Security: Intel Graphics Card Denial of Service Vulnerability
Reported by
yzy9...@gmail.com,
Aug 1
Issue description
**Subject**: [FG-VD-18-123] Google Chrome Denial of Service Vulnerability Notification

Dear Google,

Fortinet's FortiGuard Labs have discovered a security issue in your product on 1 August 2018. We estimate its risk level is 3, on a scale of 1 (lowest) to 5 (highest), in terms of its impact. Please advise of the appropriate contact person in your company to handle this issue.

Fortinet's research remains ethical at all times, and we therefore strive to Responsible Disclosure. Fortinet vulnerability disclosure policy can be found at https://fortiguard.com/zeroday/responsible-disclosure.

For this particular issue, we will wait until 1 October 2018 to post an advisory on our website (https://fortiguard.com/zeroday) and/or any other publication form (e.g. conference talk, demo, podcast, etc). We might publish *earlier* than that date only if:
1) Public proof of concept code is released, increasing the danger of the vulnerability being exploited in the wild;
2) Or you patched or updated the vulnerability - a positive fact we'll be happy to mention.

In the case you agree to patch this vulnerability and need more time, we are willing to delay publication to 90-days upon request. Fortinet will use reasonable efforts to communicate a schedule of planned mediums, including conferences with the appropriate stakeholders within the affected company.

Our security researchers work on your product or service either because it is popular and/or interesting, so please take this positively. This research is done free of charge for you, although our researchers will appreciate being mentioned in a Hall of Fame or bug bounty if any. Threats to our security researchers are not acceptable and will be dealt with by our Legal team.

We look forward to working closely with you to resolve this issue. If you wish to switch to confidential emails, you may pick up our PGP key on https://fortiguard.com/secresearch-pgpkey.

Kind regards,
Fortinet's FortiGuard Labs.
------------------
Please refer to the PoC.txt for more information.
,
Aug 2
Can't reproduce on a Microsoft Surface laptop running Windows 10 and an Intel 520 GPU. See about:gpu info below. Regardless, there are plenty of ways to crash Chrome's GPU process, for example by allocating lots of large canvas elements. Such DoS attacks are not considered security vulnerabilities. In this case I suspect that the dropdown is causing a surface to be created which is so large that a texture can't be allocated for it. If the submitter can prove that the GPU process is crashing with some sort of exploitable memory corruption, feel free to reopen this bug. Until that point, I'm confident in closing this as WontFix (not a bug).
,
Aug 2
Hi, I am not sure the reason you can't reproduce it. Following is my chrome://gpu report. The error message:
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(9163)] : [.DisplayCompositor-000001FBC9BEE1A0]GL ERROR :GL_INVALID_OPERATION : glSetDrawRectangleCHROMIUM: failed on surface
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(9164)] : Context lost because SetDrawRectangleCHROMIUM failed.
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(5619)] : Error: 5 for Command kSetDrawRectangleCHROMIUM
[3860:10300:0802/110456.465:ERROR:gpu_channel_manager.cc(189)] : Exiting GPU process because some drivers cannot recover from problems.
Thanks for your time.
,
Aug 2
Submitter: if the GPU process is exiting because of these errors:
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(9163)] : [.DisplayCompositor-000001FBC9BEE1A0]GL ERROR :GL_INVALID_OPERATION : glSetDrawRectangleCHROMIUM: failed on surface
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(9164)] : Context lost because SetDrawRectangleCHROMIUM failed.
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(5619)] : Error: 5 for Command kSetDrawRectangleCHROMIUM
[3860:10300:0802/110456.465:ERROR:gpu_channel_manager.cc(189)] : Exiting GPU process because some drivers cannot recover from problems.
GpuProcessHostUIShim: The GPU process exited normally. Everything is okay.
then this is happening completely cooperatively, because some surface is too large. There is no security issue.
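Added example, not part of the original thread and not Chromium code: a small triage script that applies the reasoning in the comment above to chrome://gpu log lines, separating a GPU process that logged its own exit after a context loss from one that only logged GL errors or lost its context without an exit message. The verdict names and the pid 4242 line are assumptions made for illustration; the other sample lines are quoted from this thread.

```python
import re

# GPU-process log line as shown under "Log Messages" in chrome://gpu:
#   [pid:tid:MMDD/HHMMSS.mmm:LEVEL:file.cc(line)] : message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+):(?P<tid>\d+):(?P<date>\d{4})/(?P<time>\d{6}\.\d{3}):"
    r"(?P<level>[A-Z]+):(?P<file>[^()\]]+)\((?P<line>\d+)\)\]\s*:?\s*(?P<msg>.*)$"
)
CONTEXT_LOST = "Context lost because "
EXITING = "Exiting GPU process because "

# Lines for pids 3860 and 5680 are quoted from the report in this thread.
# The pid 4242 line is constructed to show the "no exit logged" case.
SAMPLE_LOG = """\
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(9163)] : [.DisplayCompositor-000001FBC9BEE1A0]GL ERROR :GL_INVALID_OPERATION : glSetDrawRectangleCHROMIUM: failed on surface
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(9164)] : Context lost because SetDrawRectangleCHROMIUM failed.
[3860:10300:0802/110456.465:ERROR:gles2_cmd_decoder.cc(5619)] : Error: 5 for Command kSetDrawRectangleCHROMIUM
[3860:10300:0802/110456.465:ERROR:gpu_channel_manager.cc(189)] : Exiting GPU process because some drivers cannot recover from problems.
GpuProcessHostUIShim: The GPU process exited normally. Everything is okay.
[5680:8732:0802/110457.871:ERROR:gles2_cmd_decoder.cc(18008)] : [.DisplayCompositor-000001FBC9BECF70]GL ERROR :GL_INVALID_OPERATION : glCreateAndConsumeTextureCHROMIUM: invalid mailbox name
[4242:1:0802/110500.000:ERROR:gles2_cmd_decoder.cc(9164)] : Context lost because SetDrawRectangleCHROMIUM failed.
"""


def parse_line(raw):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(raw.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["tid"] = int(rec["tid"])
    rec["line"] = int(rec["line"])
    return rec


def triage(log_text):
    """Map each GPU-process pid to (verdict, context-loss cause or None).

    cooperative-exit      context loss logged, then the process logged its own exit
    context-lost-no-exit  context loss logged, but no exit message followed it
    gl-errors-only        errors logged without any context loss
    """
    state = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # e.g. GpuProcessHostUIShim lines, which carry no pid
        s = state.setdefault(rec["pid"], {"cause": None, "exit_after_loss": False})
        msg = rec["msg"]
        if msg.startswith(CONTEXT_LOST):
            s["cause"] = msg[len(CONTEXT_LOST):].rstrip(". ")
        elif msg.startswith(EXITING) and s["cause"] is not None:
            # Only count an exit that follows a context loss in the same process.
            s["exit_after_loss"] = True

    verdicts = {}
    for pid, s in state.items():
        if s["exit_after_loss"]:
            verdict = "cooperative-exit"
        elif s["cause"] is not None:
            verdict = "context-lost-no-exit"
        else:
            verdict = "gl-errors-only"
        verdicts[pid] = (verdict, s["cause"])
    return verdicts


if __name__ == "__main__":
    for pid, (verdict, cause) in triage(SAMPLE_LOG).items():
        print(pid, verdict, cause or "-")
```

The script only classifies what the log says; a process that lost its context without logging an exit still needs its crash report examined before drawing any conclusion.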
,
Aug 2
Also see https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Are-denial-of-service-issues-considered-security-bugs if the only consequence is DoS.
,
Aug 3
Hi, I was thinking: the GPU (the display) is dead, but the web page, the links and scripts are still running. To recover the black interface to normal, the user has to click on Chrome. If an attacker performs a full-screen button, a redirect and redirect back, or an action that needs the user's click, like adding a plugin, these behaviours can be done on a black screen and the user won't notice it. Thanks.
,
Nov 8
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by palmer@chromium.org, Aug 1
Components: Internals>GPU
Labels: OS-Windows