New issue
Advanced search Search tips

Issue 820848 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Incorrect-function-pointer-type in gl::Debug::insertMessage

Project Member Reported by ClusterFuzz, Mar 12 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4527131972075520

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Incorrect-function-pointer-type
Crash Address: 
Crash State:
  gl::Debug::insertMessage
  gl::Debug::insertMessage
  gl::Context::handleError
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=538463:538477

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4527131972075520

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 12 2018

Labels: Test-Predator-Auto-Owner
Owner: geoffl...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/fdec674e8373793d4eb226f0e18771bbeeea3792 (Improve the performance of the passthrough cmd decoder's error handling.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 2 by sheriffbot@chromium.org, Mar 12 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: Internals>GPU>ANGLE
Project Member

Comment 4 by sheriffbot@chromium.org, Mar 13 2018

Labels: M-66
Project Member

Comment 5 by sheriffbot@chromium.org, Mar 13 2018

Labels: Pri-1
Project Member

Comment 6 by sheriffbot@chromium.org, Mar 14 2018

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 7 by bugdroid1@chromium.org, Mar 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/deps/mesa/+/803b1132096707417736df8d167176a33813aa9f

commit 803b1132096707417736df8d167176a33813aa9f
Author: Geoff Lang <geofflang@chromium.org>
Date: Mon Mar 19 16:15:15 2018

Update GLDEBUGPROC to the latest spec version.

The missing 'const' on the userParam argument causes problems with ubsan
when ANGLE compiles with the latest headers.

BUG= 820848 

Change-Id: I516141f132ef7e6a61f3543592df8f0f9b806363

[modify] https://crrev.com/803b1132096707417736df8d167176a33813aa9f/include/GL/glext.h

Project Member

Comment 8 by sheriffbot@chromium.org, Mar 26 2018

geofflang: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by bugdroid1@chromium.org, Mar 26 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5b12500886c296204e21797b9ee078800c485c4f

commit 5b12500886c296204e21797b9ee078800c485c4f
Author: Geoff Lang <geofflang@chromium.org>
Date: Mon Mar 26 19:04:28 2018

Update the GLDEBUGPROC typedef to the latest spec version.

The non-const parameter was causing issues with ubsan because ANGLE is
compiled with lasted typedefs.

BUG= 820848 
TBR=piman@chromium.org

Cq-Include-Trybots: luci.chromium.try:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I366e101fb8c42edec1d381e27cb55a51283f4e09
Reviewed-on: https://chromium-review.googlesource.com/969083
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#545858}
[modify] https://crrev.com/5b12500886c296204e21797b9ee078800c485c4f/DEPS
[modify] https://crrev.com/5b12500886c296204e21797b9ee078800c485c4f/gpu/command_buffer/service/gles2_cmd_decoder.cc
[modify] https://crrev.com/5b12500886c296204e21797b9ee078800c485c4f/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc
[modify] https://crrev.com/5b12500886c296204e21797b9ee078800c485c4f/gpu/command_buffer/tests/fuzzer_main.cc
[modify] https://crrev.com/5b12500886c296204e21797b9ee078800c485c4f/third_party/khronos/GLES2/gl2ext.h
[modify] https://crrev.com/5b12500886c296204e21797b9ee078800c485c4f/third_party/mesa/README.chromium

Project Member

Comment 10 by ClusterFuzz, Mar 27 2018

ClusterFuzz has detected this issue as fixed in range 545850:545860.

Detailed report: https://clusterfuzz.com/testcase?key=4527131972075520

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Incorrect-function-pointer-type
Crash Address: 
Crash State:
  gl::Debug::insertMessage
  gl::Debug::insertMessage
  gl::Context::handleError
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=538463:538477
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=545850:545860

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4527131972075520

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, Mar 27 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4527131972075520 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 12 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Merge-Request-66
Project Member

Comment 14 by sheriffbot@chromium.org, Mar 31 2018

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-66 Merge-Approved-66
Approving merge to M66. Branch:3359
Labels: -Security_Impact-Beta -ReleaseBlock-Stable -M-66 -Merge-Approved-66 Security_Impact-Head M-67
The merge is not needed for this bug.  It does not affect M66.

Sign in to add a comment