Crash in storeColor
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5112085437743104
Fuzzer: inferno_twister_custom_bundle
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN
Crash Address: 0x603000040000
Crash State:
  storeColor
  glgProcessColor
  __glgProcessPixelsWithProcessor_block_invoke
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=434476:434480
Minimized Testcase (21.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K7VJgvVBbft910jqgZz3kA_bah4nwVfVcW5WPpc2_IS0KaBmARwSX3leHAseO3L_gI1wMbhmdMuPYEZ1KpKFU-5Nw_XTgt5BBI1PZ78i0m5XQc3k-HHeBnePHT41ioH1TmMJ5u3ioLpltPy5shuxCMCtZZEu9c7G6IlBfP2iulQ2zS0Y?testcase_id=5112085437743104
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 27 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 27 2016
Nov 28 2016
Hi sievers, this appears to be in the auto-generated GL bindings you checked in a while ago, but I'm not sure why this is only coming up now. Do you mind taking a look?
Nov 28 2016
Reassigning. Do you mind taking a look at this?
Nov 30 2016
Adding yunchao.
Since you can't access the test case, here you are:
var wtu = WebGLTestUtils;
var width = 8;
var height = 8;
// Request a WebGL 2 context; blitFramebuffer is only exposed there.
var gl = wtu.create3DContext("example", undefined, 2);
if (gl) {
  blit_region_test();
}
function blit_region_test() {
  // 8x8 RGBA8 texture used as the color attachment of the read framebuffer.
  var tex1 = gl.createTexture();
  gl.bindTexture(gl.TEXTURE_2D, tex1);
  gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA8, width, height, 0, gl.RGBA, gl.UNSIGNED_BYTE, null);
  var fb1 = gl.createFramebuffer();
  gl.bindFramebuffer(gl.READ_FRAMEBUFFER, fb1);
  gl.framebufferTexture2D(gl.READ_FRAMEBUFFER, gl.COLOR_ATTACHMENT0, gl.TEXTURE_2D, tex1, 0);
  // Completeness must be queried with checkFramebufferStatus; comparing the target
  // enums themselves never matches. The draw framebuffer is the default one here.
  if (gl.checkFramebufferStatus(gl.READ_FRAMEBUFFER) != gl.FRAMEBUFFER_COMPLETE ||
      gl.checkFramebufferStatus(gl.DRAW_FRAMEBUFFER) != gl.FRAMEBUFFER_COMPLETE) {
    return;
  }
  // Destination rectangle runs out to INT32_MAX on both axes while the source is 8x8.
  var max = 0x7fffffff;
  gl.blitFramebuffer(0, 0, width, height, 0, 0, max, max, gl.COLOR_BUFFER_BIT, gl.NEAREST);
}
This apparently caused malfunctions in some drivers, so we will need to put up a defense against it.
Dec 1 2016
Thanks for the code snippet, @zmo. I will take a look in the next two days.
Dec 2 2016
Dec 6 2016
Hi Zhenyao and all, I cannot reproduce the sample code by zmo@ on Mac Intel. In addition, if the sample code by zmo@ conforms to the original crashed case, then the original test case has been covered by the WebGL 2 conformance test blitframebuffer-size-overflow.html. Then the Chromium bots should catch that failure.
Dec 7 2016
Per #9 moving this to RBS while we investigate.
Dec 15 2016
zmo: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 29 2016
zmo: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 9 2017
Jan 9 2017
I don't think this is a release blocker because we don't see such crashes on real Mac drivers. We could defend against such blit by putting an artificial upper limit to the coordinates, but that's not spec compliant. Ken, Kai, what's your take on this?
Jan 9 2017
Not a release blocker, but we should add a workaround. Is this reproducible? Can we limit the maximum value to the value of the queryable parameter GL_MAX_VIEWPORT_DIMS?
Jan 9 2017
In theory you can blit from (100k, 100k) to (50k, 50k); it's the same as a blit from (w, h) to (w/2, h/2), where w, h is the actual fbo's size. I think we can put any large number as a high bound (and also a negative low bound), and any developer who goes beyond that being punished is OK.
Jan 9 2017
Yes, generating INVALID_OPERATION as an implementation detail sounds fine to me too.
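The defense discussed in the Jan 9 2017 comments (an artificial bound on the blit coordinates, rejected with INVALID_OPERATION before the call reaches the driver), written out as an added illustration rather than Chromium's own validation code; kMaxBlitCoordinate, the function name and the enum are assumed names. It also rejects a rectangle whose signed extent (x1 - x0) no longer fits an int32, a second way oversized coordinates can go wrong.

```cpp
#include <cstdint>

// Added example, not Chromium's code. kMaxBlitCoordinate is an assumed policy bound:
// any rectangle edge beyond it is refused before the driver sees the call, so the
// INT32_MAX destination from the test case above never reaches glBlitFramebuffer.
constexpr int32_t kMaxBlitCoordinate = 1 << 30;

// Outcome of validation: kOk means the call may be forwarded to GL; anything else
// means the command decoder should raise GL_INVALID_OPERATION and drop the call.
enum class BlitCheck { kOk, kCoordinateOutOfRange, kExtentOverflow };

// Blit rectangles may be flipped (c1 < c0), so the extent is signed. Compute it in
// 64 bits and check that it still fits the 32-bit type the driver works with.
static bool ExtentFitsInt32(int32_t c0, int32_t c1) {
  const int64_t extent = static_cast<int64_t>(c1) - static_cast<int64_t>(c0);
  return extent >= INT32_MIN && extent <= INT32_MAX;
}

BlitCheck ValidateBlitFramebufferRects(int32_t srcX0, int32_t srcY0, int32_t srcX1, int32_t srcY1,
                                       int32_t dstX0, int32_t dstY0, int32_t dstX1, int32_t dstY1) {
  const int32_t coords[] = {srcX0, srcY0, srcX1, srcY1, dstX0, dstY0, dstX1, dstY1};
  for (int32_t c : coords) {
    if (c < -kMaxBlitCoordinate || c > kMaxBlitCoordinate)
      return BlitCheck::kCoordinateOutOfRange;
  }
  if (!ExtentFitsInt32(srcX0, srcX1) || !ExtentFitsInt32(srcY0, srcY1) ||
      !ExtentFitsInt32(dstX0, dstX1) || !ExtentFitsInt32(dstY0, dstY1))
    return BlitCheck::kExtentOverflow;
  return BlitCheck::kOk;
}

int main() {
  // Same arguments as the test case above: 8x8 source, destination out to 0x7fffffff.
  BlitCheck r = ValidateBlitFramebufferRects(0, 0, 8, 8, 0, 0, 0x7fffffff, 0x7fffffff);
  return r == BlitCheck::kCoordinateOutOfRange ? 0 : 1;
}
```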
Jan 10 2017
Jan 13 2017
zmo@ - I'm afraid this is a security issue, so the fact it's not being seen isn't relevant; if this could be exploited then an attacker would contrive to trigger it. We mark security regressions as release blockers; comment 4 suggests that this has been around a while. Does it exist in stable?
Jan 13 2017
Yeah BlitFramebuffer has been exposed through an extension to the GPU process for a long time. That said, now we expose the API through WebGL2 to end users, making it more accessible. I can put up the defense as kbr suggested. I still don't think it's a threat in real world though. The crash came from the software renderer, not a real driver.
Jan 14 2017
awhalley@: more to the point: there are plenty of ways to crash Chrome's GPU process, including allocating tons of GPU resources. A GPU process crash is not inherently a security risk. Because of denial of service defenses that are already in Chrome, it will cause a WebGL context loss event, and prevent the domain from being able to run WebGL content until the user manually allows it again.
Jan 17 2017
Thanks for the details! Removing Release Block and moving to M57. Cheers!
Jan 19 2017
Feb 3 2017
Feb 6 2017
As explained above, this should not be a Release blocker.
Feb 7 2017
Feb 7 2017
Feb 8 2017
Feb 8 2017
A friendly reminder that the M57 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock; please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Feb 13 2017
Mar 17 2017
Mar 27 2017
Apr 5 2017
Apr 20 2017
Reading the thread, it's not clear if we consider this a security bug. Is there an invalid memory access here, or are we crashing in a controlled fashion?
Apr 20 2017
Crash came from driver, not from us. I don't think this is a security threat - crashing the driver / GPU process doesn't cause a vulnerability in Chrome.
May 5 2017
Looking more carefully at the test case, agreed that this isn't security relevant.
May 26 2017
ClusterFuzz has detected this issue as fixed in range 474922:474938.
Detailed report: https://clusterfuzz.com/testcase?key=5112085437743104
Fuzzer: inferno_twister_custom_bundle
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Bus
Crash Address: 0x603000040000
Crash State:
  storeColor
  glgProcessColor
  __glgProcessPixelsWithProcessor_block_invoke
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=434476:434480
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=474922:474938
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5112085437743104
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 28 2017
ClusterFuzz testcase 5112085437743104 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by sheriffbot@chromium.org, Nov 27 2016