New issue
Advanced search Search tips

Issue 781443 link

Starred by 1 user
Status: WontFix
Owner:
capn@chromium.org
Closed: Nov 2017
Cc:
sugoi@chromium.org
dsinclair@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

Security: heap-buffer-overflow libglesv2!sw::LValue

Reported by om...@krash.in, Nov 3 2017 
I have tested this on the asan-win32-release-513780 build on Windows 10.


==42900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0df80ec8 at pc 0x54568537 bp 0x04f97e40 sp 0x04f97e34
READ of size 4 at 0x0df80ec8 thread T0
    #0 0x54568536 in libGLESv2_swiftshader+0x539c5a (C:\Users\omair\Desktop\asan-coverage-win32-release-506366\swiftshader\libglesv2.dll+0x658536)
    #1 0x5457443f in libGLESv2_swiftshader+0x545b63 (C:\Users\omair\Desktop\asan-coverage-win32-release-506366\swiftshader\libglesv2.dll+0x66443f)
[snip] (no symbols)

Windbg Output:
05 (Inline) -------- libglesv2!sw::LValue+0x6a [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Reactor\Reactor.hpp @ 2270] 
06 04f97e50 54574440 libglesv2!sw::Array<sw::Float4,1>::operator[]+0x8d [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Reactor\Reactor.hpp @ 2619] 
07 04f97fd0 5457011f libglesv2!sw::RegisterArray<4096,0>::operator[]+0x3a0 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Shader\ShaderCore.hpp @ 197] 
08 04f99d94 54591bab libglesv2!sw::PixelProgram::applyShader+0x6de7 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Shader\PixelProgram.cpp @ 467] 
09 04f9ae60 541e72e2 libglesv2!sw::PixelRoutine::quad+0x5aa5 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Shader\PixelRoutine.cpp @ 224] 
0a 04f9c530 541e0f4a libglesv2!sw::QuadRasterizer::rasterize+0x5898 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Renderer\QuadRasterizer.cpp @ 291] 
0b 04f9c904 541dbf56 libglesv2!sw::QuadRasterizer::generate+0x664 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Renderer\QuadRasterizer.cpp @ 66] 
0c 04f9c934 541eea14 libglesv2!sw::PixelProcessor::routine+0x172 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Renderer\PixelProcessor.cpp @ 1179] 
0d 04f9d228 53f5d3b6 libglesv2!sw::Renderer::draw+0x752 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\Renderer\Renderer.cpp @ 248] 
0e 04f9d24c 53f2b972 libglesv2!es2::Device::drawIndexedPrimitive+0x4c [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\OpenGL\libGLESv2\Device.cpp @ 326] 
0f 04f9d354 53ffb338 libglesv2!es2::Context::drawElements+0x424 [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\OpenGL\libGLESv2\Context.cpp @ 3534] 
10 04f9d384 5402a3e0 libglesv2!es2::DrawElements+0x11e [C:\b\c\b\win_asan_release_coverage\src\third_party\swiftshader\src\OpenGL\libGLESv2\libGLESv2.cpp @ 1616]
sw_overflow_chrome.html
2.4 KB View Download
sw_overflow.txt
18.0 KB View Download

Comment 1 by dominickn@chromium.org, Nov 8 2017

Cc: sugoi@chromium.org
Components: Internals>GPU>SwiftShader
Labels: Security_Impact-High
Owner: capn@chromium.org
Status: Assigned (was: Unconfirmed)
Looks like it's in SwiftShader. +capn/sugoi, can you please follow up?

Comment 2 by dominickn@chromium.org, Nov 8 2017

Labels: -Security_Impact-High Security_Severity-High OS-Windows Pri-1

Comment 3 by awhalley@chromium.org, Nov 8 2017

Labels: Security_Impact-Stable M-63

Comment 4 by capn@chromium.org, Nov 8 2017

Labels: -Pri-1 Pri-2
Possibly a duplicate of  Issue 781147 .

Comment 5 by om...@krash.in, Nov 15 2017 

Can I be cc'ed on the that issue?
Project Member

Comment 6 by ClusterFuzz, Nov 16 2017 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5397830490652672.
Project Member

Comment 7 by ClusterFuzz, Nov 16 2017 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5723983529115648.

Comment 8 by mmoroz@chromium.org, Nov 16 2017 

Sure, but we need to confirm that it's a duplicate indeed.
Project Member

Comment 9 by ClusterFuzz, Nov 16 2017

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 10 by ClusterFuzz, Nov 16 2017 

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 11 by mmoroz@chromium.org, Nov 17 2017

Labels: -Security_Severity-High Security_Severity-Medium
Project Member

Comment 12 by sheriffbot@chromium.org, Nov 22 2017 

capn: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 13 by ClusterFuzz, Nov 30 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5397830490652672 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 14 by sheriffbot@chromium.org, Mar 9 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment