canvas) {  
  // Initialize the global variable gl to null.  
  gl = null;  
    
  try {  
    // Try to grab the standard context. If it fails, fallback to experimental.  
    gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");  
  }  
  catch(e) {}  
    
  // If we don't have a GL context, give up now  
  if (!gl) {  
    alert("Unable to initialize WebGL. Your browser may not support it.");  
  }  
} 
	
	
	    function start() {  
      var canvas = document.getElementById("glcanvas");  
      
      initWebGL(canvas);      // Initialize the GL context  
        
      // Only continue if WebGL is available and working  
        
      if (gl) {  
        gl.clearColor(0.0, 0.0, 0.0, 1.0);                      // Set clear color to black, fully opaque  
        gl.enable(gl.DEPTH_TEST);                               // Enable depth testing  
        gl.depthFunc(gl.LEQUAL);                                // Near things obscure far things  
        gl.clear(gl.COLOR_BUFFER_BIT|gl.DEPTH_BUFFER_BIT);      // Clear the color as well as the depth buffer.
		gl.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 });
      }  
    }  
	</script>
	</head>
    <body onload="start()">  
      <canvas id="glcanvas" width="640" height="480">  
        Your browser doesn't appear to support the HTML5 <code>&lt;canvas&gt;</code> element.  
      </canvas>  
    </body>  
</html>
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Group: core-security
Whiteboard: [sg:critical][qa!] → [sg:critical][qa!][gfx.relnote.13]

    
    

    
  
Landed the test:

https://hg.mozilla.org/mozilla-central/rev/7532bf93435c
Flags: in-testsuite? → in-testsuite+

    
    

    
  
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+

          You need to log in
          before you can comment on or make changes to this bug.