Issue metadata

Status: Verified
Owner:
Closed: Aug 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




Issue 141901: Security: mesa stack scribbling thingamadoo

Reported by miau...@gmail.com, Aug 10 2012

Issue description

VULNERABILITY DETAILS
https://bugzilla.mozilla.org/show_bug.cgi?id=777028


VERSION
Chrome Version: dev
Operating System: linux64bit

REPRODUCTION CASE
<html>
  <head>
    <script id="vshader" type="x-shader/x-vertex">
      void main()
      {
        vec4 x;
        gl_Position = x;
      }
    </script>

    <script id="fshader" type="x-shader/x-fragment">
      precision mediump float;
      // 29 is the smallest array size that triggers the crash (see comment 7);
      // each array entry counts as a separate sampler when the program is linked
      uniform sampler2D uni[29];
      void main()
      {
        vec4 c;
        for (int i = 0; i < 2; i++) {
          c += texture2D(uni[i], vec2(0));
        }
      }
    </script>
    <script>
      // Compile a shader from the text of a <script> element; compile status is
      // deliberately not checked, the repro only needs the shader object
      function loadShaderFromScript(gl, name, shaderType) {
        var shader = gl.createShader(shaderType)
        var shaderSource = document.getElementById(name).text
        gl.shaderSource(shader, shaderSource)
        gl.compileShader(shader)
        return shader
      }
      onload = function() {
        var gl = document.createElement('canvas').getContext("experimental-webgl")
        var program = gl.createProgram()
        gl.attachShader(program, loadShaderFromScript(gl, 'vshader', gl.VERTEX_SHADER))
        gl.attachShader(program, loadShaderFromScript(gl, 'fshader', gl.FRAGMENT_SHADER))
        // Attaching both shaders and linking is enough; the GPU process crash
        // reported below follows
        gl.linkProgram(program)
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: gpu + asan
Crash State: 
[3179:3179:1014762883:ERROR:sandbox_init_linux.cc(31)] InitializeSandbox() called with multiple threads in process gpu-process
[3179:3179:1014834080:ERROR:x11_util.cc(1273)] X Error detected: serial 31, error_code 8 (BadMatch (invalid parameter attributes)), request_code 72, minor_code 0 (X_PutImage)
ASAN:SIGSEGV
==3179== ERROR: AddressSanitizer crashed on unknown address 0x7fff00000187 (pc 0x7fffe74d0563 sp 0x7fffffff7410 bp 0x7fffdfef0a80 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7fffe74d0563 in ?? ??:0
Stats: 16M malloced (23M for red zones) by 77971 calls
Stats: 0M realloced by 291 calls
Stats: 10M freed by 60262 calls
Stats: 0M really freed by 0 calls
Stats: 64M (16392 full pages) mmaped in 16 calls
  mmaps   by size class: 8:81915; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:512; 15:128; 16:64; 17:32; 18:16;
  mallocs by size class: 8:69778; 9:5252; 10:824; 11:1200; 12:272; 13:70; 14:470; 15:52; 16:17; 17:30; 18:6;
  frees   by size class: 8:56175; 9:2820; 10:459; 11:173; 12:188; 13:40; 14:338; 15:41; 16:12; 17:14; 18:2;
  rfrees  by size class:
Stats: malloc large: 36 small slow: 294
Attachments: chromium1.html (1.1 KB), chromium1.txt (1.1 KB)

Comment 1 by scarybea...@gmail.com, Aug 10 2012

Labels: reward-topanel
Owner: jorgelo@chromium.org
Jorge, I wonder if you're interested in investigating this one?
From my brief reading of the Mozilla bug, it looks like it's crashing in the underlying Mesa driver code. Presumably this might affect ChromeOS in default configuration?

Comment 2 by scarybea...@gmail.com, Aug 10 2012

Cc: kbr@chromium.org

Comment 3 by kbr@chromium.org, Aug 10 2012

Cc: piman@chromium.org marc...@chromium.org zmo@chromium.org gman@chromium.org
Mozilla provided a test case for this and a patch to Firefox working around the bug, attached. We should probably integrate this workaround into Chrome.
Attachments: ff1.html (1.1 KB), fix-security (4.8 KB)

Comment 4 by miau...@gmail.com, Aug 10 2012

I should add, I do:

--skip-gpu-data-loading

and maybe --in-process-gpu to help crashing along.

Comment 5 by cdn@chromium.org, Aug 10 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Feature-GPU Feature-GPU-WebGL OS-Linux
Status: Assigned
Haven't been able to reproduce this locally yet. Seems reasonable to use Mozilla's workaround though.

Miaubiz, does this repro in Stable/Beta or just Dev?

Comment 6 by jorgelo@chromium.org, Aug 10 2012

Not repro-ing on Chrome OS ARM ToT-ish (that's what I had handy).

Comment 7 by miau...@gmail.com, Aug 10 2012

@c...: stable is affected also.

the number 29 in the file is a magical minimum number that causes the crash. somewhere around 65k is the maximum. you could try fiddling with that. sometimes I get a hang or chromium refuses to die.

here's the top of xdpyinfo:
name of display:    :0
version number:    11.0
vendor string:    The X.Org Foundation
vendor release number:    11103000
X.Org version: 1.11.3

ASAN:SIGSEGV
==6783== ERROR: AddressSanitizer crashed on unknown address 0x000700000007 (pc 0x000700000007 sp 0x7fffcd07a8f0 bp 0x000700000007 T22)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x700000007

Comment 8 by miau...@gmail.com, Aug 10 2012

also crashes non asan build:

[ 8139.464359] chromium-browse[977]: segfault at 700000007 ip 0000000700000007 sp 00007fffffff8ea0 error 14 in chromium-browser[555555554000+4ca9000]

and:

[ 8192.294499] chrome/21079: potentially unexpected fatal signal 11.
[ 8192.294552] RIP: 0033:[<0000000700000007>]  [<0000000700000007>] 0x700000006
[ 8192.294557] RSP: 002b:00007fffffffcdf0  EFLAGS: 00010206
[ 8192.294558] RAX: 0000000000000000 RBX: 0000000700000007 RCX: 0000000700000007
[ 8192.294559] RDX: 0000000700000007 RSI: 000055555a6c8130 RDI: 000055555a6629b0
[ 8192.294560] RBP: 0000000700000007 R08: 0000000000000034 R09: 0101010101010101
[ 8192.294561] R10: 0000000000000001 R11: 00007ffff1f8e4d0 R12: 0000000700000007
[ 8192.294562] R13: 0000000700000007 R14: 0000000700000007 R15: 0000000700000007
[ 8192.294564] FS:  00007ffff7fb29c0(0000) GS:ffff88082fd40000(0000) knlGS:0000000000000000
[ 8192.294565] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8192.294566] CR2: 0000000700000007 CR3: 00000007cdd8f000 CR4: 00000000000406e0
[ 8192.294567] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8192.294569] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

Comment 9 by marc...@chromium.org, Aug 10 2012

@comment 6 you won't repro on ARM which doesn't use mesa

Comment 10 by cdn@chromium.org, Aug 13 2012

Labels: SecImpacts-Stable SecImpacts-Beta
Setting impacts flags based on comment #7

Comment 11 by jorgelo@chromium.org, Aug 13 2012

I'm getting GPU process crashes on ToT Chrome OS on lumpy (x86) with both repros =(. GPU peeps, where in Chrome would one add a check for the number of samplers passed to Mesa?

Comment 12 by piman@chromium.org, Aug 13 2012

Lacking context (don't have access to the mozilla bug). What do you mean "number of samplers passed to mesa"?

Comment 13 by kbr@chromium.org, Aug 13 2012

I think the best place would be in ProgramManager::ProgramInfo::Link or nearby, in src/gpu/command_buffer/service/program_manager.cc.

Comment 14 by jorgelo@chromium.org, Aug 13 2012

My context is the same as yours =/. The workaround patch for FF (included in c#3) talks about samplers passed to Mesa:

(From the patch in c#3)

"""
+    //  bug 777028 
+    // Mesa can't handle more than 16 samplers per program, counting each array entry.
+    if (mIsMesa) {
+        if (program->UpperBoundNumSamplerUniforms() > 16) {
+            GenerateWarning("Programs with more than 16 samplers are disallowed on Mesa drivers "
+                            "to avoid a Mesa crasher.");
+            program->SetLinkStatus(false);
+            return;
+        }
+    }
"""

Comment 15 by piman@chromium.org, Aug 13 2012

So you want to disallow programs that use >16 samplers?
As kbr said, you want to hook that in ProgramManager::ProgramInfo::Link and fail the compilation. How are you going to count samplers though? In the preprocessing/validation step done by ANGLE?

Comment 16 by jorgelo@chromium.org, Aug 13 2012

piman: I have no idea ;-) first step was to try and use the workaround to confirm the bug.

Comment 17 by jorgelo@chromium.org, Aug 13 2012

One more question: running the repro shows a lot of crashes in about:gpu, but none of them show up on about:crashes. Is that expected behaviour? This is an official Chrome OS build with crash reporting enabled (e.g. about:crash shows up in about:crashes and in http://crash).

Comment 18 by kbr@chromium.org, Aug 13 2012

Cc: vangelis@chromium.org jbates@chromium.org
I don't know whether the fact that GPU process crashes don't show up in about:crashes is accidental or by design, but it's certainly annoying when diagnosing problems like this. jbates, should we file a bug about that?

Comment 19 by jbates@chromium.org, Aug 14 2012

I've never used about:crash, but based on the name it seems like it should include all chrome process crashes.

Comment 20 by miau...@gmail.com, Aug 14 2012

I don't know what a sampler is, but the number of samplers >16 is referring to this line:

      uniform sampler2D uni[29];

where 29 is the number of samplers in the example.

Comment 21 by piman@chromium.org, Aug 14 2012

Right, but to extract that number out of the shader source code, you need to parse it. Even if you let GL compile it (is it where it crashes? or on use?), it still doesn't have an API to give you that info.

So to workaround the problem in Chrome, we need to parse the shader code ourselves (using ANGLE?), extract the information, and decide that there's too many samplers and give up.

Alternatively we can fix the problem in the driver in Mesa, and backport in Chrome OS. On linux we can blacklist mesa drivers (don't we already?) prior to the version that has the fix.
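
Comments 14 through 21 turn on how a browser could count the sampler uniforms in a program before handing it to Mesa. The following is an added example, not code from Chromium, Mozilla or Mesa: a JavaScript pre-link guard that scans GLSL ES source for `uniform sampler*` declarations, counts every array entry the way the quoted Firefox workaround describes, and refuses to link a program whose total exceeds the limit. The limit of 16 is taken from that patch's comment; the function names, the shader samples (one is the fragment shader from the report) and the fail-closed handling of unresolvable array sizes are this example's own assumptions.

```javascript
// Added example (not from the bug, Chromium, Mozilla or Mesa): count sampler
// uniforms in shader source and gate linking on a per-program sampler limit.
// All names below are assumptions made for this illustration.

const MESA_SAMPLER_LIMIT = 16; // limit stated in the Firefox workaround quoted in comment 14

// Strip /* */ and // comments so a commented-out declaration is not counted.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/\/\/[^\n]*/g, ' ');
}

// Resolve an array size: a decimal literal or a #define collected from the
// same source. Returns NaN when it cannot be resolved.
function resolveArraySize(expr, defines) {
  const e = expr.trim();
  if (/^\d+$/.test(e)) return parseInt(e, 10);
  if (Object.prototype.hasOwnProperty.call(defines, e)) return defines[e];
  return NaN;
}

// Count sampler uniforms in one GLSL ES 1.00 shader, counting each array
// element separately (like UpperBoundNumSamplerUniforms in the quoted patch).
// Throws on an unresolvable size: an unknown count must fail closed.
function countSamplerUniforms(source) {
  const src = stripComments(source);
  const defines = {};
  for (const m of src.matchAll(/#define\s+(\w+)\s+(\d+)/g)) {
    defines[m[1]] = parseInt(m[2], 10);
  }
  let total = 0;
  // "uniform [precision] samplerXXX a, b[4], c;" -> capture the declarator list
  const decl = /\buniform\b\s+(?:(?:lowp|mediump|highp)\s+)?sampler\w*\s+([^;]+);/g;
  for (const m of src.matchAll(decl)) {
    for (const declarator of m[1].split(',')) {
      const arr = declarator.match(/\[\s*([^\]]+)\s*\]/);
      if (!arr) { total += 1; continue; }
      const n = resolveArraySize(arr[1], defines);
      if (!Number.isFinite(n)) {
        throw new Error(`unresolved sampler array size: ${declarator.trim()}`);
      }
      total += n;
    }
  }
  return total;
}

// Program-level policy. Summing both stages over-counts a sampler declared in
// both, which keeps this an upper bound: the guard only ever errs towards refusing.
function checkProgramSamplerBudget(vertexSrc, fragmentSrc, limit = MESA_SAMPLER_LIMIT) {
  const total = countSamplerUniforms(vertexSrc) + countSamplerUniforms(fragmentSrc);
  return { total, limit, allowed: total <= limit };
}

// Drop-in replacement for gl.linkProgram on a WebGL context: returns false
// without touching the driver when the program is over budget.
function linkProgramGuarded(gl, program, vertexSrc, fragmentSrc, limit = MESA_SAMPLER_LIMIT) {
  const verdict = checkProgramSamplerBudget(vertexSrc, fragmentSrc, limit);
  if (!verdict.allowed) {
    console.warn(`refusing to link: ${verdict.total} samplers > limit ${verdict.limit}`);
    return false;
  }
  gl.linkProgram(program);
  return Boolean(gl.getProgramParameter(program, gl.LINK_STATUS));
}

// Constructed sample inputs. The first two are the shaders from the report.
const VERTEX_FROM_REPORT = `
void main() { vec4 x; gl_Position = x; }
`;
const FRAGMENT_FROM_REPORT = `
precision mediump float;
uniform sampler2D uni[29];
void main() { vec4 c; for (int i = 0; i < 2; i++) { c += texture2D(uni[i], vec2(0)); } }
`;
const BENIGN_FRAGMENT = `
precision mediump float;
#define SHADOW_CASCADES 3
uniform lowp sampler2D albedo, normals[2];
/* uniform samplerCube disabled[8]; */
uniform sampler2DShadow shadow[SHADOW_CASCADES];
uniform vec4 tint; // uniform sampler2D notASampler;
void main() { gl_FragColor = tint; }
`;

console.log(checkProgramSamplerBudget(VERTEX_FROM_REPORT, FRAGMENT_FROM_REPORT));
console.log(checkProgramSamplerBudget(VERTEX_FROM_REPORT, BENIGN_FRAGMENT));
```

The scan is intentionally conservative: it rejects on any declaration it cannot size and double-counts a sampler declared in both stages, so it can refuse a valid program but never lets an over-budget one reach the driver. In Chrome the natural home for such a check is the link path named in comment 13, using ANGLE's uniform information rather than a regex over raw source.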

Comment 22 by zmo@chromium.org, Aug 14 2012

We actually let out 8.* mesa drivers in Linux on a bunch of Intel GPUs as they pass most WebGL conformance tests.

Comment 23 by marc...@chromium.org, Aug 15 2012

Attached is the mesa fix. I also have a Chrome OS fix ready.

What's the next step? I can push it to mesa git, but I'm wondering if everyone is ok with that given that this bug is handled in a private manner.
Attachment: 8.1-array-overflow.patch (486 bytes)

Comment 24 by kbr@chromium.org, Aug 15 2012

I'd say just put the fix out there. It will have to be integrated at some point.

Are you sure that's the correct fix, though? Just clamping the sampler's uniform location doesn't seem right to me -- if the shader requests more samplers than the implementation supports then something should fail (probably program linking?), not silently succeed but render incorrectly.

Comment 25 by marc...@chromium.org, Aug 15 2012

Well, the MAX_SAMPLERS limit is mesa-wide. We can't just return more than MAX_SAMPLERS samplers and expect the rest of the stack to work. In the end I think there are two issues:
- we run past the end of the sampler array
- we don't have enough samplers

The patch fixes #1, we (mesa) can still bump MAX_SAMPLERS in the future.

Comment 26 by marc...@chromium.org, Aug 15 2012

Oh and of course, bumping MAX_SAMPLERS will have interesting consequences in the drivers, so it's no simple matter. That's the reason I don't want to handle this here.

Comment 27 by jorgelo@chromium.org, Aug 15 2012

Do we need to do something on our side to pull the new Mesa version once the fix is applied upstream?

Comment 28 by bugdroid1@chromium.org, Aug 15 2012

Project Member
Commit: 4f4ddfd4bd68b72ba4cb9706c7a17d1af96e1386
 Email: marcheu@chromium.org

Mesa: Add a fix for mesa sampler array overflow.

Fixes a crash when we have too many samplers.

BUG= chromium:141901 
TEST=by hand

Change-Id: I4bfb9ad5ff8bfe7db0079e95fa04dac336b59bb7
Reviewed-on: https://gerrit.chromium.org/gerrit/30364
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>

A	media-libs/mesa/files/8.1-array-overflow.patch
D	media-libs/mesa/mesa-8.1.0-r8.ebuild
A	media-libs/mesa/mesa-8.1.0-r9.ebuild
M	media-libs/mesa/mesa-9999.ebuild

Comment 29 by jorgelo@chromium.org, Aug 15 2012

Cc: sumit@chromium.org ddrew@chromium.org
Labels: Merge-Requested
We should merge this to 22 and 21.

Comment 30 by scarybea...@gmail.com, Aug 15 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify SecSeverity-Critical Mstone-21
Status: FixUnreleased
Jorge, I'm going to mark this Critical, since stable Chrome OS does not have a GPU sandbox at this time.

Am I correct that we use Critical in Chrome OS for bugs that manifest in the chronos user account? Of course, this bug isn't enough to silently persist past a reboot, but it could mess with the browser profile and install extensions, right?

Comment 31 by jorgelo@chromium.org, Aug 15 2012

That sounds correct, although with the Pwnium changes to the extension workflow I'm not sure a completely unattended extension install is possible. However, it might be possible to mess with the default extensions list or stuff like that.

Critical seems to be consistent with code execution for the chronos user account. Maybe we need a new category for bugs which allow persistence in Chrome OS, but that's another discussion.

Comment 33 by ddrew@chromium.org, Aug 15 2012

Cc: benhenry@chromium.org josa...@chromium.org

Comment 34 by jorgelo@chromium.org, Aug 16 2012

TPMs for 21 and 22, I can haz Merge-Approved?

Comment 35 by scarybea...@gmail.com, Aug 16 2012

Labels: -Merge-Requested Merge-Approved
This is a critical bug, so I'm approving it.

We should get the fix out sooner rather than later. Jorge, when is the next M21 patch for Chrome OS ? Who will merge this?

Comment 36 by jorgelo@chromium.org, Aug 16 2012

M21 refresh is next week, the CL's to merge are up, I'll submit them.

Comment 37 by jorgelo@chromium.org, Aug 17 2012

Labels: -Merge-Approved Merge-Merged
Merged to 21 and 22 after getting green trybot runs.

Comment 38 by bugdroid1@chromium.org, Aug 17 2012

Project Member
Commit: 372964830d5b6463002a0e8197d4bc4a89c35c73
 Email: marcheu@chromium.org

Mesa: Add a fix for mesa sampler array overflow.

Fixes a crash when we have too many samplers.

BUG= chromium:141901 
TEST=by hand

Change-Id: Ie776b7cbdc756b53bfffa11b5f9041f7d63f2333
Reviewed-on: https://gerrit.chromium.org/gerrit/30364
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/30433
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

A	media-libs/mesa/files/8.1-array-overflow.patch
D	media-libs/mesa/mesa-8.1.0-r7.ebuild
A	media-libs/mesa/mesa-8.1.0-r8.ebuild
M	media-libs/mesa/mesa-9999.ebuild

Comment 39 by ddrew@chromium.org, Aug 17 2012

Labels: -OS-Linux OS-Chrome Mstone-22

Comment 40 by bugdroid1@chromium.org, Aug 20 2012

Project Member
Commit: 42836814473ecb24fed6a21a792734ef7f5ba60b
 Email: marcheu@chromium.org

Mesa: Add a fix for mesa sampler array overflow.

Fixes a crash when we have too many samplers.

BUG= chromium:141901 
TEST=by hand

Change-Id: Id7bfacf83ee1c10855dd746b4870ccce205ff079
Reviewed-on: https://gerrit.chromium.org/gerrit/30364
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/30434
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

A	media-libs/mesa/files/8.1-array-overflow.patch
D	media-libs/mesa/mesa-8.1.0-r8.ebuild
A	media-libs/mesa/mesa-8.1.0-r9.ebuild
M	media-libs/mesa/mesa-9999.ebuild

Comment 41 by scarybea...@gmail.com, Aug 20 2012

Labels: -reward-topanel reward-3133 reward-unpaid
@miaubiz: very interesting bug you found here. The new seccomp-BPF stuff we have mitigates this down to "High" but given that M21 doesn't (AFAIK) have it turned on, we're going to pay out at the $3133.7 level -- congrats :)

If you wanted to spend more time fuzzing against the Mesa GPU backend, it could be profitable? I'm not sure anyone has written a kick-ass grammar-based fuzzer yet?

Comment 42 by scarybea...@gmail.com, Aug 21 2012

Labels: CVE-2012-2864

Comment 43 by jorgelo@chromium.org, Aug 22 2012

Status: Fixed
Marking as fixed since we started pushing R21 today with the fix.

Comment 44 by krisr@chromium.org, Aug 22 2012

Cc: bhaveshmm@chromium.org

Comment 45 by bhaveshmm@chromium.org, Aug 22 2012

Cc: krisr@chromium.org
Labels: PendingDev-Feedback
Are there any QA steps for verification?

Comment 46 by miau...@gmail.com, Aug 29 2012

I am still seeing this if I reload the tab quickly or open multiple tabs with the repro
Attachment: wtfgl.html (1.2 KB)

Comment 47 by miau...@gmail.com, Aug 29 2012

ASAN:SIGSEGV
=================================================================
==11483== ERROR: AddressSanitizer crashed on unknown address 0x7fff00000187 (pc 0x7fffe74c55c8 sp 0x7fffffff6ed0 bp 0x7fffdffa8e80 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fffe74c55c8 (/usr/lib/x86_64-linux-gnu/dri/libglsl.so+0x6c5c8)
Stats: 16M malloced (22M for red zones) by 74949 calls
Stats: 0M realloced by 291 calls
Stats: 9M freed by 57231 calls
Stats: 0M really freed by 0 calls
Stats: 64M (16392 full pages) mmaped in 16 calls
  mmaps   by size class: 8:81915; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:512; 15:128; 16:64; 17:32; 18:16; 
  mallocs by size class: 8:66753; 9:5252; 10:826; 11:1201; 12:272; 13:70; 14:470; 15:52; 16:17; 17:30; 18:6; 
  frees   by size class: 8:53144; 9:2820; 10:458; 11:174; 12:188; 13:40; 14:338; 15:41; 16:12; 17:14; 18:2; 
  rfrees  by size class: 
Stats: malloc large: 36 small slow: 288
==11483== ABORTING

Comment 48 by jorgelo@chromium.org, Aug 29 2012

miaubiz: This was only fixed on Chrome OS. Are you testing on Chrome OS?

Comment 49 by scarybea...@gmail.com, Aug 29 2012

I'm not sure miaubiz has a ChromeOS device? That's an oversight I intend to fix one day :)

Comment 50 by miau...@gmail.com, Aug 30 2012

@jorg: ok. thanks. this is going to be a pain going forward :|

Comment 51 by jorgelo@chromium.org, Aug 30 2012

miaubiz: I don't disagree ;-). Our GPU stack did not expose the number of samplers in a way accessible from Chrome code, so that's why the fix had to go in Mesa.

The good thing is that we're upstreaming to Mesa in parallel with fixing in Chrome OS.

Most of these bugs should also reproduce in Chromium OS, which you can run in a VM using Hexxeh's images.

Comment 52 by scarybea...@gmail.com, Sep 12 2012

Labels: -reward-unpaid

Comment 53 by krisr@chromium.org, Sep 19 2012

Status: Verified

Comment 54 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-Internals -Feature-GPU -Feature-GPU-WebGL -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Critical -Mstone-21 -Mstone-22 Cr-Internals-GPU-WebGL Cr-Internals-GPU Security-Impact-Stable Security-Impact-Beta M-22 M-21 Cr-Internals Type-Bug-Security Security-Severity-Critical

Comment 55 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 56 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 57 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Critical Security_Severity-Critical

Comment 58 by bugdroid1@chromium.org, Apr 10 2013

Project Member
Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL

Comment 59 by jsc...@chromium.org, Nov 18 2013

Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Comment 60 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 61 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 62 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 63 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 64 by bugdroid1@chromium.org, Jul 26 2017

Project Member
Labels: merge-merged-arc-17.2.0-pre1
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/mesa/+/4a87b3221cabe0ae76ac0ed017bbc7e86a88a90e

commit 4a87b3221cabe0ae76ac0ed017bbc7e86a88a90e
Author: Stéphane Marchesin <marcheu@chromium.org>
Date: Wed Jul 26 01:34:20 2017

CHROMIUM: glsl: Avoid crash when overflowing the samplers array

Fixes a crash when we have too many samplers.

BUG= chromium:141901 
TEST=by hand

Signed-off-by: Prince Agyeman <prince.agyeman@intel.com>
Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
Signed-off-by: James Ausmus <james.ausmus@intel.com>
(applied manually from src/third_party/media-libs/mesa/files)

BUG=b:33533853
TEST=No CTS regressions on Cyan and Reef.

Signed-off-by: Tomasz Figa <tfiga@chromium.org>
Change-Id: I5a997d65080fee8f4536cca86f06a38af3786682
Reviewed-on: https://chromium-review.googlesource.com/558122
Reviewed-by: Chad Versace <chadversary@chromium.org>

[modify] https://crrev.com/4a87b3221cabe0ae76ac0ed017bbc7e86a88a90e/src/compiler/glsl/link_uniforms.cpp

Comment 65 by bugdroid1@chromium.org, Nov 22 2017

Project Member
Labels: merge-merged-arc-17.3.0-rc5
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/mesa/+/403ab711523bc8cdb054f9c31b2ac9025ff4f74a

commit 403ab711523bc8cdb054f9c31b2ac9025ff4f74a
Author: Stéphane Marchesin <marcheu@chromium.org>
Date: Wed Nov 22 15:45:37 2017

CHROMIUM: glsl: Avoid crash when overflowing the samplers array

Fixes a crash when we have too many samplers.

BUG= chromium:141901 
TEST=by hand

Signed-off-by: Prince Agyeman <prince.agyeman@intel.com>
Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
Signed-off-by: James Ausmus <james.ausmus@intel.com>
(applied manually from src/third_party/media-libs/mesa/files)

BUG=b:33533853
TEST=No CTS regressions on Cyan and Reef.

Signed-off-by: Tomasz Figa <tfiga@chromium.org>
Change-Id: I5a997d65080fee8f4536cca86f06a38af3786682
Reviewed-on: https://chromium-review.googlesource.com/558122
Reviewed-by: Chad Versace <chadversary@chromium.org>
(cherry picked from commit 4a87b3221cabe0ae76ac0ed017bbc7e86a88a90e)

BUG=b:69553386
TEST=No regressions on Eve in `cts-tradefed run cts -m CtsDeqpTestCases`.

Change-Id: I9eafec1dee5ee2e9b156cffa4731212d83585240
Reviewed-on: https://chromium-review.googlesource.com/780785
Tested-by: Chad Versace <chadversary@chromium.org>
Commit-Queue: Chad Versace <chadversary@chromium.org>
Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>

[modify] https://crrev.com/403ab711523bc8cdb054f9c31b2ac9025ff4f74a/src/compiler/glsl/link_uniforms.cpp

Comment 66 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Comment 67 by bugdroid1@chromium.org, Jul 12 2018

Project Member
Labels: merge-merged-arc-18.2.0-pre1
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/mesa/+/f408dc0e460edad50f1ef8032628c885604881f4

commit f408dc0e460edad50f1ef8032628c885604881f4
Author: Stéphane Marchesin <marcheu@chromium.org>
Date: Thu Jul 12 18:17:20 2018

CHROMIUM: glsl: Avoid crash when overflowing the samplers array

Fixes a crash when we have too many samplers.

BUG= chromium:141901 
TEST=by hand

Signed-off-by: Prince Agyeman <prince.agyeman@intel.com>
Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
Signed-off-by: James Ausmus <james.ausmus@intel.com>
(cherry picked from commit 403ab711523bc8cdb054f9c31b2ac9025ff4f74a)

BUG=b:77235812
TEST=emerge-grunt arc-mesa; emerge-eve arc-mesa

Change-Id: I8ffebdae3bdab68da4277193fe367959ab719796
Reviewed-on: https://chromium-review.googlesource.com/1105702
Commit-Queue: Chad Versace <chadversary@chromium.org>
Tested-by: Chad Versace <chadversary@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>

[modify] https://crrev.com/f408dc0e460edad50f1ef8032628c885604881f4/src/compiler/glsl/link_uniforms.cpp
