Integer-overflow in gpu::gles2::GLES2Implementation::DrawArrays
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4676227353018368
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
gpu::gles2::GLES2Implementation::DrawArrays
blink::WebGLRenderingContextBase::drawArrays
blink::WebGLRenderingContextV8Internal::drawArraysMethodCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (23.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XpQy3-S45uZ9wrS81gDcmpfEKqXLOi3vaY46wRjE5Xdks3b5AxKRu1FXMw7F5413PjybE_T75HYCCBfgbNn0xXPLEqMNuHqVGp-qcxgaScT0LsbDh68lZ3oVAG-jtr10ObAvoIfXRa8I8xtnhYJ57yNkuc4U0ZpZzpDJmsl4dtc2oioM?testcase_id=4676227353018368
Filer: brajkumar
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 18 2016
Probably bad use of WebGLRenderingContextBase::drawArrays? Lots of GL errors before this occurred:
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(8987)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_ENUM : glDrawArrays: mode was 0x0009
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
,
Jul 18 2016
This is mainly a negative test. It's expected to generate lots of errors. I don't see any changes in this test compared to the version that's in the public WebGL conformance suite, and this code hasn't changed in a while. The most suspect change in the blamelist: https://chromium.googlesource.com/chromium/src/+log/1e08b425b14774bffce86eee06d3deb3e7d13b1b..7d9f5804e4cc4bb6cc55133137a6e2060aa106b7?pretty=fuller would be the clang upgrade: https://chromium.googlesource.com/chromium/src/+/7d9f5804e4cc4bb6cc55133137a6e2060aa106b7
,
Jul 18 2016
Whether it is a regression or not, the overflow looks legit? Since the values come from Javascript (attacker-controlled), something should probably defend against it? Not sure if best done in the command buffer code or WebGL code.
,
Jul 18 2016
There are already defenses against attacks in this code. From a quick glance it looks like the overflow is happening in the "first + count" addition here: https://cs.chromium.org/chromium/src/gpu/command_buffer/client/gles2_implementation.cc?rcl=0&l=4521 but that computed value is always discarded for WebGL, since it doesn't support client-side vertex arrays.
,
Jul 18 2016
But undefined behavior is undefined, and if we do run this code that causes integer overflow, the compiler is allowed to generate code that corrupts memory and allows attacks - it doesn't matter what happens to that overflowing value afterwards.
,
Jul 18 2016
Fair point. Whether client-side arrays are supported should be exposed to the caller, and the SafeAdd* primitives used in the calling code before calling down into SetupSimulatedClientSideBuffers. I'll be happy to address this after SIGGRAPH.
,
Aug 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d05fe0bb566dbffcef374f314403c340e4181711

commit d05fe0bb566dbffcef374f314403c340e4181711
Author: robert.bradford <robert.bradford@intel.com>
Date: Tue Aug 02 11:19:15 2016

gpu: Avoid integer overflow when setting up client side buffers

Use gpu::SafeAddInt32 to calculate the number of elements in the buffers whilst avoiding overflow. The code is also refactored slightly to make the setup of buffers conditional on them being supported via the new SupportsClientSideBuffers() check.

BUG= 629072
TEST=gpu_unittests
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2177513002
Cr-Commit-Position: refs/heads/master@{#409172}

[modify] https://crrev.com/d05fe0bb566dbffcef374f314403c340e4181711/gpu/command_buffer/client/gles2_implementation.cc
[modify] https://crrev.com/d05fe0bb566dbffcef374f314403c340e4181711/gpu/command_buffer/client/vertex_array_object_manager.cc
[modify] https://crrev.com/d05fe0bb566dbffcef374f314403c340e4181711/gpu/command_buffer/client/vertex_array_object_manager.h
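An added example (not Chromium's code and not the patch referenced above) showing the shape of the fix this commit describes: a checked 32-bit add standing in for gpu::SafeAddInt32, and a hypothetical call site that consults a SupportsClientSideBuffers-style flag before "first + count" is ever evaluated, then performs that add with the checked helper so UBSan-flagged signed overflow cannot occur. The function bodies, the ClientSideSetup result type and the sample (first, count) pairs are constructed here; only the names SafeAddInt32 and SetupSimulatedClientSideBuffers come from the thread.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <limits>

// Constructed stand-in for gpu::SafeAddInt32 (not Chromium's implementation):
// returns false and leaves *dst untouched when a + b does not fit in int32_t.
// The sum is formed in int64_t, so the addition itself can never be signed
// overflow, which is what UBSan reported in the DrawArrays path.
bool SafeAddInt32(int32_t a, int32_t b, int32_t* dst) {
  const int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
  if (sum > std::numeric_limits<int32_t>::max() ||
      sum < std::numeric_limits<int32_t>::min()) {
    return false;
  }
  *dst = static_cast<int32_t>(sum);
  return true;
}

// Hypothetical outcome type for the call site below (not from the page).
enum class ClientSideSetup { kNotNeeded, kInvalidValue, kOverflow, kOk };

// Hypothetical analogue of the fixed call site. The thread's point is that
// the overflowing "first + count" ran even though WebGL discarded the result;
// here the add is only reached when client-side buffers are supported, and
// it is then done through the checked helper.
ClientSideSetup SetupSimulatedClientSideBuffers(bool supports_client_side_buffers,
                                                int32_t first,
                                                int32_t count,
                                                int32_t* num_elements) {
  if (!supports_client_side_buffers) {
    return ClientSideSetup::kNotNeeded;    // first + count is never evaluated
  }
  if (first < 0 || count < 0) {
    return ClientSideSetup::kInvalidValue; // GL_INVALID_VALUE per the GLES2 rules
  }
  if (!SafeAddInt32(first, count, num_elements)) {
    return ClientSideSetup::kOverflow;     // a plain '+' here would be UB
  }
  return ClientSideSetup::kOk;
}

const char* ToString(ClientSideSetup r) {
  switch (r) {
    case ClientSideSetup::kNotNeeded:    return "not needed";
    case ClientSideSetup::kInvalidValue: return "invalid value";
    case ClientSideSetup::kOverflow:     return "overflow rejected";
    case ClientSideSetup::kOk:           return "ok";
  }
  return "?";
}

int main() {
  // Constructed (first, count) pairs, including the extreme values a script
  // can pass straight through drawArrays(mode, first, count).
  const int32_t kMax = std::numeric_limits<int32_t>::max();
  const struct { int32_t first, count; } cases[] = {
      {0, 3}, {4, 6}, {-1, 6}, {1, kMax}, {kMax, kMax}};
  for (bool supported : {false, true}) {
    for (const auto& c : cases) {
      int32_t n = 0;
      ClientSideSetup r =
          SetupSimulatedClientSideBuffers(supported, c.first, c.count, &n);
      std::cout << "supported=" << supported << " first=" << c.first
                << " count=" << c.count << " -> " << ToString(r);
      if (r == ClientSideSetup::kOk) std::cout << " (" << n << " elements)";
      std::cout << '\n';
    }
  }
  return 0;
}
```

The widening-add approach is one portable way to write the check; a compiler builtin such as `__builtin_add_overflow` would serve the same purpose. The important property either way is that the decision to compute the element count is made before the arithmetic, and the arithmetic itself can fail cleanly instead of relying on the result being discarded.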
,
Aug 2 2016
,
Aug 3 2016
ClusterFuzz has detected this issue as fixed in range 407167:409418.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4676227353018368
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
gpu::gles2::GLES2Implementation::DrawArrays
blink::WebGLRenderingContextBase::drawArrays
blink::WebGLRenderingContextV8Internal::drawArraysMethodCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:409418
Minimized Testcase (23.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XpQy3-S45uZ9wrS81gDcmpfEKqXLOi3vaY46wRjE5Xdks3b5AxKRu1FXMw7F5413PjybE_T75HYCCBfgbNn0xXPLEqMNuHqVGp-qcxgaScT0LsbDh68lZ3oVAG-jtr10ObAvoIfXRa8I8xtnhYJ57yNkuc4U0ZpZzpDJmsl4dtc2oioM?testcase_id=4676227353018368
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by brajkumar@chromium.org, Jul 18 2016
Owner: danakj@chromium.org
Status: Assigned (was: Available)