Vertex array object has a bug with the vertex array fetching security checker. Hacker might be able to access not owned memory.
Created attachment 777245 [details] [diff] [review] patch disabling VAO extension This patch disabled Vertex Array Object temporally.
Attachment #777245 - Flags: review?(jmuizelaar)
Attachment #777245 - Flags: review?(jmuizelaar) → review+
Comment on attachment 777245 [details] [diff] [review] patch disabling VAO extension Review of attachment 777245 [details] [diff] [review]: ----------------------------------------------------------------- Would we tag the source (public) with a "this causes security problem" comment?
The patch disabling WebGL's vertex array object extension has been of the reasons inbound close because of the associated WebGL conformance test passed when it was supposed to fail. Also I mixed up jgilbert and jrmuizel on the commit message. So sorry about that. The bug is : We would be able to read GPU memory by the following sequence : - create a vertex array object 1 with one attribute binded on small vertex buffer object - create a vertex array object 2 with one attribute binded on a big vertex buffer - draw once with vertex array object 2 - draw with vertex array object 1 but with a number of vertices bigger than the small vertex buffer => the vertex shader would get back all the GPU memory around the small vertex buffer location. The problem has been found and being fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=893180 bringing changes on WebGLContext::ValidateBuffer
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox25: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Does this not affect 24 (and therefore ESR24) at all? How about waaaaay back in ESR17? If this affects older versions, we'll need an ESR24 (and probably ESR17) patch.
status-firefox-esr17: --- → ?
status-firefox-esr24: --- → ?
This only affects Gecko 25+. Earlier versions just didn't support vertex array objects.
status-firefox-esr17: ? → ---
status-firefox-esr24: ? → ---
Changing status flags from --- to unaffected for ESR since we explicitly know this.
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
Hi, Could it be the reason why I am getting this in a WebGL2 context? TypeError: Argument 1 of OES_vertex_array_object.bindVertexArrayOES does not implement interface WebGLVertexArrayObjectOES.
You need to log in before you can comment on or make changes to this bug.