
Issue 865728 link

Issue metadata

Status: Assigned
Merged: issue 864792
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug
virglrenderer eat_opt_white buffer overflow (via vrend_create_shader)

Project Member Reported by davidri...@chromium.org, Jul 19

Issue description

Fuzzer found the following heap overflow. Similar code path to crbug.com/864792, but looks like a slightly different path.

=================================================================
==238035==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300004a2d8 at pc 0x7efd32a6ee77 bp 0x7ffd6a54b370 sp 0x7ffd6a54b368
READ of size 1 at 0x60300004a2d8 thread T0
    #0 0x7efd32a6ee76 in eat_opt_white /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/gallium/auxiliary/tgsi/tgsi_text.c:170:11
    #1 0x7efd32a64f18 in translate /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/gallium/auxiliary/tgsi/tgsi_text.c:1817:4
    #2 0x7efd32a64c52 in tgsi_text_translate /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/gallium/auxiliary/tgsi/tgsi_text.c:1872:9
    #3 0x7efd3291c083 in vrend_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_renderer.c:2599:12
    #4 0x7efd32a1ee37 in vrend_decode_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:110:10
    #5 0x7efd32a1ee37 in vrend_decode_create_object /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:698
    #6 0x7efd32a1ee37 in vrend_decode_block /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:1210
    #7 0x558d9d70f938 in LLVMFuzzerTestOneInput /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/tests/fuzzer/virgl_fuzzer.c:181:4
    #8 0x558d9d61acfc in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2ccfc)
    #9 0x558d9d61a675 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2c675)
    #10 0x558d9d61c3d3 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2e3d3)
    #11 0x558d9d61cd95 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2ed95)
    #12 0x558d9d6116f2 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x236f2)
    #13 0x558d9d63be32  (/usr/libexec/fuzzers/virgl_fuzzer+0x4de32)
    #14 0x7efd31c2d735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #15 0x558d9d60ac58 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1cc58)

0x60300004a2d8 is located 0 bytes to the right of 24-byte region [0x60300004a2c0,0x60300004a2d8)
allocated by thread T0 here:
    #0 0x558d9d6e2563 in malloc (/usr/libexec/fuzzers/virgl_fuzzer+0xf4563)
    #1 0x7efd32e34f39 in operator new(unsigned long) /build/amd64-generic/tmp/portage/sys-libs/libcxx-4.0.0-r14/work/libcxx-4.0.0.src-abi_x86_64.amd64/../libcxx-4.0.0.src/src/new.cpp:70:17
    #2 0x558d9d61ac11 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2cc11)
    #3 0x558d9d61a675 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2c675)
    #4 0x558d9d61c3d3 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2e3d3)
    #5 0x558d9d61cd95 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2ed95)
    #6 0x558d9d6116f2 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x236f2)
    #7 0x558d9d63be32  (/usr/libexec/fuzzers/virgl_fuzzer+0x4de32)
    #8 0x7efd31c2d735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x558d9d60ac58 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1cc58)

SUMMARY: AddressSanitizer: heap-buffer-overflow /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/gallium/auxiliary/tgsi/tgsi_text.c:170:11 in eat_opt_white
==238035==ABORTING
MS: 1 EraseBytes-; base unit: 1a7a277ea262e086d2905ec5915bb9a8c68792db
0x1,0x4,0x5,0x0,0x4,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\x01\x04\x05\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
artifact_prefix='./'; Test unit written to ./crash-29fd374c8f7391ab98fcbf0e81121b9aeaea8fcb
Base64: AQQFAAQAAAAAAAAAAAAAAAAAAAAAAAAA

Attachment: crash-29fd374c8f7391ab98fcbf0e81121b9aeaea8fcb (24 bytes)
Mergedinto: 864792
Status: Duplicate (was: Untriaged)
Status: Fixed (was: Duplicate)
We ended up using a different approach for these two issues.
Status: Assigned (was: Fixed)
Owner: pwang@chromium.org