Integer-overflow in TConstantUnion::operator*
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5616355602857984
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TConstantUnion::operator*
  TIntermConstantUnion::foldBinary
  TIntermBinary::fold
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (29.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96qpmapv_bxMZYFh7Xxi1Pa9OSJc5yzh5x1q6sLAdDbFIHMgmnBszSKOPP4N4hGKzMSSs-YLFVxR5KMRdhm-EGzl5nMrkANABfkiMRM22XMx7_Fh1H5t5h2Le4zs7zIoacoZ1TsaLOsreFKltrc--3tIszpAJMExJFasbIKzC9s1QyErPk?testcase_id=5616355602857984
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 11 2016
jmadill@ please have a look and please feel free to assign back. Thanks in advance.
Aug 12 2016
I was trying to look, am not able to download the repro or visit the clusterfuzz site. Is it down?
Aug 15 2016
Frank, can you take a quick look? I'm traveling this week, can try looking on the train if not.
Aug 19 2016
I copied the shader into GLSLTest.cpp but it doesn't repro. The shader has a bunch of macros called with the wrong number of arguments and those errors are reported and the test fails. No crash. This is what I tried: https://chromium-review.googlesource.com/373145 I also tried it with ANGLE @ ff92e1f52a (back in February) because as far as I can make out from the clusterfuzz report it's running an old version. I'm either doing it wrong or we have to try to repro in chrome?
Aug 23 2016
Pulling this back to work on it.
Sep 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/47cb73ab1e90b2ce27b7bcfc288a728e6979ed29

commit 47cb73ab1e90b2ce27b7bcfc288a728e6979ed29
Author: Jamie Madill <jmadill@chromium.org>
Date: Fri Sep 09 15:41:44 2016

Refactor TConstantUnion.

In preparation for constant folding fixes.

BUG=chromium:637050
Change-Id: I9ea49ce96b34c6ac3d2f0478b8fc6732c59e28be
Reviewed-on: https://chromium-review.googlesource.com/373741
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/47cb73ab1e90b2ce27b7bcfc288a728e6979ed29/src/compiler/translator/ConstantUnion.h
[modify] https://crrev.com/47cb73ab1e90b2ce27b7bcfc288a728e6979ed29/src/compiler.gypi
[modify] https://crrev.com/47cb73ab1e90b2ce27b7bcfc288a728e6979ed29/src/compiler/translator/IntermNode.cpp
[add] https://crrev.com/47cb73ab1e90b2ce27b7bcfc288a728e6979ed29/src/compiler/translator/ConstantUnion.cpp
Sep 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7c2f2c5e32e24154a72992fee6e8955de6268422

commit 7c2f2c5e32e24154a72992fee6e8955de6268422
Author: geofflang <geofflang@chromium.org>
Date: Tue Sep 13 21:19:43 2016

Roll ANGLE e79c2d1..47cb73a

https://chromium.googlesource.com/angle/angle.git/+log/e79c2d1..47cb73a

BUG=chromium:637050
TBR=jmadill@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2337903003
Cr-Commit-Position: refs/heads/master@{#418372}

[modify] https://crrev.com/7c2f2c5e32e24154a72992fee6e8955de6268422/DEPS
Sep 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/5db69f573c92886cabca590826ee30e20b21c692

commit 5db69f573c92886cabca590826ee30e20b21c692
Author: Jamie Madill <jmadill@chromium.org>
Date: Thu Sep 15 16:47:32 2016

Add robust math to constant folding.

Previously our multiplication and other operators could do overflows, which can lead to security bugs.

BUG=chromium:637050
Change-Id: Icee22a87909e205b71bda1c5bc1627fcf5e26e90
Reviewed-on: https://chromium-review.googlesource.com/382678
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/5db69f573c92886cabca590826ee30e20b21c692/src/compiler/translator/IntermNode.cpp
[modify] https://crrev.com/5db69f573c92886cabca590826ee30e20b21c692/src/compiler/translator/ConstantUnion.cpp
[modify] https://crrev.com/5db69f573c92886cabca590826ee30e20b21c692/src/tests/gl_tests/GLSLTest.cpp
[modify] https://crrev.com/5db69f573c92886cabca590826ee30e20b21c692/src/compiler/translator/IntermNode.h
[modify] https://crrev.com/5db69f573c92886cabca590826ee30e20b21c692/src/compiler/translator/ConstantUnion.h
[modify] https://crrev.com/5db69f573c92886cabca590826ee30e20b21c692/src/common/debug.h
[modify] https://crrev.com/5db69f573c92886cabca590826ee30e20b21c692/src/common/third_party/numerics/base/logging.h
Sep 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7265052d46cd24c7f9665bd298f8d878ef12274e

commit 7265052d46cd24c7f9665bd298f8d878ef12274e
Author: cwallez <cwallez@chromium.org>
Date: Thu Sep 22 03:52:12 2016

Roll ANGLE 8b28a8b..c287ea6

https://chromium.googlesource.com/angle/angle.git/+log/8b28a8b..c287ea6

BUG=chromium:644033, chromium:637050, 648462, chromium:647807
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2357933002
Cr-Commit-Position: refs/heads/master@{#420258}

[modify] https://crrev.com/7265052d46cd24c7f9665bd298f8d878ef12274e/DEPS
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 420229:420262.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5616355602857984
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  TConstantUnion::operator*
  TIntermConstantUnion::foldBinary
  TIntermBinary::fold
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=420229:420262
Minimized Testcase (29.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96qpmapv_bxMZYFh7Xxi1Pa9OSJc5yzh5x1q6sLAdDbFIHMgmnBszSKOPP4N4hGKzMSSs-YLFVxR5KMRdhm-EGzl5nMrkANABfkiMRM22XMx7_Fh1H5t5h2Le4zs7zIoacoZ1TsaLOsreFKltrc--3tIszpAJMExJFasbIKzC9s1QyErPk?testcase_id=5616355602857984
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/1be4d493df6ff0448b720f87888effafeb055175

commit 1be4d493df6ff0448b720f87888effafeb055175
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Tue Sep 27 10:15:38 2016

Fix handling integer overflow in constant folding

Integer operations that overflow are defined to wrap in the ESSL 3.00.6 spec. Constant folding that happens inside the shader translator should also follow the wrapping rules.

The new implementations of wrapping integer addition and subtraction use unsigned integers to perform calculations. Unsigned integers are defined to implement arithmetic in modulo 2^n in the C++ spec. This behavior is also leveraged to implement wrapping unsigned integer multiplication.

The implementation of wrapping signed integer multiplication is slightly trickier. The operands are casted to a wider type to perform the multiplication in a way that doesn't overflow, and then the result is truncated and casted back to the narrower integer type.

Incorrect tests that expected errors to be generated from integer overflow in constant folding are removed.

BUG=chromium:637050
TEST=angle_unittests
Change-Id: I0de7e25881d254803455fbf22907c192f49d09ff
Reviewed-on: https://chromium-review.googlesource.com/390252
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/1be4d493df6ff0448b720f87888effafeb055175/src/tests/gl_tests/GLSLTest.cpp
[modify] https://crrev.com/1be4d493df6ff0448b720f87888effafeb055175/src/tests/compiler_tests/ConstantFolding_test.cpp
[modify] https://crrev.com/1be4d493df6ff0448b720f87888effafeb055175/src/compiler/translator/ConstantUnion.cpp
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/42fad76d02feadb05fdda1f11e25770893bc9c5e

commit 42fad76d02feadb05fdda1f11e25770893bc9c5e
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Wed Sep 28 09:06:29 2016

Handle negation of minimum representable integer

Negating the minimum representable integer overflows, so it has undefined behavior in C++. Handle this as a special case in the code.

BUG=chromium:637050
TEST=angle_unittests
Change-Id: Ic6e6d638faddad9b70b5d1637bb4b42ef4f43784
Reviewed-on: https://chromium-review.googlesource.com/390551
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

[modify] https://crrev.com/42fad76d02feadb05fdda1f11e25770893bc9c5e/src/tests/compiler_tests/ConstantFolding_test.cpp
[modify] https://crrev.com/42fad76d02feadb05fdda1f11e25770893bc9c5e/src/compiler/translator/IntermNode.cpp
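The wrapping rules described in the two commit messages above (wrapping add/sub via unsigned arithmetic, signed multiply through a wider intermediate, and the special case for negating the minimum integer), worked through as an added C++ example. This is not ANGLE's own ConstantUnion.cpp or IntermNode.cpp; the function names (WrappingAdd, WrappingMul, WrappingNegate, FoldSigned, the Op enum) and the operand values are constructed for illustration. The point for a reviewer is that every branch is total: a shader constant expression that overflows folds to the wrapped value, as ESSL 3.00 specifies, instead of executing the signed overflow that UBSan flagged in TConstantUnion::operator*.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not ANGLE's code: integer constant folding with the wrapping
// semantics ESSL 3.00 requires, built only from operations the C++ standard
// defines. Every intermediate step runs on an unsigned or wider type, so
// nothing here is undefined behaviour, however hostile the operands.
// All names in this namespace are hypothetical.
namespace wrap_example {

// Map a 32-bit pattern back to int32_t. Out-of-range unsigned->signed
// conversion is implementation-defined before C++20 (modular on every
// mainstream compiler) and defined as modular from C++20 on.
inline int32_t ToSigned(uint32_t bits) { return static_cast<int32_t>(bits); }

// Addition and subtraction: uint32_t arithmetic wraps modulo 2^32 by
// definition, so widen to unsigned, operate, and map back.
inline int32_t WrappingAdd(int32_t a, int32_t b) {
  return ToSigned(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}
inline int32_t WrappingSub(int32_t a, int32_t b) {
  return ToSigned(static_cast<uint32_t>(a) - static_cast<uint32_t>(b));
}

// Unsigned operators need no help: +, - and * on uint32_t already wrap.
inline uint32_t WrappingAddU(uint32_t a, uint32_t b) { return a + b; }
inline uint32_t WrappingSubU(uint32_t a, uint32_t b) { return a - b; }
inline uint32_t WrappingMulU(uint32_t a, uint32_t b) { return a * b; }

// Signed multiplication: a 32x32-bit product always fits in 64 bits, so the
// int64_t multiply cannot overflow. Keeping the low 32 bits and mapping them
// back gives the two's-complement wrapped result. (The plain `a * b` on
// int32_t is the undefined operation the sanitizer reported.)
inline int32_t WrappingMul(int32_t a, int32_t b) {
  const int64_t wide = static_cast<int64_t>(a) * static_cast<int64_t>(b);
  return ToSigned(static_cast<uint32_t>(wide));
}

// Negation: -INT32_MIN is not representable, so `-a` is undefined for that
// one operand. Under wrapping semantics INT32_MIN negates to itself.
inline int32_t WrappingNegate(int32_t a) {
  if (a == std::numeric_limits<int32_t>::min()) return a;
  return -a;
}

// A minimal folder in the shape of a foldBinary switch: every case is total,
// so an overflowing constant expression folds to its wrapped value.
enum class Op { Add, Sub, Mul };

inline int32_t FoldSigned(Op op, int32_t l, int32_t r) {
  switch (op) {
    case Op::Add: return WrappingAdd(l, r);
    case Op::Sub: return WrappingSub(l, r);
    case Op::Mul: return WrappingMul(l, r);
  }
  return 0;  // unreachable for a valid Op
}

inline uint32_t FoldUnsigned(Op op, uint32_t l, uint32_t r) {
  switch (op) {
    case Op::Add: return WrappingAddU(l, r);
    case Op::Sub: return WrappingSubU(l, r);
    case Op::Mul: return WrappingMulU(l, r);
  }
  return 0;  // unreachable for a valid Op
}

}  // namespace wrap_example

int main() {
  using namespace wrap_example;
  // Constructed operands that overflow int32_t; each folds to its wrapped value.
  std::printf("INT32_MAX + 1  -> %d\n", FoldSigned(Op::Add, INT32_MAX, 1));
  std::printf("INT32_MAX * 2  -> %d\n", FoldSigned(Op::Mul, INT32_MAX, 2));
  std::printf("INT32_MIN * -1 -> %d\n", FoldSigned(Op::Mul, INT32_MIN, -1));
  std::printf("-INT32_MIN     -> %d\n", WrappingNegate(INT32_MIN));
  std::printf("0x80000000u*2  -> %u\n", FoldUnsigned(Op::Mul, 0x80000000u, 2u));
  return 0;
}
```

Built with `-fsanitize=undefined`, the program runs clean on every operand pair, including the INT32_MIN cases; the same inputs fed to plain int32_t `*` and unary `-` are exactly what the sanitizer job in this bug reported.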
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/910e1c87b9a5f5e5c870372f0129c804e4434649

commit 910e1c87b9a5f5e5c870372f0129c804e4434649
Author: cwallez <cwallez@chromium.org>
Date: Wed Sep 28 20:30:09 2016

Roll ANGLE 00ff119..1be4d49

https://chromium.googlesource.com/angle/angle.git/+log/00ff119..1be4d49

BUG=chromium:637050, chromium:648135
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2373373002
Cr-Commit-Position: refs/heads/master@{#421627}

[modify] https://crrev.com/910e1c87b9a5f5e5c870372f0129c804e4434649/DEPS
Sep 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9c0333556e726233673266a98a654e61d12dec54

commit 9c0333556e726233673266a98a654e61d12dec54
Author: qiankun.miao <qiankun.miao@intel.com>
Date: Thu Sep 29 03:41:28 2016

Roll ANGLE 1be4d49..886de36

https://chromium.googlesource.com/angle/angle.git/+log/1be4d49..886de36

BUG=chromium:650547, chromium:637050
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2382493003
Cr-Commit-Position: refs/heads/master@{#421737}

[modify] https://crrev.com/9c0333556e726233673266a98a654e61d12dec54/DEPS
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Aug 11 2016
Components: Internals>GPU>ANGLE
Owner: jmad...@chromium.org
Status: Assigned (was: Untriaged)