heap-buffer-overflow linking shader inside PowerVR Rogue driver
Reported by mkrasow...@opera.com, Jan 17 2017
Issue description

Chrome Version: recent master (dddbf3dfa410003fd7af45513a488ac523ac660d)
OS: Android 6.0 on Nexus Player
Crash ID: (attached translated ASan in both multi- and single-process)

What steps will reproduce this crash (or if it's not reproducible, what were you doing just before the crash)?
(1) adb shell am start \
      -a android.intent.action.VIEW \
      -n org.chromium.content_shell_apk/.ContentShellActivity \
      --es activeUrl "http://chromium.org"

Can you reproduce this crash? Yes

01-17 13:36:45.426 17713 17756 I : =================================================================
01-17 13:36:45.426 17713 17756 I : ==17713==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xcb12d7f7 at pc 0xf72080b0 bp 0xac109ba8 sp 0xac109768
01-17 13:36:45.427 17713 17756 I : READ of size 18 at 0xcb12d7f7 thread T807 (Chrome_InProcGp)
01-17 13:36:45.436 17713 17756 I : #0 memcmp None
01-17 13:36:45.436 17713 17756 I : #1 0xce42109a (/system/vendor/lib/egl/libGLESv2_POWERVR_ROGUE.so+0x3c09a)
01-17 13:36:45.436 17713 17756 I : #2 0xce4273f2 (/system/vendor/lib/egl/libGLESv2_POWERVR_ROGUE.so+0x423f2)
01-17 13:36:45.437 17713 17756 I : #3 0xce499038 (/system/vendor/lib/egl/libGLESv2_POWERVR_ROGUE.so+0xb4038)
01-17 13:36:45.437 17713 17756 I : #4 gl::GLApiBase::glGetUniformLocationFn(unsigned int, char const*) /home/mkrasowski/chromium/src/out/asan_x86/../../ui/gl/gl_bindings_autogen_gl.cc:10472
01-17 13:36:45.437 17713 17756 I : #5 UpdateUniforms /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/program_manager.cc:821
01-17 13:36:45.437 17713 17756 I : #6 Update /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/program_manager.cc:756
01-17 13:36:45.437 17713 17756 I : #7 Link /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/program_manager.cc:1397
01-17 13:36:45.437 17713 17756 I : #8 DoLinkProgram /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:8607
01-17 13:36:45.438 17713 17756 I : #9 gpu::gles2::GLES2DecoderImpl::HandleLinkProgram(unsigned int, void const volatile*) /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:2402
01-17 13:36:45.438 17713 17756 I : #10 DoCommandsImpl<false> /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:5212
01-17 13:36:45.438 17713 17756 I : #11 gpu::gles2::GLES2DecoderImpl::DoCommands(unsigned int, void const volatile*, int, int*) /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:5264
01-17 13:36:45.438 17713 17756 I : #12 gpu::CommandParser::ProcessCommands(int) /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/cmd_parser.cc:53
01-17 13:36:45.438 17713 17756 I : #13 PutChanged /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/command_executor.cc:61
01-17 13:36:45.438 17713 17756 I : #14 PutChanged /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/ipc/service/gpu_command_buffer_stub.cc:960
01-17 13:36:45.439 17713 17756 I : #15 Invoke<gpu::GpuCommandBufferStub *> /home/mkrasowski/chromium/src/out/asan_x86/../../base/bind_internal.h:214
01-17 13:36:45.439 17713 17756 I : #16 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/callback.h:85
01-17 13:36:45.439 17713 17756 I : #17 OnAsyncFlush /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/ipc/service/gpu_command_buffer_stub.cc:911
01-17 13:36:45.439 17713 17756 I : #18 DispatchToMethodImpl<gpu::GpuCommandBufferStub *, void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::__ndk1::vector<ui::LatencyInfo, std::__ndk1::allocator<ui::LatencyInfo> > &), const std::__ndk1::tuple<int, unsigned int, std::__ndk1::vector<ui::LatencyInfo, std::__ndk1::allocator<ui::LatencyInfo> > > &, 0, 1, 2> /home/mkrasowski/chromium/src/out/asan_x86/../../base/tuple.h:91
01-17 13:36:45.439 17713 17756 I : #19 OnMessageReceived /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/ipc/service/gpu_command_buffer_stub.cc:298
01-17 13:36:45.440 17713 17756 I : #20 RouteMessage /home/mkrasowski/chromium/src/out/asan_x86/../../ipc/message_router.cc:56
01-17 13:36:45.440 17713 17756 I : #21 HandleMessageHelper /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/ipc/service/gpu_channel.cc:806
01-17 13:36:45.440 17713 17756 I : #22 HandleMessage /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/ipc/service/gpu_channel.cc:786
01-17 13:36:45.440 17713 17756 I : #23 Invoke<const base::WeakPtr<gpu::GpuChannel> &, const scoped_refptr<gpu::GpuChannelMessageQueue> &> /home/mkrasowski/chromium/src/out/asan_x86/../../base/bind_internal.h:214
01-17 13:36:45.440 17713 17756 I : #24 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/callback.h:68
01-17 13:36:45.440 17713 17756 I : #25 RunTask /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:421
01-17 13:36:45.441 17713 17756 I : #26 DeferOrRunPendingTask /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:430
01-17 13:36:45.441 17713 17756 I : #27 DoWork /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:523
01-17 13:36:45.441 17713 17756 I : #28 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_pump_default.cc:33
01-17 13:36:45.441 17713 17756 I : #29 RunHandler /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:386
01-17 13:36:45.441 17713 17756 I : #30 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/run_loop.cc:37
01-17 13:36:45.441 17713 17756 I : #31 base::Thread::Run(base::RunLoop*) /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/thread.cc:245
01-17 13:36:45.441 17713 17756 I : #32 ThreadMain /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/thread.cc:328
01-17 13:36:45.442 17713 17756 I : #33 ThreadFunc /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/platform_thread_posix.cc:71
01-17 13:36:45.442 17713 17756 I : #34 __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) None
01-17 13:36:45.442 17713 17756 I : #35 asan_thread_start(void*) None
01-17 13:36:45.442 17713 17756 I : #36 0xf6e108a9 (/system/lib/libc.so+0x988a9)
01-17 13:36:45.442 17713 17756 I : #37 0xf6da812a (/system/lib/libc.so+0x3012a)
01-17 13:36:45.442 17713 17756 I : #38 0xf6d8e686 (/system/lib/libc.so+0x16686)
01-17 13:36:45.443 17713 17756 I : 0xcb12d7f7 is located 0 bytes to the right of 7-byte region [0xcb12d7f0,0xcb12d7f7)
01-17 13:36:45.443 17713 17756 I : allocated by thread T807 (Chrome_InProcGp) here:
01-17 13:36:45.443 17713 17756 I : #0 malloc None
01-17 13:36:45.443 17713 17756 I : Thread T807 (Chrome_InProcGp) created by T793 (Chrome_IOThread) here:
01-17 13:36:45.444 17713 17756 I : #0 pthread_create None
01-17 13:36:45.444 17713 17756 I : #1 CreateThread /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/platform_thread_posix.cc:110
01-17 13:36:45.445 17713 17756 I : #2 base::PlatformThread::CreateWithPriority(unsigned int, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/platform_thread_posix.cc:191
01-17 13:36:45.445 17713 17756 I : #3 StartWithOptions /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/thread.cc:112
01-17 13:36:45.445 17713 17756 I : #4 Init /home/mkrasowski/chromium/src/out/asan_x86/../../content/browser/gpu/gpu_process_host.cc:609
01-17 13:36:45.445 17713 17756 I : #5 content::GpuProcessHost::Get(content::GpuProcessHost::GpuProcessKind, bool) /home/mkrasowski/chromium/src/out/asan_x86/../../content/browser/gpu/gpu_process_host.cc:380
01-17 13:36:45.445 17713 17756 I : #6 EstablishOnIO /home/mkrasowski/chromium/src/out/asan_x86/../../content/browser/gpu/browser_gpu_channel_host_factory.cc:111
01-17 13:36:45.445 17713 17756 I : #7 Invoke<const scoped_refptr<content::BrowserGpuChannelHostFactory::EstablishRequest> &> /home/mkrasowski/chromium/src/out/asan_x86/../../base/bind_internal.h:214
01-17 13:36:45.446 17713 17756 I : #8 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/callback.h:68
01-17 13:36:45.446 17713 17756 I : #9 RunTask /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:421
01-17 13:36:45.446 17713 17756 I : #10 DeferOrRunPendingTask /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:430
01-17 13:36:45.446 17713 17756 I : #11 DoWork /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:523
01-17 13:36:45.446 17713 17756 I : #12 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_pump_libevent.cc:218
01-17 13:36:45.446 17713 17756 I : #13 RunHandler /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:386
01-17 13:36:45.447 17713 17756 I : #14 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/run_loop.cc:37
01-17 13:36:45.447 17713 17756 I : #15 base::Thread::Run(base::RunLoop*) /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/thread.cc:245
01-17 13:36:45.447 17713 17756 I : #16 IOThreadRun /home/mkrasowski/chromium/src/out/asan_x86/../../content/browser/browser_thread_impl.cc:276
01-17 13:36:45.447 17713 17756 I : #17 Run /home/mkrasowski/chromium/src/out/asan_x86/../../content/browser/browser_thread_impl.cc:311
01-17 13:36:45.447 17713 17756 I : #18 ThreadMain /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/thread.cc:328
01-17 13:36:45.447 17713 17756 I : #19 ThreadFunc /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/platform_thread_posix.cc:71
01-17 13:36:45.448 17713 17756 I : #20 __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) None
01-17 13:36:45.448 17713 17756 I : Thread T793 (Chrome_IOThread) created by T0 (ntent_shell_apk) here:
01-17 13:36:45.448 17713 17756 I : #0 pthread_create None
01-17 13:36:45.448 17713 17756 I : #1 CreateThread /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/platform_thread_posix.cc:110
01-17 13:36:45.448 17713 17756 I : #2 base::PlatformThread::CreateWithPriority(unsigned int, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/platform_thread_posix.cc:191
01-17 13:36:45.449 17713 17756 I : #3 StartWithOptions /home/mkrasowski/chromium/src/out/asan_x86/../../base/threading/thread.cc:112
01-17 13:36:45.449 17713 17756 I : #4 StartWithOptions /home/mkrasowski/chromium/src/out/asan_x86/../../content/browser/browser_thread_impl.cc:402
01-17 13:36:45.449 17713 17756 I : #5 CreateThreads /home/mkrasowski/chromium/src/out/asan_x86/../../content/browser/browser_main_loop.cc:1128
01-17 13:36:45.449 17713 17756 I : #6 Invoke<content::BrowserMainLoop *> /home/mkrasowski/chromium/src/out/asan_x86/../../base/bind_internal.h:214
01-17 13:36:45.449 17713 17756 I : #7 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/callback.h:85
01-17 13:36:45.449 17713 17756 I : #8 Invoke<content::StartupTaskRunner *> /home/mkrasowski/chromium/src/out/asan_x86/../../base/bind_internal.h:214
01-17 13:36:45.450 17713 17756 I : #9 Run /home/mkrasowski/chromium/src/out/asan_x86/../../base/callback.h:68
01-17 13:36:45.450 17713 17756 I : #10 RunTask /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:421
01-17 13:36:45.450 17713 17756 I : #11 DeferOrRunPendingTask /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:430
01-17 13:36:45.450 17713 17756 I : #12 DoWork /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_loop.cc:523
01-17 13:36:45.450 17713 17756 I : #13 DoRunLoopOnce /home/mkrasowski/chromium/src/out/asan_x86/../../base/message_loop/message_pump_android.cc:44
01-17 13:36:45.450 17713 17756 I : #14 0xee109b0c (/data/app/org.chromium.content_shell_apk-1/oat/x86/base.odex+0x96cb0c)
01-17 13:36:45.451 17713 17756 I : SUMMARY: AddressSanitizer: heap-buffer-overflow (/system/lib/libclang_rt.asan-i686-android.so+0x4d0af)
01-17 13:36:45.451 17713 17756 I : Shadow bytes around the buggy address:
01-17 13:36:45.451 17713 17756 I :   0x19625aa0: fa fa 04 fa fa fa fd fd fa fa 01 fa fa fa 00 fa
01-17 13:36:45.451 17713 17756 I :   0x19625ab0: fa fa 04 fa fa fa 04 fa fa fa 00 02 fa fa 00 fa
01-17 13:36:45.451 17713 17756 I :   0x19625ac0: fa fa 00 04 fa fa 00 04 fa fa 00 01 fa fa 00 04
01-17 13:36:45.451 17713 17756 I :   0x19625ad0: fa fa 00 02 fa fa 00 00 fa fa 00 00 fa fa 06 fa
01-17 13:36:45.451 17713 17756 I :   0x19625ae0: fa fa 00 05 fa fa 01 fa fa fa 01 fa fa fa 01 fa
01-17 13:36:45.451 17713 17756 I : =>0x19625af0: fa fa 01 fa fa fa 00 02 fa fa 00 03 fa fa[07]fa
01-17 13:36:45.451 17713 17756 I :   0x19625b00: fa fa 00 02 fa fa 00 00 fa fa 00 05 fa fa 00 04
01-17 13:36:45.451 17713 17756 I :   0x19625b10: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 fa
01-17 13:36:45.451 17713 17756 I :   0x19625b20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 00
01-17 13:36:45.451 17713 17756 I :   0x19625b30: fa fa 00 04 fa fa 00 04 fa fa 04 fa fa fa 00 00
01-17 13:36:45.451 17713 17756 I :   0x19625b40: fa fa 00 04 fa fa 04 fa fa fa fd fa fa fa 00 04
01-17 13:36:45.451 17713 17756 I : Shadow byte legend (one shadow byte represents 8 application bytes):
01-17 13:36:45.451 17713 17756 I :   Addressable:           00
01-17 13:36:45.451 17713 17756 I :   Partially addressable: 01 02 03 04 05 06 07
01-17 13:36:45.451 17713 17756 I :   Heap left redzone:       fa
01-17 13:36:45.451 17713 17756 I :   Freed heap region:       fd
01-17 13:36:45.451 17713 17756 I :   Stack left redzone:      f1
01-17 13:36:45.451 17713 17756 I :   Stack mid redzone:       f2
01-17 13:36:45.451 17713 17756 I :   Stack right redzone:     f3
01-17 13:36:45.451 17713 17756 I :   Stack after return:      f5
01-17 13:36:45.451 17713 17756 I :   Stack use after scope:   f8
01-17 13:36:45.451 17713 17756 I :   Global redzone:          f9
01-17 13:36:45.451 17713 17756 I :   Global init order:       f6
01-17 13:36:45.451 17713 17756 I :   Poisoned by user:        f7
01-17 13:36:45.451 17713 17756 I :   Container overflow:      fc
01-17 13:36:45.451 17713 17756 I :   Array cookie:            ac
01-17 13:36:45.452 17713 17756 I :   Intra object redzone:    bb
01-17 13:36:45.452 17713 17756 I :   ASan internal:           fe
01-17 13:36:45.452 17713 17756 I :   Left alloca redzone:     ca
01-17 13:36:45.452 17713 17756 I :   Right alloca redzone:    cb
01-17 13:36:45.452 17713 17756 I : ==17713==ABORTING
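The triage question the thread goes on to settle by hand (is the faulting code Chrome's, or a vendor blob Chrome can only work around?) can be answered mechanically from the report above. The following is an added example, not code from the report, from Opera or from the Chromium project: it strips the logcat prefix, parses the ASan header, the access line, the access stack and the region line, and attributes the fault to the first frame that resolves to a module, using the assumption that anything under /system/vendor/ or /vendor/ is a vendor driver. The sample input is a constructed excerpt of the report's first lines; the 18-byte memcmp read starting 0 bytes past a 7-byte region gives an overrun of 18 bytes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (example data): the opening lines of the logcat-wrapped ASan report
# from this issue, trimmed to what the parser needs. Real input is a full logcat capture.
SAMPLE_LOG = """\
01-17 13:36:45.426 17713 17756 I : =================================================================
01-17 13:36:45.426 17713 17756 I : ==17713==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xcb12d7f7 at pc 0xf72080b0 bp 0xac109ba8 sp 0xac109768
01-17 13:36:45.427 17713 17756 I : READ of size 18 at 0xcb12d7f7 thread T807 (Chrome_InProcGp)
01-17 13:36:45.436 17713 17756 I : #0 memcmp None
01-17 13:36:45.436 17713 17756 I : #1 0xce42109a (/system/vendor/lib/egl/libGLESv2_POWERVR_ROGUE.so+0x3c09a)
01-17 13:36:45.436 17713 17756 I : #2 0xce4273f2 (/system/vendor/lib/egl/libGLESv2_POWERVR_ROGUE.so+0x423f2)
01-17 13:36:45.437 17713 17756 I : #3 0xce499038 (/system/vendor/lib/egl/libGLESv2_POWERVR_ROGUE.so+0xb4038)
01-17 13:36:45.437 17713 17756 I : #4 gl::GLApiBase::glGetUniformLocationFn(unsigned int, char const*) /home/mkrasowski/chromium/src/out/asan_x86/../../ui/gl/gl_bindings_autogen_gl.cc:10472
01-17 13:36:45.437 17713 17756 I : #5 UpdateUniforms /home/mkrasowski/chromium/src/out/asan_x86/../../gpu/command_buffer/service/program_manager.cc:821
01-17 13:36:45.443 17713 17756 I : 0xcb12d7f7 is located 0 bytes to the right of 7-byte region [0xcb12d7f0,0xcb12d7f7)
01-17 13:36:45.443 17713 17756 I : allocated by thread T807 (Chrome_InProcGp) here:
01-17 13:36:45.443 17713 17756 I : #0 malloc None
"""

# "MM-DD HH:MM:SS.mmm PID TID L tag: " as emitted by logcat (tag is empty in this report).
LOGCAT_PREFIX = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+[A-Z]\s*[^:]*:\s?")
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FRAME = re.compile(r"^#(\d+)\s+(.*\S)\s+(\S+)$")   # "#N symbol location"
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")

# Assumption: modules under these prefixes are vendor-supplied binaries, not first-party code.
VENDOR_PREFIXES = ("/system/vendor/", "/vendor/")


@dataclass
class Frame:
    index: int
    symbol: str
    location: str
    module: Optional[str]   # shared object or source file; None for interceptors/unsymbolized


@dataclass
class Report:
    bug_type: str = ""
    access: str = ""
    access_size: int = 0
    thread: str = ""
    offset: int = 0
    side: str = ""
    region_size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)   # access stack only


def strip_logcat(line: str) -> str:
    return LOGCAT_PREFIX.sub("", line).strip()


def module_of(location: str) -> Optional[str]:
    if location == "None":                  # sanitizer interceptor or unsymbolized frame
        return None
    if location.startswith("("):            # "(/path/lib.so+0xoffset)"
        return location[1:].split("+", 1)[0]
    return location.rsplit(":", 1)[0]       # "/path/file.cc:line"


def parse_asan_report(text: str) -> Report:
    report = Report()
    in_access_stack = False
    for raw in text.splitlines():
        line = strip_logcat(raw)
        m = HEADER.search(line)
        if m:
            report.bug_type = m.group(1)
            continue
        m = ACCESS.match(line)
        if m:
            report.access, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            in_access_stack = True
            continue
        m = FRAME.match(line)
        if m and in_access_stack:
            report.frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), module_of(m.group(3))))
            continue
        m = REGION.search(line)
        if m:
            report.offset, report.side, report.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            in_access_stack = False         # the allocation stack follows; not needed for attribution
    return report


def triage(report: Report) -> dict:
    """Attribute the fault to a module and quantify how far the access ran past the region."""
    faulting = next((f for f in report.frames if f.module is not None), None)
    first_party = next((f for f in report.frames
                        if f.module is not None and not f.module.startswith(VENDOR_PREFIXES)), None)
    origin = "unknown"
    if faulting is not None:
        origin = "vendor-driver" if faulting.module.startswith(VENDOR_PREFIXES) else "first-party"
    bytes_past_end = None
    if report.region_size is not None and report.side == "right":
        bytes_past_end = report.offset + report.access_size
    return {
        "bug_type": report.bug_type,
        "origin": origin,
        "faulting_module": faulting.module if faulting else None,
        "entry_point": first_party.symbol if first_party else None,   # first Chrome frame on the stack
        "bytes_past_end": bytes_past_end,
    }


if __name__ == "__main__":
    print(triage(parse_asan_report(SAMPLE_LOG)))
```

On the sample this yields origin "vendor-driver", faulting module libGLESv2_POWERVR_ROGUE.so, and glGetUniformLocationFn as the first Chrome frame, which is the same conclusion the thread reaches: the read happens inside the vendor library during link, so a fix on the Chrome side can at best avoid the call pattern, and the check that matters is whether a newer driver still reproduces it.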
Jan 17 2017

Jan 17 2017
This looks like a GPU-specific problem and not a general bug in Chromium's GL bindings. Removing Kai and myself from the CC: list and CC'ing some folks who work more on Chrome on Android's GPU stack.
Jan 17 2017
I guess this is an issue with the GPU driver, similar to https://bugs.chromium.org/p/chromium/issues/detail?id=527761#c12
Jan 17 2017

Jan 18 2017
It's restricted. Can you give me privileges to view it?
Jan 18 2017
There's not much useful information on http://crbug.com/527761, it's a Qualcomm shader compile crasher from a fuzzer. ssid@ was just noting the general pattern is similar.
Jan 18 2017
So... content shell crashes on Nexus Player 6.0 immediately on chromium.org (so presumably any other page as well), no other interaction required? Nexus Player has updated to 7.1 already. Can you see if this still happens there? I think Nexus Player is supposed to auto-update and there is no (easy) way to turn it off.
Jan 19 2017
There's no real-world problem with Nexus Player. This only happens within ASAN.
Jan 19 2017
Yep, I understand.
Jan 19 2017
@boliu, I can do that. I'll keep you posted.
Jan 19 2017
Chainfire's adb insecure doesn't work on this FW. I've got the su binary installed on the user build. tools/android/asan/third_party/asan_device_setup.sh doesn't work on a non-userdebug build. Do you have any good method for rooting Nexus Player 7.1.1? Can we somehow obtain userdebug builds for this device?
Jan 19 2017
Build AOSP? You'll probably need driver binaries as well: https://developers.google.com/android/drivers#fugunmf26r
Jan 19 2017
I'll do that. However, it will most probably take me a few days, so expect me to answer on Monday.
Jan 19 2017
Sure. I don't think there is any rush here. It's probably a driver bug, which means we probably can't do much from the Chrome side. And we need to check whether the latest driver still has the problem or not.
Jan 19 2017

Jan 20 2017
Huh, after flashing 'aosp_fugu-userdebug' built from the 'android-7.1.1_r7' branch I get stuck on boot. Could you point me to where I can get help? (boot logcat for context)
Jan 20 2017
Not sure... When you flashed the build, did you use the -w option to wipe the data partition? Maybe the new build doesn't like leftover files (although that's not supposed to happen on upgrades)? Otherwise, I don't know what it could be. Nothing very damning in those logs.
Jan 23 2017
I made a clean flash of vanilla NMF26R from https://developers.google.com/android/images#fugu, then flashed the compiled image with 'fastboot flashall -w'. Also tried flashing the boot/update.zip files built with 'make otapackage', with the same results. All the 3rd party binaries matching NMF26R were extracted prior to the build.
Mar 22 2017
Comment 1 by mkrasow...@opera.com, Jan 17 2017