New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 851398 link

Starred by 1 user
Status: Verified
Owner:
capn@chromium.org
Closed: Jun 2018
Cc:
kbr@chromium.org
nicolasc...@google.com
sugoi@chromium.org
capn@chromium.org
awhalley@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Stack-buffer-overflow in sw::Surface::Buffer::read

Reported by om...@krash.in, Jun 11 2018 
I have tested this on asan-linux-stable-67.0.3396.79. The attached testcase results in a crash and the following is the stack trace from the linux version:

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f660b49efb0 at pc 0x7f6608cb52f2 bp 0x7ffc003494d0 sp 0x7ffc003494c8
READ of size 4 at 0x7f660b49efb0 thread T0 (chrome)
    #0 0x7f6608cb52f1 in sw::Surface::Buffer::read(void*) const third_party/swiftshader/src/Renderer/Surface.cpp:1006:8
    #1 0x7f6608c5e02b in sw::Blitter::blit(sw::Surface*, sw::SliceRectT<float> const&, sw::Surface*, sw::SliceRectT<int> const&, sw::Blitter::Options const&) third_party/swiftshader/src/Renderer/Blitter.cpp:182:11

The asan log attached is for the windows version, which gives a more detailed stack trace.
blit.html
1.1 KB View Download
asan.txt
8.2 KB View Download
Project Member

Comment 1 by ClusterFuzz, Jun 11 2018 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6717695438094336.
Project Member

Comment 2 by ClusterFuzz, Jun 11 2018

Labels: OS-Linux

Comment 3 by palmer@chromium.org, Jun 11 2018

Cc: nicolasc...@google.com kbr@chromium.org
Components: Internals>GPU>SwiftShader
Labels: M-68 Security_Severity-Medium Security_Impact-Stable OS-Chrome OS-Mac OS-Windows Pri-1
Owner: sugoi@chromium.org
Status: Assigned (was: Unconfirmed)
Hi Omair! It's nice to see you chewing on Chrome. :) Thanks for the report.

sugoi: This probably affects all Swiftshader platforms, right? (Does that include Android or Fuchsia? Please add if so.)

Comment 4 by sugoi@chromium.org, Jun 11 2018 

SwiftShader is not currently on Android or Fuschia.

Comment 5 by infe...@chromium.org, Jun 11 2018 

This was also discovered by internal fuzzer in https://clusterfuzz.com/v2/testcase-detail/6124158002659328, but taking time to minimize.
Project Member

Comment 6 by ClusterFuzz, Jun 11 2018

Summary: Stack-buffer-overflow in sw::Surface::Buffer::read (was: Security: stack-buffer-overflow in sw::Surface::Buffer::read)
Detailed report: https://clusterfuzz.com/testcase?key=6717695438094336

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f263ee69c30
Crash State:
  sw::Surface::Buffer::read
  sw::Blitter::blit
  es2::Device::clearColor
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=546348:546351

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6717695438094336

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 7 by ClusterFuzz, Jun 19 2018 

ClusterFuzz has detected this issue as fixed in range 568270:568271.

Detailed report: https://clusterfuzz.com/testcase?key=6717695438094336

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f263ee69c30
Crash State:
  sw::Surface::Buffer::read
  sw::Blitter::blit
  es2::Device::clearColor
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=546348:546351
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=568270:568271

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6717695438094336

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Jun 19 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6717695438094336 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by nicolasc...@google.com, Jun 19 2018 

Same root cause as  Issue 851707 .
Project Member

Comment 10 by sheriffbot@chromium.org, Jun 19 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 11 by awhalley@chromium.org, Jun 26 2018

Labels: reward-topanel
Project Member

Comment 12 by sheriffbot@chromium.org, Jun 27 2018

Labels: Merge-Request-68
Project Member

Comment 13 by sheriffbot@chromium.org, Jun 27 2018

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by nicolasc...@google.com, Jun 27 2018 

Duplicate of  Issue 851707 .

Comment 15 by abdulsyed@google.com, Jun 28 2018

Labels: -Merge-Review-68
Seems like nothing to merge here.

Comment 16 by nicolasc...@google.com, Jun 29 2018 

This was fixed by the patch for  Issue 851707 , but hasn't been merged to the M68 beta branch as far as I know.

Comment 17 by awhalley@chromium.org, Jun 29 2018

Labels: -reward-topanel reward-0
(also found internally)

Comment 18 by om...@krash.in, Jun 29 2018 

Assuming the  bug 851707  was reported after I reported this bug, would I still disqualify for a reward?

Comment 19 by sugoi@chromium.org, Jul 6

Cc: capn@chromium.org

Comment 20 by capn@chromium.org, Jul 6

Cc: sugoi@chromium.org
Labels: Merge-Request-68
Owner: capn@chromium.org
Project Member

Comment 21 by sheriffbot@chromium.org, Jul 6

Labels: -Merge-Request-68 Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by abdulsyed@google.com, Jul 9 

capn@ - can you comment on what specifically needs to be merged here? I don't see any associated CLs.

Comment 23 by capn@chromium.org, Jul 9 

I fixed it in  http://crbug.com/851707#c6 , which will require rolling the SwiftShader revision forward: https://swiftshader.googlesource.com/SwiftShader.git/+log/f398044..1fa2067

Comment 24 by abdulsyed@google.com, Jul 10

Cc: awhalley@chromium.org
+ awhalley - thoughts on this merge?

Comment 25 by abdulsyed@google.com, Jul 19 

friendly ping

Comment 26 by awhalley@chromium.org, Jul 19

Labels: -M-68 M-69
Sorry; we can pick this up in 69

Comment 27 by capn@chromium.org, Jul 19 

The SwiftShader roll which includes the fix landed in #567894, and M69 win-dev branched at 575194, so I think we're fine for that one?

Comment 28 by awhalley@chromium.org, Jul 19

Labels: -Merge-Review-68
Yep, cheers!

Comment 29 by awhalley@google.com, Aug 16

Labels: Release-0-M69

Comment 30 by awhalley@chromium.org, Sep 4

Labels: CVE-2018-16082 CVE_description-missing
Project Member

Comment 31 by sheriffbot@chromium.org, Sep 25

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by awhalley@chromium.org, Jan 4

Labels: -CVE_description-missing CVE_description-submitted

Sign in to add a comment