
Heap-buffer-overflow in translate

Project Member Reported by ClusterFuzz, Aug 2

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5899981857488896

Fuzzer: libFuzzer_chromeos_virgl_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60a0000003b8
Crash State:
  translate
  tgsi_text_translate
  vrend_create_shader
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=2801419:2801745

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5899981857488896

Issue filed automatically.

See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 2

Cc: davidriley@google.com marcheu@google.com zachr@google.com
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 2

Labels: M-69 Target-69
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 2

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 2

Labels: Pri-1
Cc: davidri...@chromium.org pwang@chromium.org
Dupe of crbug.com/864792 (specifically crbug.com/865728)
Components: Internals>GPU>SwiftShader
Owner: davidri...@chromium.org
Status: Assigned (was: Untriaged)
Is there a reason crbug.com/864792 isn't tracked as a security issue then?

And does this mean the crash in crbug.com/864792 isn't fixed?
Project Member

Comment 7 by sheriffbot@chromium.org, Aug 3

Labels: -Security_Impact-Head Security_Impact-Beta
Owner: pwang@chromium.org
crbug.com/864792 wasn't marked as a security issue because virglrenderer isn't being used in CrOS at this time. There's a command-line flag to crosvm that can turn usage on but we're a long way from actually shipping anything with it.

There are two different crash signatures with the same root cause (this is based on analysis from pwang@/ddmail@), so the one specifically mentioned in the description of crbug.com/864792 is fixed, but the dupe bug crbug.com/865728 is not fixed.

Reassigning to pwang@ who's been working with upstream on the fixes.
We ended up using a different approach with those two issues. Should we apply the patch locally to avoid the security issue?
Has a patch landed upstream? If so, I'd rather just update upstream to include that.
pwang@ - see question in #10 - getting very close to the last chance to take this in 69.
The original patch landed, but it got reverted because of another problem. I tried to push another fix. https://patchwork.freedesktop.org/patch/244398/
But as far as I know, virglrenderer is not yet used by any product for now. Android Studio is trying to use it, but that has not happened yet. cc Joe as he might know better.
Cc: djmk@chromium.org
So, do we have a fix for this issue or not?
Project Member

Comment 15 by sheriffbot@chromium.org, Aug 30

pwang: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Hi, pwang is out of town right now. I do see his patch merged upstream, it should be in the next cros mesa uprev.
Project Member

Comment 17 by ClusterFuzz, Sep 1

Detailed report: https://clusterfuzz.com/testcase?key=5962927847505920

Fuzzer: libFuzzer_chromeos_virgl_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x606000000238
Crash State:
  translate
  tgsi_text_translate
  vrend_create_shader
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=2801419:2801745

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5962927847505920

See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for more information.
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 5

Labels: -Security_Impact-Beta Security_Impact-Stable
@djmk, what fix are you referencing? Is there a CL?
Cc: ihf@chromium.org
The fix is in the upstream. https://gitlab.freedesktop.org/virgl/virglrenderer 
Who's updating the virglrenderer ebuild to bring us in line with upstream then?
Labels: -ReleaseBlock-Stable ReleaseBlock-NA
virgl_fuzzer is a special target for code that does not ship yet on Chromebooks. Hence it should not block the release. Applying label as suggested in #3 and #8.
Thanks, ihf@, for removing the blocker.
I'll do the update later once another fix is in. (The fix mentioned in #16 is only partial due to another mesa bug upstream.)

Project Member

Comment 24 by ClusterFuzz, Sep 12

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5899981857488896 appears to be flaky, updating reproducibility label.
Project Member

Comment 25 by ClusterFuzz, Sep 12

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5899981857488896 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Assigned (was: WontFix)
Project Member

Comment 27 by bugdroid1@chromium.org, Sep 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/d473c24e19d19ecff062735977badf6610c1ea44

commit d473c24e19d19ecff062735977badf6610c1ea44
Author: Po-Hsien Wang <pwang@chromium.org>
Date: Thu Sep 20 05:41:22 2018

virglrenderer: update to upstream

Update to upstream and move to 0.7.0.

From: 9c420d224d86215d408dff8dea599ed9414a24d6
To: 9b91cc380fdd5bf993f64a9cd452dbc4c98872fa

9b91cc3 update u_format_parse from mesa to handle python3
402c228 bump release to 0.7.0
de00899 vrend,feat: check for GL_OES_draw_buffers_indexed on GLES < 3.2
9813d10 shader: emit required extensions for 'sample' keyword on GLES 3.1 host
d725cd8 shader: emit GL_EXT_geometry_shader for glLayer on GLES 3.1 host
0d843ab shader: Emit GL_OES_shader_image_atomic on GLES 3.1 host when needed
fed5d2d vtest: Don't read past the iovec
fdcb5b5 vtest: Better error reporting
9b3bab8 vtest: Replace asserts with if cases
6373d5a vtest: Add backing store to each resource
33da736 vtest: Add versioning mechanism to protocol
6cc3162 vtest: Add ping protocol version cmd
003007e vrend_renderer: check for 0 length shader request.
2546d11 shader: Enable GL_ARB_texture_cube_map_array in shader on gles 3.1 host
71c75f2 configure: fix issues with GLX build
80b6b37 configure: delete duplicated line
4333584 shader: Add support for TGSI_FILE_HW_ATOMIC
cd8c1b6 renderer: Add support for TGSI_FILE_HW_ATOMIC
13ca94b vrend: send max_combined_shader_buffers to guest
1d8b215 gallium: Add changes needed for TGSI_FILE_HW_ATOMIC
30d2c0a shader: Declare ssbo_addr_temp for TGSI_FILE_MEMORY
e2ef712 vrend,features: Report PIPE_PRIM_PATCHES when tesselation is supported
36c919e shader: rework precise-emitting for built-ins
10ae7e3 vrend: Don't cache blend enable state and set it directly
a5bfada vrend_renderer: Check the shader terminator
76670ad vrend: do not overwrite a sampler-object that might be in use
2766ae7 only set texture params for non multisample surfaces
8bd7e08 vtest: destroy renderer in no-fork mode
8498354 blitter: add blitter destruction path
2d6713c vrend: Enhanced layout support.
4553faf vrend: alpha-textures are supported on GLES
0d6a243 vrend,feature: correct handling of feat_texture_buffer_range and use it
148d326 vrend,features: Corrext typo in GL_KHR_robust_buffer_access_behavior
026c80f vrend,features: expose GL_ARB_draw_buffers_blend also on a GLES 3.2 host
527f078 vrend,feature: Enable feat_indep_blend on a GLES 3.2 host
16fbc93 shader: don't emit ARB_gpu_shader5 if GLSL version is 320 es
aa0f6a7 vrend,features: Sample shading is provided by GLES 3.2
662a620 vrend: Lift glsl level on GLES 3.1 + some extensions to 400
967c508 vrend,features: Enable tessellation shaders for GLES >= 3.2 or OES_tessellation_shaders
4732489 shader: do not redeclare built-ins as precise
964d08a shader: also require GL_EXT_shader_framebuffer_fetch for gles
47b89a4 shader: on GLES most image formats always require the specification of ro/wo
547beea shader: Ensure that the AND operation has the same typed sources
ce99528 vrend: Enable required extensions on GLSL 3.10 ES
1c113dd format: assert that the multi-sample check enters with a clean error state
c31e6fa vrend, caps: multisample images are not available on GLES
8291760 renderer: query host for max texture sizes
945003ca Revert "shader: on GLES most image formats always require the specification of ro/wo"
a4b3a8f shader: Enable GL_OES_geometry_point_size when needed
19cef6b shader: Enable tesselation_point_size extension for all tesselation shaders
ab34c9d shader: Enable tesselation extension manually for GLSL version < 3.20
3e7a6ac shader: on GLES most image formats always require the specification of ro/wo
baa834d shader: Also don't convert when src type is SIGNED and input is int.
a135a16 shader: use different variable declarations for signed and unsigned (I|U)MUL_HI
d7c795c vrend_shader: don't always cast image operations
491d3b7 shader: fix conversion for return type of various bit operations
5153644 shader: subtract 1 if we have normal constant from ubo indexing.
82412e9 formats: Reject also formats that give GL_INVALID_OPERATION and correct STENCIL_INDEX
9932a4c shader: fix regression with image vs sampler array
510325e shader: emit precision for images on GLSL
ba349a1 shader: emit readonly-images
f97bec1 shader: generate bindings with layout qualifiers
921602d shader: refactor image declaration emitting
ea53530 shader: pass sampler directly to emit_sampler_decl
2d62498 shader: add missing precision specifier
b6cbb42 query: use 64-bit get for timer queries
fe745ce vrend_renderer: use GL_RGBA8UI instead of GL_RGBA8_SNORM
fd10f0a Revert "renderer: check for shader_text validity"
c37e9e6 vrend_shader: support integer memory
b0a4b4a vrend_shader: do a first pass analyzing tgsi instructions
272d9a4 renderer: fix warning.
3193c2c renderer: check for shader_text validity
fae89ca vrend_renderer.c: Fix warnings
f434be0 shader: Fix warnings:
5284499 gallium/auxiliary/util/u_debug.h: Fix "noreturn" warnings in debug mode
9ddf508 gallium/auxiliary/util/u_debug.c: Fix warnings
1df55d3 gallium/aux/tgsi/tgsi_scan.c: Fix warnings
a722f98 gallium/aux/util/u_cpu_detect.h: Fix warning in u_cpu_detect.c
ae89b77 gallizm/aux/util/u_format.c, u_debug_describe.c: Fix warnings
c7fe2bd gallium/aux/tgsi/tgsi_util.c: Fix warnings
4d89fee gallium/aux/tgsi/tgsi_ureg.*: Fix warnings
79cf595 gallium/aux/util/u_surface.c: Fix warning
ad731ee gallium/aux/tgsi/tgsi_text.c: Fix warnings
dfe2535 gallium/aux/util/u_debug_refcnt.h: Fix warnings:
22dadfc gallium/aux/tgsi/tgsi_sanity.c: Fix warnings
d30031a gallium/aux/tgsi/tgsi_parse.c: Fix warnings
d0d787c gallium/aux/tgsi/tgsi_dump.c: Fix warnings
16a06ce gallium/aux/tgsi/tgsi_build.c: Fix warnings
f0f9466 gallium/aux/cso_cache.c: Fix warnings
257cf11 vrend: correct blit/copy_image code path
d4ea731 vrend_shader: fixup typo in indirect image-handling
aaed5a6 add texture barrier implementation
a263998 formats: include compressed formats in the copy-compatibility check
f60737c add support for shader clock.
8c155ec check before calling multisample
bef8c7e vrend, features: enable sampler objects as provided by GLES 3.0
842c320 vrend, features: Add stencil texturing as feature provided by GLES 3.1
a457c57 vrend: don't call glShaderStorageBlockBinding on GLES and warn about it's use
7751ba2 vrend: Add geometry shaders on the GLES 3.1 host
5e63074 vrend, feature: Add GLSL version information for GLES 3.1 host
3d6213c vrend, features: add ARB_texture_gather to feature test
5eaf8f1 vrend, features: Correct ARB_draw_indirect and set available for GLES 3.1
c91500a vrend: Enable ARB_texture_storage on GLES
da81b0c shader: require GL_OES_texture_storage_multisample_2d_array for 2D MS.
41a0fd8 formats: reorder sample count reading and emultate it for low sample counts
0d93c22 vrend: Use the sample count that was read before
d9fee3c vrend_shader: fix uninitialized variable warning
f32948d vrend_renderer: Zero out tex parameters for TBOs
845dab3 vrend,caps: Move all v2 caps into according function (v4)
be46fce vrend,caps: move all caps for version 1 into one function (v4)
20592e3 vrend,caps: evaluate GLSL version before everything else  (v5)
e9a1d25 vrend,caps: unify GLSL version evaluation (v4)
0bed90c vrend,caps: Add GLES entry for gl_prim_restart
adbd163 vrend,caps: Unify feature code path and remove duplicates
56fe9d6 vrend,caps: move version-less common caps into common functions
1d35f3e vtest: Add --no-loop-or-fork flag
938352f vrend_shader: require glsl 150 for early depth stencil
244b110 vrend_shader: use require_glsl_ver function
5758881 shader: Do not adjust y coordinate if an application render to a FBO
7241f45 blitter: Make fbo sRGB state always act like on GLES
403875b vrend, feat: Add feat_texture_srgb_decode and protect calls
0364a2a expose FBFETCH-cap if supported
3e0f7bd vrend: grok FBFETCH instruction
6630710 gallium: add FBFETCH opcode to retrieve the current sample value
c2ee1af export GLSL 4.30 since we now have compute shaders and ssbos
8e822c9 add robust buffer access feature.
b4965e2 add framebuffer_no_attachment support
1a71bfd renderer: expose compute shaders to the host. (v2)
38207b5 compute: handle launch grid.
40a4b11 decode/renderer: handle compute shader creation
e869bad shaders: add compute shader support.
33f0170 shader: merge array types
64d0f12 sampler arrays: refactor to follow image arrays
ff77946 (shader) virgl/egl: Add option to use GLES
0475127 virgl/egl: Add option to use the surfaceless platform
7291627 virgl: expose glsl 4.20
8289e3f renderer: add memory barrier support. (v2)
de61327 renderer: expose TXQS capability to guest.
f565193 shader: add texture image samples query support.
950de33 renderer: add image support. (v4)
097c43e shader: add gl_HelperInvocation support
1fe8def shaders: handle early fragment tests
4472641 shader: add image support to shader parsing. (v3)
97d4246 shader: decode MEMBAR instruction.
fd849b2 gallium: add PIPE_MAX_SHADER_IMAGES and image read/write defines.
8ffd38a shader: bump some snprintf limits to 512

BUG= chromium:870119 
TEST=ASAN_OPTIONS='log_path=stderr' /usr/libexec/fuzzers/virgl_fuzzer

Change-Id: Ia94a9ae5ac6fc3b99024784a93fd7420f53ebbb1
Reviewed-on: https://chromium-review.googlesource.com/1232715
Commit-Ready: Pohsien Wang <pwang@chromium.org>
Tested-by: Pohsien Wang <pwang@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>

[modify] https://crrev.com/d473c24e19d19ecff062735977badf6610c1ea44/media-libs/virglrenderer/virglrenderer-9999.ebuild
[modify] https://crrev.com/d473c24e19d19ecff062735977badf6610c1ea44/media-libs/virglrenderer/Manifest
[rename] https://crrev.com/d473c24e19d19ecff062735977badf6610c1ea44/media-libs/virglrenderer/files/virglrenderer-0.7.0-libdrm.patch
[add] https://crrev.com/d473c24e19d19ecff062735977badf6610c1ea44/media-libs/virglrenderer/virglrenderer-0.7.0_p20180919-r1.ebuild
[rename] https://crrev.com/d473c24e19d19ecff062735977badf6610c1ea44/media-libs/virglrenderer/virglrenderer-0.7.0_p20180919.ebuild
[delete] https://crrev.com/64745680ae0c00005a780887c0ae78c48711aaa8/media-libs/virglrenderer/virglrenderer-0.6.0_p20180727-r2.ebuild

Project Member

Comment 28 by sheriffbot@chromium.org, Sep 21

pwang: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
Status: Assigned (was: Fixed)
Please don't close ClusterFuzz filed bugs. Clusterfuzz will close it once the fix is verified.

And it can't verify the fix since https://chromium-review.googlesource.com/1232715 has broken the fuzzer builds (https://bugs.chromium.org/p/chromium/issues/detail?id=887492)
The fuzzer build seems to be working, why hasn't this been verified?
Stopped reproducing due to some bad build.

[2018-09-12 09:05:42 UTC] clusterfuzz-linux-cp80: Progression task started: r2922023.
[2018-09-12 09:34:15 UTC] clusterfuzz-linux-cp80: Progression task errored out: Known crash revision 2922023 did not crash.
[2018-09-12 09:34:15 UTC] clusterfuzz-linux-cp80: Progression task errored out: Testcase appears to be flaky

Clicking redo->fixed on testcase to reverify.
Sorry, I'm not familiar with the interface. Where should I push the button?
Checking all the open testcases in https://clusterfuzz.com/v2/testcases?fuzzer=libFuzzer_chromeos_virgl_fuzzer&open=yes 
but I can't find this issue listed. My guess is that the system somehow isn't tracking this any more?
NextAction: 2018-10-08
I've re-run the task.
It seems like the bug is still there? https://clusterfuzz.com/v2/testcase-detail/5899981857488896
Weird, it's not showing on my side, and I have no access to the link you provided either.

"You (email=ddmail@google.com) are not authorized to access this page!"
I could see other issues such as https://clusterfuzz.com/v2/testcase-detail/5980575845056512 though.
I'll take a look at this.
Re #37: Your Chromium account owns this bug, so you need to login into CF using your Chromium account.
Hmm... It seems the package used in the fuzzer build is still old.
(virglrenderer-0.6.0_p20180727)

My guess is that we need to cherry-pick the CL to an older branch to make it work. My guess is that we need d473c24e19d19ecff062735977badf6610c1ea44 in R69?
Labels: Merge-Request-69 Merge-Request-70
Project Member

Comment 41 by sheriffbot@chromium.org, Oct 5

Labels: -Merge-Request-70 Merge-Review-70 Hotlist-Merge-Review
This bug requires manual review: We are only 10 days from stable.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: geohsu@chromium.org
c#41 doesn't really apply because this code isn't in any product that we're shipping right now and we don't really care about it for R69 or R70.

The build linked in c#36 is testing against a two month old build:
https://viceroy.corp.google.com/chromeos/build_details?build_id=2802333

Alright, you are right. So I think the problem resides on the fuzzer side instead.

I checked the recent amd64-generic-fuzzer build's build event, 
gsutil cat gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3010348/build-events.json | grep virgl
{"category": "media-libs", "status": "pass", "version": "0.7.0_p20180919-r1", "name": "virglrenderer", "task_name": "EmergePackage", "finish_time": 1538764142.668132, "try_count": 1, "start_time": 1538764142.299424, "id": ["ParallelEmerge", 279]}
{"category": "media-libs", "status": "pass", "version": "0.7.0_p20180919-r1", "name": "virglrenderer", "task_name": "EmergePackage", "finish_time": 1538766642.445858, "try_count": 1, "start_time": 1538766597.432422, "id": ["ParallelEmerge", 525]}

virglrenderer should be at version 0.7.0_p20180919-r1 instead of 0.6.0_p20180727-r2. Where could I ask the fuzzer to go with a newer build? It seems "redo tasks" is still picking up 0.6.0_p20180727.
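The version check from the comment above, written as a script (an added example, not part of the original thread or of any ChromeOS tooling). It assumes build-events.json carries one JSON object per line, as the grep output suggests; the function names and the third and fourth sample lines are constructed for illustration.

```python
import json

# Sample input: the first two records are the ones quoted in the comment
# above; the last two lines are constructed to show what gets skipped.
SAMPLE_EVENTS = """\
{"category": "media-libs", "status": "pass", "version": "0.7.0_p20180919-r1", "name": "virglrenderer", "task_name": "EmergePackage", "finish_time": 1538764142.668132, "try_count": 1, "start_time": 1538764142.299424, "id": ["ParallelEmerge", 279]}
{"category": "media-libs", "status": "pass", "version": "0.7.0_p20180919-r1", "name": "virglrenderer", "task_name": "EmergePackage", "finish_time": 1538766642.445858, "try_count": 1, "start_time": 1538766597.432422, "id": ["ParallelEmerge", 525]}
{"category": "example-cat", "status": "pass", "version": "1.0-r1", "name": "example-pkg", "task_name": "EmergePackage", "id": ["ParallelEmerge", 1]}
this line is not JSON and is ignored
"""


def emerged_versions(events_text, category, name):
    """Return the set of versions successfully emerged for category/name."""
    versions = set()
    for line in events_text.splitlines():
        line = line.strip().rstrip(",")  # tolerate array-style trailing commas
        if not line.startswith("{"):
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a complete JSON record
        if (event.get("task_name") == "EmergePackage"
                and event.get("status") == "pass"
                and event.get("category") == category
                and event.get("name") == name):
            versions.add(event.get("version"))
    return versions


def check_fix_in_build(events_text, category, name, expected_version):
    """Classify a build: 'ok' if only the expected version was emerged,
    'missing' if the package was not built, 'mismatch' otherwise."""
    found = emerged_versions(events_text, category, name)
    if not found:
        return "missing", found
    if found == {expected_version}:
        return "ok", found
    return "mismatch", found


if __name__ == "__main__":
    status, found = check_fix_in_build(
        SAMPLE_EVENTS, "media-libs", "virglrenderer", "0.7.0_p20180919-r1")
    print(status, sorted(found))
```

A "mismatch" result on the artifact a testcase was actually run against is the situation described in this thread: the fix has landed in the overlay, but the reproduction is still exercising the older package.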
As per clusterfuzz, the bug still reproduces on build 3011381 (See the string last tested stacktrace).

3011381 is from Oct 06.
$ gsutil.py ls -l gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/*-b3011381 
       122  2018-10-06T01:35:03Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/UPLOADED
    121201  2018-10-06T01:28:57Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/build-events.json
      1489  2018-10-06T01:35:04Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/index.html
      7090  2018-10-06T01:34:46Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/metadata.json
      2076  2018-10-06T00:24:48Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/partial-metadata.json
1155549732  2018-10-06T01:34:44Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/sysroot_virtual_target-os.tar.xz
      2951  2018-10-06T01:34:51Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/timeline-stages.html
       807  2018-10-06T01:35:01Z  gs://chromeos-fuzzing-artifacts/libfuzzer-asan/amd64-generic-fuzzer/R71-11130.0.0-b3011381/uploaded.json
TOTAL: 8 objects, 1155685468 bytes (1.08 GiB)

Project Member

Comment 46 by sheriffbot@chromium.org, Oct 6

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 47 by sheriffbot@chromium.org, Oct 7

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
The NextAction date has arrived: 2018-10-08
Project Member

Comment 49 by ClusterFuzz, Oct 13

Labels: Needs-Feedback
ClusterFuzz testcase 5899981857488896 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Project Member

Comment 50 by sheriffbot@chromium.org, Oct 17

Labels: -M-69 Target-70 M-70
Project Member

Comment 51 by sheriffbot@chromium.org, Dec 5

Labels: -M-70 Target-71 M-71
Project Member

Comment 52 by sheriffbot@chromium.org, Jan 12

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
