capn can you please take a look? Thanks!

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This is crashing because 0x12f00 is passed into a glTexImage2D() call as the pointer to read pixels from, but it's not a valid address. So it's not a SwiftShader bug.

Note that it's an OpenGL ES 2.0 context, so there's no pixel unpack buffer bound (in which case the pointer would have been interpreted as an offset which can be validated against the buffer size). It doesn't crash with ANGLE because it calls TextureNULL::setImage() which does nothing but has a TODO to read all incoming pixel data to catch validation bugs.

This is probably not P1 or even a real security issue because there's no client accessible way to call glTexImage2D() with an invalid pointer, but I'll let others with more knowledge of the command buffer change the labels if appropriate.

Antoine, could you look into this or reassign?

Security concern is probably real, because any input given to the fuzzer can be given verbatim via a malicious NaCl/PNaCl module (or a compromized renderer).

I will take a look. Command Buffers obviously shouldn't pass invalid pointers to the driver.
Probably not a regression per se, just a good find from the fuzzer (that's why we have it).

Fix here: https://chromium-review.googlesource.com/c/553418/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/52d6b03db3028ff9bfe379f4495ab8d917b47394

commit 52d6b03db3028ff9bfe379f4495ab8d917b47394
Author: Antoine Labour <piman@chromium.org>
Date: Thu Jul 06 17:21:48 2017

Reject raw pointers in *TexSubImage*

When the *TexSubImage* commands specify a 0 shm, we interpret the offset as the
raw value to pass to the underlying driver. This makes sense when a PBO is
bound, but if it is not, the raw value is treated as a pointer on the service
side which is undesirable. Reject all such cases.

Bug:  734245 
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: Ibf1f0aa226c15ef7c539667fac687cf3222bedf0
Reviewed-on: https://chromium-review.googlesource.com/553418
Commit-Queue: Antoine Labour <piman@chromium.org>
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#484649}
[modify] https://crrev.com/52d6b03db3028ff9bfe379f4495ab8d917b47394/gpu/command_buffer/service/gles2_cmd_decoder.cc
[modify] https://crrev.com/52d6b03db3028ff9bfe379f4495ab8d917b47394/gpu/command_buffer/service/gles2_cmd_decoder_unittest_textures.cc
[modify] https://crrev.com/52d6b03db3028ff9bfe379f4495ab8d917b47394/gpu/command_buffer/service/texture_manager.cc
[modify] https://crrev.com/52d6b03db3028ff9bfe379f4495ab8d917b47394/ui/gl/gl_mock.h

ClusterFuzz has detected this issue as fixed in range 484645:484777.

Detailed report: https://clusterfuzz.com/testcase?key=5141266831769600

Fuzzer: libFuzzer_gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000012f00
Crash State:
  void LoadImageRow<
  void LoadImageData<
  egl::Image::loadImageData
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479882:479941
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=484645:484777

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5141266831769600


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5141266831769600 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot