Stack-buffer-overflow in sw::Surface::Buffer::read
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6124158002659328
Fuzzer: inferno_twister_c
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f2b73652330
Crash State:
  sw::Surface::Buffer::read
  sw::Blitter::blit
  es2::Device::clearColor
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6124158002659328
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jun 12 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 12 2018
Jun 14 2018
CF can't do a regression range, but a few changes have recently been made to blitting by capn@, so can you have a look to triage this?
Jun 15 2018
Jun 15 2018
The following revision refers to this bug: https://swiftshader.googlesource.com/SwiftShader.git/+/700a1a67d569fd5a4960ec36fce9c35d2b59aca2

commit 700a1a67d569fd5a4960ec36fce9c35d2b59aca2
Author: Nicolas Capens <capn@google.com>
Date: Fri Jun 15 17:33:47 2018

Fix clearing of dirty textures.

When clear operations fall back to the slow path (i.e. neither fastClear nor blitReactor is used), we were copying a rectangle the size of the destination image. It should only sample within the 1x1 source pixel instead.

Bug chromium:852641, chromium:851707
Change-Id: I9f247483f6167f92be8308b8470c021f5641b657
Reviewed-on: https://swiftshader-review.googlesource.com/19448
Reviewed-by: Alexis Hétu <sugoi@google.com>
Tested-by: Nicolas Capens <nicolascapens@google.com>

[modify] https://crrev.com/700a1a67d569fd5a4960ec36fce9c35d2b59aca2/src/Renderer/Blitter.cpp
[modify] https://crrev.com/700a1a67d569fd5a4960ec36fce9c35d2b59aca2/src/Renderer/Surface.cpp
[modify] https://crrev.com/700a1a67d569fd5a4960ec36fce9c35d2b59aca2/tests/unittests/unittests.cpp
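The defect the commit above describes, modelled as an added example (this is not SwiftShader's code; the `Surface`, `readPixel` and `blitClear*` names are hypothetical): a slow-path clear that walks a destination-sized rectangle and uses those coordinates to sample a 1x1 source reads past the single source pixel, while the corrected loop keeps every sampled coordinate inside the source's own bounds. The scaled sampling in the fixed version generalises the 1x1 case to any source size.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical minimal surface: tightly packed 32-bit pixels, row-major.
struct Surface {
    int width;
    int height;
    std::vector<uint32_t> pixels;  // width * height entries
};

// Bounds-checked read. Returns false where an unchecked read would leave the
// buffer; that is the out-of-bounds access ASAN flagged in Buffer::read.
static bool readPixel(const Surface& s, int x, int y, uint32_t* out) {
    if (x < 0 || y < 0 || x >= s.width || y >= s.height) return false;
    *out = s.pixels[static_cast<size_t>(y) * s.width + x];
    return true;
}

// Buggy slow-path clear: walks a rectangle the size of the destination and
// uses those coordinates to sample the source, which for a clear is a single
// 1x1 pixel. Returns how many reads would have fallen outside the source.
static int blitClearBuggy(const Surface& src, Surface& dst) {
    int oob = 0;
    for (int y = 0; y < dst.height; ++y)
        for (int x = 0; x < dst.width; ++x) {
            uint32_t c = 0;
            if (!readPixel(src, x, y, &c)) { ++oob; continue; }
            dst.pixels[static_cast<size_t>(y) * dst.width + x] = c;
        }
    return oob;
}

// Fixed slow-path clear: the sampled coordinate is scaled into the source's
// own bounds, so a 1x1 source always yields pixel (0,0) and larger sources
// are sampled proportionally. Never reads outside the source.
static int blitClearFixed(const Surface& src, Surface& dst) {
    int oob = 0;
    for (int y = 0; y < dst.height; ++y)
        for (int x = 0; x < dst.width; ++x) {
            int sx = (x * src.width) / dst.width;    // 0 <= sx < src.width
            int sy = (y * src.height) / dst.height;  // 0 <= sy < src.height
            uint32_t c = 0;
            if (!readPixel(src, sx, sy, &c)) { ++oob; continue; }
            dst.pixels[static_cast<size_t>(y) * dst.width + x] = c;
        }
    return oob;
}
```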
Jun 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/083b6f261561e534a5f68c6477cef6c0b64ea710

commit 083b6f261561e534a5f68c6477cef6c0b64ea710
Author: Nicolas Capens <capn@chromium.org>
Date: Sat Jun 16 15:51:53 2018

Roll SwiftShader 88482c3..700a1a6

https://swiftshader.googlesource.com/SwiftShader.git/+log/88482c3..700a1a6

BUG= chromium:845700, chromium:852641, chromium:851707
TBR=kbr@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_chromium_cfi_rel_ng;luci.chromium.try:android_optional_gpu_tests_rel

Change-Id: Ic36ddc1988cd83970a4a53b52a1ce1b229d17137
Reviewed-on: https://chromium-review.googlesource.com/1102886
Commit-Queue: Nicolas Capens <capn@chromium.org>
Reviewed-by: Alexis Hétu <sugoi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567894}

[modify] https://crrev.com/083b6f261561e534a5f68c6477cef6c0b64ea710/DEPS
Jun 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f3a2fd4ce7fefe8dea3c5607982856f91c69ec8c

commit f3a2fd4ce7fefe8dea3c5607982856f91c69ec8c
Author: Dirk Pranke <dpranke@chromium.org>
Date: Sat Jun 16 21:30:31 2018

Revert "Roll SwiftShader 88482c3..700a1a6"

This reverts commit 083b6f261561e534a5f68c6477cef6c0b64ea710.

Reason for revert: I think this is causing crashes on Mac 10.13 (dbg). See https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Mac10.13%20Tests%20%28dbg%29/3362.

Original change's description:
> Roll SwiftShader 88482c3..700a1a6
>
> https://swiftshader.googlesource.com/SwiftShader.git/+log/88482c3..700a1a6
>
> BUG= chromium:845700, chromium:852641, chromium:851707
>
> TBR=kbr@chromium.org
>
> TEST=bots
>
> CQ_INCLUDE_TRYBOTS=luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_chromium_cfi_rel_ng;luci.chromium.try:android_optional_gpu_tests_rel
>
> Change-Id: Ic36ddc1988cd83970a4a53b52a1ce1b229d17137
> Reviewed-on: https://chromium-review.googlesource.com/1102886
> Commit-Queue: Nicolas Capens <capn@chromium.org>
> Reviewed-by: Alexis Hétu <sugoi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#567894}

TBR=sugoi@chromium.org,capn@chromium.org

Change-Id: I96e96329f4de1581ca11fca443fa943e58ce8f4c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:845700, chromium:852641, chromium:851707
Cq-Include-Trybots: luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_chromium_cfi_rel_ng;luci.chromium.try:android_optional_gpu_tests_rel
Reviewed-on: https://chromium-review.googlesource.com/1103398
Reviewed-by: Dirk Pranke <dpranke@chromium.org>
Commit-Queue: Dirk Pranke <dpranke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567898}

[modify] https://crrev.com/f3a2fd4ce7fefe8dea3c5607982856f91c69ec8c/DEPS
Jun 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/efddbaa1da8640c7556477a5040462ddd6f2bb69

commit efddbaa1da8640c7556477a5040462ddd6f2bb69
Author: Alexis Hetu <sugoi@google.com>
Date: Tue Jun 19 01:01:03 2018

Roll SwiftShader 88482c3..1fa2067

https://swiftshader.googlesource.com/SwiftShader.git/+log/88482c3..1fa2067

BUG= chromium:845700 chromium:852641 chromium:851707
TBR=kbr@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_chromium_cfi_rel_ng;luci.chromium.try:android_optional_gpu_tests_rel

Change-Id: I86645f0e44657bd864a347728994e469b789bc75
Reviewed-on: https://chromium-review.googlesource.com/1104986
Commit-Queue: Alexis Hétu <sugoi@chromium.org>
Reviewed-by: Alexis Hétu <sugoi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#568271}

[modify] https://crrev.com/efddbaa1da8640c7556477a5040462ddd6f2bb69/DEPS
Jun 19 2018
ClusterFuzz has detected this issue as fixed in range 568270:568271.

Detailed report: https://clusterfuzz.com/testcase?key=6124158002659328
Fuzzer: inferno_twister_c
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f2b73652330
Crash State:
  sw::Surface::Buffer::read
  sw::Blitter::blit
  es2::Device::clearColor
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=568270:568271
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6124158002659328
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 19 2018
ClusterFuzz testcase 6124158002659328 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 19 2018
Jun 29 2018
Sep 26
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jun 12 2018