WebGL vertex array object security leak

RESOLVED FIXED in Firefox 25

Status


Core
Canvas: WebGL
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: Guillaume Abadie, Assigned: Guillaume Abadie)

Tracking

({csectype-bounds, regression, sec-high})

unspecified
mozilla25
csectype-bounds, regression, sec-high
Points:
---

Firefox Tracking Flags

(firefox24 unaffected, firefox25 fixed, firefox-esr17 unaffected, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 unaffected)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
Vertex array object has a bug with the vertex array fetching security checker. Hacker might be able to access not owned memory.
(Assignee)

Updated

5 years ago
Assignee: nobody → gabadie
(Assignee)

Comment 1

5 years ago
Created attachment 777245 [details] [diff] [review]
patch disabling VAO extension

This patch disables Vertex Array Object temporarily.
Attachment #777245 - Flags: review?(jmuizelaar)
Attachment #777245 - Flags: review?(jmuizelaar) → review+
(Assignee)

Updated

5 years ago
Blocks: 738869
(Assignee)

Updated

5 years ago
Whiteboard: [leave open]
(Assignee)

Updated

5 years ago
Whiteboard: [leave open]
Comment on attachment 777245 [details] [diff] [review]
patch disabling VAO extension

Review of attachment 777245 [details] [diff] [review]:
-----------------------------------------------------------------

Would we tag the source (public) with a "this causes a security problem" comment?
Keywords: csec-bounds, sec-high
(Assignee)

Comment 5

5 years ago
The patch disabling WebGL's vertex array object extension has been one of the reasons inbound closed, because the associated WebGL conformance test passed when it was supposed to fail. Also I mixed up jgilbert and jrmuizel in the commit message. So sorry about that.

The bug is: we would be able to read GPU memory by the following sequence:
 - create a vertex array object 1 with one attribute bound to a small vertex buffer object
 - create a vertex array object 2 with one attribute bound to a big vertex buffer
 - draw once with vertex array object 2
 - draw with vertex array object 1 but with a number of vertices bigger than the small vertex buffer => the vertex shader would get back all the GPU memory around the small vertex buffer location.

The problem has been found and is being fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=893180, which brings changes to WebGLContext::ValidateBuffer
https://hg.mozilla.org/mozilla-central/rev/97a092648a62
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox25: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
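The sequence in comment 5 comes down to a per-draw bounds check that has to be evaluated against whichever VAO is bound at draw time, never reused from an earlier draw with a different VAO. The block below is an added illustration of such a check in plain JavaScript; it is not Gecko's WebGLContext::ValidateBuffer, and the Context, validateDraw and bytesNeeded names, the attribute layout and the buffer sizes are all assumed for the example.

```javascript
// Illustrative vertex-fetch bounds check (added example, not Gecko code).
// Every enabled attribute of the *currently bound* VAO must be backed by a
// buffer large enough to read `count` vertices starting at `first`.
const BYTES_PER_TYPE = { BYTE: 1, UNSIGNED_BYTE: 1, SHORT: 2, UNSIGNED_SHORT: 2, FLOAT: 4 };

// Bytes a draw of vertices [first, first+count) reads through one attribute pointer.
function bytesNeeded(attr, first, count) {
  const elemBytes = BYTES_PER_TYPE[attr.type] * attr.size;
  const stride = attr.stride || elemBytes;           // stride 0 means tightly packed
  // The last vertex starts at offset + stride*(last index) and spans elemBytes.
  return attr.offset + stride * (first + count - 1) + elemBytes;
}

// Returns null when the draw stays inside every bound buffer, else a description
// of the first attribute that would read past its buffer.
function validateDraw(vao, first, count) {
  if (count <= 0) return null;                        // nothing is fetched
  for (const [loc, attr] of vao.attribs.entries()) {
    if (!attr.enabled) continue;
    if (!attr.buffer) return `attribute ${loc}: no buffer bound`;
    const need = bytesNeeded(attr, first, count);
    if (need > attr.buffer.byteLength) {
      return `attribute ${loc}: needs ${need} bytes, buffer has ${attr.buffer.byteLength}`;
    }
  }
  return null;
}

class Context {
  constructor() { this.boundVao = null; }
  bindVertexArray(vao) { this.boundVao = vao; }
  drawArrays(first, count) {
    // Validate against the VAO bound *now*; a result cached from the previous
    // draw (comment 5's "draw once with VAO 2") is exactly what must not be trusted.
    const err = validateDraw(this.boundVao, first, count);
    if (err) throw new RangeError(`INVALID_OPERATION: ${err}`);
    return count;                                     // stands in for issuing the draw
  }
}

// Constructed sample: one vec4 float attribute at location 0 per VAO.
const makeVao = (byteLength) => ({
  attribs: new Map([[0, { enabled: true, size: 4, type: 'FLOAT', stride: 0, offset: 0, buffer: { byteLength } }]]),
});
const smallVao = makeVao(16 * 3);     // room for 3 vertices
const bigVao = makeVao(16 * 1000);    // room for 1000 vertices
```

Drawing 1000 vertices with bigVao bound succeeds; rebinding smallVao and issuing the same count is rejected before anything reaches the GPU.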
Does this not affect 24 (and therefore ESR24) at all?

How about waaaaay back in ESR17?

If this affects older versions, we'll need an ESR24 (and probably ESR17) patch.
status-firefox-esr17: --- → ?
status-firefox-esr24: --- → ?
This only affects Gecko 25+. Earlier versions just didn't support vertex array objects.
status-firefox-esr17: ? → ---
status-firefox-esr24: ? → ---
Changing status flags from --- to unaffected for ESR since we explicitly know this.
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
status-firefox24: --- → unaffected
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
Group: core-security
Keywords: regression

Comment 11

2 years ago
Hi,

Could it be the reason why I am getting this in a WebGL2 context?

TypeError: Argument 1 of OES_vertex_array_object.bindVertexArrayOES does not implement interface WebGLVertexArrayObjectOES.