Closed
Bug 974356
Opened 11 years ago
Closed 11 years ago
MemoryTexture's do not validate that the client is same-process
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: bjacob, Assigned: bjacob)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-priv-escalation, sec-high, Whiteboard: [qa-])
Attachments
(4 files, 2 obsolete files)
914 bytes,
patch
|
nical
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
895 bytes,
patch
|
nical
:
review+
|
Details | Diff | Splinter Review |
1.87 KB,
patch
|
bent.mozilla
:
review+
|
Details | Diff | Splinter Review |
6.42 KB,
patch
|
bjacob
:
review+
|
Details | Diff | Splinter Review |
MemoryTexture's are like ShmemTexture's, but sharing a plain pointer. This of course only makes sense in the case of same-process clients, but this isn't validated at the moment. As a result, untrusted client processes can tell the parent process to dereference arbitrary pointers, leading to incorrect rendering, crashes, and a sec-vector that in conjunction with another flaw exposing the compositor's output, would allow an attacker to read data illegally from the parent process.
Assignee | ||
Comment 1•11 years ago
|
||
Question 1: In IPDL, who knows whether the link is same-process?
Answer: The actors do, and expose it via their OtherProcess() method, which returns 0 in the case of a same-process link.
Question 2: Can we call OtherProcess() during actor construction?
Answer: No, since OtherProcess() needs member data that is only set after the AllocPFoo method has returned.
Question 3: OK, so we need to call OtherProcess() on an actor that is already constructed before we start constructing PTexture actors, and that is accessible from there. What would that be?
Answer: PTexture actors know about an ISurfaceAllocator, which knows about a PLayerTransaction or PImageBridge actor, which is constructed earlier.
---> so this patch adds a IsSameProcess() method to ISurfaceAllocator, getting information from the PLayerTransaction or PImageBridge actor.
Attachment #8378255 -
Flags: review?(nical.bugzilla)
Assignee | ||
Comment 2•11 years ago
|
||
As a matter of fact, current widget code is constructing PCompositorParent's by hand, without going through the normal IPC dance (create child, call SendConstructor method). The resulting PCompositorParent then has an uninitialized mOtherProcess field = 0xa5a5a5a5a5...
Attachment #8378257 -
Flags: review?(bent.mozilla)
Assignee | ||
Comment 3•11 years ago
|
||
Attachment #8378258 -
Flags: review?(nical.bugzilla)
Assignee | ||
Comment 4•11 years ago
|
||
I'm not certain that we strictly need this, but this seemed like the right thing to do.
Attachment #8378259 -
Flags: review?(nical.bugzilla)
Updated•11 years ago
|
Attachment #8378255 -
Flags: review?(nical.bugzilla) → review+
Updated•11 years ago
|
Attachment #8378258 -
Flags: review?(nical.bugzilla) → review+
Updated•11 years ago
|
Attachment #8378259 -
Flags: review?(nical.bugzilla) → review+
Updated•11 years ago
|
Assignee: nobody → bjacob
Updated•11 years ago
|
Assignee: bjacob → nobody
Updated•11 years ago
|
Assignee: nobody → bjacob
Keywords: csectype-priv-escalation,
sec-high
Assignee | ||
Comment 5•11 years ago
|
||
Comment on attachment 8378255 [details] [diff] [review]
Part 1: add an IsSameProcess method to ISurfaceAllocator
*** Note: I'm writing only one sec-approval request for all 4 patches here. The patch actually closing the security issue here is part 3. ***
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The present bug is not AFAICS exploitable by itself. By itself, it's only allowing a client to crash the parent process, i.e. a mere DOS. But maybe the more worrying aspect of this bug is as a vector of exploiting other bugs. This bug allows making the compositor use untrusted memory buffers as sources i.e. it could be used to feed sensitive data into the compositor, and then exploit another bug to get at the compositor output, to read that sensitive data.
The present patch makes it quite clear how to use the vector (how to feed bad data to the compositor) but does not contain a hint about any other bug that this vector could be used on, to gain access to sensitive data.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No
Which older supported branches are affected by this flaw?
All of them.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No backport, and would be medium complexity to write.
How likely is this patch to cause regressions; how much testing does it need?
Medium risk. We're talking about backporting 3 patches here, that's not nothing.
