Bad-cast to blink::WebGLObject from invalid vptr; blink::WebGLProgram::deleteObjectImpl; blink::WebGLSharedObject::detachContextGroup
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6615220550369280
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x3b04349f64c8
Crash State:
  Bad-cast to blink::WebGLObject from invalid vptr
  blink::WebGLProgram::deleteObjectImpl
  blink::WebGLSharedObject::detachContextGroup
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=397239:397396
Minimized Testcase (48.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95kX5MiywnM4H8j-2XEIWWuFE8HNHRTZihKhWvT4oCntz-hFhpQqAMUpAhirAy24aU2HuJ8qiSpVnNopVEtplAa4hJuOZdyNMlvgjomW-ucLs_TgflH9yZLhAB6AsLrFqD6oxcIlZ-NLicCGBZSdcD9lU1g3s-ZOTz0lbMpTyw54o72g1A
Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2016

Jun 12 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 12 2016

Jun 13 2016

Jun 13 2016

Jun 13 2016
There haven't been significant changes to the WebGL context teardown code recently. How reproducible is this with the given test case? What kind of build is needed? ubsan_vptr=1 per https://dev.chromium.org/developers/testing/undefinedbehaviorsanitizer ? Is this supported in GN yet?
Jun 18 2016
Yes, this is supported in GN and that wiki gives instructions. This is fully reproducible with content_shell, see command line in report.
Jun 19 2016
Let me take a look.
Jun 19 2016
Not able to reproduce locally w/ original & minimized testcase (after having added some object-size suppressions against libc). vptr errors are against calling onDetached() on WebGLProgram::m_vertexShader and ::m_fragmentShader. WebGLProgram keeps those traced & alive, so they can't have been finalized prematurely somehow.
Jun 20 2016
inferno@: https://bugs.chromium.org/p/chromium/issues/detail?id=609786 seems to suggest that you need to build with is_ubsan_security set to 'true' - still the case?
Jun 20 2016
If I do rebuild with is_ubsan_security=true, then I trip up on an ubsan crash when running the testcase:

Received signal 11 SEGV_MAPERR 000000000018
#0 0x0000066bbebc base::debug::StackTrace::StackTrace()
#1 0x0000066bb607 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f02fcf34330 <unknown>
#3 0x7f0303737e1b __dynamic_cast
#4 0x0000004e03b6 __ubsan::checkDynamicType()
#5 0x0000004df4a2 HandleDynamicTypeCacheMiss()
#6 0x0000004df472 __ubsan_handle_dynamic_type_cache_miss
#7 0x7f02f4f466ee <unknown>
#8 0x7f02f4d73992 <unknown>
#9 0x7f02f4ce0fb1 <unknown>
#10 0x000000e09399 gpu::gles2::Shader::DoCompile()
#11 0x000000d0781a gpu::gles2::GLES2DecoderImpl::DoGetShaderiv()
#12 0x000000c54a98 gpu::gles2::GLES2DecoderImpl::HandleGetShaderiv()
#13 0x000000ccc5d1 gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<>()
#14 0x000000bd63bf gpu::CommandParser::ProcessCommands()
#15 0x000000bdab6e gpu::CommandExecutor::PutChanged()

Seems to uniformly fail on first shader compile; built with a toolchain that's been built locally wrt local clang ToT (r270823). (The comment on #10 was relative to using the supplied build on the crash report and a local toolchain, btw.)

The above crash prevents investigation, but data so far seems to point to this being a build/ubsan issue wrt the recently enabled vptr checks (issue 609786)? These shader objects have the expected type and if they were to be accessed after finalization, ASan would have picked up on the issue as we poison finalized objects. Adjusting issue ownership accordingly.
Jun 23 2016
M53 is branching soon and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.
Jun 26 2016
inferno: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 28 2016
ClusterFuzz has detected this issue as fixed in range 402252:402311.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6615220550369280
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x3b04349f64c8
Crash State:
  Bad-cast to blink::WebGLObject from invalid vptr
  blink::WebGLProgram::deleteObjectImpl
  blink::WebGLSharedObject::detachContextGroup
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=397239:397396
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=402252:402311
Minimized Testcase (48.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95kX5MiywnM4H8j-2XEIWWuFE8HNHRTZihKhWvT4oCntz-hFhpQqAMUpAhirAy24aU2HuJ8qiSpVnNopVEtplAa4hJuOZdyNMlvgjomW-ucLs_TgflH9yZLhAB6AsLrFqD6oxcIlZ-NLicCGBZSdcD9lU1g3s-ZOTz0lbMpTyw54o72g1A?testcase_id=6615220550369280

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 28 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 28 2016

Jul 26 2016
Jul 27 2016

Oct 4 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jun 12 2016
Owner: danakj@chromium.org
Status: Assigned (was: Available)