DrawCallVertexParams::ensureResolved overflows when indexRange.start is too large |
||||||||
Issue descriptionDrawCallVertexParams::ensureResolved overflows when mBaseVertex is added to indexRange.start. This bug can be triggered from WebGL. Call stack of memory corruption: libglesv2!rx::CopyNativeVertexData<unsigned char,3,4,1> libglesv2!rx::VertexBuffer11::storeVertexAttributes libglesv2!rx::StreamingVertexBufferInterface::storeDynamicAttribute libglesv2!rx::VertexDataManager::storeDynamicAttrib libglesv2!rx::VertexDataManager::storeDynamicAttribs libglesv2!rx::VertexArray11::updateDynamicAttribs libglesv2!rx::VertexArray11::syncStateForDraw libglesv2!rx::StateManager11::updateState libglesv2!rx::Context11::prepareForDrawCall libglesv2!rx::Context11::drawElementsInstanced libglesv2!gl::Context::drawElements libglesv2!gl::DrawElements
,
Jul 28
Hi geofflang@. By soon to be beta, do you mean it affects M69? rafael.cintron@ - would you be OK with us landing the patch the week before your Patch Tuesday (though not opening the bug). That would allow us to get the ball rolling on having the change tested in Dev and Canary so we could merge it to Beta around Aug 14th? I'm fine keeping the fix out for now, but we do have a pretty big (and end user) Beta population.
,
Jul 30
This bug affects the users an experiment for 50% of M69 in Dev but we had planned on continuing the experiment into M69 Beta. We can hold off on that if needed.
,
Aug 1
@awhalley, thank you very much for being willing to land the patch close to our Patch Tuesday. In conversations with @geofflang, he was open the initial commit having a non-security specific message and withholding the PoC. Would you mind doing this for the week-before fix and then, after Patch Tuesday, making a follow-on commit with the PoC? I think that strikes a good balance between getting feedback for the fix and keeping users safe from premature disclosure.
,
Aug 3
Hi rafael.cintron@ - I've confirmed with we can land the fix and PoC separately. Thanks geofflang@! (One thing to note is that this is an exception to our policy, and we don't do it lightly, but I've take an action to discuss how we should handle situations like this in the future to make it a bit smoother)
,
Aug 3
@awalley, just to confirm. When you say "we can land the fix separately", you mean that the first commit (with the fix) will have a non-security commit message. Yes?
,
Aug 4
rafael.cintron@ - correct, sorry for not being more precise :-)
,
Aug 4
@awhalley, great! I will inform the security people on my side. Thank you very much for being accommodating! We should definitely discuss how to handle situations like this in the future. Keeping open communications between both companies will be critical, regardless of who finds bugs first.
,
Aug 6
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/6ba9754f4a5668936976ca7d8f5ec69de30f9aee commit 6ba9754f4a5668936976ca7d8f5ec69de30f9aee Author: Geoff Lang <geofflang@chromium.org> Date: Mon Aug 06 16:33:22 2018 Refactor index range calculation in DrawCallParams. BUG= 864528 Change-Id: Iac418054ae56a2d9dd277d0474019997aeaa834b Reviewed-on: https://chromium-review.googlesource.com/1163633 Reviewed-by: Jamie Madill <jmadill@chromium.org> Commit-Queue: Geoff Lang <geofflang@chromium.org> [modify] https://crrev.com/6ba9754f4a5668936976ca7d8f5ec69de30f9aee/src/libANGLE/params.cpp
,
Aug 13
Requesting a merge for M69. This patch is small and has been in Canary for 6 days.
,
Aug 13
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 13
govind@ - good for 69
,
Aug 13
,
Aug 13
Approving merge to M69 branch 3497 based on #12. Thank you.
,
Aug 13
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/6ffc489d4f184b151a3b612b755bdf28a05b3424 commit 6ffc489d4f184b151a3b612b755bdf28a05b3424 Author: Geoff Lang <geofflang@chromium.org> Date: Mon Aug 13 18:24:17 2018 Refactor index range calculation in DrawCallParams. BUG= 864528 Change-Id: Iac418054ae56a2d9dd277d0474019997aeaa834b Reviewed-on: https://chromium-review.googlesource.com/1163633 Reviewed-by: Jamie Madill <jmadill@chromium.org> Commit-Queue: Geoff Lang <geofflang@chromium.org> (cherry picked from commit 6ba9754f4a5668936976ca7d8f5ec69de30f9aee) Reviewed-on: https://chromium-review.googlesource.com/1172943 Reviewed-by: Geoff Lang <geofflang@chromium.org> [modify] https://crrev.com/6ffc489d4f184b151a3b612b755bdf28a05b3424/src/libANGLE/params.cpp
,
Aug 14
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/2363356f52f6f0d01f174b4a859561f1159f7e15 commit 2363356f52f6f0d01f174b4a859561f1159f7e15 Author: Geoff Lang <geofflang@chromium.org> Date: Tue Aug 14 20:38:32 2018 Make sure index ranges outside of the GLint range are handled correctly. IndexRange uses size_t values but DrawCallParams::mFirstVertex is a GLint. This makes sure all casting is safe. BUG= 864528 Change-Id: Iaa95019615af4d3f79b12bbcb0df13b44cb54339 Reviewed-on: https://chromium-review.googlesource.com/1140898 Reviewed-by: Geoff Lang <geofflang@chromium.org> Commit-Queue: Geoff Lang <geofflang@chromium.org> [modify] https://crrev.com/2363356f52f6f0d01f174b4a859561f1159f7e15/src/tests/gl_tests/WebGLCompatibilityTest.cpp [modify] https://crrev.com/2363356f52f6f0d01f174b4a859561f1159f7e15/src/tests/test_utils/ANGLETest.h [modify] https://crrev.com/2363356f52f6f0d01f174b4a859561f1159f7e15/src/tests/test_utils/ANGLETest.cpp
,
Aug 14
Is CL listed at #16 need a merge to M69?
,
Aug 14
No, it is just the proof-of-concept now
,
Aug 14
,
Sep 21
Any objections to opening this bug up now?
,
Sep 21
None on my side.
,
Sep 21
No objections.
,
Sep 21
Thanks both! |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by geoffl...@chromium.org
, Jul 26