Issue metadata
Use-of-uninitialized-value in gpu::gles2::GLES2DecoderImpl::HandleGetBooleanv
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5161371559002112
Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  gpu::gles2::GLES2DecoderImpl::HandleGetBooleanv
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
  gpu::CommandParser::ProcessCommands
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=450717:450741
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94eDJE__ivpL2FlmZdaHW31NGGdgQlwpStCGmeHMz3lAUfG_utNnnvUUNP8Dsgf741EscWbMIpeI5a9T1Y_UXC-BlvNYHXMMPBSoaQpa_-u5ApAPbhtFTrqtWP-OXmFRpMaCmdNPmgRw1hs9q2w3jl-2Wmm2faadBnPJO4bXrsox0_bWZ5kkfV3lQS4CpxigeHB89ODtNr-RveJMmI5KX-2eldQ4jTggeiGnS7zwVrFFeV3av6F_m2N2fOxUpTmrsOQnewbmVx5F12kGndKTP64s2Afp0l_VaXtdE-x7m1mNAfrSkR1nPA3DxsR9Tu_plS6xh7xfgQEYjU7Se3QvIoo6McJOMSOgBXubC5i9avEX2DbzVOVmvW2fgufehZgh_ztij6NKZUtYuMNYCsUVusiw5sm4w?testcase_id=5161371559002112

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 17 2017
Looks like ANGLE is erroring out with GL_INVALID_ENUM for glGetIntegerv(GL_UNIFORM_BUFFER_SIZE), which means that the params variable isn't written to. This uninitialized data is then copied to the transfer buffer, and reading it back in is causing the uninitialized read. I think giving an error for that enum may be a bug in ANGLE. Also it might be best if Chrome initialized that memory before asking the driver to write to it.
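The failure mode described in this comment, as an added example that is not Chromium's or ANGLE's code: a constructed stand-in driver (`fake_glGetIntegerv`, `fake_glGetError`, the `FAKE_GL_*` values and `STALE_PATTERN` are all assumptions made for this demo) rejects the enum without writing to `params`; `query_unsafe_first` shows the buggy caller that copies the untouched buffer out anyway, and `query_safe` shows the mitigation the comment suggests, zero-initializing the buffer before the driver call and checking the error before handing anything back.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in enum values (not the real GL header values). */
enum {
    FAKE_GL_NO_ERROR = 0,
    FAKE_GL_INVALID_ENUM = 0x0500,
    FAKE_GL_MAX_TEXTURE_SIZE = 0x0D33,
    FAKE_GL_UNIFORM_BUFFER_SIZE = 0x8A2A
};

#define FAKE_MAX_PARAMS 4
#define STALE_PATTERN 0x5A5A5A5A   /* stands in for whatever was left on the stack */

static int g_last_error = FAKE_GL_NO_ERROR;

/* Stand-in driver with the behaviour the comment describes: a non-indexed
 * query for an indexed-only pname records GL_INVALID_ENUM and writes nothing
 * to params. Only GL_MAX_TEXTURE_SIZE is "supported" in this toy driver. */
static void fake_glGetIntegerv(int pname, int *params) {
    if (pname == FAKE_GL_MAX_TEXTURE_SIZE) {
        params[0] = 4096;
        return;
    }
    g_last_error = FAKE_GL_INVALID_ENUM;
}

/* glGetError semantics: return the pending error and clear it. */
static int fake_glGetError(void) {
    int e = g_last_error;
    g_last_error = FAKE_GL_NO_ERROR;
    return e;
}

/* Bug pattern: the local result buffer is never initialized and the driver's
 * error status is never consulted, so whatever was in the buffer is copied to
 * the transfer buffer. A fixed pattern replaces real stale stack bytes so the
 * run is deterministic; the real uninitialized read is what MSAN flagged.
 * Returns the first value that would have reached the transfer buffer. */
int query_unsafe_first(int pname) {
    int params[FAKE_MAX_PARAMS];
    for (size_t i = 0; i < FAKE_MAX_PARAMS; ++i) params[i] = STALE_PATTERN;
    fake_glGetIntegerv(pname, params);
    int transfer_copy[FAKE_MAX_PARAMS];
    memcpy(transfer_copy, params, sizeof(params));   /* no error check */
    return transfer_copy[0];
}

typedef struct {
    int ok;                       /* 1 if the driver accepted the query */
    int values[FAKE_MAX_PARAMS];  /* zero-filled unless ok == 1 */
} QueryResult;

/* Hardened pattern: zero the buffer before the driver touches it, drain any
 * pending errors so the check below is attributable to this call, and refuse
 * to hand back data when the driver reported an error. */
QueryResult query_safe(int pname) {
    QueryResult r;
    memset(&r, 0, sizeof(r));
    while (fake_glGetError() != FAKE_GL_NO_ERROR) { /* clear stale errors */ }
    fake_glGetIntegerv(pname, r.values);
    if (fake_glGetError() != FAKE_GL_NO_ERROR) {
        memset(r.values, 0, sizeof(r.values));  /* never expose partial writes */
        r.ok = 0;
        return r;
    }
    r.ok = 1;
    return r;
}
```

Draining pending errors before the query matters because GL error state is sticky: without it, an earlier unrelated error would make the hardened path reject a query the driver actually answered.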
Feb 17 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 17 2017
Geoff is out until Tuesday, can look.
Feb 17 2017
John or Mo, can you help with this? I am having trouble debugging the crash, I can't seem to printf, trigger crashes, or debug with gdb. ANGLE certainly *should* be returning INVALID_ENUM if command buffer is calling glGetIntegerv(GL_UNIFORM_BUFFER_SIZE), since this is an indexed query value (glGetInteger64i_v). ANGLE should be correctly downcasting 64-bit values if it is called with glGetIntegeri_v instead of the 64-bit version.
Feb 17 2017
Not a Release blocker because the feature isn't shipped yet
Feb 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8957bc684e5bd230a61a47c1740329a6b47759d5

commit 8957bc684e5bd230a61a47c1740329a6b47759d5
Author: zmo <zmo@chromium.org>
Date: Sat Feb 18 01:18:09 2017

A potential use of uninitialized data on buggy driver impl.

BUG= 693072
TEST=test listed in the bug
R=jbauman@chromium.org,jmadill@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2699033003
Cr-Commit-Position: refs/heads/master@{#451408}

[modify] https://crrev.com/8957bc684e5bd230a61a47c1740329a6b47759d5/gpu/command_buffer/service/gles2_cmd_decoder.cc
Feb 18 2017
ClusterFuzz has detected this issue as fixed in range 451393:451409.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5161371559002112
Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  gpu::gles2::GLES2DecoderImpl::HandleGetBooleanv
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
  gpu::CommandParser::ProcessCommands
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=450717:450741
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=451393:451409
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94eDJE__ivpL2FlmZdaHW31NGGdgQlwpStCGmeHMz3lAUfG_utNnnvUUNP8Dsgf741EscWbMIpeI5a9T1Y_UXC-BlvNYHXMMPBSoaQpa_-u5ApAPbhtFTrqtWP-OXmFRpMaCmdNPmgRw1hs9q2w3jl-2Wmm2faadBnPJO4bXrsox0_bWZ5kkfV3lQS4CpxigeHB89ODtNr-RveJMmI5KX-2eldQ4jTggeiGnS7zwVrFFeV3av6F_m2N2fOxUpTmrsOQnewbmVx5F12kGndKTP64s2Afp0l_VaXtdE-x7m1mNAfrSkR1nPA3DxsR9Tu_plS6xh7xfgQEYjU7Se3QvIoo6McJOMSOgBXubC5i9avEX2DbzVOVmvW2fgufehZgh_ztij6NKZUtYuMNYCsUVusiw5sm4w?testcase_id=5161371559002112

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 18 2017
ClusterFuzz testcase 5161371559002112 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by raymes@chromium.org, Feb 16 2017
Labels: Pri-1
Owner: jbau...@chromium.org
Status: Assigned (was: Untriaged)