Issue metadata
heap-buffer-overflow CopyNativeVertexData in ANGLE
Reported by om...@krash.in, Sep 8 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Steps to reproduce the problem:
1. Run the attached file to get a heap-bo in ANGLE. I have tested this on an ASAN build.
What is the expected behavior?
What went wrong?
==13980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5000a0a0 at pc 0x00e52557 bp 0x0588c0f0 sp 0x0588c0e0
READ of size 96 at 0x5000a0a0 thread T0
#0 0xe52571 in __asan_memcpy e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_interceptors_memintrinsics.cc:23
#1 0x5fc757ad in rx::CopyNativeVertexData<float,3,3,0> C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\copyvertex.inl:17
#2 0x5fc6473c in rx::VertexBuffer11::storeVertexAttributes C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\VertexBuffer11.cpp:135
#3 0x5fde8645 in rx::StreamingVertexBufferInterface::storeDynamicAttribute C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\VertexBuffer.cpp:177
#4 0x5fc8b359 in rx::VertexDataManager::storeDynamicAttrib C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\VertexDataManager.cpp:512
#5 0x5fc8a8a3 in rx::VertexDataManager::storeDynamicAttribs C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\VertexDataManager.cpp:420
#6 0x5fc5b7e7 in rx::VertexArray11::updateDirtyAndDynamicAttribs C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\VertexArray11.cpp:238
#7 0x5fb07d6a in rx::StateManager11::applyVertexBuffer C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp:1904
#8 0x5f9b30b3 in rx::Renderer11::genericDrawArrays C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Renderer11.cpp:4206
#9 0x5fc76aba in rx::Context11::drawArrays C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Context11.cpp:156
#10 0x5f6d0919 in gl::Context::drawArrays C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\Context.cpp:1750
#11 0x1b15ba73 in gpu::gles2::GLES2DecoderImpl::DoDrawArrays C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:10384
#12 0x1b0a80dd in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:10406
#13 0x1b12885f in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5381
#14 0x1b127488 in gpu::gles2::GLES2DecoderImpl::DoCommands C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5432
#15 0x1b09bcf0 in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\command_buffer_service.cc:90
#16 0x1b717baa in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_command_buffer_stub.cc:996
#17 0x1b717403 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release_coverage\src\ipc\ipc_message_templates.h:145
#18 0x1b710f2e in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_command_buffer_stub.cc:308
#19 0x1b6fc23f in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_channel.cc:1037
#20 0x1b6ec8d8 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_channel.cc:985
#21 0x1b7040d1 in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const IPC::Message &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta> >,void ()>::RunOnce C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:319
#22 0x1b1c85e5 in gpu::Scheduler::RunNextTask C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\scheduler.cc:501
#23 0x13de6254 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release_coverage\src\base\debug\task_annotator.cc:63
#24 0x13e9db66 in base::internal::IncomingTaskQueue::RunTask C:\b\c\b\win_asan_release_coverage\src\base\message_loop\incoming_task_queue.cc:143
#25 0x13cc5533 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:406
#26 0x13cc6508 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:417
#27 0x13cc7081 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:524
#28 0x13ea4ec4 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_pump_default.cc:33
#29 0x13cc4240 in base::MessageLoop::Run C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:346
#30 0x13d65bbc in base::RunLoop::Run C:\b\c\b\win_asan_release_coverage\src\base\run_loop.cc:123
#31 0x19316dff in content::GpuMain C:\b\c\b\win_asan_release_coverage\src\content\gpu\gpu_main.cc:302
#32 0x13b37e2d in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:426
#33 0x13b3968e in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:709
#34 0x13b51d4b in service_manager::Main C:\b\c\b\win_asan_release_coverage\src\services\service_manager\embedder\main.cc:469
#35 0x13b379e8 in content::ContentMain C:\b\c\b\win_asan_release_coverage\src\content\app\content_main.cc:19
#36 0xfe212c6 in ChromeMain C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_main.cc:122
#37 0xa5c0fc in MainDllLoader::Launch C:\b\c\b\win_asan_release_coverage\src\chrome\app\main_dll_loader_win.cc:199
#38 0xa51f5d in main C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_exe_main_win.cc:275
#39 0xe6365a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
#40 0x73b58743 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b818743)
#41 0x76f3582c in RtlGetAppContainerNamedObjectPath+0xfc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e582c)
#42 0x76f357fc in RtlGetAppContainerNamedObjectPath+0xcc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e57fc)
0x5000a0a0 is located 0 bytes to the right of 16-byte region [0x5000a090,0x5000a0a0)
allocated by thread T0 here:
#0 0xe5221c in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
#1 0x5fe1a8c1 in angle::MemoryBuffer::resize C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\common\MemoryBuffer.cpp:44
#2 0x5fc47377 in rx::Buffer11::SystemMemoryStorage::resize C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:1526
#3 0x5fc354fe in rx::Buffer11::setSubData C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:391
#4 0x5fc33742 in rx::Buffer11::setData C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:322
#5 0x5f95c6e4 in gl::Buffer::bufferData C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\Buffer.cpp:82
#6 0x5f6e47c1 in gl::Context::bufferData C:\b\c\b\win_asan_release_coverage\src\third_party\angle\src\libANGLE\Context.cpp:3933
#7 0x1b25e101 in gpu::gles2::BufferManager::DoBufferData C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\buffer_manager.cc:459
#8 0x1b25da48 in gpu::gles2::BufferManager::ValidateAndDoBufferData C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\buffer_manager.cc:431
#9 0x1b0a18f8 in gpu::gles2::GLES2DecoderImpl::HandleBufferData C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:12834
#10 0x1b12885f in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<0> C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5381
#11 0x1b127488 in gpu::gles2::GLES2DecoderImpl::DoCommands C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\gles2_cmd_decoder.cc:5432
#12 0x1b09bcf0 in gpu::CommandBufferService::Flush C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\command_buffer_service.cc:90
#13 0x1b717baa in gpu::GpuCommandBufferStub::OnAsyncFlush C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_command_buffer_stub.cc:996
#14 0x1b717403 in IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int,std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > >,void>::Dispatch<gpu::GpuCommandBufferStub,gpu::GpuCommandBufferStub,void,void (gpu::GpuCommandBufferStub::*)(int, unsigned int, const std::vector<ui::LatencyInfo,std::allocator<ui::LatencyInfo> > &) __attribute__((thiscall))> C:\b\c\b\win_asan_release_coverage\src\ipc\ipc_message_templates.h:145
#15 0x1b710f2e in gpu::GpuCommandBufferStub::OnMessageReceived C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_command_buffer_stub.cc:308
#16 0x1b6fc23f in gpu::GpuChannel::HandleMessageHelper C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_channel.cc:1037
#17 0x1b6ec8d8 in gpu::GpuChannel::HandleMessage C:\b\c\b\win_asan_release_coverage\src\gpu\ipc\service\gpu_channel.cc:985
#18 0x1b7040d1 in base::internal::Invoker<base::internal::BindState<void (gpu::GpuChannel::*)(const IPC::Message &) __attribute__((thiscall)),base::WeakPtr<gpu::GpuChannel>,IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta> >,void ()>::RunOnce C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:319
#19 0x1b1c85e5 in gpu::Scheduler::RunNextTask C:\b\c\b\win_asan_release_coverage\src\gpu\command_buffer\service\scheduler.cc:501
#20 0x13de6254 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release_coverage\src\base\debug\task_annotator.cc:63
#21 0x13e9db66 in base::internal::IncomingTaskQueue::RunTask C:\b\c\b\win_asan_release_coverage\src\base\message_loop\incoming_task_queue.cc:143
#22 0x13cc5533 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:406
#23 0x13cc6508 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:417
#24 0x13cc7081 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:524
#25 0x13ea4ec4 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_pump_default.cc:33
#26 0x13cc4240 in base::MessageLoop::Run C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:346
#27 0x13d65bbc in base::RunLoop::Run C:\b\c\b\win_asan_release_coverage\src\base\run_loop.cc:123
#28 0x19316dff in content::GpuMain C:\b\c\b\win_asan_release_coverage\src\content\gpu\gpu_main.cc:302
SUMMARY: AddressSanitizer: heap-buffer-overflow e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_interceptors_memintrinsics.cc:23 in __asan_memcpy
Shadow bytes around the buggy address:
0x3a0013c0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 fa
0x3a0013d0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa fd fa
0x3a0013e0: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa fd fa
0x3a0013f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x3a001400: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa 00 04
=>0x3a001410: fa fa 00 00[fa]fa 00 00 fa fa fd fa fa fa fd fd
0x3a001420: fa fa fd fd fa fa fd fa fa fa 00 fa fa fa fd fa
0x3a001430: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x3a001440: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
0x3a001450: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
0x3a001460: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
#include <cstddef>
#include <cstdint>
#include <cstring>
// Template header reconstructed from the instantiation in the trace above,
// rx::CopyNativeVertexData<float,3,3,0>
template <typename T, size_t inputComponentCount, size_t outputComponentCount, bool normalized>
inline void CopyNativeVertexData(const uint8_t *input, size_t stride, size_t count, uint8_t *output)
{
    const size_t attribSize = sizeof(T) * inputComponentCount;
    if (attribSize == stride && inputComponentCount == outputComponentCount)
    {   // attribSize = 12 & count is 8 in the test case
        memcpy(output, input, count * attribSize);
        return;
    }
    // remaining (strided) copy path not included in the report
}
Did this work before? N/A
Chrome version: Channel: canary
OS Version: 10.0
Flash Version:
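The fast path quoted in the report trusts `count` without knowing how large `input` is: with a 16-byte source buffer, stride 12 and count 8 it asks memcpy for 96 bytes. The block below is an added example, not ANGLE's code and not the change that closed this bug. It restates that fast path (with a simplified strided fallback that is an assumption here), then wraps it in a caller-side length check using overflow-safe arithmetic. `CopyNativeVertexDataChecked`, `requiredInputBytes`, the `inputSize` parameter and the sample buffers are names and values introduced for this example; the sizes exercised (16-byte source, stride 12, count 8) are taken from the ASan output above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Added example (not ANGLE's code). Same fast path as in the report: when
// attributes are tightly packed and no component conversion is needed, the
// whole range is copied with one memcpy, with no knowledge of input's size.
template <typename T, size_t inputComponentCount, size_t outputComponentCount, bool normalized>
inline void CopyNativeVertexData(const uint8_t *input, size_t stride, size_t count, uint8_t *output)
{
    const size_t attribSize = sizeof(T) * inputComponentCount;
    if (attribSize == stride && inputComponentCount == outputComponentCount)
    {
        memcpy(output, input, count * attribSize);  // reads count * attribSize bytes
        return;
    }
    // Simplified strided path (assumption, not ANGLE's real conversion logic):
    // copy the common components per element and zero-fill the rest.
    const size_t copyComponents =
        inputComponentCount < outputComponentCount ? inputComponentCount : outputComponentCount;
    for (size_t i = 0; i < count; ++i)
    {
        const uint8_t *src = input + i * stride;
        uint8_t *dst = output + i * outputComponentCount * sizeof(T);
        memcpy(dst, src, copyComponents * sizeof(T));
        memset(dst + copyComponents * sizeof(T), 0, (outputComponentCount - copyComponents) * sizeof(T));
    }
}

// Bytes the copy will read from input: (count - 1) * stride + attribSize,
// or 0 for count == 0. Returns false if the arithmetic would overflow size_t,
// so an attacker-sized count cannot wrap into a small "needed" value.
bool requiredInputBytes(size_t stride, size_t count, size_t attribSize, size_t *out)
{
    if (count == 0) { *out = 0; return true; }
    if (stride != 0 && count - 1 > std::numeric_limits<size_t>::max() / stride) return false;
    const size_t span = (count - 1) * stride;
    if (span > std::numeric_limits<size_t>::max() - attribSize) return false;
    *out = span + attribSize;
    return true;
}

// Hardened entry point (hypothetical): refuses the copy unless the source
// buffer of inputSize bytes holds all count elements. Returns false on the
// out-of-bounds request instead of reading past the allocation.
template <typename T, size_t inputComponentCount, size_t outputComponentCount, bool normalized>
bool CopyNativeVertexDataChecked(const uint8_t *input, size_t inputSize, size_t stride, size_t count, uint8_t *output)
{
    const size_t attribSize = sizeof(T) * inputComponentCount;
    size_t needed = 0;
    if (!requiredInputBytes(stride, count, attribSize, &needed) || needed > inputSize)
        return false;
    CopyNativeVertexData<T, inputComponentCount, outputComponentCount, normalized>(input, stride, count, output);
    return true;
}

// The report's numbers against the checked version: a constructed 16-byte
// source (same size as the ASan region), float x 3 attributes, stride 12,
// count 8 -> 96 bytes needed -> rejected.
bool reportCaseIsRejected()
{
    std::vector<uint8_t> src(16, 0xAB);      // constructed sample buffer
    std::vector<uint8_t> dst(8 * 12, 0);
    return !CopyNativeVertexDataChecked<float, 3, 3, false>(src.data(), src.size(), 12, 8, dst.data());
}

// A request that fits (2 elements in a 24-byte buffer) still copies verbatim.
bool inBoundsCaseCopies()
{
    std::vector<uint8_t> src(24);             // constructed sample buffer
    for (size_t i = 0; i < src.size(); ++i) src[i] = static_cast<uint8_t>(i);
    std::vector<uint8_t> dst(24, 0);
    const bool ok = CopyNativeVertexDataChecked<float, 3, 3, false>(src.data(), src.size(), 12, 2, dst.data());
    return ok && memcmp(src.data(), dst.data(), 24) == 0;
}
```

The check lives on the caller side on purpose: the copy routine itself only knows `count` and `stride`, while the size of the backing buffer (the 16-byte region allocated by `angle::MemoryBuffer::resize` in the allocation trace) is known one layer up, which is where the validation of draw-call ranges against buffer sizes belongs.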
Sep 11 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5319206810943488.
Sep 12 2017
geofflang: Can you please take a look and reassign as appropriate? Thanks.
Sep 15 2017
I think this is fixed now in newer versions. I had reported this bug to Firefox as well which probably has something to do with this being fixed.
Sep 15 2017
Looks like it, couldn't reproduce it myself, same for clusterfuzz.
Sep 15 2017
Btw, I think clusterfuzz fails to analyze another of my webgl bugs, 765469. But that's definitely not fixed.
Sep 19 2017
Judging by #4 and #5, I'll close this on the assumption that it got fixed. If you're able to reproduce it again, go ahead and file a new bug for it. +awhalley to determine how to handle VRP for this. geofflang, zmo, kbr: if you have clues as to which CL fixed it, that'd be great.
Dec 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 9 2017