Bug 743475 (CVE-2012-0473)

WebGLBuffer::FindMaxUshortElement passes wrong template arguments to FindMaxElementInSubArray

VERIFIED FIXED in Firefox 12

Status


Core
Canvas: WebGL
VERIFIED FIXED
5 years ago
3 years ago

People

(Reporter: dwarfcrank, Assigned: dwarfcrank)

Tracking

Trunk
mozilla14
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox12+ verified, firefox13+ verified, firefox14 verified, firefox-esr1012+ verified)

Details

(Whiteboard: [sg:high][qa!])

Attachments

(2 attachments)

(Assignee)

Description

5 years ago
Created attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

WebGLBuffer::FindMaxUshortElement in content/canvas/src/WebGLContext.h passes GLshort instead of GLushort to FindMaxElementInSubArray, even though only GLubyte or GLushort should be used.

I've attached a patch to fix the issue.
(Assignee)

Updated

5 years ago
Attachment #613142 - Attachment is patch: true
Attachment #613142 - Flags: review+
Attachment #613142 - Flags: checkin?(jgilbert)
Assignee: nobody → matias.juntunen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86_64 → All
https://hg.mozilla.org/integration/mozilla-inbound/rev/8a4ef59d7490
Target Milestone: --- → mozilla14
Attachment #613142 - Flags: checkin?(jgilbert) → checkin+
https://hg.mozilla.org/mozilla-central/rev/8a4ef59d7490
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Approval Request Comment]
Regression caused by (bug #): we've had this bug ever since we shipped WebGL
User impact if declined: security risk, will explain once this bug is hidden
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): trivial fix, no risk
String changes made by this patch:
Attachment #613142 - Flags: approval-mozilla-beta?
Attachment #613142 - Flags: approval-mozilla-aurora?
Group: core-security
Keywords: sec-high
OK, now that this bug is hidden, here's the explanation.

WebGL.drawElements validates that all the indices are in range. It does that by computing the max index, and comparing that to the min buffer size.

This bug causes the max index computation to be wrong. Basically, indices >= 32768 are ignored by the max element computation.

An attacker could exploit this by drawing with indices all in the range 32768--65535. This would allow them to read some illegal video memory, whence the sec-high rating.
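The signed/unsigned mix-up the comment above describes, as an added model that is not Mozilla's code: the pre-patch GLshort instantiation of the scan beside the GLushort one the patch switches to, with the drawElements-style range check that consumes the result. The typedefs, function names and signatures are assumed stand-ins for the ones the bug names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of the index-range check, not Mozilla's code: the
// typedefs and function names are assumed stand-ins for the ones the bug
// names, and the signatures are simplified.
typedef std::uint16_t GLushort;
typedef std::int16_t  GLshort;

// Read `count` elements of type T from a raw index buffer and return the
// largest one widened to int (-1 for an empty range).
template <typename T>
int FindMaxElementInSubArray(const std::uint8_t* data, std::size_t count) {
    int maxElem = -1;
    for (std::size_t i = 0; i < count; ++i) {
        T elem;
        std::memcpy(&elem, data + i * sizeof(T), sizeof(T));
        if (static_cast<int>(elem) > maxElem) maxElem = static_cast<int>(elem);
    }
    return maxElem;
}

// Max of an UNSIGNED_SHORT index buffer. `buggy` selects the pre-patch
// instantiation: scanning as GLshort turns every index >= 32768 into a
// negative number, so such indices can never become the maximum.
int FindMaxUshortElement(const std::vector<GLushort>& indices, bool buggy) {
    const std::uint8_t* bytes = reinterpret_cast<const std::uint8_t*>(indices.data());
    return buggy ? FindMaxElementInSubArray<GLshort>(bytes, indices.size())
                 : FindMaxElementInSubArray<GLushort>(bytes, indices.size());
}

// drawElements-style validation: the draw is allowed only when the largest
// index is below the number of vertices the bound attribute buffers hold.
// With the buggy scan a negative "max" sails through this comparison.
bool DrawAllowed(const std::vector<GLushort>& indices, std::size_t vertexCount, bool buggy) {
    return FindMaxUshortElement(indices, buggy) < static_cast<int>(vertexCount);
}
```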
If it's landing on beta/Firefox 12 it also needs to land on the ESR branch
status-firefox-esr10: --- → affected
status-firefox12: --- → affected
status-firefox13: --- → affected
status-firefox14: --- → fixed
tracking-firefox-esr10: --- → ?
tracking-firefox12: --- → +
tracking-firefox13: --- → +
Keywords: sec-high
Whiteboard: [sg:high]

Comment 7

5 years ago
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Triage Comment]
Approved for Beta 12 and Aurora 13 given the low risk evaluation and sg:high rating. Please land asap.
Attachment #613142 - Flags: approval-mozilla-beta?
Attachment #613142 - Flags: approval-mozilla-beta+
Attachment #613142 - Flags: approval-mozilla-aurora?
Attachment #613142 - Flags: approval-mozilla-aurora+
tracking-firefox-esr10: ? → 12+
http://hg.mozilla.org/releases/mozilla-aurora/rev/144d327b35a9
http://hg.mozilla.org/releases/mozilla-beta/rev/7b1f6af2b2d7
Attachment #613142 - Flags: approval-mozilla-esr10?
status-firefox12: affected → fixed
status-firefox13: affected → fixed
Is there a means to test this fix for verification purposes?
(In reply to Al Billings [:abillings] from comment #9)
> Is there a means to test this fix for verification purposes?

I'll whip up a quick testcase.
Created attachment 613747 [details]
Testcase
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

Please go ahead and land as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #613142 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Verified fixed in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120411 Firefox/14.0a1 and Benoit's nice testcase.
Status: RESOLVED → VERIFIED
http://hg.mozilla.org/releases/mozilla-esr10/rev/76d2e9680f28
status-firefox-esr10: affected → fixed
Whiteboard: [sg:high] → [sg:high][qa+]
Alias: CVE-2012-0473

Updated

5 years ago
status-firefox12: fixed → verified

Updated

5 years ago
status-firefox13: fixed → verified

Updated

5 years ago
status-firefox14: fixed → verified

Updated

5 years ago
status-firefox-esr10: fixed → verified

Updated

5 years ago
Whiteboard: [sg:high][qa+] → [sg:high][qa!]
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+