Crash in es2::Program::linkAttributes

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6749460160577536
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0xccf7a434
Crash State:
  es2::Program::linkAttributes
  es2::Program::link
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=529743:529750
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6749460160577536

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 3
Automatically adding ccs based on suspected regression changelists: Fix attribute location binding by sugoi@google.com - https://swiftshader.googlesource.com/SwiftShader/+/23f54d74e1e613a0e90e79056e96cb8a339373a8 Fix build issues. by capn@google.com - https://swiftshader.googlesource.com/SwiftShader/+/cbd20d9de071350b6241d82ba9d70e82dba95150 Structure field type validation by sugoi@google.com - https://swiftshader.googlesource.com/SwiftShader/+/924513cdde1271f47353b7945480ad2fb8100bb4 If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Aug 15
sugoi: Have you had a chance to look at this? This is a high severity security vulnerability affecting stable.
Aug 15
I'm OOO this week (conference) and next week (vacation), back on Monday August 27th. I'll try to have a look tomorrow. Note: I'm assuming the "linux_asan_chrome_v8_arm" isn't really an ARM bot, right? SwiftShader doesn't run on ARM bots.
Aug 15
Ok, I see what it is, the Clusterfuzz test case is assigning a location of 2000000000. I'll verify how to handle this case according to the spec.
Aug 15
Double-checked: That shader shouldn't compile, a location larger than or equal to GL_MAX_VERTEX_ATTRIBS is illegal. Also, it shouldn't link, which should already be handled, so that probably needs a fix. Investigating.
Aug 15
Ah, I see it, the attribute location we get here: https://cs.chromium.org/chromium/src/third_party/swiftshader/src/OpenGL/libGLESv2/Program.cpp?l=1664 can come from here: https://cs.chromium.org/chromium/src/third_party/swiftshader/src/OpenGL/libGLESv2/Program.cpp?l=1682 and this value is never checked. An out-of-bounds check and an aliasing check have to be added somewhere within Program::linkAttributes().
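The two checks named in the comment above, written out as an added example rather than SwiftShader's own code. The class, function and constant names (HypotheticalProgram, bindAttributeLocation, linkAttributes, MAX_VERTEX_ATTRIBS = 16) are assumed for illustration; only the rules they enforce come from the GL ES specification: glBindAttribLocation must fail with GL_INVALID_VALUE for an index >= GL_MAX_VERTEX_ATTRIBS, and linking must fail when a bound location is out of range for the attribute's size or when two active attributes alias the same location. The fuzzer's location of 2000000000 is rejected at bind time, and the link re-validates every stored binding before it is used as an array index.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Added example, not SwiftShader code. Names are hypothetical; the value of
// MAX_VERTEX_ATTRIBS stands for whatever GL_MAX_VERTEX_ATTRIBS reports (16 assumed).
constexpr int MAX_VERTEX_ATTRIBS = 16;
constexpr int UNBOUND = -1;

struct Attribute {
    std::string name;
    int registerCount;  // a vec4 takes 1 location, a mat4 takes 4 consecutive ones
};

class HypotheticalProgram {
public:
    // Mirrors glBindAttribLocation: GL_INVALID_VALUE for index >= MAX_VERTEX_ATTRIBS,
    // so a request such as 2000000000 is refused here and never stored.
    bool bindAttributeLocation(const std::string& name, uint32_t index) {
        if (index >= static_cast<uint32_t>(MAX_VERTEX_ATTRIBS)) return false;
        if (name.compare(0, 3, "gl_") == 0) return false;  // reserved prefix
        bound_[name] = static_cast<int>(index);
        return true;
    }

    // Link-time placement of the vertex shader's active attributes. Every explicit
    // binding is re-validated, so the link never indexes a table with an unchecked
    // user-supplied location; failure returns false instead of writing out of bounds.
    bool linkAttributes(const std::vector<Attribute>& active) {
        uint32_t used = 0;  // one bit per location: bit i set <=> location i taken
        locations_.clear();
        // Pass 1: explicit bindings, with range and aliasing checks.
        for (const Attribute& a : active) {
            auto it = bound_.find(a.name);
            if (it == bound_.end()) continue;
            int loc = it->second;
            if (loc < 0 || loc + a.registerCount > MAX_VERTEX_ATTRIBS)
                return fail("attribute '" + a.name + "' bound out of range");
            for (int r = 0; r < a.registerCount; ++r) {
                uint32_t bit = 1u << (loc + r);
                if (used & bit) return fail("attribute '" + a.name + "' aliases another");
                used |= bit;
            }
            locations_[a.name] = loc;
        }
        // Pass 2: unbound attributes get the lowest free run of locations.
        for (const Attribute& a : active) {
            if (locations_.count(a.name)) continue;
            int loc = findFree(used, a.registerCount);
            if (loc == UNBOUND) return fail("too many active attributes");
            for (int r = 0; r < a.registerCount; ++r) used |= 1u << (loc + r);
            locations_[a.name] = loc;
        }
        return true;
    }

    int location(const std::string& name) const {
        auto it = locations_.find(name);
        return it == locations_.end() ? UNBOUND : it->second;
    }
    const std::string& infoLog() const { return log_; }

private:
    bool fail(const std::string& msg) {
        log_ = msg;
        locations_.clear();
        return false;
    }

    static int findFree(uint32_t used, int count) {
        for (int loc = 0; loc + count <= MAX_VERTEX_ATTRIBS; ++loc) {
            bool ok = true;
            for (int r = 0; r < count && ok; ++r) ok = !(used & (1u << (loc + r)));
            if (ok) return loc;
        }
        return UNBOUND;
    }

    std::map<std::string, int> bound_;      // glBindAttribLocation requests
    std::map<std::string, int> locations_;  // result of the last successful link
    std::string log_;
};
```

The range check in pass 1 uses loc + registerCount rather than loc alone, which is what catches a mat4 bound at location 14 with a 16-slot limit; checking only the base index would pass validation and still overrun the table.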
Aug 23
I assumed this was caused by my recent change https://swiftshader-review.googlesource.com/20168, but actually we haven't rolled Chromium to that revision yet, and I believe it might fix this.
Sep 1
ClusterFuzz has detected this issue as fixed in range 588163:588168.

Detailed report: https://clusterfuzz.com/testcase?key=6749460160577536
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0xccf7a434
Crash State:
  es2::Program::linkAttributes
  es2::Program::link
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=529743:529750
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=588163:588168
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6749460160577536

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 1
ClusterFuzz testcase 6749460160577536 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 8
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot