Issue 851398: Stack-buffer-overflow in sw::Surface::Buffer::read
Reported by
om...@krash.in,
Jun 11 2018
|
|||||||||||||||||||||
Issue description
I have tested this on asan-linux-stable-67.0.3396.79. The attached testcase results in a crash and the following is the stack trace from the linux version:
ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f660b49efb0 at pc 0x7f6608cb52f2 bp 0x7ffc003494d0 sp 0x7ffc003494c8
READ of size 4 at 0x7f660b49efb0 thread T0 (chrome)
#0 0x7f6608cb52f1 in sw::Surface::Buffer::read(void*) const third_party/swiftshader/src/Renderer/Surface.cpp:1006:8
#1 0x7f6608c5e02b in sw::Blitter::blit(sw::Surface*, sw::SliceRectT<float> const&, sw::Surface*, sw::SliceRectT<int> const&, sw::Blitter::Options const&) third_party/swiftshader/src/Renderer/Blitter.cpp:182:11
The asan log attached is for the windows version, which gives a more detailed stack trace.
, Jun 11 2018Project Member
, Jun 11 2018
Hi Omair! It's nice to see you chewing on Chrome. :) Thanks for the report. sugoi: This probably affects all Swiftshader platforms, right? (Does that include Android or Fuchsia? Please add if so.) , Jun 11 2018SwiftShader is not currently on Android or Fuschia. , Jun 11 2018This was also discovered by internal fuzzer in https://clusterfuzz.com/v2/testcase-detail/6124158002659328, but taking time to minimize. , Jun 11 2018Project Member
Detailed report: https://clusterfuzz.com/testcase?key=6717695438094336 Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Stack-buffer-overflow READ 4 Crash Address: 0x7f263ee69c30 Crash State: sw::Surface::Buffer::read sw::Blitter::blit es2::Device::clearColor Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=546348:546351 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6717695438094336 See https://github.com/google/clusterfuzz-tools for more information. , Jun 19 2018Project MemberClusterFuzz has detected this issue as fixed in range 568270:568271. Detailed report: https://clusterfuzz.com/testcase?key=6717695438094336 Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Stack-buffer-overflow READ 4 Crash Address: 0x7f263ee69c30 Crash State: sw::Surface::Buffer::read sw::Blitter::blit es2::Device::clearColor Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=546348:546351 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=568270:568271 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6717695438094336 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. , Jun 19 2018Project Member
ClusterFuzz testcase 6717695438094336 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. , Jun 19 2018Same root cause as Issue 851707 . , Jun 19 2018Project Member
, Jun 26 2018
, Jun 27 2018Project Member
, Jun 27 2018Project Member
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot , Jun 27 2018Duplicate of Issue 851707 . , Jun 28 2018
Seems like nothing to merge here. , Jun 29 2018This was fixed by the patch for Issue 851707 , but hasn't been merged to the M68 beta branch as far as I know. , Jun 29 2018
(also found internally) , Jun 29 2018Assuming the bug 851707 was reported after I reported this bug, would I still disqualify for a reward? , Jul 6 2018
, Jul 6 2018
, Jul 6 2018Project Member
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot , Jul 9 2018capn@ - can you comment on what specifically needs to be merged here? I don't see any associated CLs. , Jul 9 2018I fixed it in http://crbug.com/851707#c6 , which will require rolling the SwiftShader revision forward: https://swiftshader.googlesource.com/SwiftShader.git/+log/f398044..1fa2067 , Jul 10 2018
+ awhalley - thoughts on this merge? , Jul 19 2018friendly ping , Jul 19 2018
Sorry; we can pick this up in 69 , Jul 19 2018The SwiftShader roll which includes the fix landed in #567894, and M69 win-dev branched at 575194, so I think we're fine for that one? , Jul 19 2018
Yep, cheers! , Aug 16
, Sep 4
, Sep 25Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot , Jan 4
|
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by ClusterFuzz, Jun 11 2018
Project Member