Incorrect-function-pointer-type in gl::Debug::insertMessage
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6394303336415232

Fuzzer: libFuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  gl::Debug::insertMessage
  gl::Debug::insertMessage
  gl::Context::handleError

Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6394303336415232

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Nov 28 2017
zmo: could you ptal? Thanks!
Nov 28 2017
Nov 28 2017
I suspect this is another false positive like crbug.com/778918 or crbug.com/781168
Nov 28 2017
mmh, I think there is a mismatch between ANGLE's header (which is used in the ANGLE DLL) and the third_party/mesa headers that is used by chrome GL bindings:

third_party/angle/include/GLES2/gl2ext.h:
    typedef void (GL_APIENTRY *GLDEBUGPROCKHR)(GLenum source,GLenum type,GLuint id,GLenum severity,GLsizei length,const GLchar *message,const void *userParam);

third_party/mesa/src/include/GL/glext.h:
    typedef void (APIENTRY *GLDEBUGPROC)(GLenum source,GLenum type,GLuint id,GLenum severity,GLsizei length,const GLchar *message,GLvoid *userParam);

Note the const difference in the 'userParam' param (GLvoid is typedef'ed to void). Looking at https://www.khronos.org/registry/OpenGL/extensions/KHR/KHR_debug.txt it was changed in revision 13, and ANGLE's header is more up-to-date. We can simply patch mesa's header there, I think.

Removing security bits though:
1- this is not used by default in production (only with a flag, or in the fuzzer)
2- the users don't actually touch the userParam (it'll be null).
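The header mismatch described in this comment, as an added example (not code from the bug thread, ANGLE or Mesa): the three prototypes side by side, a compile-time compatibility check, and a debug callback delivered through the pre-fix and the fixed binding type. The GL typedef stand-ins, the global counter, the function names and the sample message are constructed for the example; the enum literals are the KHR_debug values for GL_DEBUG_SOURCE_API, GL_DEBUG_TYPE_ERROR and GL_DEBUG_SEVERITY_HIGH.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for the GL typedefs both headers share (constructed; GL_APIENTRY is empty on Linux). */
typedef unsigned int GLenum; typedef unsigned int GLuint; typedef int GLsizei;
typedef char GLchar; typedef void GLvoid;
/* ANGLE's gl2ext.h (KHR_debug revision 13 and later): userParam is const. */
typedef void (*GLDEBUGPROCKHR)(GLenum, GLenum, GLuint, GLenum, GLsizei, const GLchar *, const void *userParam);
/* Mesa's glext.h before the fix: userParam is not const. */
typedef void (*GLDEBUGPROC_OLD)(GLenum, GLenum, GLuint, GLenum, GLsizei, const GLchar *, GLvoid *userParam);
/* Mesa's glext.h after commit 92521a7: identical to the ANGLE prototype. */
typedef void (*GLDEBUGPROC_FIXED)(GLenum, GLenum, GLuint, GLenum, GLsizei, const GLchar *, const GLvoid *userParam);
/* Compile-time check: _Generic takes the 1 branch only when the two pointer types are compatible. */
#define SAME_SIGNATURE(A, B) _Generic((A)0, B: 1, default: 0)
int old_header_matches_angle(void)   { return SAME_SIGNATURE(GLDEBUGPROC_OLD, GLDEBUGPROCKHR); }   /* 0 */
int fixed_header_matches_angle(void) { return SAME_SIGNATURE(GLDEBUGPROC_FIXED, GLDEBUGPROCKHR); } /* 1 */

static int g_received;        /* messages delivered to the callback */
static GLsizei g_last_length; /* length reported with the last message */

/* A callback written against the ANGLE prototype; userParam is NULL, as the thread notes. */
static void count_messages(GLenum source, GLenum type, GLuint id, GLenum severity,
                           GLsizei length, const GLchar *message, const void *userParam)
{
    (void)source; (void)type; (void)id; (void)severity; (void)message; (void)userParam;
    g_received++;
    g_last_length = length;
}

/* What gl::Debug::insertMessage does conceptually: call the registered callback through the
 * binding's pointer type. With the fixed header the callback converts implicitly and the
 * pointer type matches the callee, so -fsanitize=function has nothing to report. */
GLsizei deliver_through_fixed_binding(const char *msg)
{
    g_received = 0;
    GLDEBUGPROC_FIXED callback = count_messages;
    callback(0x8246 /* GL_DEBUG_SOURCE_API */, 0x824C /* GL_DEBUG_TYPE_ERROR */, 1,
             0x9146 /* GL_DEBUG_SEVERITY_HIGH */, (GLsizei)strlen(msg), msg, NULL);
    return g_received == 1 ? g_last_length : -1;
}

/* Before the fix the same registration needs a cast, and the call goes through a pointer whose
 * last parameter (GLvoid *) differs from the callee's (const void *): that is what UBSAN reports
 * as Incorrect-function-pointer-type, even though the ABI makes the call work in practice. */
GLsizei deliver_through_old_binding(const char *msg)
{
    g_received = 0;
    GLDEBUGPROC_OLD callback = (GLDEBUGPROC_OLD)count_messages;
    callback(0x8246, 0x824C, 1, 0x9146, (GLsizei)strlen(msg), msg, NULL);
    return g_received == 1 ? g_last_length : -1;
}
```

Building with clang and -fsanitize=function reports the call inside deliver_through_old_binding and stays silent for deliver_through_fixed_binding, which is the difference the mesa header change makes.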
Mar 2 2018
I'll take this to close.
Mar 2 2018
https://chromium-review.googlesource.com/c/chromium/deps/mesa/+/946888 for the mesa header change
Mar 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/deps/mesa/+/92521a7a302b58aaa242b90192eaddb67ea3d0c2

commit 92521a7a302b58aaa242b90192eaddb67ea3d0c2
Author: Antoine Labour <piman@chromium.org>
Date: Fri Mar 02 21:19:56 2018

Update GLDEBUGPROCARB to the latest spec version

The latest spec version has the userParam argument to be const GLvoid*, and this is reflected in the ANGLE headers. Update the header to avoid type mismatch which UBSAN sees as a security issue.

Bug: 788949
Change-Id: If16c77501c42412106c47c8427bc799d3d7c3db5

[modify] https://crrev.com/92521a7a302b58aaa242b90192eaddb67ea3d0c2/include/GL/glext.h
Mar 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bc02b84f5db51f036a5ee3f5eb1288f1b0dd573c

commit bc02b84f5db51f036a5ee3f5eb1288f1b0dd573c
Author: Antoine Labour <piman@chromium.org>
Date: Fri Mar 02 23:49:00 2018

Roll third_party/mesa ef811c6..92521a7

Includes the following commit:
92521a7 Update GLDEBUGPROCARB to the latest spec version

Bug: 788949
Change-Id: I89e981718b42e375db7c2d4eb236643631d80c44
Reviewed-on: https://chromium-review.googlesource.com/946903
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: Antoine Labour <piman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540683}

[modify] https://crrev.com/bc02b84f5db51f036a5ee3f5eb1288f1b0dd573c/DEPS
[modify] https://crrev.com/bc02b84f5db51f036a5ee3f5eb1288f1b0dd573c/third_party/mesa/README.chromium
Mar 9 2018
This looks fixed, although CF doesn't seem to repro the original issue.
Mar 10 2018
Jun 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Nov 28 2017