Attachment #8378255 -
Flags: sec-approval?
Comment on attachment 8378257 [details] [diff] [review]
Part 2: in IPDL actors, initialize the mOtherProcess field to zero
Review of attachment 8378257 [details] [diff] [review]:
-----------------------------------------------------------------
::: ipc/ipdl/ipdl/lower.py
@@ +2884,5 @@
> [ ExprVar.THIS ]) ]),
> ExprMemberInit(p.lastActorIdVar(),
> [ p.actorIdInit(self.side) ]),
> + ExprMemberInit(p.otherProcessVar(),
> + [ ExprLiteral.ZERO ]),
Hm, 0 isn't really correct. We need to use -1 on POSIX, INVALID_HANDLE_VALUE on Windows. Something like http://mxr.mozilla.org/mozilla-central/source/ipc/chromium/src/base/platform_file.h#19
Attachment #8378257 -
Flags: review?(bent.mozilla) → review-
Updated•11 years ago
|
status-b2g18:
--- → affected
status-b2g-v1.1hd:
--- → affected
status-b2g-v1.2:
--- → affected
status-b2g-v1.3:
--- → affected
status-b2g-v1.3T:
--- → affected
status-b2g-v1.4:
--- → affected
status-firefox27:
--- → wontfix
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox30:
--- → affected
status-firefox-esr24:
--- → affected
tracking-firefox28:
--- → +
tracking-firefox29:
--- → +
tracking-firefox30:
--- → +
tracking-firefox-esr24:
--- → +
Comment 7•11 years ago
|
||
Comment on attachment 8378255 [details] [diff] [review]
Part 1: add an IsSameProcess method to ISurfaceAllocator
sec-approval+ for trunk.
We should get Aurora, Beta, and ESR24 patches for this after it goes into mozilla-central.
Attachment #8378255 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 8•11 years ago
|
||
Attachment #8378257 -
Attachment is obsolete: true
Attachment #8381042 -
Flags: review?(bent.mozilla)
Assignee | ||
Comment 9•11 years ago
|
||
Attachment #8378255 -
Attachment is obsolete: true
Attachment #8381044 -
Flags: review+
Assignee | ||
Comment 10•11 years ago
|
||
Comment on attachment 8378258 [details] [diff] [review]
Part 3: Make TextureHost::CreateIPDLActor check for bad MemoryTextures
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The patch gives away that MemoryTexture, which is essentially a same-process-IPC protocol to share plain pointers, doesn't check that the client really is same-process. In the parent process, MemoryTextures are used only by the compositor. So this patch gives away that an attacker can cause the compositor to use arbitrary pointers instead of the buffers that it should be reading from. However, that isn't an exploit by itself, because the output of the compositor is not exposed to attackers unless we have another flaw that would be a sec-high by itself. So the present bug is more like a vector to (considerably) worsen the impact of other sec-high's.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No
Which older supported branches are affected by this flaw?
All of them.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No, and I don't think we should worry about backporting select IPC fuzzing fixes like this until we've fixed the majority of our IPC security problems.
How likely is this patch to cause regressions; how much testing does it need?
Medium risk.
Attachment #8378258 -
Flags: sec-approval?
Assignee | ||
Comment 11•11 years ago
|
||
Updated•11 years ago
|
Attachment #8381042 -
Flags: review?(bent.mozilla) → review+
Updated•11 years ago
|
Comment 12•11 years ago
|
||
Comment on attachment 8378258 [details] [diff] [review]
Part 3: Make TextureHost::CreateIPDLActor check for bad MemoryTextures
sec-approval+ for trunk.
Attachment #8378258 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 13•11 years ago
|
||
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/490d3e8706c3
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/b4a5fe646f27
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/20c507b7615e
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/321b2a16f0d7
Comment 14•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/490d3e8706c3
https://hg.mozilla.org/mozilla-central/rev/b4a5fe646f27
https://hg.mozilla.org/mozilla-central/rev/20c507b7615e
https://hg.mozilla.org/mozilla-central/rev/321b2a16f0d7
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Comment 15•11 years ago
|
||
esr24- based on comment 10 and Andrew marking 24 as disabled.
Comment 16•11 years ago
|
||
If we were going to backport these to 1.2 and 1.3, that time was a long time ago.
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•