
Issue 804118 link


Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security




Security: WriteTexture heap-buffer-overflow in WebGL on macOS

Reported by om...@krash.in, Jan 20 2018

Issue description

Heap overflow in WriteTextureData on macOS, tested on asan-mac-release-529226.zip.

==801==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000046a04 at pc 0x000101cc248b bp 0x7ffeedf9f5f0 sp 0x7ffeedf9ed90
READ of size 8 at 0x602000046a04 thread T0
    #0 0x101cc248a  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1a48a)
    #1 0x12f6af75b in glrWriteTextureData (AppleIntelBDWGraphicsGLDriver:x86_64+0x1375b)
    #2 0x7fff3858db49 in glTexImage2D_Exec (GLEngine:x86_64+0x19b49)
    #3 0x7fff379fd63e in glTexImage2D (libGL.dylib:x86_64+0x363e)
    #4 0x116a395a8 in gl::GLApiBase::glTexImage2DFn(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) gl_bindings_autogen_gl.cc:4372
    #5 0x116a86e37 in gl::RealGLApi::glTexImage2DFn(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) gl_gl_api_implementation.cc:374
    #6 0x117489714 in gpu::gles2::TextureManager::DoTexImage(gpu::gles2::DecoderTextureState*, gpu::gles2::ContextState*, gpu::gles2::DecoderFramebufferState*, char const*, gpu::gles2::TextureRef*, gpu::gles2::TextureManager::DoTexImageArguments const&) texture_manager.cc:3381
    #7 0x117487a35 in gpu::gles2::TextureManager::DoCubeMapWorkaround(gpu::gles2::DecoderTextureState*, gpu::gles2::ContextState*, gpu::gles2::DecoderFramebufferState*, gpu::gles2::TextureRef*, char const*, gpu::gles2::TextureManager::DoTexImageArguments const&) texture_manager.cc:2694
    #8 0x1172b00bd in gpu::gles2::GLES2DecoderImpl::DoCopyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) texture_manager.h:1102
 
Attachments: writeTexture.html (1.6 KB), asan.txt (9.6 KB)

Comment 1 by ClusterFuzz, Jan 22 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5920132118609920.

Comment 2 by ClusterFuzz, Jan 22 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5002286467383296.
Components: Internals>GPU
Neither of these could be reproduced on CF, either on Mac or Linux. Is there a special setup required?
Trying a different CF job...

Comment 5 by ClusterFuzz, Jan 22 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6066698078912512.

Comment 6 by om...@krash.in, Jan 23 2018

#1 0x12f6af75b in glrWriteTextureData (AppleIntelBDWGraphicsGLDriver:x86_64+0x1375b)

I guess you require an Intel HD Graphics-based macOS system for this to reproduce.

Comment 7 by ClusterFuzz, Jan 25 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5699413012643840.

Comment 8 by mea...@chromium.org, Jan 25 2018

Labels: Security_Severity-High OS-Mac
Owner: zmo@chromium.org
Status: Assigned (was: Unconfirmed)
I can repro with a 2012 MacBook Pro using the integrated graphics. Uploaded another test case with the mac_asan_chrome job type.

zmo: Can you please take a look, or reassign? Thanks.

Comment 9 by zmo@chromium.org, Jan 25 2018

Cc: yunchao...@intel.com yang...@intel.com piman@chromium.org
Labels: Pri-1
Status: Started (was: Assigned)
It seems we fail to reset pixel unpack params in TextureManager::DoCubeMapWorkaround before calling TexImage*(). I will patch this up.

That said, the underlying Intel driver should really generate an INVALID_OPERATION rather than crash.
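The diagnosis above (stale unpack params carried into a TexImage call) is a general failure mode: how many bytes a TexImage2D upload reads from its source is decided by the GL_UNPACK_* state and the pixel unpack buffer binding that are current when the call is made, not by the image dimensions alone. The following C++ is an added example, not Chromium's or the driver's code; `UnpackState`, `RowStrideBytes`, `RequiredUploadBytes` and `UploadFitsInSource` are names assumed here, and the size formula is the one the OpenGL specification gives for pixel unpacking (row padded to the alignment, skipped rows and pixels included). It shows the check a caller can make before forwarding the upload, and why leftover state from a previous call makes the same image need more bytes than its source holds.

```cpp
// Added example, not Chromium's or the driver's code. Models how the
// GL_UNPACK_* state decides how many bytes a TexImage2D call reads from its
// source, so that a caller can verify the source is large enough under the
// state that is actually current before issuing the call.
#include <cstddef>
#include <cstdio>
#include <stdexcept>

// Subset of the pixel-unpack state; the defaults are the GL spec defaults.
struct UnpackState {
  int alignment = 4;    // GL_UNPACK_ALIGNMENT (1, 2, 4 or 8)
  int row_length = 0;   // GL_UNPACK_ROW_LENGTH (0 means "use the image width")
  int skip_rows = 0;    // GL_UNPACK_SKIP_ROWS
  int skip_pixels = 0;  // GL_UNPACK_SKIP_PIXELS
};

// Distance in bytes between the starts of consecutive source rows: a row of
// row_length (or width) pixels, padded up to a multiple of `alignment`.
size_t RowStrideBytes(const UnpackState& s, int width, int bytes_per_pixel) {
  if (s.alignment != 1 && s.alignment != 2 && s.alignment != 4 &&
      s.alignment != 8) {
    throw std::invalid_argument("GL_UNPACK_ALIGNMENT must be 1, 2, 4 or 8");
  }
  const size_t pixels_per_row = s.row_length > 0 ? s.row_length : width;
  const size_t unpadded = pixels_per_row * static_cast<size_t>(bytes_per_pixel);
  const size_t a = static_cast<size_t>(s.alignment);
  return (unpadded + a - 1) / a * a;
}

// Total bytes the upload touches: every skipped row and every row but the
// last span a full stride; the last row only needs its own pixels, after
// the skipped pixels at its start.
size_t RequiredUploadBytes(const UnpackState& s, int width, int height,
                           int bytes_per_pixel) {
  if (width <= 0 || height <= 0 || bytes_per_pixel <= 0) return 0;
  if (s.skip_rows < 0 || s.skip_pixels < 0)
    throw std::invalid_argument("skip values must be non-negative");
  const size_t stride = RowStrideBytes(s, width, bytes_per_pixel);
  const size_t full_rows = static_cast<size_t>(s.skip_rows) + height - 1;
  const size_t last_row =
      (static_cast<size_t>(s.skip_pixels) + width) * bytes_per_pixel;
  return full_rows * stride + last_row;
}

// `available_bytes` is the client array length when no PIXEL_UNPACK_BUFFER
// is bound, or the bound buffer's size minus the offset when one is bound;
// either way the upload is only safe if it fits.
bool UploadFitsInSource(const UnpackState& s, int width, int height,
                        int bytes_per_pixel, size_t available_bytes) {
  return RequiredUploadBytes(s, width, height, bytes_per_pixel) <=
         available_bytes;
}

int main() {
  // Constructed scenario: a 3x2 RGB image (21 bytes under default unpack
  // state) uploaded once with defaults and once with unpack state left over
  // from an earlier call that used a wider row and skipped rows.
  const int w = 3, h = 2, bpp = 3;
  const size_t source_bytes = 21;
  UnpackState fresh;
  UnpackState stale;
  stale.row_length = 8;
  stale.skip_rows = 2;
  std::printf("default state needs %zu bytes, fits: %d\n",
              RequiredUploadBytes(fresh, w, h, bpp),
              UploadFitsInSource(fresh, w, h, bpp, source_bytes));
  std::printf("stale state needs %zu bytes, fits: %d\n",
              RequiredUploadBytes(stale, w, h, bpp),
              UploadFitsInSource(stale, w, h, bpp, source_bytes));
  return 0;
}
```

Under the default state the 3x2 RGB image needs 21 bytes and fits; with the stale row length and skipped rows the same image needs 81 bytes, so the driver would read 60 bytes past the end of a 21-byte source. That is the check that makes resetting the unpack state (and unbinding any PIXEL_UNPACK_BUFFER) before the internal TexImage call a correctness requirement rather than a nicety.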
Labels: Security_Impact-Head

Comment 11 by sheriffbot@chromium.org, Jan 27 2018

Labels: M-65

Comment 12 by sheriffbot@chromium.org, Jan 27 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by sheriffbot@chromium.org, Jan 28 2018

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 14 by zmo@chromium.org, Jan 29 2018

Labels: -ReleaseBlock-Stable
No need to block release since this has been in many releases.

That said, I will fix this soon.

Comment 15 by zmo@chromium.org, Jan 29 2018

Labels: -M-65
> No need to block release since this has been in many releases.

Does it mean this impacts stable? Or is beta accurate? (I incorrectly marked it as Security_Impact-Beta based on the asan build in the original report (529226))

Comment 17 by zmo@chromium.org, Jan 29 2018

This affects all (dating back a couple of years). That's why this should not be a blocker, because this is not a regression. That said, this should still be fixed in this release.
Labels: -Security_Impact-Beta Security_Impact-Stable
Thanks for confirming. Not sure why sheriffbot thought it impacts Beta.

Comment 19 by zmo@chromium.org, Jan 30 2018

Here is a simplified test case. I deleted unrelated shader/program setup.
Attachment: simplied_test_case_for_crbug_804118.html (516 bytes)

Comment 20 by zmo@chromium.org, Jan 30 2018

Cc: kbr@chromium.org kainino@chromium.org jdarpinian@chromium.org

Comment 22 by zmo@chromium.org, Jan 30 2018

A conformance test is added in https://github.com/KhronosGroup/WebGL/pull/2593 (except it only catches the bug on the MSAN bot).

Comment 23 by bugdroid1@chromium.org, Jan 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a89aa4642cefb79e312c95ca3c66bbaff5263a22

commit a89aa4642cefb79e312c95ca3c66bbaff5263a22
Author: Zhenyao Mo <zmo@chromium.org>
Date: Tue Jan 30 04:22:34 2018

Fix CopyTexImage behavior when cubemap workaround is involved.

The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params
in order to upload data to textures correctly.

BUG=804118
TEST=tests in the bug
R=piman@chromium.org
NOTRY=true

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa
Reviewed-on: https://chromium-review.googlesource.com/892282
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532749}
[modify] https://crrev.com/a89aa4642cefb79e312c95ca3c66bbaff5263a22/gpu/command_buffer/service/texture_manager.cc

Comment 24 by zmo@chromium.org, Jan 30 2018

Labels: M-65 Merge-Request-65
Status: Fixed (was: Started)
It's a simple CL, so let's at least merge back to M65.

Comment 25 by sheriffbot@chromium.org, Jan 31 2018

Labels: -Merge-Request-65 Hotlist-Merge-Approved Merge-Approved-65
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge your change to the M65 branch 3325 ASAP so we can pick it up for the next M65 dev release. Thank you.

Comment 27 by bugdroid1@chromium.org, Jan 31 2018

Labels: -merge-approved-65 merge-merged-3325
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fccae1a6842d24b1fb02b6ea5aa37c887e0a11d3

commit fccae1a6842d24b1fb02b6ea5aa37c887e0a11d3
Author: Zhenyao Mo <zmo@chromium.org>
Date: Wed Jan 31 18:50:12 2018

Fix CopyTexImage behavior when cubemap workaround is involved.

The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params
in order to upload data to textures correctly.

BUG=804118
TEST=tests in the bug
R=piman@chromium.org
TBR=zmo@chromium.org
NOTRY=true

(cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22)

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa
Reviewed-on: https://chromium-review.googlesource.com/892282
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#532749}
Reviewed-on: https://chromium-review.googlesource.com/895907
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#208}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
[modify] https://crrev.com/fccae1a6842d24b1fb02b6ea5aa37c887e0a11d3/gpu/command_buffer/service/texture_manager.cc

Labels: reward-topanel

Comment 29 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -Security_Severity-High Security_Severity-Medium
Hello! The VRP panel decided to reward $1,000 for this report - cheers!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M65
Labels: CVE-2018-6073

Comment 35 by bugdroid1@chromium.org, Apr 12 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d5fd79c66c041e669cb7cc0d0a41dbcdac886649

commit d5fd79c66c041e669cb7cc0d0a41dbcdac886649
Author: Kenneth Russell <kbr@chromium.org>
Date: Thu Apr 12 23:23:34 2018

Roll WebGL aef0b3a..7c0541d

https://chromium.googlesource.com/external/khronosgroup/webgl.git/+log/aef0b3a..7c0541d

Bug: 804118, 818336, 828262, angleproject:2381
Tbr: zmo@chromium.org, kainino@chromium.org, jdarpinian@chromium.org
Cq-Include-Trybots: luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_angle_rel_ng;luci.chromium.try:win_angle_rel_ng
Change-Id: I28b3d55e43f5633ffe4c8cd6e7e375dd2fba2b9b
Reviewed-on: https://chromium-review.googlesource.com/1010910
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550408}
[modify] https://crrev.com/d5fd79c66c041e669cb7cc0d0a41dbcdac886649/DEPS
[modify] https://crrev.com/d5fd79c66c041e669cb7cc0d0a41dbcdac886649/content/test/gpu/gpu_tests/webgl_conformance_revision.txt


Comment 36 by bugdroid1@chromium.org, Apr 17 2018

Labels: merge-merged-testbranch
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d5fd79c66c041e669cb7cc0d0a41dbcdac886649

commit d5fd79c66c041e669cb7cc0d0a41dbcdac886649
Author: Kenneth Russell <kbr@chromium.org>
Date: Thu Apr 12 23:23:34 2018

Roll WebGL aef0b3a..7c0541d

https://chromium.googlesource.com/external/khronosgroup/webgl.git/+log/aef0b3a..7c0541d

Bug: 804118, 818336, 828262, angleproject:2381
Tbr: zmo@chromium.org, kainino@chromium.org, jdarpinian@chromium.org
Cq-Include-Trybots: luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_angle_rel_ng;luci.chromium.try:win_angle_rel_ng
Change-Id: I28b3d55e43f5633ffe4c8cd6e7e375dd2fba2b9b
Reviewed-on: https://chromium-review.googlesource.com/1010910
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550408}
[modify] https://crrev.com/d5fd79c66c041e669cb7cc0d0a41dbcdac886649/DEPS
[modify] https://crrev.com/d5fd79c66c041e669cb7cc0d0a41dbcdac886649/content/test/gpu/gpu_tests/webgl_conformance_revision.txt

Labels: CVE_description-missing

Comment 38 by sheriffbot@chromium.org, May 8 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -CVE_description-missing CVE_description-submitted
