New issue
Advanced search Search tips

Issue 856494 link

Starred by 1 user
Status: Duplicate
Merged: issue 825545
Owner:
capn@chromium.org
Closed: Jun 2018
Cc:
sugoi@chromium.org
piman@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in sw::Surface::Buffer::read

Project Member Reported by ClusterFuzz, Jun 26 2018 
Detailed report: https://clusterfuzz.com/testcase?key=5178132886454272

Fuzzer: libFuzzer_gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x604000013180
Crash State:
  sw::Surface::Buffer::read
  sw::Surface::copyInternal
  sw::Blitter::blit3D
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=512679:512741

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5178132886454272

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Project Member

Comment 1 by ClusterFuzz, Jun 26 2018

Components: Internals>GPU>SwiftShader
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jun 26 2018

Labels: Test-Predator-Auto-Owner
Owner: piman@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/72bb29070e415e215e2a0095b9266c3ec1c75599 (gpu fuzzers: take configuration bits from input data).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 26 2018

Labels: M-68 Target-68
Project Member

Comment 4 by sheriffbot@chromium.org, Jun 26 2018

Labels: Pri-1

Comment 5 by piman@chromium.org, Jun 26 2018

Cc: sugoi@chromium.org piman@chromium.org
Owner: capn@chromium.org
That CL gets found by the bisect because it changes the interpretation of the input data, but the bug predates it.

Comment 6 by capn@chromium.org, Jun 26 2018 

Closely related to  Issue 825545 , possibly duplicate. Reproduces at latest tested revision 4be2115e0abf80619cbf702d0619520d0c4c868d (Mar 16) while the other issue was fixed on Mar 29. Does not reproduce at a390e0340ad7432fc2bbdcf863b04ac3bf290f57 (May 18).

Comment 7 by capn@chromium.org, Jun 26 2018

Mergedinto: 825545
Status: Duplicate (was: Assigned)
Confirmed duplicate by cherry-picking the fix.
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 3

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment