Issue metadata
Security: (libANGLE) Buffer Overflow in glUniform*v
Reported by
nedwilli...@gmail.com,
Nov 2 2016
Issue description

VULNERABILITY DETAILS
The glUniform*v functions do not perform bounds checking on arrays passed in from the user. While the GPU command buffer prevents this from being exploitable on current Chrome stable, it appears that overflow checks exist for other functions, and so checks should probably be added here as well.

VERSION
Chrome Version: Stable (libANGLE)
Operating System: Ubuntu 16.04

REPRODUCTION CASE
See attached poc.cc

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: underlying library OOB write
Crash State: see ASAN log
Nov 3 2016

Nov 3 2016
Thanks for the report, I uploaded a fix: https://chromium-review.googlesource.com/406745
Nov 5 2016
Nov 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/9863a3ef180edb17307665e0cc65a16603222103

commit 9863a3ef180edb17307665e0cc65a16603222103
Author: Corentin Wallez <cwallez@chromium.org>
Date: Thu Nov 03 21:06:39 2016

Program: clamp the number of uniforms to be copied

BUG= 661413
Change-Id: I1a146dae0d01edeb272a58610355261b0e23dec1
Reviewed-on: https://chromium-review.googlesource.com/406745
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/9863a3ef180edb17307665e0cc65a16603222103/src/tests/gl_tests/UniformTest.cpp
[modify] https://crrev.com/9863a3ef180edb17307665e0cc65a16603222103/src/libANGLE/Uniform.cpp
[modify] https://crrev.com/9863a3ef180edb17307665e0cc65a16603222103/src/libANGLE/Uniform.h
[modify] https://crrev.com/9863a3ef180edb17307665e0cc65a16603222103/src/libANGLE/Program.cpp
Nov 14 2016
Nov 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ae472b3e687a3caf68c09c8efb10e3ecc04042fb

commit ae472b3e687a3caf68c09c8efb10e3ecc04042fb
Author: jmadill <jmadill@chromium.org>
Date: Mon Nov 14 23:15:27 2016

Roll ANGLE d749096..9863a3e

https://chromium.googlesource.com/angle/angle.git/+log/d749096..9863a3e

BUG= chromium:658898 , 661413
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2500073003
Cr-Commit-Position: refs/heads/master@{#431955}

[modify] https://crrev.com/ae472b3e687a3caf68c09c8efb10e3ecc04042fb/DEPS
Nov 15 2016
Nov 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/15ac534a96ee58fbdb0e022b7dc67a7674cf1395

commit 15ac534a96ee58fbdb0e022b7dc67a7674cf1395
Author: Corentin Wallez <cwallez@chromium.org>
Date: Thu Nov 03 21:06:39 2016

Program: clamp the number of uniforms to be copied

Reland with a temporary test suppression.

BUG= 661413
Change-Id: I552b64de754b326dcd499b84d9f337b9d015dc8e
Reviewed-on: https://chromium-review.googlesource.com/411473
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/15ac534a96ee58fbdb0e022b7dc67a7674cf1395/src/tests/gl_tests/UniformTest.cpp
[modify] https://crrev.com/15ac534a96ee58fbdb0e022b7dc67a7674cf1395/src/libANGLE/Uniform.cpp
[modify] https://crrev.com/15ac534a96ee58fbdb0e022b7dc67a7674cf1395/src/libANGLE/Uniform.h
[modify] https://crrev.com/15ac534a96ee58fbdb0e022b7dc67a7674cf1395/src/libANGLE/Program.cpp
Nov 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/8b7d8144b427f64d1c782ae7735521698787e5de

commit 8b7d8144b427f64d1c782ae7735521698787e5de
Author: Corentin Wallez <cwallez@chromium.org>
Date: Tue Nov 15 18:40:37 2016

Clamp "count" in glUniform* before passing to the backend

The OpenGL spec allows "count" to overflow safely implemented but some drivers like the Intel Windows OpenGL driver don't handle this correctly and crash on overflow tests.

BUG= 661413
Change-Id: I10de9292c75daa375f002850900bb5e1cbfce3b6
Reviewed-on: https://chromium-review.googlesource.com/411387
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/8b7d8144b427f64d1c782ae7735521698787e5de/src/libANGLE/Program.h
[modify] https://crrev.com/8b7d8144b427f64d1c782ae7735521698787e5de/src/tests/gl_tests/UniformTest.cpp
[modify] https://crrev.com/8b7d8144b427f64d1c782ae7735521698787e5de/src/libANGLE/Program.cpp
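The missing check in the original report and the clamp that the "Clamp "count" in glUniform*" commit describes, as an added illustration in C++ (not ANGLE's code): a uniform array with a fixed number of elements, and a glUniform*fv-style entry point that clamps the caller's `count` to the elements remaining from the addressed index before copying, which is what the OpenGL rule "extra elements are ignored" requires. The names `UniformArray`, `clampUniformCount` and `setUniformfv` are invented for this illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified stand-in (not ANGLE's data structure) for a uniform array:
// elementCount() elements of componentsPerElement floats each, stored flat.
struct UniformArray {
    size_t componentsPerElement;   // 4 for a vec4, 16 for a mat4, ...
    std::vector<float> storage;    // elementCount() * componentsPerElement floats
    size_t elementCount() const { return storage.size() / componentsPerElement; }
};

// The fix: derive how many elements may be written starting at `arrayIndex`
// from the uniform's own size, never from the caller-supplied `count`.
// A location past the end of the array writes nothing.
size_t clampUniformCount(const UniformArray &u, size_t arrayIndex, size_t count) {
    if (arrayIndex >= u.elementCount()) return 0;
    return std::min(count, u.elementCount() - arrayIndex);
}

// glUniform{1,2,3,4}fv-style entry point. `data` holds `count` elements as the
// caller sized it; because the clamped value is <= count, the copy stays inside
// both the caller's buffer and the uniform's storage. Before the fix, the copy
// used `count` directly, so an oversized count wrote past the end of storage.
// Returns the number of elements actually copied.
size_t setUniformfv(UniformArray &u, size_t arrayIndex, size_t count, const float *data) {
    const size_t clamped = clampUniformCount(u, arrayIndex, count);
    const size_t floats = clamped * u.componentsPerElement;
    std::copy(data, data + floats, u.storage.begin() + arrayIndex * u.componentsPerElement);
    return clamped;
}

int main() {
    // Constructed sample: a vec4 uniform[3], and a caller that claims 8 elements
    // starting at element 1 (only 2 remain).
    UniformArray u{4, std::vector<float>(4 * 3, 0.0f)};
    float data[4 * 8];
    for (int i = 0; i < 32; ++i) data[i] = static_cast<float>(i);
    size_t copied = setUniformfv(u, 1, 8, data);
    std::printf("requested 8 elements at index 1, copied %zu\n", copied);
    return 0;
}
```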
Nov 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bf4d8f4e8ca46c12e420cc57ed39bfa349ec47a2

commit bf4d8f4e8ca46c12e420cc57ed39bfa349ec47a2
Author: jmadill <jmadill@chromium.org>
Date: Thu Nov 17 03:57:51 2016

Roll ANGLE 9863a3e..555009c

https://chromium.googlesource.com/angle/angle.git/+log/9863a3e..555009c

BUG= chromium:593024 , 661413 , 602737
TBR=zmo@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2506143003
Cr-Commit-Position: refs/heads/master@{#432733}

[modify] https://crrev.com/bf4d8f4e8ca46c12e420cc57ed39bfa349ec47a2/DEPS
Feb 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nparker@chromium.org, Nov 3 2016
Components: Internals>GPU>ANGLE
Labels: Security_Severity-Low Security_Impact-Stable
Owner: cwallez@chromium.org
Status: Assigned (was: Unconfirmed)