Issue 692274

Issue metadata

Status: Verified
Owner:
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security
Incorrect-function-pointer-type in gl::InitializeANGLEPlatform

Reported by ClusterFuzz (Project Member), Feb 14 2017

Issue description

Comment 1 by sheriffbot@chromium.org (Project Member), Feb 15 2017

Labels: M-58
Comment 2 by sheriffbot@chromium.org (Project Member), Feb 15 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 3 by sheriffbot@chromium.org (Project Member), Feb 15 2017

Labels: Pri-1

Comment 4 by och...@chromium.org, Feb 15 2017

Owner: jmad...@chromium.org
Status: Assigned (was: Untriaged)
jmadill, is this the same as bug 678870?

Comment 5 by och...@chromium.org, Feb 15 2017

Components: Internals>GPU>ANGLE
Status: Started (was: Assigned)
Very similar. Looking.
Labels: -Pri-1 -ReleaseBlock-Beta Pri-2
Note that this is not a dangerous UB, but should be addressed.
Comment 8 by bugdroid1@chromium.org (Project Member), Feb 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/abe89c7d32d719ffd86ce2400505188b52b55e4c

commit abe89c7d32d719ffd86ce2400505188b52b55e4c
Author: Jamie Madill <jmadill@chromium.org>
Date: Thu Feb 16 16:20:22 2017

Tweak platform method signatures.

This works around a limitation in UBSAN which can't handle decltype.
Instead use void * and typedef where appropriate.

BUG= chromium:692274 

Change-Id: I4eab796db3aa2e51c0fc558170eb2af61f07223d
Reviewed-on: https://chromium-review.googlesource.com/443885
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/abe89c7d32d719ffd86ce2400505188b52b55e4c/include/platform/Platform.h
[modify] https://crrev.com/abe89c7d32d719ffd86ce2400505188b52b55e4c/src/libANGLE/Platform.cpp

Comment 9 by bugdroid1@chromium.org (Project Member), Feb 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/68df1e047d45214f4f5d5d4c43b720f539a88f99

commit 68df1e047d45214f4f5d5d4c43b720f539a88f99
Author: jmadill <jmadill@chromium.org>
Date: Thu Feb 16 19:49:15 2017

Roll ANGLE feb8c68..abe89c7

https://chromium.googlesource.com/angle/angle.git/+log/feb8c68..abe89c7

BUG=692613,692618, chromium:692274 

TBR=geofflang@chromium.org

TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2699923002
Cr-Commit-Position: refs/heads/master@{#451062}

[modify] https://crrev.com/68df1e047d45214f4f5d5d4c43b720f539a88f99/DEPS

Comment 10 by ClusterFuzz (Project Member), Feb 17 2017

ClusterFuzz has detected this issue as fixed in range 451020:451115.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6110477995474944

Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Incorrect-function-pointer-type
Crash Address: 
Crash State:
  gl::InitializeANGLEPlatform
  gl::GLSurfaceEGL::InitializeDisplay
  gl::GLSurfaceEGL::InitializeOneOff
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=450383:450426
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=451020:451115

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95xUHHLMMOqrQ1vXxK2VSqWz9-I2V_QpY6RfdiOT6eoOTyxn8YgnvUlnCp1zqN76-bPY4Hhc7QfPtbdW4nTXTed_KBtF4X8yf479b9Qnsp4eDJ6_O7mkb4eluIykxC37i2KBrHL3wqzCiDAf9ba0ajtTwtzW-xlLEoXfhlh5y2_xKHuZnA3zfmab1v01n8aYHg4JxFcSQJTyG8jCGWDd6eCKmrn33wKvyTeXoZ8dt8sDRBe9vs-dOJrdWcOcSqNkZIcApSJBh6sxws42HcWbTEqC61DskpVzso2Q0uwLW6p97zfXy7kPFmk_BQnP-YW4ICHIl5rirRVAIbX90Y4CkL5NsLzmlrLf7U2cmVhm2Eixp7fV4icvqTgq2fl77EIxpGMbr96Cm1nVlIFnsAxsEVcbq80tQ?testcase_id=6110477995474944


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11 by ClusterFuzz (Project Member), Feb 17 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6110477995474944 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 12 by sheriffbot@chromium.org (Project Member), Feb 17 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 13 by sheriffbot@chromium.org (Project Member), May 26 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot