Stack-buffer-overflow in sw::Nucleus::createConstantVector
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5316997610209280

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Stack-buffer-overflow READ {*}
Crash Address: 0x00ef982f
Crash State:
  sw::Nucleus::createConstantVector
  sw::Nucleus::createNullValue
  sw::Int4::Int4

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=464127:464479

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97auy3SkX0BZRRdKD6kpIhWHXTMa9GgvuECaM-24Yd5l7Gpf3oxbwpOs3Qv3y-3s_kZz33nRLx84I25pw2l_bGDtb9x31m4RWs0fQ7ll5oYYjWBUMyfC_enHlA25kA2wh4k3xNsr8QrV3ex1e9cqk5jQF_ZAGnrgA-nmIC6cRXq5XuWn7eKWbuYoyRNocKfebrgAGeqIMj2p_slvRso20vhMTC-a61e6ETxyicxJAHbXmE-YDaiv5lLAkj-5bvbmKHOsndA0mY80AVABk7KzqKSSjwujI-KoDt3a3KjbjYD9K88rpUdiqXElJSBjaiKcsW04l1u9DiGpbrWlQIAIYnezdXZRmVRrDNtSVV3mlgk52-0QCk?testcase_id=5316997610209280

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
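The report above names the bug class (an ASan stack-buffer-overflow READ while building a constant vector, reached from the null-value constructor of a 4-lane integer type) but shows none of the code. The following C program is an added illustration of that class and is not SwiftShader's code: the type `Vec4`, the helper names, the two-element sample array and the zero-fill behaviour are all assumptions chosen to show how a fixed-width read from a shorter caller-supplied array over-reads the caller's stack frame, and what the bounds-checked form looks like. Build with `-fsanitize=address -DTRIGGER_OVERREAD` to see ASan report the same crash type as the tracker entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 4-lane 32-bit vector, standing in for a type such as Int4.
   Assumption: the page names sw::Int4 but shows none of its layout. */
#define VECTOR_LANES 4
typedef struct { int32_t lane[VECTOR_LANES]; } Vec4;

/* Constructed sample input: only two constants, fewer than VECTOR_LANES. */
const int32_t kSampleConstants[2] = { 7, 9 };

/* Bug-class illustration, not SwiftShader's createConstantVector: the helper
   assumes the caller always supplies VECTOR_LANES constants. When the caller's
   array is shorter, lanes 2 and 3 are read past its end, which ASan reports as
   "stack-buffer-overflow READ" when that array lives on the caller's stack. */
Vec4 create_constant_vector_unchecked(const int32_t *constants)
{
    Vec4 v;
    for (size_t i = 0; i < VECTOR_LANES; i++) {
        v.lane[i] = constants[i];   /* out-of-bounds read when fewer than 4 constants */
    }
    return v;
}

/* Hardened form: the element count travels with the pointer, the count is
   validated against the vector width, and lanes the caller did not supply are
   zero-filled. Returns 0 on success, -1 when the request is rejected. */
int create_constant_vector_checked(const int32_t *constants, size_t count, Vec4 *out)
{
    if (out == NULL || count > VECTOR_LANES || (constants == NULL && count != 0)) {
        return -1;
    }
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < count; i++) {
        out->lane[i] = constants[i];   /* i < count <= VECTOR_LANES: always in bounds */
    }
    return 0;
}

/* A null (all-zero) vector is the checked constant vector built from no
   constants, mirroring the createNullValue -> createConstantVector call chain
   in the crash state above (the zero-fill is this example's assumption). */
Vec4 create_null_vector(void)
{
    Vec4 v;
    create_constant_vector_checked(NULL, 0, &v);   /* cannot fail: count 0 is valid */
    return v;
}

/* Accessors so the checked behaviour can be exercised from a test harness.
   INT32_MIN is used as a sentinel for "rejected" or "lane out of range". */
int32_t checked_lane(const int32_t *constants, size_t count, size_t lane)
{
    Vec4 v;
    if (lane >= VECTOR_LANES || create_constant_vector_checked(constants, count, &v) != 0) {
        return INT32_MIN;
    }
    return v.lane[lane];
}

int32_t null_vector_lane(size_t lane)
{
    Vec4 v = create_null_vector();
    return lane < VECTOR_LANES ? v.lane[lane] : INT32_MIN;
}

int main(void)
{
    Vec4 v;
    if (create_constant_vector_checked(kSampleConstants, 2, &v) == 0) {
        printf("checked: %d %d %d %d\n", v.lane[0], v.lane[1], v.lane[2], v.lane[3]);
    }
    printf("count 5 rejected: %s\n",
           create_constant_vector_checked(kSampleConstants, 5, &v) != 0 ? "yes" : "no");

#ifdef TRIGGER_OVERREAD
    /* cc -g -fsanitize=address -DTRIGGER_OVERREAD demo.c
       short_on_stack sits in this frame, so the unchecked helper's reads of
       lanes 2 and 3 produce an ASan stack-buffer-overflow READ report. */
    int32_t short_on_stack[2] = { 1, 2 };
    Vec4 bad = create_constant_vector_unchecked(short_on_stack);
    printf("unchecked (undefined behaviour): %d\n", bad.lane[3]);
#endif
    return 0;
}
```

The checked version fixes the class rather than the symptom: the width of the destination and the length of the source are compared explicitly, and the caller cannot pass a pointer without also stating how many elements stand behind it.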
Apr 18 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 18 2017
The following revision refers to this bug:
https://swiftshader.googlesource.com/SwiftShader.git/+/30385f0f418b2c366acd7ef9bf6024b41bd4a1e1

commit 30385f0f418b2c366acd7ef9bf6024b41bd4a1e1
Author: Nicolas Capens <capn@google.com>
Date: Tue Apr 18 17:17:08 2017

Fix buffer overflow.

Bug chromium:712624
Change-Id: I8e7813aac44c9fef1a2311be550da8cea5a65d16
Reviewed-on: https://swiftshader-review.googlesource.com/9330
Reviewed-by: Nicolas Capens <capn@google.com>
Tested-by: Nicolas Capens <capn@google.com>

[modify] https://crrev.com/30385f0f418b2c366acd7ef9bf6024b41bd4a1e1/src/Reactor/SubzeroReactor.cpp
Apr 18 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bc7e2f84f28afd7fc567685df21b3f7e43fe80d3

commit bc7e2f84f28afd7fc567685df21b3f7e43fe80d3
Author: capn <capn@chromium.org>
Date: Tue Apr 18 23:01:02 2017

Roll SwiftShader 400667e..30385f0

https://swiftshader.googlesource.com/SwiftShader.git/+log/400667e..30385f0

Includes buffer overrun fix.

BUG= 712624
TBR=kbr@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2822023004
Cr-Commit-Position: refs/heads/master@{#465410}

[modify] https://crrev.com/bc7e2f84f28afd7fc567685df21b3f7e43fe80d3/DEPS
Apr 19 2017
The fix has landed in master, but I'm not a committer so if this needs to be cherry-picked please go ahead or assign it to someone who can take care of it.
Apr 19 2017
ClusterFuzz has detected this issue as fixed in range 465403:465427.

Detailed report: https://clusterfuzz.com/testcase?key=5316997610209280

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Stack-buffer-overflow READ {*}
Crash Address: 0x00ef982f
Crash State:
  sw::Nucleus::createConstantVector
  sw::Nucleus::createNullValue
  sw::Int4::Int4

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=464127:464479
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=465403:465427

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97auy3SkX0BZRRdKD6kpIhWHXTMa9GgvuECaM-24Yd5l7Gpf3oxbwpOs3Qv3y-3s_kZz33nRLx84I25pw2l_bGDtb9x31m4RWs0fQ7ll5oYYjWBUMyfC_enHlA25kA2wh4k3xNsr8QrV3ex1e9cqk5jQF_ZAGnrgA-nmIC6cRXq5XuWn7eKWbuYoyRNocKfebrgAGeqIMj2p_slvRso20vhMTC-a61e6ETxyicxJAHbXmE-YDaiv5lLAkj-5bvbmKHOsndA0mY80AVABk7KzqKSSjwujI-KoDt3a3KjbjYD9K88rpUdiqXElJSBjaiKcsW04l1u9DiGpbrWlQIAIYnezdXZRmVRrDNtSVV3mlgk52-0QCk?testcase_id=5316997610209280

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 19 2017
ClusterFuzz testcase 5316997610209280 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 20 2017
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 20 2017
+awhalley@ for security review.
Apr 20 2017
abdulsyed@ - good for 59
Apr 21 2017
based on comment 15, approving merge for M59.
Apr 21 2017
Please merge your change to M59 branch #3071 latest before 4:00 PM PT, Monday (04/24) so we can take it for next week last M59 dev release. Thank you.
Apr 24 2017
I don't know the procedure for merging SwiftShader to a branch, so I'm not the right owner for this.
Apr 25 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2017
Hi capn@ - are you able to do the merge to 59?
Apr 26 2017
I'm not a Chromium committer, so I can't use Drover, but I can manually prepare a cherry-pick of https://chromium.googlesource.com/chromium/src.git/+/bc7e2f84f28afd7fc567685df21b3f7e43fe80d3 if that helps?
Apr 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ede61fa298e52aad0cbab98b73def75d564e6089

commit ede61fa298e52aad0cbab98b73def75d564e6089
Author: capn <capn@chromium.org>
Date: Wed Apr 26 14:52:59 2017

Roll SwiftShader 400667e..30385f0

https://swiftshader.googlesource.com/SwiftShader.git/+log/400667e..30385f0

Includes buffer overrun fix.

BUG= 712624
TBR=kbr@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

(cherry picked from commit bc7e2f84f28afd7fc567685df21b3f7e43fe80d3)

Review-Url: https://codereview.chromium.org/2822023004
Cr-Original-Commit-Position: refs/heads/master@{#465410}
Change-Id: I471404d62ad7d664fc05689c16821ffef6c53591
Reviewed-on: https://chromium-review.googlesource.com/487505
Reviewed-by: Andrew Whalley <awhalley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3071@{#225}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/ede61fa298e52aad0cbab98b73def75d564e6089/DEPS
Apr 26 2017
capn@ - many thanks!
May 18 2017
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/4c54802b8c32deb32093688a836a8c17cdfe8bc6

commit 4c54802b8c32deb32093688a836a8c17cdfe8bc6
Author: Nicolas Capens <capn@google.com>
Date: Thu May 18 15:31:13 2017
Jul 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot