Bug 972622 (CVE-2014-1502)

WebGL.compressedTex(Sub)Image2D doesn't call MakeCurrent

RESOLVED FIXED in Firefox 28

Status

defect, RESOLVED FIXED

People

(Reporter: jgilbert, Assigned: jgilbert)

Tracking

Keywords: sec-moderate
Version: unspecified
Target Milestone: mozilla30

Firefox Tracking Flags

(firefox27 wontfix, firefox28+ fixed, firefox29 fixed, firefox30 fixed, firefox-esr24 wontfix, b2g18 wontfix, b2g-v1.1hd wontfix, b2g-v1.2 fixed, b2g-v1.3 fixed, b2g-v1.3T fixed, b2g-v1.4 fixed)

Details

(Whiteboard: [qa-][adv-main28+])

Attachments

(1 attachment)

Description

5 years ago
Ok, this one is potentially dangerous, since it can change the data in another context. It can't steal data, only upload its own data, though.

Maybe a very low likelihood sec-vector?

Comment 1

5 years ago
Attachment #8375877 - Flags: review?(dglastonbury)

Comment 2 (Benoit Jacob [:bjacob])

Right; what would be a big problem is if we forgot to makecurrent in a WebGL entry point that can retrieve information out of a WebGL context...

Comment 3

5 years ago
(In reply to Benoit Jacob [:bjacob] from comment #2)
> Right; what would be a big problem is if we forgot to makecurrent in a WebGL
> entry point that can retrieve information out of a WebGL context...

You could steal data from other GLContexts, possibly including the compositor. (I think not the compositor if we're on OMTC, though)

Comment 4

Right, the likely attack case is a WebGL context on the main thread stealing data from another WebGL context on the main thread, from a different origin.

Comment 5

5 years ago
I was wrong about what sec-vector meant. This sounds like it's potentially sec-high, since you can potentially inject static images into other running WebGL. The difficulty in doing something targeted with it likely drops it down to sec-moderate, which is what I'll mark this.

The only danger here is if:
The malicious WebGL context can interleave its command stream with another context's rendering loop, but only in that it overwrites a specific texture to something phishy, or similar.
This is basically not viable.

It can happen more easily if a victim context renders using a texture without rebinding it, which more or less is never done in anything non-trivial.
Keywords: sec-vector → sec-moderate
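Added illustration (not part of the bug thread, and not Mozilla's WebGLContext or GLContext code): a toy single-threaded model of the hazard comments 2 through 5 describe. GL commands carry no context argument; they act on whichever context the calling thread last made current. So a WebGL entry point that skips MakeCurrent issues its upload against whatever context happens to be current, possibly another origin's. The struct, function names, and sample pixel data below are assumptions chosen for the demo; the model covers only the write direction (injecting data into another context), not the read direction bjacob warns about.

```c
/* Toy model of the GL "current context" hazard behind bug 972622.
 * Added example code, not Mozilla's implementation; every name here is
 * an assumption for illustration, and the pixel data is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEX_BYTES 8

typedef struct GLContextModel {
    const char *origin;            /* owner of the context, for the demo only */
    uint8_t texture[TEX_BYTES];    /* the single texture this context owns */
} GLContextModel;

/* Thread-local in a real driver; a global suffices for a single-threaded model. */
static GLContextModel *gCurrentContext = NULL;

static void MakeCurrent(GLContextModel *ctx) { gCurrentContext = ctx; }

/* The "driver": writes into the texture of the *current* context, whatever it is. */
static int glCompressedTexImage2D_model(const uint8_t *data, size_t len) {
    if (gCurrentContext == NULL || len > TEX_BYTES) return 0;
    memcpy(gCurrentContext->texture, data, len);
    return 1;
}

/* Buggy entry point: assumes 'self' is already current and never checks. */
static int CompressedTexImage2D_NoMakeCurrent(GLContextModel *self,
                                              const uint8_t *data, size_t len) {
    (void)self;  /* never consulted: this is the bug */
    return glCompressedTexImage2D_model(data, len);
}

/* Fixed entry point: make the calling context current before issuing the command. */
static int CompressedTexImage2D_Fixed(GLContextModel *self,
                                      const uint8_t *data, size_t len) {
    MakeCurrent(self);
    return glCompressedTexImage2D_model(data, len);
}

/* Run the cross-origin scenario. Returns a bitmask:
 *   bit 0: the victim's texture was overwritten
 *   bit 1: the attacker's own texture received the upload */
int run_scenario(int use_fixed_entry_point) {
    GLContextModel attacker = { "https://attacker.example", {0} };
    GLContextModel victim   = { "https://bank.example", {0} };
    static const uint8_t victim_pixels[TEX_BYTES]   = {1, 1, 1, 1, 1, 1, 1, 1};
    static const uint8_t attacker_pixels[TEX_BYTES] = {9, 9, 9, 9, 9, 9, 9, 9};
    int result = 0;

    /* The victim page uploads its texture through a correct entry point;
     * its context is now the current one on the main thread. */
    CompressedTexImage2D_Fixed(&victim, victim_pixels, TEX_BYTES);

    /* The attacker page then calls compressedTexImage2D on *its own* context. */
    if (use_fixed_entry_point)
        CompressedTexImage2D_Fixed(&attacker, attacker_pixels, TEX_BYTES);
    else
        CompressedTexImage2D_NoMakeCurrent(&attacker, attacker_pixels, TEX_BYTES);

    if (memcmp(victim.texture, victim_pixels, TEX_BYTES) != 0)     result |= 1;
    if (memcmp(attacker.texture, attacker_pixels, TEX_BYTES) == 0) result |= 2;
    return result;
}

int main(void) {
    printf("without MakeCurrent: result = %d (1 = victim clobbered)\n", run_scenario(0));
    printf("with MakeCurrent:    result = %d (2 = attacker's own texture written)\n", run_scenario(1));
    return 0;
}
```

The model also shows why comment 5 rates the impact as limited: the attacker only controls what is written, not where, and the overwrite lands on whatever texture the victim last bound, which a non-trivial renderer will rebind on its next frame.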

Comment 6

5 years ago
This bug is ancient. These are my recommendations for wontfix: Release, ESR24, B2G18, B2G 1.1.


Comment 8

5 years ago
Comment on attachment 8375877 [details] [diff] [review]
makecur-compressed

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 728017
User impact if declined: Very unlikely sec concerns brought up in above comments.
Testing completed: Local
Risk to taking this patch (and alternatives if risky): none
String or UUID changes made by this patch: none
Attachment #8375877 - Flags: approval-mozilla-beta?
Attachment #8375877 - Flags: approval-mozilla-b2g28?
Attachment #8375877 - Flags: approval-mozilla-b2g26?
Attachment #8375877 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/b11d40f3ba4b
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Comment on attachment 8375877 [details] [diff] [review]
makecur-compressed

If this is approved and landed on beta, it will be merged to b2g28.
Attachment #8375877 - Flags: approval-mozilla-b2g28?
Attachment #8375877 - Flags: approval-mozilla-beta?
Attachment #8375877 - Flags: approval-mozilla-beta+
Attachment #8375877 - Flags: approval-mozilla-aurora?
Attachment #8375877 - Flags: approval-mozilla-aurora+
Attachment #8375877 - Flags: approval-mozilla-b2g26? → approval-mozilla-b2g26+
Matt, can you please evaluate if this needs testing before release?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(mwobensmith)
Whiteboard: [qa-]
Whiteboard: [qa-] → [qa-][adv-main28+]
Alias: CVE-2014-1502
Group: core-security