Issue metadata
Sign in to add a comment
|
Security: Heap Buffer Overflow (4 byte read) in sw::Blitter::blit3D (swiftshader) |
||||||||||||||||||||||
Issue description
The GPU command buffer fuzzer for swiftshader (gpu_swiftshader_fuzzer) has performance issues which I made some speculative fixes for locally.
In the process I discovered a read past the end of a heap buffer.
VERSION
ToT
REPRODUCTION CASE
1. Build gpu_swiftshader_fuzzer with asan.
2. Run it on the attached testcase
$ ./gpu_swiftshader_fuzzer swiftshader-crash
INFO: Seed: 2103927121
INFO: Loaded 4 modules (401631 guards): 15702 [0x7f1e8af16e60, 0x7f1e8af263b8), 318344 [0x26b5130, 0x27ebf50), 66351 [0x7f1e811242e0, 0x7f1e81164f9c), 1234 [0x7f1e8b00afa0, 0x7f1e8b00c2e8),
/usr/local/google/home/metzman/Downloads/libfuzzer-linux-release-545207/gpu_swiftshader_fuzzer: Running 1 inputs 1 time(s) each.
Running: swiftshader-crash
=================================================================
==142864==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000005190 at pc 0x7f1e80ea08ed bp 0x7ffcbb3d9690 sp 0x7ffcbb3d9688
READ of size 4 at 0x603000005190 thread T0
#0 0x7f1e80ea08ec in sw::Surface::Buffer::read(void*) const third_party/swiftshader/src/Renderer/Surface.cpp:580:25
#1 0x7f1e80ebf4f8 in sw::Surface::copyInternal(sw::Surface const*, int, int, int, float, float, float, bool) third_party/swiftshader/src/Renderer/Surface.cpp:3640:29
#2 0x7f1e80e3ddbf in sw::Blitter::blit3D(sw::Surface*, sw::Surface*) third_party/swiftshader/src/Renderer/Blitter.cpp:211:12
0x603000005190 is located 0 bytes to the right of 32-byte region [0x603000005170,0x603000005190)
allocated by thread T0 here:
#1 0x1f7207e in __allocate buildtools/third_party/libc++/trunk/include/new:228:10
#2 0x1f7207e in allocate buildtools/third_party/libc++/trunk/include/memory:1793
#3 0x1f7207e in allocate buildtools/third_party/libc++/trunk/include/memory:1547
#4 0x1f7207e in std::__1::__split_buffer<gpu::gles2::Texture::FaceInfo, std::__1::allocator<gpu::gles2::Texture::FaceInfo>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<gpu::gles2::Texture::FaceInfo>&) buildtools/third_party/libc++/trunk/include/__split_buffer:311
#5 0x1f71d03 in std::__1::vector<gpu::gles2::Texture::FaceInfo, std::__1::allocator<gpu::gles2::Texture::FaceInfo> >::__append(unsigned long) buildtools/third_party/libc++/trunk/include/vector:1047:53
#6 0x1f79325 in gpu::gles2::Texture::SetTarget(unsigned int, int) gpu/command_buffer/service/texture_manager.cc:810:15
#7 0x1c03ff2 in gpu::gles2::BackTexture::Create() gpu/command_buffer/service/gles2_cmd_decoder.cc:2862:32
#8 0x1c0d8f2 in gpu::gles2::GLES2DecoderImpl::Initialize(scoped_refptr<gl::GLSurface> const&, scoped_refptr<gl::GLContext> const&, bool, gpu::gles2::DisallowedFeatures const&, gpu::ContextCreationAttribs const&) gpu/command_buffer/service/gles2_cmd_decoder.cc:3750:40
#9 0xa60302 in gpu::(anonymous namespace)::CommandBufferSetup::InitDecoder() gpu/command_buffer/tests/fuzzer_main.cc:340:29
#10 0xa5cf37 in gpu::(anonymous namespace)::CommandBufferSetup::RunCommandBuffer(unsigned char const*, unsigned long) gpu/command_buffer/tests/fuzzer_main.cc:389:10
#11 0xa5cd6e in LLVMFuzzerTestOneInput gpu/command_buffer/tests/fuzzer_main.cc:504:17
#12 0xa81e61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:515:13
#13 0xa62eda in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:280:6
#14 0xa691f0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:703:9
#15 0xa92fcc in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
#16 0x7f1e8636b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/swiftshader/src/Renderer/Surface.cpp:580:25 in sw::Surface::Buffer::read(void*) const
Shadow bytes around the buggy address:
0x0c067fff89e0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fff89f0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
0x0c067fff8a00: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x0c067fff8a10: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00
0x0c067fff8a20: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
=>0x0c067fff8a30: 00 00[fa]fa 00 00 00 fa fa fa 00 00 00 00 fa fa
0x0c067fff8a40: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fff8a50: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
0x0c067fff8a60: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
0x0c067fff8a70: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 00
0x0c067fff8a80: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==142864==ABORTING
,
Mar 26 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5069222267584512.
,
Mar 27 2018
Detailed report: https://clusterfuzz.com/testcase?key=5069222267584512 Fuzzer: libFuzzer_gpu_swiftshader_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60a000032cd0 Crash State: sw::Surface::Buffer::read sw::Surface::copyInternal sw::Blitter::blit3D Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=539216:539237 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5069222267584512 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. A recommended severity was added to this bug. Please change the severity if it is inaccurate.
,
Mar 27 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/27a33c6510b49dda52c27035e4b580738b653a0f (Remove gpu workaround code that no config specifies). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Mar 27 2018
,
Mar 27 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
,
Mar 27 2018
I bisected my patch to make sure I hadn't messed up any logic, and I was able to "fix" the issue by adding the following lines.
diff --git a/gpu/config/gpu_driver_bug_workaround_type.h b/gpu/config/gpu_driver_bug_workaround_type.h
index 690ad3c9038e..6f4ca73fdcbd 100644
--- a/gpu/config/gpu_driver_bug_workaround_type.h
+++ b/gpu/config/gpu_driver_bug_workaround_type.h
@@ -25,6 +25,10 @@
avoid_stencil_buffers) \
GPU_OP(BROKEN_EGL_IMAGE_REF_COUNTING, \
broken_egl_image_ref_counting) \
+ GPU_OP(TESTING1, \
+ testing1) \
+ GPU_OP(TESTING2, \
+ testing2) \
GPU_OP(CLEAR_TO_ZERO_OR_ONE_BROKEN, \
clear_to_zero_or_one_broken) \
GPU_OP(CLEAR_UNIFORMS_BEFORE_FIRST_PROGRAM_USE, \
So, it seems my patch looks like the cause in the bisect because it changed workaround ids.
Assigning to swiftshader folks to take a look for the real underlying bug.
,
Mar 27 2018
Thanks Enne. It looks like this might be closely related to Issue 825252 .
,
Mar 28 2018
Detailed report: https://clusterfuzz.com/testcase?key=5069222267584512 Fuzzer: libFuzzer_gpu_swiftshader_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60a000032cd0 Crash State: sw::Surface::Buffer::read sw::Surface::copyInternal sw::Blitter::blit3D Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=539216:539237 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5069222267584512 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Mar 28 2018
I managed to reproduce the issue using the file provided by OP, but not with the clusterfuzz reproduce tool.
,
Mar 28 2018
That sounds bad, thanks for the heads up. Did you try it with https://clusterfuzz.com/v2/testcase-detail/5069222267584512?noredirect=1 ?
,
Mar 28 2018
Yes, that's the one I tried.
,
Mar 28 2018
,
Mar 28 2018
Thanks! Back to the cause of the crash: I found out that this testcase is creating a 256x0x4 volume texture (note the 0 height), and then wants to generate mipmaps for it. The OpenGL spec states that it results in a texture with log2(maxsize) + 1 mipmap levels, and the other levels' dimensions are max(1,width>>1) x max(1,height>>1) x max(1,depth>>1). So the second mipmap level is 128x1x2, and trying to copy filtered texels from the base level into it causes a crash because it has none. The simple fix is to not attempt to read from a texture where one of the dimensions is 0. Our mipmap generation for 2D textures has that safeguard. That said, it feels like a spec bug. After calling glGenerateMipmap(), the texture should be 'mipmap complete'. The desktop OpenGL specification is explicit about this. But this can't be satisfied with a base level that has a 0 dimension.
,
Mar 29 2018
Filed https://gitlab.khronos.org/opengl/API/issues/72 to get clarification on this from Khronos. In the meantime I'll fix the crash by checking for zero dimensions before trying to filter/blit between images.
,
Mar 29 2018
The following revision refers to this bug: https://swiftshader.googlesource.com/SwiftShader.git/+/f8cdc74c4b4afca9f1f807d9fda6ea8d530b358e commit f8cdc74c4b4afca9f1f807d9fda6ea8d530b358e Author: Nicolas Capens <capn@google.com> Date: Thu Mar 29 13:21:17 2018 Guard against copying from a zero-sized 3D image. Bug chromium:825545 Change-Id: I37d6192bf65115938943f45d43e153196a7d569a Reviewed-on: https://swiftshader-review.googlesource.com/18128 Tested-by: Nicolas Capens <nicolascapens@google.com> Reviewed-by: Alexis Hétu <sugoi@google.com> [modify] https://crrev.com/f8cdc74c4b4afca9f1f807d9fda6ea8d530b358e/src/OpenGL/libGLESv2/Device.cpp
,
Mar 29 2018
Note that this bug is causing us to copy out-of-bounds data into a texture image which can then be read from JavaScript using framebufferTextureLayer and readPixels. It's not a verbatim copy of the data; it's filtering it by averaging pairs of pixels. Still, if the data is a high-resolution image then a downsampled version could be a readable version of sensitive information. Of course an attacker would have other hurdles to overcome, but it's not great to have to depend on those. So I'm requesting a merge to M66.
,
Mar 29 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 29 2018
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 29 2018
Let's let it bake in canary first, and we can review merge tomorrow.
,
Mar 29 2018
The fix only landed upstream so far. DEPS roll is in progress: https://chromium-review.googlesource.com/c/chromium/src/+/985899 Agreed that once it has landed we should check how it fares in Canary for a bit.
,
Mar 30 2018
Detailed report: https://clusterfuzz.com/testcase?key=5069222267584512 Fuzzer: libFuzzer_gpu_swiftshader_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60a000032cd0 Crash State: sw::Surface::Buffer::read sw::Surface::copyInternal sw::Blitter::blit3D Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=539216:539237 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5069222267584512 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Mar 30 2018
The DEPS roll has landed, but clusterfuzz has been showing "Fixed: Pending" for a whole day. I've verified the patch locally, so I think this might be another clusterfuzz issue.
,
Mar 31 2018
ClusterFuzz has detected this issue as fixed in range 546920:546945. Detailed report: https://clusterfuzz.com/testcase?key=5069222267584512 Fuzzer: libFuzzer_gpu_swiftshader_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60a000032cd0 Crash State: sw::Surface::Buffer::read sw::Surface::copyInternal sw::Blitter::blit3D Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=539216:539237 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=546920:546945 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5069222267584512 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 31 2018
ClusterFuzz testcase 5069222267584512 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 31 2018
,
Apr 2 2018
Can you please confirm if #17 still needs to be merged to M66?
,
Apr 2 2018
I think so, as per c#18. capn@ seems to be OOO today due to the public holiday.
,
Apr 3 2018
Approving merge to M66. Branch:3359
,
Apr 6 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 9 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 10 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/0a0bbed01d834dbe6fcb56423df2360043368ea4 commit 0a0bbed01d834dbe6fcb56423df2360043368ea4 Author: Nicolas Capens <capn@google.com> Date: Tue Apr 10 20:45:07 2018
,
Apr 10 2018
thanks!
,
Apr 10 2018
,
May 16 2018
The following revision refers to this bug: https://swiftshader.googlesource.com/SwiftShader.git/+/89c43d202302ec20e0d3b31d7273fed848b9ee23 commit 89c43d202302ec20e0d3b31d7273fed848b9ee23 Author: Nicolas Capens <capn@google.com> Date: Wed May 16 20:44:10 2018 Ignore glGenerateMipmap for unspecified or zero-sized textures. https://gitlab.khronos.org/opengl/API/issues/72 was resolved to treat these cases as a no-op and not generate an error. Bug chromium:825545 Change-Id: Ic4cfbc728156bb88a6dc70486ae57c3e12ea43ae Reviewed-on: https://swiftshader-review.googlesource.com/18870 Tested-by: Nicolas Capens <nicolascapens@google.com> Reviewed-by: Alexis Hétu <sugoi@google.com> [modify] https://crrev.com/89c43d202302ec20e0d3b31d7273fed848b9ee23/src/OpenGL/libGLESv2/Texture.cpp [modify] https://crrev.com/89c43d202302ec20e0d3b31d7273fed848b9ee23/src/OpenGL/libGLESv2/utilities.cpp
,
May 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/997bfdbc7f496a31e1675680d6b8ca098cd3884c commit 997bfdbc7f496a31e1675680d6b8ca098cd3884c Author: Nicolas Capens <capn@chromium.org> Date: Fri May 18 21:19:56 2018 Roll SwiftShader c8403ec..cbb80f5 https://swiftshader.googlesource.com/SwiftShader.git/+log/c8403ec..cbb80f5 BUG= chromium:835299 , chromium:825545 TBR=kbr@chromium.org TEST=bots CQ_INCLUDE_TRYBOTS=luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_chromium_cfi_rel_ng;luci.chromium.try:android_optional_gpu_tests_rel Change-Id: Ic37afa51eaa67f7a61902d2a3e2d8227065ae909 Reviewed-on: https://chromium-review.googlesource.com/1066397 Reviewed-by: Alexis Hétu <sugoi@chromium.org> Commit-Queue: Nicolas Capens <capn@chromium.org> Cr-Commit-Position: refs/heads/master@{#560042} [modify] https://crrev.com/997bfdbc7f496a31e1675680d6b8ca098cd3884c/DEPS
,
Jul 7
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Mar 25 2018