Bug 727547 (CVE-2012-0478) [Closed]
Opened 13 years ago, closed 13 years ago
nsIDOMWebGLRenderingContext_Tex{,Sub}Image2D use JSVAL_TO_OBJECT on arbitrary objects
Categories: Core :: Graphics: CanvasWebGL, defect
Status: VERIFIED FIXED (target milestone mozilla13)
People: Reporter: Ms2ger, Assigned: Ms2ger
Keywords: regression, reporter-external; Whiteboard: [sg:critical][qa!][gfx.relnote.13]
Attachments (2 files):
Attachment 1: patch, 2.03 KB (bzbarsky: review+; lsblakk: approval-mozilla-beta+; lsblakk: approval-mozilla-esr10+)
Attachment 2: patch, 796 bytes
Something like this should do the trick:
webglcontext.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 })
I'd test it, but we don't support WebGL on my hardware. Code was added in bug 573705.
Attachment #597496 - Flags: review?(bzbarsky)
Comment 1•13 years ago
Comment on attachment 597496 [details] [diff] [review]
Patch v1
r=me, but do post a testcase in this bug so it can be landed at some point?
Attachment #597496 - Flags: review?(bzbarsky) → review+
Comment 2•13 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Comment 3•13 years ago (Assignee)
Updated•13 years ago
status-firefox13: --- → fixed
Comment 4•13 years ago
Problem definitely affects the ESR (bp-b58535e5-276a-4867-a477-612372120317); what severity rating should this bug get? The given testcase is a near-null deref and isn't scary, but could data ever have anything in it that JSVAL_TO_OBJECT() would turn into something dangerous, maybe pointing at a fake object an attacker created?
We should probably just fix it rather than waste time figuring that out.
Blocks: 573705
status1.9.2: --- → unaffected
status-firefox-esr10: --- → affected
status-firefox11: --- → wontfix
status-firefox12: --- → affected
status-firefox14: --- → fixed
tracking-firefox-esr10: --- → ?
tracking-firefox12: --- → +
tracking-firefox13: --- → +
Keywords: regression
Comment 5•13 years ago (Assignee)
Doing s/data: 7/data: 0xdeadbeef/ gives bp-1e0ff526-91d1-4b8b-b130-e03d72120317, which is somewhat less near-null.
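To make the concern raised in comments 4 and 5 concrete, here is an added C model (not Mozilla code, and not SpiderMonkey's real jsval layout) of the difference between unboxing a script-supplied value as an object without a check and verifying its tag first; the names jsval_model, image_obj, unchecked_to_object, checked_to_object and read_image_dims are invented for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a boxed JS value (tag + payload). SpiderMonkey packs
 * both into one 64-bit word; only the tag/payload idea is reproduced here. */
typedef enum { TAG_UNDEFINED, TAG_INT, TAG_OBJECT } val_tag;
typedef struct { val_tag tag; uint64_t payload; } jsval_model;

/* Stand-in for the ImageData-like object that "data" is expected to hold. */
typedef struct { int width; int height; } image_obj;

/* Unchecked unbox: what a bare JSVAL_TO_OBJECT amounts to when nothing has
 * verified the value is an object. An int payload of 7 comes back as the
 * pointer 0x7 (the near-null deref); 0xdeadbeef comes back as 0xdeadbeef. */
static image_obj *unchecked_to_object(jsval_model v) {
    return (image_obj *)(uintptr_t)v.payload;
}

/* Checked unbox: refuse non-objects so the caller can raise a TypeError
 * instead of dereferencing bits chosen by the page. */
static image_obj *checked_to_object(jsval_model v) {
    return v.tag == TAG_OBJECT ? (image_obj *)(uintptr_t)v.payload : NULL;
}

/* Address an unchecked caller would dereference for { data: n }, n a number. */
uintptr_t address_for_int_data(int64_t n) {
    jsval_model v = { TAG_INT, (uint64_t)n };
    return (uintptr_t)unchecked_to_object(v);
}

/* Fixed path: 0 on success, -1 when "data" is not an object (no dereference). */
int read_image_dims(jsval_model data, int *w, int *h) {
    image_obj *img = checked_to_object(data);
    if (img == NULL) return -1;
    *w = img->width;
    *h = img->height;
    return 0;
}

/* Wrappers exercising the fixed path with constructed inputs. */
int dims_result_for_int(int64_t n) {
    int w = 0, h = 0;
    jsval_model v = { TAG_INT, (uint64_t)n };
    return read_image_dims(v, &w, &h);
}

int width_via_checked(int width, int height) {
    image_obj img = { width, height };
    int w = 0, h = 0;
    jsval_model v = { TAG_OBJECT, (uint64_t)(uintptr_t)&img };
    return read_image_dims(v, &w, &h) == 0 ? w : -1;
}
```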
Updated•13 years ago
Whiteboard: [sg:critical]
Comment 6•13 years ago
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Problem definitely affects the ESR (bp-b58535e5-276a-4867-a477-612372120317); what severity rating should this bug get? The given testcase is a near-null deref and isn't scary, but could data ever have anything in it that JSVAL_TO_OBJECT() would turn into something dangerous, maybe pointing at a fake object an attacker created?
>
> We should probably just fix it rather than waste time figuring that out.
If that's the approach to take here, can someone please nominate the patch for approval-esr10? Would be great to get this landed in the next few days.
Comment 7•13 years ago
Ms2ger, Boris, this bug is still marked as status-firefox12:affected. What's the decision here: are we still trying to land a patch on beta for ff12, or are we wontfixing this for ff12?
Comment 8•13 years ago
Comment on attachment 597496 [details] [diff] [review]
Patch v1
I think we should fix this on beta and ESR.
[Approval Request Comment]
Regression caused by (bug #): 573705
User impact if declined: Allows web content to trigger probably-exploitable crashes.
Testing completed (on m-c, etc.): Been on m-c and Aurora for a while
Risk to taking this patch (and alternatives if risky): Very very low-risk.
String changes made by this patch: None
Attachment #597496 - Flags: approval-mozilla-esr10?
Attachment #597496 - Flags: approval-mozilla-beta?
Comment 9•13 years ago
Comment on attachment 597496 [details] [diff] [review]
Patch v1
[triage comment]
Low risk, let's get these in.
Attachment #597496 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Attachment #597496 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 10•13 years ago
Updated•13 years ago
Alias: CVE-2012-0478
Comment 13•13 years ago
Verified it in nightly with testcase (which isn't checked in yet): Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120420 Firefox/14.0a1
Status: RESOLVED → VERIFIED
Comment 14•13 years ago
Verification complete using:
<html>
<head>
<script type="text/javascript">
  // Global GL context; stays null until initWebGL succeeds.
  var gl = null;

  function initWebGL(canvas) {
    gl = null;
    try {
      // Try to grab the standard context. If it fails, fall back to experimental.
      gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
    }
    catch (e) {}
    // If we don't have a GL context, give up now
    if (!gl) {
      alert("Unable to initialize WebGL. Your browser may not support it.");
    }
  }

  function start() {
    var canvas = document.getElementById("glcanvas");
    initWebGL(canvas); // Initialize the GL context
    // Only continue if WebGL is available and working
    if (gl) {
      gl.clearColor(0.0, 0.0, 0.0, 1.0); // Set clear color to black, fully opaque
      gl.enable(gl.DEPTH_TEST); // Enable depth testing
      gl.depthFunc(gl.LEQUAL); // Near things obscure far things
      gl.clear(gl.COLOR_BUFFER_BIT | gl.DEPTH_BUFFER_BIT); // Clear the color as well as the depth buffer.
      // Trigger from comment 0: a plain number in "data" reached JSVAL_TO_OBJECT unchecked in affected builds.
      gl.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 });
    }
  }
</script>
</head>
<body onload="start()">
<canvas id="glcanvas" width="640" height="480">
  Your browser doesn't appear to support the HTML5 <code>&lt;canvas&gt;</code> element.
</canvas>
</body>
</html>
Updated•13 years ago
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Updated•13 years ago
Group: core-security
Updated•13 years ago
Whiteboard: [sg:critical][qa!] → [sg:critical][qa!][gfx.relnote.13]
Comment 15•13 years ago (Assignee)
Landed the test:
https://hg.mozilla.org/mozilla-central/rev/7532bf93435c
Flags: in-testsuite? → in-testsuite+
Updated•11 months ago
Keywords: reporter-external