New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 629072 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in gpu::gles2::GLES2Implementation::DrawArrays

Project Member Reported by ClusterFuzz, Jul 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4676227353018368

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gpu::gles2::GLES2Implementation::DrawArrays
  blink::WebGLRenderingContextBase::drawArrays
  blink::WebGLRenderingContextV8Internal::drawArraysMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (23.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XpQy3-S45uZ9wrS81gDcmpfEKqXLOi3vaY46wRjE5Xdks3b5AxKRu1FXMw7F5413PjybE_T75HYCCBfgbNn0xXPLEqMNuHqVGp-qcxgaScT0LsbDh68lZ3oVAG-jtr10ObAvoIfXRa8I8xtnhYJ57yNkuc4U0ZpZzpDJmsl4dtc2oioM?testcase_id=4676227353018368

Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: -Pri-1 findit-for-crash Te-Logged Pri-2
Owner: danakj@chromium.org
Status: Assigned (was: Available)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/611de09a17728eb0c1713b30ab3c2178a106d146
Time: Fri Mar 18 20:54:10 2016
The CL last changed line 2228 of file WebGLRenderingContextBase.cpp, which is stack frame 1.

Suspected Project: chromium
Suspected Component: Internals>GPU>Internals
==============================
danakj@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!

Comment 2 by danakj@chromium.org, Jul 18 2016

Cc: kbr@chromium.org zmo@chromium.org siev...@chromium.org piman@chromium.org
Owner: kbr@chromium.org
Probably bad use of WebGLRenderingContextBase::drawArrays?

Lots of GL errors before this occured:
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(8987)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_ENUM : glDrawArrays: mode was 0x0009
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9018)] [.Offscreen-For-WebGL-0x12fb2d7d8500]RENDER WARNING: Render count or primcount is 0.
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:gles2_cmd_decoder.cc(9004)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_VALUE : glDrawArrays: first < 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0
[21406:21406:0702/193858:ERROR:vertex_attrib_manager.cc(202)] [.Offscreen-For-WebGL-0x12fb2d7d8500]GL ERROR :GL_INVALID_OPERATION : glDrawArrays: attempt to access out of range vertices in attribute 0

Comment 3 by kbr@chromium.org, Jul 18 2016

Cc: thakis@chromium.org
Components: Blink>WebGL Internals>GPU>Internals
Owner: ----
Status: Available (was: Assigned)
This is mainly a negative test. It's expected to generate lots of errors.

I don't see any changes in this test compared to the version that's in the public WebGL conformance suite, and this code hasn't changed in a while. The most suspect change in the blamelist:
https://chromium.googlesource.com/chromium/src/+log/1e08b425b14774bffce86eee06d3deb3e7d13b1b..7d9f5804e4cc4bb6cc55133137a6e2060aa106b7?pretty=fuller

would be the clang upgrade:
https://chromium.googlesource.com/chromium/src/+/7d9f5804e4cc4bb6cc55133137a6e2060aa106b7

Comment 4 by piman@chromium.org, Jul 18 2016

Whether it is a regression or not, the overflow looks legit? Since the values come from Javascript (attacker-controlled), something should probably defend against it?

Not sure if best done in the command buffer code or WebGL code.

Comment 5 by kbr@chromium.org, Jul 18 2016

There are already defenses against attacks in this code. From a quick glance it looks like the overflow is happening in the "first + count" addition here:

https://cs.chromium.org/chromium/src/gpu/command_buffer/client/gles2_implementation.cc?rcl=0&l=4521

but that computed value is always discarded for WebGL, since it doesn't support client-side vertex arrays.

Comment 6 by piman@chromium.org, Jul 18 2016

But undefined behavior is undefined, and if we do run this code that causes integer overflow, the compiler is allowed to generated code that corrupts memory and allows attacks - it doesn't matter what happens to that overflowing value afterwards.

Comment 7 by kbr@chromium.org, Jul 18 2016

Fair point. Whether client-side arrays are supported should be exposed to the caller, and the SafeAdd* primitives used in the calling code before calling down into SetupSimulatedClientSideBuffers. I'll be happy to address this after SIGGRAPH.

Project Member

Comment 8 by bugdroid1@chromium.org, Aug 2 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d05fe0bb566dbffcef374f314403c340e4181711

commit d05fe0bb566dbffcef374f314403c340e4181711
Author: robert.bradford <robert.bradford@intel.com>
Date: Tue Aug 02 11:19:15 2016

gpu: Avoid integer overflow when setting up client side buffers

Use gpu::SafeAddInt32 to calculate the number of elements in the buffers
whilst avoiding overflow. The code is also refactored slightly to make
the setup of buffers conditional on them being supported via the new
SupportsClientSideBuffers() check.

BUG= 629072 
TEST=gpu_unittests
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2177513002
Cr-Commit-Position: refs/heads/master@{#409172}

[modify] https://crrev.com/d05fe0bb566dbffcef374f314403c340e4181711/gpu/command_buffer/client/gles2_implementation.cc
[modify] https://crrev.com/d05fe0bb566dbffcef374f314403c340e4181711/gpu/command_buffer/client/vertex_array_object_manager.cc
[modify] https://crrev.com/d05fe0bb566dbffcef374f314403c340e4181711/gpu/command_buffer/client/vertex_array_object_manager.h

Comment 9 by kbr@chromium.org, Aug 2 2016

Owner: robert.b...@intel.com
Status: Fixed (was: Available)
Project Member

Comment 10 by ClusterFuzz, Aug 3 2016

ClusterFuzz has detected this issue as fixed in range 407167:409418.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4676227353018368

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gpu::gles2::GLES2Implementation::DrawArrays
  blink::WebGLRenderingContextBase::drawArrays
  blink::WebGLRenderingContextV8Internal::drawArraysMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:409418

Minimized Testcase (23.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XpQy3-S45uZ9wrS81gDcmpfEKqXLOi3vaY46wRjE5Xdks3b5AxKRu1FXMw7F5413PjybE_T75HYCCBfgbNn0xXPLEqMNuHqVGp-qcxgaScT0LsbDh68lZ3oVAG-jtr10ObAvoIfXRa8I8xtnhYJ57yNkuc4U0ZpZzpDJmsl4dtc2oioM?testcase_id=4676227353018368

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment