
Issue 826389

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Use-of-uninitialized-value in gpu::CommandBufferHelper::Finish

Reported by ClusterFuzz (Project Member), Mar 27 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4632002918350848

Fuzzer: webDEViL_webgl
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  gpu::CommandBufferHelper::Finish
  gpu::ImplementationBase::WaitForCmd
  gpu::gles2::GLES2Implementation::~GLES2Implementation
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4632002918350848

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.

Comment 1 by ClusterFuzz (Project Member), Mar 27 2018

Labels: Fuzz-Blocker M-67 ReleaseBlock-Beta
This crash occurs very frequently on the Windows platform and is likely preventing the fuzzer webDEViL_webgl from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.

Comment 2 by ClusterFuzz (Project Member), Mar 27 2018

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 3 by mmoroz@chromium.org, Mar 27 2018

Owner: piman@chromium.org
Status: Assigned (was: Untriaged)
Antoine, are you the right owner for this? Could you please take a look?

Comment 4 by piman@chromium.org, Mar 28 2018

I'll take a look. The variables on that line are all initialized, so maybe they're taking an uninitialized value from somewhere, although it's also possible that they're taking a value from shared memory which msan doesn't know about?

Comment 5 by piman@chromium.org, Mar 28 2018

I should also note, it looks like the browser is getting killed while the compositor context is being initialized (from the logs:
[1:10:0100/000000.984652:ERROR:broker_posix.cc(39)] Recvmsg error: Connection reset by peer (104)
[1:10:0100/000000.042964:ERROR:implementation_base.cc(188)] ContextResult::kFatalFailure: TransferBuffer::Initialize() failed
), and while we need to handle this gracefully, it's almost certain that the renderer can't do much at that point.
It also likely explains the poor reproducibility, because this stems from a race.

Comment 6 by piman@chromium.org, Mar 28 2018

Cc: backer@chromium.org
The uninitialized value is actually a UAF, introduced in https://chromium-review.googlesource.com/c/chromium/src/+/952080 . If initialization fails at the wrong point, we keep a GLES2Implementation alive but destroy the CommandBufferHelper it uses. Should be an easy fix.

Comment 7 by piman@chromium.org, Mar 28 2018

Cc: sadrul@chromium.org
https://chromium-review.googlesource.com/c/chromium/src/+/983132 has the fix.

Comment 8 by piman@chromium.org, Mar 28 2018

Labels: Pri-1

Comment 9 Deleted

A friendly reminder that M67 branch is coming soon on 04/12! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP to trunk. This way we branch M67 from a high quality trunk. Thank you.

Comment 11 by sheriffbot@chromium.org (Project Member), Mar 28 2018

Labels: Security_Impact-Head
Thanks for the fix Antoine!

Comment 13 by bugdroid1@chromium.org (Project Member), Mar 28 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4388b4ad02daa01ffee5c7b70699801bf7e15b73

commit 4388b4ad02daa01ffee5c7b70699801bf7e15b73
Author: Antoine Labour <piman@chromium.org>
Date: Wed Mar 28 13:17:09 2018

Fix UAF in ContextProviderCommandBuffer in failure case

If GLES2Implementation fails to initialize, we would keep it around, but
destroy the CommandBufferHelper that it needs.
Instead, make sure we always keep both, or neither.

Bug: 826389
Change-Id: I3167e4e113235e28b23a029bd106746e0bead073
Reviewed-on: https://chromium-review.googlesource.com/983132
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Reviewed-by: Jonathan Backer <backer@chromium.org>
Commit-Queue: Jonathan Backer <backer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546468}
[modify] https://crrev.com/4388b4ad02daa01ffee5c7b70699801bf7e15b73/services/ui/public/cpp/gpu/context_provider_command_buffer.cc
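
The commit message above and comment 6 describe the defect as a lifetime mismatch: on a failed initialization the CommandBufferHelper was destroyed while the GLES2Implementation that still calls into it (WaitForCmd, then Finish, in the reported stack) stayed alive, and the fix was to keep both or neither. The following is an added C++ example, not Chromium's code and not the contents of the linked change; the Fake* classes, the EventLog and RunScenario are hypothetical stand-ins that model that ownership invariant and the teardown order it requires.

```cpp
// Added example (not Chromium's code): models "always keep both, or neither"
// with hypothetical Fake* stand-ins for gpu::CommandBufferHelper,
// gpu::gles2::GLES2Implementation and the context provider that owns them.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Ordered record of lifecycle events, so the safe ordering can be checked.
using EventLog = std::vector<std::string>;

// Stand-in for gpu::CommandBufferHelper, the object the GL implementation
// issues commands through.
class FakeCommandBufferHelper {
 public:
  explicit FakeCommandBufferHelper(EventLog* log) : log_(log) {
    log_->push_back("helper created");
  }
  ~FakeCommandBufferHelper() { log_->push_back("helper destroyed"); }
  void Finish() { log_->push_back("helper Finish"); }
 private:
  EventLog* log_;
};

// Stand-in for GLES2Implementation: holds a non-owning pointer to the helper
// and calls it from its destructor (WaitForCmd -> Finish in the reported
// stack). If the helper has already been destroyed, that call is the UAF.
class FakeGLES2Implementation {
 public:
  FakeGLES2Implementation(FakeCommandBufferHelper* helper, EventLog* log)
      : helper_(helper), log_(log) {
    log_->push_back("impl created");
  }
  ~FakeGLES2Implementation() {
    helper_->Finish();
    log_->push_back("impl destroyed");
  }
  // Hypothetical second-stage setup that can fail (in the report it failed
  // because the browser side dropped the connection mid-initialization).
  bool Initialize(bool simulate_failure) { return !simulate_failure; }
 private:
  FakeCommandBufferHelper* helper_;  // not owned
  EventLog* log_;
};

// Stand-in for the context provider. helper_ is declared before impl_, so
// normal member destruction runs impl_ first and Finish() still has a live
// helper to talk to.
class FakeContextProvider {
 public:
  explicit FakeContextProvider(EventLog* log) : log_(log) {}

  // Pre-fix failure path as described in comment 6, kept only as a comment
  // because executing it is the use-after-free:
  //   if (!impl_->Initialize(f)) { helper_.reset(); return false; }  // impl_ kept
  // Fixed shape: on failure tear down both, dependent object first.
  bool Initialize(bool simulate_failure) {
    helper_ = std::make_unique<FakeCommandBufferHelper>(log_);
    impl_ = std::make_unique<FakeGLES2Implementation>(helper_.get(), log_);
    if (!impl_->Initialize(simulate_failure)) {
      impl_.reset();    // its destructor still needs helper_
      helper_.reset();
      return false;
    }
    return true;
  }

  bool HasBoth() const { return helper_ && impl_; }
  bool HasNeither() const { return !helper_ && !impl_; }
 private:
  EventLog* log_;
  std::unique_ptr<FakeCommandBufferHelper> helper_;
  std::unique_ptr<FakeGLES2Implementation> impl_;
};

// Runs one initialization attempt, records whether the "both or neither"
// invariant held, and returns the full event order including teardown.
EventLog RunScenario(bool simulate_failure, bool* ok_out) {
  EventLog log;
  {
    FakeContextProvider provider(&log);
    *ok_out = provider.Initialize(simulate_failure);
    log.push_back(provider.HasBoth() ? "state both"
                  : provider.HasNeither() ? "state neither" : "state mixed");
  }  // provider destroyed here: impl_ first, then helper_
  return log;
}

int main() {
  const bool cases[] = {true, false};
  for (bool fail : cases) {
    bool ok = false;
    for (const std::string& e : RunScenario(fail, &ok)) std::cout << e << '\n';
    std::cout << (ok ? "init ok" : "init failed") << "\n\n";
  }
}
```

In both runs the log shows "helper Finish" before "helper destroyed", which is the property the fix restores; MSan reported the original as an uninitialized read rather than a UAF because the helper's memory had been freed and reused, which is why the "variables on that line are all initialized" observation in comment 4 was not a contradiction.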

Comment 14 by piman@chromium.org, Mar 28 2018

Status: Fixed (was: Assigned)

Comment 15 by sheriffbot@chromium.org (Project Member), Mar 28 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Security_Severity-Medium Security_Severity-High
High severity since this is a use-after-free.
Labels: -reward-topanel reward-0
Trunk churn - found by many fuzzers.
Labels: -ReleaseBlock-Beta

Comment 19 by sheriffbot@chromium.org (Project Member), Jul 4

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot