
Issue 770491 link


Issue metadata

Status: WontFix
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Security: Free GPU texture memory without clearing

Reported by apoorva....@gmail.com, Sep 30 2017

Issue description

VULNERABILITY DETAILS
Chrome seems to be releasing texture memory on the GPU when a tab is closed. In my own application which uses a completely different OpenGL context, I am able to access these textures in legible format. I can thus see rendered text and images. See attached image, showing polygon.com and theverge.com framebuffer leakage. This could also potentially work across different users on the same machine, leading to one user being able to see another's browser fragments.

VERSION
Chrome Version: [57.0.2987.110] + [stable]
Operating System: [Ubuntu 16.04]
GPU: NVIDIA GTX 970 (GM204 architecture)
GPU Driver: 375.39

REPRODUCTION CASE
Repro code is not possible since my OpenGL app is closed-source. However, it is allocating memory through standard OpenGL calls. A repro shouldn't be complicated. Chrome should clear its GPU textures before freeing them.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
N/A

Attachment: chrome.png (128 KB)
Cc: kbr@chromium.org
Components: Internals>GPU
Labels: Pri-1
Owner: zmo@chromium.org
Status: Assigned (was: Unconfirmed)
zmo@ - is this an issue?

Comment 2 by kbr@chromium.org, Sep 30 2017

Cc: vmi...@chromium.org piman@chromium.org
In my opinion this is not a bug in Chrome. Chrome prevents untrusted web pages from seeing uninitialized video memory, which would be a security risk; but these native OpenGL applications have user privileges. Many OpenGL drivers unfortunately do not initialize allocated video memory, so these native applications can see uninitialized VRAM.

While Chrome could make a best effort to clear out textures when releasing them -- at a performance cost -- it can do nothing if the GPU process crashes.

I think this request is out of scope for Chrome's security model.
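The trade-off discussed in this thread (scrub-on-release costs performance, but without it the next owner of the memory reads the previous owner's bytes) is easy to see with a small model. The following C program is an added illustration, not code from Chromium, the NVIDIA driver, or the reporter's application: it stands in a host-memory slot pool for video memory, since a real GPU allocator cannot be driven offline. The arena, the `pool_*` functions and the "rendered page fragment" string are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a video-memory pool: a fixed arena handed out in
 * fixed-size slots and recycled. As the thread notes many drivers do, the
 * pool itself never initializes a slot on allocation. */
#define SLOT_SIZE 64
#define SLOT_COUNT 4

static uint8_t arena[SLOT_SIZE * SLOT_COUNT];
static int slot_in_use[SLOT_COUNT];

/* Hand out the first free slot, contents untouched. */
uint8_t *pool_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!slot_in_use[i]) {
            slot_in_use[i] = 1;
            return arena + i * SLOT_SIZE;
        }
    }
    return NULL;
}

/* Map a slot pointer back to its index, or -1 if it is not a slot start. */
static int slot_index(const uint8_t *p) {
    ptrdiff_t off = p - arena;
    if (off < 0 || off >= (ptrdiff_t)sizeof arena || off % SLOT_SIZE != 0)
        return -1;
    return (int)(off / SLOT_SIZE);
}

/* Release without clearing: the "free without clearing" behaviour reported. */
void pool_free(uint8_t *p) {
    int i = slot_index(p);
    if (i >= 0) slot_in_use[i] = 0;
}

/* Release after scrubbing: the mitigation the reporter asks for. The zeroing
 * goes through a volatile pointer so the compiler cannot drop it as a dead
 * store just before the slot is released. */
void pool_free_scrubbed(uint8_t *p) {
    int i = slot_index(p);
    if (i < 0) return;
    volatile uint8_t *v = p;
    for (size_t k = 0; k < SLOT_SIZE; k++) v[k] = 0;
    slot_in_use[i] = 0;
}

/* One tenant writes into a slot and releases it; a second tenant then gets
 * the same slot back and compares it with what the first tenant wrote.
 * Returns 1 if the first tenant's bytes are still readable, 0 if the slot
 * came back clean. Each call scrubs its slot at the end so calls are
 * independent of one another. */
int stale_data_visible(int scrub_on_free) {
    const char secret[] = "rendered page fragment (constructed)";
    uint8_t *first = pool_alloc();
    memcpy(first, secret, sizeof secret);
    if (scrub_on_free)
        pool_free_scrubbed(first);
    else
        pool_free(first);

    uint8_t *second = pool_alloc();   /* receives the same slot */
    int leaked = memcmp(second, secret, sizeof secret) == 0;
    pool_free_scrubbed(second);       /* leave the pool clean */
    return leaked;
}

int main(void) {
    printf("free without clearing: stale data visible = %d\n", stale_data_visible(0));
    printf("scrub before free:     stale data visible = %d\n", stale_data_visible(1));
    return 0;
}
```

The scrub loop is the "best effort" the comment above refers to: it is a full write of the released region, which is exactly the cost that makes it unattractive at texture sizes, and it only helps when the releasing process gets to run it, which a crashed GPU process does not.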

Status: WontFix (was: Assigned)
WontFix based on c#2.

Comment 4 by sheriffbot@chromium.org, Jan 7 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
