Issue 851398: Stack-buffer-overflow in sw::Surface::Buffer::read
Reported by om...@krash.in, Jun 11 2018
Issue description (om...@krash.in, Jun 11 2018):
I have tested this on asan-linux-stable-67.0.3396.79. The attached testcase results in a crash and the following is the stack trace from the Linux version:

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f660b49efb0 at pc 0x7f6608cb52f2 bp 0x7ffc003494d0 sp 0x7ffc003494c8
READ of size 4 at 0x7f660b49efb0 thread T0 (chrome)
    #0 0x7f6608cb52f1 in sw::Surface::Buffer::read(void*) const third_party/swiftshader/src/Renderer/Surface.cpp:1006:8
    #1 0x7f6608c5e02b in sw::Blitter::blit(sw::Surface*, sw::SliceRectT<float> const&, sw::Surface*, sw::SliceRectT<int> const&, sw::Blitter::Options const&) third_party/swiftshader/src/Renderer/Blitter.cpp:182:11

The asan log attached is for the Windows version, which gives a more detailed stack trace.
Comment 1 by ClusterFuzz, Jun 11 2018 (Project Member)

Jun 11 2018:
Hi Omair! It's nice to see you chewing on Chrome. :) Thanks for the report. sugoi: This probably affects all Swiftshader platforms, right? (Does that include Android or Fuchsia? Please add if so.)

Jun 11 2018:
SwiftShader is not currently on Android or Fuchsia.

Jun 11 2018:
This was also discovered by internal fuzzer in https://clusterfuzz.com/v2/testcase-detail/6124158002659328, but taking time to minimize.

Jun 11 2018, Project Member:
Detailed report: https://clusterfuzz.com/testcase?key=6717695438094336
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f263ee69c30
Crash State:
  sw::Surface::Buffer::read
  sw::Blitter::blit
  es2::Device::clearColor
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=546348:546351
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6717695438094336
See https://github.com/google/clusterfuzz-tools for more information.

Jun 19 2018, Project Member:
ClusterFuzz has detected this issue as fixed in range 568270:568271.
Detailed report: https://clusterfuzz.com/testcase?key=6717695438094336
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f263ee69c30
Crash State:
  sw::Surface::Buffer::read
  sw::Blitter::blit
  es2::Device::clearColor
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=546348:546351
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=568270:568271
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6717695438094336
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 19 2018, Project Member:
ClusterFuzz testcase 6717695438094336 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Jun 19 2018:
Same root cause as Issue 851707.
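The issue description gives the raw AddressSanitizer output, and the ClusterFuzz comments above reduce it to a "Crash Type" and a three-frame "Crash State", which is the key used to recognise two reports as the same bug (this thread is closed as the same root cause as Issue 851707). The following Python script is an added example, not code from this issue, from Chromium or from ClusterFuzz, showing how a triage script can parse such a report into those fields. The ERROR/READ lines and frames #0 and #1 of the embedded sample are the ones quoted in the issue description; frame #2 (with a placeholder path), frame #3, the trailing "Address ... is located" lines and the ignore list are constructed assumptions.

```python
"""Parse an AddressSanitizer report into the fields a triage system keys on."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "ERROR: AddressSanitizer: stack-buffer-overflow on address 0x... at pc ..."
ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
# "READ of size 4 at 0x... thread T0 (chrome)"
ACCESS_RE = re.compile(
    r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+)")
# Symbolised frame with source location: "#0 0x... in func(args) const path/file.cpp:LINE:COL"
FRAME_SRC_RE = re.compile(
    r"^#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) "
    r"(?P<file>\S+?):(?P<line>\d+)(?::\d+)?(?=\s|$)")
# Frame with only a module offset: "#3 0x... in __libc_start_main (/lib/.../libc.so.6+0x21b97)"
FRAME_BIN_RE = re.compile(
    r"^#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) \((?P<file>[^)]+)\)")

# Constructed ignore list (assumption): runtime/libc frames that say nothing
# about which code is at fault are left out of the crash state.
IGNORED_FRAME_PREFIXES = ("__asan", "__sanitizer", "__interceptor", "__libc_start_main")


@dataclass
class Frame:
    index: int
    function: str          # as printed by ASan, parameter list included
    file: Optional[str]
    line: Optional[int]


@dataclass
class AsanReport:
    crash_type: str        # e.g. "stack-buffer-overflow"
    access: Optional[str]  # "READ" / "WRITE"; None for kinds without an access line
    size: Optional[int]
    address: Optional[str]
    frames: List[Frame]    # the faulting stack only


def parse_asan_report(text: str) -> AsanReport:
    """Extract crash kind, access and the first (faulting) stack from an ASan log."""
    crash_type = address = access = None
    size = None
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FRAME_SRC_RE.match(line) or FRAME_BIN_RE.match(line)
        if m:
            g = m.groupdict()
            frames.append(Frame(int(g["idx"]), g["func"], g["file"],
                                int(g["line"]) if g.get("line") else None))
            continue
        if frames:
            # First non-frame line after the faulting stack: later stacks
            # ("allocated by", "located in stack of") are not part of the state.
            break
        m = ERROR_RE.search(line)
        if m and crash_type is None:
            crash_type, address = m["kind"], m["addr"]
            continue
        m = ACCESS_RE.match(line)
        if m and access is None:
            access, size = m["access"], int(m["size"])
    if crash_type is None:
        raise ValueError("no AddressSanitizer error line found")
    return AsanReport(crash_type, access, size, address, frames)


def crash_state(frames: List[Frame], depth: int = 3) -> List[str]:
    """Top `depth` function names, parameter lists stripped, ignored frames skipped."""
    state: List[str] = []
    for frame in frames:
        name = frame.function.split("(", 1)[0].strip()
        if name.startswith(IGNORED_FRAME_PREFIXES):
            continue
        state.append(name)
        if len(state) == depth:
            break
    return state


def crash_type_label(report: AsanReport) -> str:
    """Render e.g. "Stack-buffer-overflow READ 4" from the parsed fields."""
    parts = [report.crash_type.capitalize()]
    if report.access:
        parts += [report.access, str(report.size)]
    return " ".join(parts)


def dedup_key(report: AsanReport) -> str:
    """Key under which two reports count as one bug: kind + state, never the address."""
    return "|".join([report.crash_type, *crash_state(report.frames)])


# Constructed sample: lines 1-4 are from the issue description, the rest is made up.
SAMPLE_REPORT = """\
==1234==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f660b49efb0 at pc 0x7f6608cb52f2 bp 0x7ffc003494d0 sp 0x7ffc003494c8
READ of size 4 at 0x7f660b49efb0 thread T0 (chrome)
    #0 0x7f6608cb52f1 in sw::Surface::Buffer::read(void*) const third_party/swiftshader/src/Renderer/Surface.cpp:1006:8
    #1 0x7f6608c5e02b in sw::Blitter::blit(sw::Surface*, sw::SliceRectT<float> const&, sw::Surface*, sw::SliceRectT<int> const&, sw::Blitter::Options const&) third_party/swiftshader/src/Renderer/Blitter.cpp:182:11
    #2 0x7f6608c00000 in es2::Device::clearColor(unsigned int) PLACEHOLDER/Device.cpp:1:1
    #3 0x7f6600000000 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b97)

Address 0x7f660b49efb0 is located in stack of thread T0 at offset 48 in frame
    #0 0x7f6608c5dfff in sw::Blitter::blit(...) third_party/swiftshader/src/Renderer/Blitter.cpp:150
"""

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print("Crash Type:", crash_type_label(rep))
    print("Crash State:", *crash_state(rep.frames), sep="\n  ")
    print("Dedup key:", dedup_key(rep))
```

The crash address is deliberately left out of the dedup key: the two ClusterFuzz reports in this thread show a different address (0x7f263ee69c30) from the reporter's run (0x7f660b49efb0) for the same bug, while the crash type and the three-frame state are identical.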
Jun 27 2018, Project Member:
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 27 2018:
Duplicate of Issue 851707.

Jun 28 2018:
Seems like nothing to merge here.

Jun 29 2018:
This was fixed by the patch for Issue 851707, but hasn't been merged to the M68 beta branch as far as I know.

Jun 29 2018:
(also found internally)

Jun 29 2018:
Assuming the bug 851707 was reported after I reported this bug, would I still be disqualified for a reward?

Jul 6 2018, Project Member:
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 9 2018:
capn@ - can you comment on what specifically needs to be merged here? I don't see any associated CLs.

Jul 9 2018:
I fixed it in http://crbug.com/851707#c6, which will require rolling the SwiftShader revision forward: https://swiftshader.googlesource.com/SwiftShader.git/+log/f398044..1fa2067

Jul 10 2018:
+ awhalley - thoughts on this merge?

Jul 19 2018:
friendly ping

Jul 19 2018:
Sorry; we can pick this up in 69

Jul 19 2018:
The SwiftShader roll which includes the fix landed in #567894, and M69 win-dev branched at 575194, so I think we're fine for that one?

Jul 19 2018:
Yep, cheers!

Sep 25, Project Member:
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot