Closed Bug 895010 Opened 11 years ago Closed 11 years ago

WebGL vertex array object security leak

Categories

(Core :: Graphics: CanvasWebGL, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla25
Tracking Status
firefox24 --- unaffected
firefox25 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: guillaume.abadie, Assigned: guillaume.abadie)

References

Details

(Keywords: csectype-bounds, regression, sec-high)

Attachments

(1 file)

The vertex array object has a bug in the vertex array fetching security checker. A hacker might be able to access memory they do not own.
Assignee: nobody → gabadie
This patch temporarily disables Vertex Array Objects.
Attachment #777245 - Flags: review?(jmuizelaar)
Attachment #777245 - Flags: review?(jmuizelaar) → review+
Blocks: 738869
Whiteboard: [leave open]
Comment on attachment 777245 [details] [diff] [review]
patch disabling VAO extension

Review of attachment 777245 [details] [diff] [review]:
-----------------------------------------------------------------

Would we tag the source (public) with a "this causes a security problem" comment?
The patch disabling WebGL's vertex array object extension has been one of the reasons for the inbound closure, because the associated WebGL conformance test passed when it was supposed to fail. Also, I mixed up jgilbert and jrmuizel in the commit message. Sorry about that.

The bug is: we would be able to read GPU memory with the following sequence:
 - create vertex array object 1 with one attribute bound to a small vertex buffer object
 - create vertex array object 2 with one attribute bound to a big vertex buffer
 - draw once with vertex array object 2
 - draw with vertex array object 1 but with a number of vertices bigger than the small vertex buffer => the vertex shader would get back all the GPU memory around the small vertex buffer location.

The problem has been found and is being fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=893180, which brings changes to WebGLContext::ValidateBuffer.
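Added illustrative model (not Gecko's code and not the ValidateBuffer change referenced in the comment above) of the bounds check a WebGL implementation has to apply on every draw: the byte range each enabled attribute will fetch for the requested vertices is computed from the bindings of the VAO that is bound at draw time and compared with that VAO's buffer sizes. The function names, the VAO/attribute object layout and the buffer sizes in scenario() are assumptions constructed for the demo; scenario() replays the four-step sequence from the comment and shows the oversized draw through VAO 1 being rejected regardless of the earlier draw through VAO 2.

```javascript
// Added illustrative model of the per-draw attribute-fetch bounds check a WebGL
// implementation must run against the *currently bound* VAO before issuing the
// draw. This is NOT Gecko's WebGLContext::ValidateBuffer; names and object
// layout are assumptions, and the buffer sizes in scenario() are constructed.

// Byte width of each WebGL vertex attribute component type (subset).
const BYTES_PER_TYPE = { BYTE: 1, UNSIGNED_BYTE: 1, SHORT: 2, UNSIGNED_SHORT: 2, FLOAT: 4 };

// Number of bytes the fetch for one attribute touches when drawing the
// vertices [first, first + count). Returns null for a disabled attribute
// (nothing is fetched from a buffer; the constant attribute value is used).
function requiredBytes(attr, first, count) {
  if (!attr.enabled) return null;
  if (count === 0) return 0;
  const elemBytes = attr.size * BYTES_PER_TYPE[attr.type];
  // A stride of 0 means "tightly packed", i.e. one element per vertex.
  const stride = attr.stride === 0 ? elemBytes : attr.stride;
  const lastIndex = first + count - 1;
  return attr.offset + lastIndex * stride + elemBytes;
}

// Validate a drawArrays(first, count) against the attribute bindings held by
// the VAO that is bound right now. Each VAO carries its own bindings, so the
// check can never be satisfied by a buffer that belongs to a different VAO.
function validateDraw(vao, first, count) {
  for (const [loc, attr] of vao.attribs) {
    const need = requiredBytes(attr, first, count);
    if (need === null) continue;
    if (!attr.buffer) {
      return { ok: false, reason: `attribute ${loc} is enabled but has no buffer bound` };
    }
    if (need > attr.buffer.byteLength) {
      return { ok: false, reason: `attribute ${loc} needs ${need} bytes, buffer holds ${attr.buffer.byteLength}` };
    }
  }
  return { ok: true };
}

// Constructed replay of the sequence in the comment above: VAO 1 points at a
// small buffer, VAO 2 at a big one; drawing through VAO 2 first must not make
// an oversized draw through VAO 1 pass.
function scenario() {
  const smallBuf = { byteLength: 4 * 3 * 4 };     // 4 vertices of vec3 float = 48 bytes
  const bigBuf   = { byteLength: 1000 * 3 * 4 };  // 1000 vertices = 12000 bytes
  const vec3Attr = (buffer) => ({ enabled: true, buffer, size: 3, type: 'FLOAT', stride: 0, offset: 0 });
  const vao1 = { attribs: new Map([[0, vec3Attr(smallBuf)]]) };
  const vao2 = { attribs: new Map([[0, vec3Attr(bigBuf)]]) };

  return {
    drawVao2: validateDraw(vao2, 0, 1000),      // ok: exactly fills the big buffer
    drawVao1Fits: validateDraw(vao1, 0, 4),     // ok: 48 bytes needed, 48 available
    drawVao1Over: validateDraw(vao1, 0, 1000),  // rejected: 12000 bytes needed, 48 available
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenario());
}
```

The point of the model is that validation state lives on the VAO, not on the context: the last draw to pass validation (through VAO 2) contributes nothing to the decision for the next draw (through VAO 1), which is judged only by the buffers its own bindings reference.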
https://hg.mozilla.org/mozilla-central/rev/97a092648a62
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Does this not affect 24 (and therefore ESR24) at all?

How about waaaaay back in ESR17?

If this affects older versions, we'll need an ESR24 (and probably ESR17) patch.
This only affects Gecko 25+. Earlier versions just didn't support vertex array objects.
Changing status flags from --- to unaffected for ESR since we explicitly know this.
Group: core-security
Keywords: regression
Hi,

Could it be the reason why I am getting this in a WebGL2 context?

TypeError: Argument 1 of OES_vertex_array_object.bindVertexArrayOES does not implement interface WebGLVertexArrayObjectOES.