Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Heap-buffer-overflow in gpu::gles2::GLES2Implementation::TexSubImage2DImpl
Project Member Reported by infe...@chromium.org, May 18 2012
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=48150599

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f23520b525d
Crash State:
  - crash stack -
  gpu::gles2::GLES2Implementation::TexSubImage2DImpl
  gpu::gles2::GLES2Implementation::TexSubImage2D
  WebCore::WebGLRenderingContext::texSubImage2DImpl
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=137400:137414

Minimized Testcase (0.48 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95UO38-nFG2hi-YWcJwVtPB9fJtXhTERzBLqmW6G8qSljwVZuCRGw2cgeqgilXyEfM0sY9PsXpaeEJW2XKT8hjO-dzaYQ5yLTsL0PTNCZo6Ug_XgeRSz9wIvzZ6qP4oHPQBUzzZ-dIld9oRTVQSExI7_pnIaQ
><script src=resources/webgl-test.js></script>
<script src=resources/webgl-test-utils.js></script>
>><canvas id=c width='1639%"'>>>>>><script>
var wtu = WebGLTestUtils;
var canvas = document.getElementById("testbed");
var gl = wtu.create3DContext(canvas);
var tex = gl.createTexture();
gl.bindTexture(gl.TEXTURE_2D, tex);
gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_SHORT_4_4_4_4, c);
gl.texSubImage2D(gl.TEXTURE_2D, 0, 0,0, gl.RGBA, gl.UNSIGNED_SHORT_4_4_4_4, c);
</script>
>
 
Owner: kbr@chromium.org
Status: Assigned
Ken, can you please help with an owner for this.
Labels: -SecSeverity-High SecSeverity-Critical
Gpu command buffer and memcpy, sounds critical to me.
Comment 3 by kbr@chromium.org, May 18 2012
Cc: zmo@chromium.org kbr@chromium.org gman@chromium.org jbau...@chromium.org apatrick@chromium.org jbates@chromium.org
Owner: vangelis@chromium.org
Assigning to vangelis to redispatch and CC'ing a few people who might be able to pick it up tomorrow while Gregg's out.

Comment 4 by kbr@chromium.org, May 18 2012
Cc: vangelis@chromium.org
Owner: kbr@chromium.org
Actually, this is probably caused by WebKit revision 117191, if it is really a regression -- but the previous code was incorrect, so it's hard to believe that this wasn't happening before. Taking this back.

Labels: -SecImpacts-None -Mstone-20 SecImpacts-Stable Mstone-19 SecImpacts-Beta
Based on Ken's last comment, it is better to change the milestone and take up this fix.
Comment 6 by jsc...@chromium.org, May 18 2012
@aarya - None of this seems to involve browser code. Why do you think it's SecSeverity-Critical?
Comment 7 by kbr@chromium.org, May 18 2012
Correct; this out-of-bounds read is in the renderer process.

Labels: -SecSeverity-Critical SecSeverity-High
My bad, sorry.
Comment 9 by kbr@chromium.org, May 18 2012
Here's the detailed stack trace from ASAN:


==32736== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fb06caa825d at pc 0x7fb08634193c bp 0x7fffcba3f780 sp 0x7fffcba3f778
READ of size 1 at 0x7fb06caa825d thread T0
    #0 0x7fb08634193c in gpu::gles2::GLES2Implementation::TexSubImage2DImpl(unsigned int, int, int, int, int, int, unsigned int, unsigned int, unsigned int, void const*, unsigned int, unsigned char, gpu::ScopedTransferBufferPtr*, unsigned int) ???:0
    #1 0x7fb086341eb7 in gpu::gles2::GLES2Implementation::TexSubImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) ???:0
    #2 0x7fb08b1c2334 in WebCore::WebGLRenderingContext::texSubImage2DImpl(unsigned int, int, int, int, unsigned int, unsigned int, WebCore::Image*, bool, bool, int&) ???:0
    #3 0x7fb08b1c32c1 in WebCore::WebGLRenderingContext::texSubImage2D(unsigned int, int, int, int, unsigned int, unsigned int, WebCore::HTMLCanvasElement*, int&) ???:0
    #4 0x7fb088c644d6 in WebCore::WebGLRenderingContextV8Internal::texSubImage2DCallback(v8::Arguments const&) gen/webkit/bindings/V8DerivedSources19.cpp:0

Comment 10 by kenrb@chromium.org, May 18 2012
Why is this OOB read SecSeverity-High? I thought these were usually rated as Medium.
Isn't this a size overflow in memcpy? I guessed it from the code: http://code.google.com/codesearch#OAMlx_jo-ck/src/gpu/command_buffer/client/gles2_implementation.cc&l=1663
Comment 12 by kenrb@chromium.org, May 18 2012
It could be, but the size for the destination buffer allocation is computed using the same calculation in TexSubImage2DImpl(), so it wouldn't overflow if that were the case; so far it's just overrunning the source buffer. We could leave it as high and then reduce once we have a more thorough analysis, if it turns out to have no potential for write overrun.
Labels: -SecSeverity-High SecSeverity-Medium
If we think it's a medium then we can keep it flagged as such for now. If it turns out to be high on analysis, then that's probably the best time to bump it up.
Comment 14 by gman@chromium.org, May 19 2012
I haven't looked at the code but I'm 99% sure this is a bug in the caller, not in GLES2Implementation. GLES2Implementation is implementing the OpenGL ES 2.0 API which is not a safe API. If you pass it bad pointers or bad sizes it will attempt to call memcpy with bad addresses. There's nothing it can do to verify the addresses are safe. It's up to the caller, just like it's up to the caller to use memcpy correctly.
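
The caller-side check that comments 12 and 14 describe, as an added illustration that is not Chromium's GLES2Implementation or WebKit code: compute how many source bytes a width x height upload of the testcase's RGBA/UNSIGNED_SHORT_4_4_4_4 data will read (including GL_UNPACK_ALIGNMENT row padding) and refuse the memcpy unless the pixel buffer really holds that many bytes. The GL enum values are real GLES2 constants redefined locally so the file compiles stand-alone; the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local copies of the GLES2 enum values used on this page (so the file is
 * self-contained); the functions below are an added illustration, not
 * Chromium's GLES2Implementation code. */
#define GL_RGBA                   0x1908
#define GL_UNSIGNED_BYTE          0x1401
#define GL_UNSIGNED_SHORT_4_4_4_4 0x8033

/* Bytes per pixel for the (format, type) pairs of interest; 0 = unsupported. */
static size_t bytes_per_pixel(unsigned format, unsigned type) {
    if (format != GL_RGBA) return 0;
    if (type == GL_UNSIGNED_BYTE) return 4;
    if (type == GL_UNSIGNED_SHORT_4_4_4_4) return 2;
    return 0;
}

/* Number of source bytes a width x height upload reads: every row but the
 * last is padded up to GL_UNPACK_ALIGNMENT. Returns false on bad arguments
 * or size_t overflow instead of silently producing a wrapped (too small) size. */
bool image_size_bytes(int width, int height, unsigned format, unsigned type,
                      unsigned alignment, size_t *out) {
    size_t bpp = bytes_per_pixel(format, type);
    if (width <= 0 || height <= 0 || bpp == 0 ||
        (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8))
        return false;
    size_t row = (size_t)width * bpp;
    if (row / bpp != (size_t)width) return false;            /* width * bpp wrapped */
    size_t padded = (row + alignment - 1) & ~((size_t)alignment - 1);
    if (padded < row) return false;                           /* padding wrapped */
    size_t rows = (size_t)height - 1;
    if (rows > (SIZE_MAX - row) / padded) return false;       /* rows * padded + row wrapped */
    *out = rows * padded + row;
    return true;
}

/* The caller-side check the comments call for: the copy happens only when
 * both the pixel source and the destination really hold the whole image. */
bool checked_tex_sub_image_2d(unsigned char *dst, size_t dst_len,
                              const unsigned char *src, size_t src_len,
                              int width, int height, unsigned format,
                              unsigned type, unsigned alignment) {
    size_t need;
    if (!image_size_bytes(width, height, format, type, alignment, &need))
        return false;
    if (need > src_len || need > dst_len) return false;  /* memcpy would overrun */
    memcpy(dst, src, need);
    return true;
}
```

A 4x3 UNSIGNED_SHORT_4_4_4_4 image needs 24 bytes; a source buffer one byte shorter is rejected instead of being over-read as in the ASAN report above.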

Comment 15 by kbr@chromium.org, May 21 2012
Labels: WebKit-ID-86877
Project Member Comment 16 by bugdroid1@chromium.org, May 21 2012
Labels: -WebKit-ID-86877 WebKit-ID-86877-ASSIGNED
https://bugs.webkit.org/show_bug.cgi?id=86877
Project Member Comment 17 by bugdroid1@chromium.org, May 22 2012
Labels: -WebKit-ID-86877-ASSIGNED WebKit-ID-86877-RESOLVED WebKit-Rev-117918
https://bugs.webkit.org/show_bug.cgi?id=86877
http://trac.webkit.org/changeset/117918
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Mstone-19 Mstone-20
A bit fresh for M19! Can go to M20.
Project Member Comment 20 by clusterf...@chromium.org, May 23 2012
ClusterFuzz has detected this issue as fixed in range 138307:138403.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=48150599

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f23520b525d
Crash State:
  - crash stack -
  gpu::gles2::GLES2Implementation::TexSubImage2DImpl
  gpu::gles2::GLES2Implementation::TexSubImage2D
  WebCore::WebGLRenderingContext::texSubImage2DImpl
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=137400:137414
Fixed: https://cluster-fuzz.appspot.com/revisions?range=138307:138403

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95UO38-nFG2hi-YWcJwVtPB9fJtXhTERzBLqmW6G8qSljwVZuCRGw2cgeqgilXyEfM0sY9PsXpaeEJW2XKT8hjO-dzaYQ5yLTsL0PTNCZo6Ug_XgeRSz9wIvzZ6qP4oHPQBUzzZ-dIld9oRTVQSExI7_pnIaQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Comment 21 by kbr@chromium.org, May 23 2012
Labels: -Merge-Approved merge-merged-1132
Merged to M20 in https://chromiumcodereview.appspot.com/10441002 / http://trac.webkit.org/changeset/118259 .
Comment 22 by kbr@chromium.org, Jun 4 2012
Cc: dharani@chromium.org
Labels: CVE-2012-2826
Project Member Comment 24 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed
Project Member Comment 26 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -SecImpacts-Stable -Mstone-20 -Stability-AddressSanitizer -SecImpacts-Beta Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-20 Performance-Memory-AddressSanitizer
Project Member Comment 27 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 28 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 30 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 31 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 32 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 33 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 34 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 35 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 36 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 37 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic