Closed Bug 743475 (CVE-2012-0473) Opened 8 years ago Closed 8 years ago

WebGLBuffer::FindMaxUshortElement passes wrong template arguments to FindMaxElementInSubArray

Categories

(Core :: Canvas: WebGL, defect)

defect
Not set

Tracking


VERIFIED FIXED
mozilla14
Tracking Status
firefox12 + verified
firefox13 + verified
firefox14 --- verified
firefox-esr10 12+ verified

People

(Reporter: dwarfcrank, Assigned: dwarfcrank)

Details

(Whiteboard: [sg:high][qa!])

Attachments

(2 files)

WebGLBuffer::FindMaxUshortElement in content/canvas/src/WebGLContext.h passes GLshort instead of GLushort to FindMaxElementInSubArray, even though only GLubyte or GLushort should be used.

I've attached a patch to fix the issue.
Attachment #613142 - Attachment is patch: true
Attachment #613142 - Flags: review+
Attachment #613142 - Flags: checkin?(jgilbert)
Assignee: nobody → matias.juntunen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86_64 → All
Attachment #613142 - Flags: checkin?(jgilbert) → checkin+
https://hg.mozilla.org/mozilla-central/rev/8a4ef59d7490
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Approval Request Comment]
Regression caused by (bug #): we've had this bug ever since we shipped WebGL
User impact if declined: security risk, will explain once this bug is hidden
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): trivial fix, no risk
String changes made by this patch:
Attachment #613142 - Flags: approval-mozilla-beta?
Attachment #613142 - Flags: approval-mozilla-aurora?
Group: core-security
Keywords: sec-high
OK, now that this bug is hidden, here's the explanation.

WebGL.drawElements validates that all the indices are in range. It does that by computing the max index, and comparing that to the min buffer size.

This bug causes the max index computation to be wrong. Basically, indices >= 32768 are ignored by the max element computation.

An attacker could exploit this by drawing with indices all in the range 32768--65535. This would allow them to read some illegal video memory, whence the sec-high rating.
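To make the sign error concrete, here is an added illustrative C++ example (not Mozilla's code, and not the actual body of WebGLBuffer::FindMaxElementInSubArray, which is assumed here to be a simple templated max-scan over the buffer bytes). It reinterprets the same UNSIGNED_SHORT index buffer once through the wrong template argument (GLshort) and once through the right one (GLushort), then runs a drawElements-style range check against a constructed vertex count. The sample index data and the vertex count are constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// GL type aliases as used in WebGLContext.h (assumed to match the usual GL headers).
typedef int16_t  GLshort;
typedef uint16_t GLushort;

// Illustrative stand-in for WebGLBuffer::FindMaxElementInSubArray (assumption, not
// Mozilla's implementation): interpret the buffer bytes as elements of type T and
// return the largest one in [firstElem, firstElem + count). The result is widened to
// int64_t so that a negative "maximum" produced by a signed T is visible to the caller.
template <typename T>
static int64_t FindMaxElementInSubArray(const std::vector<uint8_t>& bytes,
                                        size_t firstElem, size_t count) {
    int64_t maxElem = INT64_MIN;
    for (size_t i = firstElem; i < firstElem + count; ++i) {
        T elem;
        // memcpy avoids unaligned-access and strict-aliasing problems when viewing raw bytes as T.
        std::memcpy(&elem, bytes.data() + i * sizeof(T), sizeof(T));
        if (static_cast<int64_t>(elem) > maxElem) maxElem = elem;
    }
    return maxElem;
}

// Pre-fix behaviour: UNSIGNED_SHORT indices scanned through a signed element type.
// Every index >= 32768 wraps to a negative value and can never win the comparison.
static int64_t FindMaxUshortElementBuggy(const std::vector<uint8_t>& bytes,
                                         size_t firstElem, size_t count) {
    return FindMaxElementInSubArray<GLshort>(bytes, firstElem, count);
}

// Post-fix behaviour (the one-token change in the attached patch): the template
// argument matches the index type, so the full 0..65535 range is honoured.
static int64_t FindMaxUshortElementFixed(const std::vector<uint8_t>& bytes,
                                         size_t firstElem, size_t count) {
    return FindMaxElementInSubArray<GLushort>(bytes, firstElem, count);
}

// drawElements-style range check: the largest index must address an existing vertex.
static bool IndicesInRange(int64_t maxIndex, size_t vertexCount) {
    return maxIndex < static_cast<int64_t>(vertexCount);
}

// Build an UNSIGNED_SHORT index buffer in native byte order from constructed sample indices.
static std::vector<uint8_t> MakeIndexBuffer(const std::vector<uint16_t>& indices) {
    std::vector<uint8_t> bytes(indices.size() * sizeof(uint16_t));
    std::memcpy(bytes.data(), indices.data(), bytes.size());
    return bytes;
}

int main() {
    const size_t vertexCount = 100;  // constructed: the bound vertex buffer holds 100 vertices.
    // Constructed index data: 40000 lies past the end of the vertex buffer.
    std::vector<uint8_t> indices = MakeIndexBuffer({10, 20, 40000, 5});

    int64_t buggy = FindMaxUshortElementBuggy(indices, 0, 4);
    int64_t fixed = FindMaxUshortElementFixed(indices, 0, 4);
    std::printf("buggy: max=%lld in-range=%d (out-of-range index slips through)\n",
                static_cast<long long>(buggy), IndicesInRange(buggy, vertexCount));
    std::printf("fixed: max=%lld in-range=%d (draw is rejected)\n",
                static_cast<long long>(fixed), IndicesInRange(fixed, vertexCount));
    return 0;
}
```

With the signed instantiation the computed maximum is 20, so the range check against 100 vertices passes even though index 40000 is present; with the unsigned instantiation it is 40000 and the draw is refused. When every index is in 32768..65535 the signed scan returns -1, which is why a draw built only from such indices sailed through the check.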
If it's landing on beta/Firefox 12 it also needs to land on the ESR branch
Keywords: sec-high
Whiteboard: [sg:high]
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Triage Comment]
Approved for Beta 12 and Aurora 13 given the low risk evaluation and sg:high rating. Please land asap.
Attachment #613142 - Flags: approval-mozilla-beta?
Attachment #613142 - Flags: approval-mozilla-beta+
Attachment #613142 - Flags: approval-mozilla-aurora?
Attachment #613142 - Flags: approval-mozilla-aurora+
Attachment #613142 - Flags: approval-mozilla-esr10?
Is there a means to test this fix for verification purposes?
(In reply to Al Billings [:abillings] from comment #9)
> Is there a means to test this fix for verification purposes?

I'll whip up a quick testcase.
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

Please go ahead and land as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #613142 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Verified fixed in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120411 Firefox/14.0a1 and Benoit's nice testcase.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:high] → [sg:high][qa+]
Alias: CVE-2012-0473
Whiteboard: [sg:high][qa+] → [sg:high][qa!]
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+