virglrenderer vrend_decode_create_shader buffer overflow
Issue description

virgl fuzzer run locally found the following buffer overflow:

okaybye2 /saved-20180717b # ASAN_OPTIONS="log_path=stderr" /usr/libexec/fuzzers/virgl_fuzzer ./crash-9d897ebd230b8113564dbb920c53b249315c448a
INFO: Seed: 461975458
INFO: Loaded 2 modules (36921 inline 8-bit counters): 36899 [0x7f00438a1140, 0x7f00438aa163), 22 [0x5636b2199268, 0x5636b219927e),
INFO: Loaded 2 PC tables (36921 PCs): 36899 [0x7f00438aa168,0x7f004393a398), 22 [0x5636b2199280,0x5636b21993e0),
/usr/libexec/fuzzers/virgl_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./crash-9d897ebd230b8113564dbb920c53b249315c448a
gl_version 30 - es profile enabled
WARNING: running without ARB/KHR robustness in place may crash
=================================================================
==31584==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000118 at pc 0x7f004372ce49 bp 0x7fff6010cb40 sp 0x7fff6010cb38
READ of size 4 at 0x603000000118 thread T0
    #0 0x7f004372ce48 in get_buf_entry /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:55:11
    #1 0x7f0043728b2f in vrend_decode_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:92:33
    #2 0x7f0043728b2f in vrend_decode_create_object /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:698
    #3 0x7f0043728b2f in vrend_decode_block /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:1210
    #4 0x5636b214f964 in LLVMFuzzerTestOneInput /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/tests/fuzzer/virgl_fuzzer.c:181:4
    #5 0x5636b205aa1c in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2ca1c)
    #6 0x5636b204b3a6 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1d3a6)
    #7 0x5636b205124c in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2324c)
    #8 0x5636b207bb52 (/usr/libexec/fuzzers/virgl_fuzzer+0x4db52)
    #9 0x7f004293c735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #10 0x5636b204a968 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1c968)

0x603000000119 is located 0 bytes to the right of 25-byte region [0x603000000100,0x603000000119)
allocated by thread T0 here:
    #0 0x5636b2122283 in malloc (/usr/libexec/fuzzers/virgl_fuzzer+0xf4283)
    #1 0x7f0043b21f39 in operator new(unsigned long) /build/amd64-generic/tmp/portage/sys-libs/libcxx-4.0.0-r14/work/libcxx-4.0.0.src-abi_x86_64.amd64/../libcxx-4.0.0.src/src/new.cpp:70:17
    #2 0x5636b205a931 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2c931)
    #3 0x5636b204b3a6 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1d3a6)
    #4 0x5636b205124c in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2324c)
    #5 0x5636b207bb52 (/usr/libexec/fuzzers/virgl_fuzzer+0x4db52)
    #6 0x7f004293c735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x5636b204a968 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1c968)

SUMMARY: AddressSanitizer: heap-buffer-overflow /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:55:11 in get_buf_entry
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff8010: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 01 fa fa
=>0x0c067fff8020: 00 00 00[01]fa fa 00 00 00 03 fa fa 00 00 00 00
  0x0c067fff8030: fa fa 00 00 07 fa fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff8040: 01 fa fa fa 00 00 01 fa fa fa 00 00 00 01 fa fa
  0x0c067fff8050: 00 00 00 01 fa fa 00 00 00 01 fa fa 00 00 00 01
  0x0c067fff8060: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8070: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31584==ABORTING
Jul 20
Both from reading get_buf_entry without check.
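The report above shows a 4-byte READ ending exactly at the end of a 25-byte heap region, i.e. the decoder fetched one 32-bit word past the last whole word of the fuzzer input, and the comment attributes this to get_buf_entry being called without a bounds check. The following is an added example, not virglrenderer's code and not the fix the project landed: a hypothetical command-word decoder with the same shape (a buffer of 32-bit words, a CREATE_SHADER command whose header states its own length, an accessor that reads words by index). Every name, the field layout and the sample inputs are constructed for this illustration; the point is where the checks have to sit: the header length is validated against the words actually present before it is trusted, the guest-controlled entry count is bounded by that validated length, and every read goes through an accessor that refuses out-of-range indices.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not virglrenderer's code: a minimal command-word decoder
 * with the shape of the failing path in the report (a buffer of 32-bit
 * words, a CREATE_SHADER command whose header states its own length, and
 * an accessor that fetches words by index). Layout, names and sizes are
 * hypothetical. */

struct cmd_buf {
    const uint32_t *words;
    size_t nwords;                  /* whole words actually present */
};

/* Hypothetical CREATE_SHADER layout, word indices from the command start:
 * 0 handle, 1 shader type, 2 token count, 3 stream-output count N,
 * 4..3+N stream-output entries, 4+N.. shader text packed into words. */
enum { SH_HANDLE, SH_TYPE, SH_NUM_TOKENS, SH_NUM_SO, SH_HDR_WORDS };

struct shader_cmd {
    uint32_t hdr[SH_HDR_WORDS];
    const uint32_t *text;           /* points into the command buffer */
    size_t text_words;
};

/* 'Before' form: trusts the caller and reads whatever index it is given.
 * With idx >= nwords this is the 4-byte out-of-bounds READ ASAN reports
 * above; kept only to show the shape of the bug. */
uint32_t entry_unchecked(const struct cmd_buf *b, size_t idx)
{
    return b->words[idx];
}

/* 'After' form: refuse any index outside the words that really exist. */
static int entry_checked(const struct cmd_buf *b, size_t idx, uint32_t *out)
{
    if (idx >= b->nwords)
        return -1;
    *out = b->words[idx];
    return 0;
}

/* Decode one CREATE_SHADER command. 'length' is the word count the guest
 * put in the command header. Returns 0 on success, -1 on malformed input. */
int decode_create_shader(const struct cmd_buf *b, uint32_t length,
                         struct shader_cmd *out)
{
    uint32_t w;

    /* 1. The claimed length must fit in the buffer we were actually given
     *    and must at least cover the fixed header. */
    if (length > b->nwords || length < SH_HDR_WORDS)
        return -1;
    for (size_t i = 0; i < SH_HDR_WORDS; i++)
        if (entry_checked(b, i, &out->hdr[i]))
            return -1;

    /* 2. N is guest-controlled: bound it by the validated length. The
     *    subtraction cannot wrap because length >= SH_HDR_WORDS held above. */
    uint32_t num_so = out->hdr[SH_NUM_SO];
    if (num_so > length - SH_HDR_WORDS)
        return -1;

    /* 3. Variable-length reads still go through the checked accessor, so a
     *    later layout change cannot quietly reintroduce the bug. */
    for (uint32_t i = 0; i < num_so; i++)
        if (entry_checked(b, SH_HDR_WORDS + i, &w))
            return -1;

    /* 4. Whatever remains after header and table is shader text (may be empty). */
    size_t text_start = SH_HDR_WORDS + num_so;
    out->text = b->words + text_start;
    out->text_words = length - text_start;
    return 0;
}

/* Constructed inputs for a self-check; none of these come from the report. */
static const uint32_t GOOD[]   = { 7, 1, 12, 2, 0x11, 0x22, 0xdead, 0xbeef };
static const uint32_t TRUNC[]  = { 7, 1, 12, 2 };            /* header only */
static const uint32_t HUGE_N[] = { 7, 1, 12, 0xffffffffu, 0, 0, 0, 0 };

/* Returns the text word count on success, -1 when the decoder rejects. */
static int run(const uint32_t *words, size_t nwords, uint32_t length)
{
    struct cmd_buf b = { words, nwords };
    struct shader_cmd s;
    return decode_create_shader(&b, length, &s) == 0 ? (int)s.text_words : -1;
}

/* 8 words claimed, 8 present, N = 2: two words of text remain. */
int selftest_good(void)      { return run(GOOD, 8, 8); }
/* 8 words claimed but only 4 arrived: rejected before any read past the end. */
int selftest_truncated(void) { return run(TRUNC, 4, 8); }
/* Length honest, N absurd: rejected by the N bound rather than by a crash. */
int selftest_huge_n(void)    { return run(HUGE_N, 8, 8); }
```

The ordering matters: checking `length` against `nwords` first means the header reads cannot overrun even on a truncated input, and bounding `num_so` by the already-validated `length` means no arithmetic on guest values happens before those values have been constrained. Compiled with `-fsanitize=address`, calling `entry_unchecked()` with an index of `nwords` on any of the sample buffers reproduces the class of report shown in the description.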
Jul 28
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/02c8bd18a6cecea1cb0b8acff9dba529454f89d0

commit 02c8bd18a6cecea1cb0b8acff9dba529454f89d0
Author: David Riley <davidriley@chromium.org>
Date: Sat Jul 28 05:33:19 2018

virglrenderer: Update to upstream, remove local fuzzer patch.

From: 0fb73b11e4cdadced885e52848002b2e9c79e3f5
To: 9c420d224d86215d408dff8dea599ed9414a24d6

9c420d2 vrend, caps: Move GL only caps into newly created function
f4ac4c6 vrend, caps: Move the sanity checks up in the call hierarchy
60521af vrend, caps: Split GL/GLES version checking and move caps set check up
97ddb62 vrend: remove superfluous initializations
c2e457e vrend: correct the stride if the client sends it
cd14ff1 renderer: Protect glSampleMaski and GL_SAMPLE_MASK.
519a091 shader_buffers: fix macros and use in decode.
42e2a4c vrend: use the row-stride when directly reading back to an IOV
34809ef vrend: Set scissor_state_dirty correctly.
58e521c get rid of yet another bind-flag set
2e84388 discourage using legacy-definitions
dc1bc1e get rid of diplicate definition of VREND_RES_BIND-flags
5ff40d5 add VIRGL_BIND_*-flags from mesa
9eaf2c8 features: disallow ssbos if we don't have the feature (v2)
6a6f3c4 features: add ubo feature (v2)
7958225 features: add transform_feedback feature (v2)
4145714 features: add multisample texture feature.
dd2f62b features: add cube map array feature.
c8d3c59 features: add texture array feature
4593bef features: add conditional render inverted.
0dc96e9 features: add transform feedback overflow query
ea7f3c1 features: add geometry shader feature
e8eeea7 features: add dual src blend support
1497dd9 features: add viewport array feature
4ed679c features: use correct extensions for tbo size
2704d81 features: add independent blend function feature.
c402e82 features: add indirect draw feature.
35356ec features: add independent blend enable feature
36ac335 features: add base instance feature.
7c23f33 features: add draw_instance feature.
c8269ae renderer: get return value from draw vbo.
31049f6 features: move existing features to a table init (v2)
87d8671 features: add transform_feedback3 feature
6ff41a3 features: move some caps to use has_feature flags
edd2478 Fix create_shader buf boundary check
fe7a1ef gles: report maximum vertex-attrib stride to guest
e898b8f Avoid needless repetition
2c0d096 use short-hand state accessors
7a37a36 Fix NULL dereference in vrend_draw_bind_samplers_shader
87b346a fuzzer: Add a libFuzzer based fuzzer.
5057fb9 tests: Fix virgl_init_cbs_wrong_ver test
79479ac blitter, GL blit fallback: clean up framebuffer after use
eb9555c features: convert current feature list to an array (v2)
cdf8860 renderer: fix ambiguous else warning
97b9df0 add a cap for TGSI precise modifiers
47387e4 emit precise keyword
ef70cef tgsi/text: parse _PRECISE modifier
46d2cf8 tgsi: populate precise
654647c protect calls to glPrimitiveRestart on GLES 3.1
39add38 protect gl{Begin, End}ConditionalRendering calls
4349893 protect call to glDeleteSamplers
89f7995 protect call to glPrimitiveRestartIndex
ec454b9 renderer: fix ssbo != -1 comparison.
df7322e ssbo: reorder var assignment
083d97f renderer: add shader_storage_buffer_object support. (v4)
1800bd4 shader: add basic shader_storage_buffer_object parsing. (v4)
4013fbc gallium: import MAX_SHADER_BUFFERS from mesa
dfa1e8c u_math: bring over u_bit_scan_consecutive_range.
7f96206 shader: drop unused sviews_used
249fb00 shader: pass sinfo/dinfo into translate_tex
a04a63e virgl-caps: Report support for GL_ARB_copy_image to the guest
8ad0201 vrend_formats: Replace RGB(8|16) formats with RGBX(8|16)
2846dcf vrend: If available use glCopyImageSubData to execute memcopy like blits
be3b107 vrend: Remove bad sRGB warning on GLES
cae96e1 shader: drop unused function.
e387116 report maximum vertex-attrib stride to host
6a4ef6d renderer: swizzle sampler border color channel if we emulate alpha format

BUG=chromium:852111, chromium:864689, chromium:862699, chromium:864695, chromium:864792
TEST=ASAN_OPTIONS="log_path=stderr" /usr/libexec/fuzzers/virgl_fuzzer

Change-Id: I6e9b40675053dc1f18af6dfd888a145caecf13b7
Reviewed-on: https://chromium-review.googlesource.com/1153607
Commit-Ready: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Pohsien Wang <pwang@chromium.org>

[delete] https://crrev.com/6c1c4a5360e6a3a124cc64ebdc22943fbeb8211a/media-libs/virglrenderer/files/virglrenderer-0.6.0-fuzzer.patch
[delete] https://crrev.com/6c1c4a5360e6a3a124cc64ebdc22943fbeb8211a/media-libs/virglrenderer/virglrenderer-0.6.0_p20180716-r2.ebuild
[modify] https://crrev.com/02c8bd18a6cecea1cb0b8acff9dba529454f89d0/media-libs/virglrenderer/Manifest
[rename] https://crrev.com/02c8bd18a6cecea1cb0b8acff9dba529454f89d0/media-libs/virglrenderer/virglrenderer-0.6.0_p20180727.ebuild
Jul 30
The crash in the description of this bug no longer occurs. The crash from issue 865728 still occurs.
Aug 3
We ended up using a different approach to these two issues.
Comment 1 by pwang@chromium.org, Jul 20