New issue
Advanced search Search tips

Issue 877876 link

Starred by 1 user
Status: Duplicate
Merged: issue 877874
Owner: ----
Closed: Aug 27
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in gpu::gles2::Texture::ClearRenderableLevels

Reported by cdsrc2...@gmail.com, Aug 27 
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce the problem:
Version 70.0.3515.0 (Developer Build) (64-bit)(ubuntu)
68.0.3440.106(release)(32bit)(windows)

1.build new chrome with asan.
2. ./chrome ./poc.html

What is the expected behavior?

What went wrong?
==4191==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190001ab7a8 at pc 0x556387d0c63a bp 0x7ffc45a09070 sp 0x7ffc45a09068
READ of size 4 at 0x6190001ab7a8 thread T0 (chrome)
    #0 0x556387d0c639 in gpu::gles2::Texture::ClearRenderableLevels(gpu::DecoderContext*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/texture_manager.cc:1596:16
    #1 0x55638885d0b6 in gpu::gles2::GLES2DecoderImpl::ClearUnclearedTextures() /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:10282:37
    #2 0x556388861082 in gpu::gles2::GLES2DecoderImpl::DoDrawArrays(char const*, bool, unsigned int, int, int, int) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:10738:10
    #3 0x5563887b625d in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays(unsigned int, void const volatile*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:10787:10
    #4 0x556388838f7e in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const volatile*, int, int*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:5654:18
    #5 0x55638875ee54 in gpu::CommandBufferService::Flush(int, gpu::AsyncAPIInterface*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/command_buffer_service.cc:69:18
    #6 0x55638874fe5c in gpu::CommandBufferStub::OnAsyncFlush(int, unsigned int) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/command_buffer_stub.cc:619:22
    #7 0x55638874f6b1 in DispatchToMethodImpl<gpu::CommandBufferStub *, void (gpu::CommandBufferStub::*)(int, unsigned int), std::__1::tuple<int, unsigned int>, 0, 1> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/tuple.h:52:3
    #8 0x55638874f6b1 in DispatchToMethod<gpu::CommandBufferStub *, void (gpu::CommandBufferStub::*)(int, unsigned int), std::__1::tuple<int, unsigned int> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/tuple.h:60:0
    #9 0x55638874f6b1 in DispatchToMethod<gpu::CommandBufferStub, void (gpu::CommandBufferStub::*)(int, unsigned int), void, std::__1::tuple<int, unsigned int> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../ipc/ipc_message_templates.h:51:0
    #10 0x55638874f6b1 in bool IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta, std::__1::tuple<int, unsigned int>, void>::Dispatch<gpu::CommandBufferStub, gpu::CommandBufferStub, void, void (gpu::CommandBufferStub::*)(int, unsigned int)>(IPC::Message const*, gpu::CommandBufferStub*, gpu::CommandBufferStub*, void*, void (gpu::CommandBufferStub::*)(int, unsigned int)) /home/cowboy/chromium/src/out/chrome_asan_shared/../../ipc/ipc_message_templates.h:146:0
    #11 0x55638874bcb6 in gpu::CommandBufferStub::OnMessageReceived(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/command_buffer_stub.cc:280:5
    #12 0x55638872e812 in gpu::GpuChannel::HandleMessageHelper(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/gpu_channel.cc:540:23
    #13 0x556388728add in gpu::GpuChannel::HandleMessage(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/gpu_channel.cc:516:3
    #14 0x55638896ee3c in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #15 0x55638896ee3c in gpu::Scheduler::RunNextTask() /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/scheduler.cc:526:0
    #16 0x5563842b05c0 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #17 0x5563842b05c0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #18 0x5563842ab8ed in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:431:46
    #19 0x5563842acb78 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:442:5
    #20 0x5563842acb78 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:514:0
    #21 0x5563842b5df5 in HandleDispatch /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_glib.cc:263:25
    #22 0x5563842b5df5 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_glib.cc:109:0
    #23 0x7f8cdad8c286 in g_main_context_dispatch ??:0:0

Address 0x6190001ab7a8 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/cowboy/chromium/src/out/chrome_asan_shared/chrome+0x13600639)
Shadow bytes around the buggy address:
  0x0c328002d6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c328002d6f0: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c328002d700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328002d740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4191==ABORTING
Received signal 6
    #0 0x55637c4fa741 in __interceptor_backtrace /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4024:13
    #1 0x55638447818e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
    #2 0x5563844770dd in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
    #3 0x7f8cdd075890 in __funlockfile ??:?
    #4 0x7f8cdd075890 in ?? ??:0
    #5 0x7f8cd5fefe97 in __libc_signal_restore_set /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80:0
    #6 0x7f8cd5fefe97 in gsignal /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:48:0
    #7 0x7f8cd5ff1801 in abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:79:0
    #8 0x55637c5702a7 in __sanitizer::Abort() /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:157:3
    #9 0x55637c56ecf1 in __sanitizer::Die() /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:59:5
    #10 0x55637c55b099 in __asan::ScopedInErrorReport::~ScopedInErrorReport() _asan_rtl_:7
    #11 0x55637c55a593 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) _asan_rtl_:1
    #12 0x55637c55b38b in __asan_report_load4 _asan_rtl_:1
    #13 0x556387d0c63a in gpu::gles2::Texture::ClearRenderableLevels(gpu::DecoderContext*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/texture_manager.cc:1596:16
    #14 0x55638885d0b7 in gpu::gles2::GLES2DecoderImpl::ClearUnclearedTextures() /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:10282:37
    #15 0x556388861083 in gpu::gles2::GLES2DecoderImpl::DoDrawArrays(char const*, bool, unsigned int, int, int, int) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:10738:10
    #16 0x5563887b625e in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays(unsigned int, void const volatile*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:10787:10
    #17 0x556388838f7f in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const volatile*, int, int*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:5654:18
    #18 0x55638875ee55 in gpu::CommandBufferService::Flush(int, gpu::AsyncAPIInterface*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/command_buffer_service.cc:69:18
    #19 0x55638874fe5d in gpu::CommandBufferStub::OnAsyncFlush(int, unsigned int) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/command_buffer_stub.cc:619:22
    #20 0x55638874f6b2 in DispatchToMethodImpl<gpu::CommandBufferStub *, void (gpu::CommandBufferStub::*)(int, unsigned int), std::__1::tuple<int, unsigned int>, 0, 1> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/tuple.h:52:3
    #21 0x55638874f6b2 in DispatchToMethod<gpu::CommandBufferStub *, void (gpu::CommandBufferStub::*)(int, unsigned int), std::__1::tuple<int, unsigned int> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/tuple.h:60:0
    #22 0x55638874f6b2 in DispatchToMethod<gpu::CommandBufferStub, void (gpu::CommandBufferStub::*)(int, unsigned int), void, std::__1::tuple<int, unsigned int> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../ipc/ipc_message_templates.h:51:0
    #23 0x55638874f6b2 in bool IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta, std::__1::tuple<int, unsigned int>, void>::Dispatch<gpu::CommandBufferStub, gpu::CommandBufferStub, void, void (gpu::CommandBufferStub::*)(int, unsigned int)>(IPC::Message const*, gpu::CommandBufferStub*, gpu::CommandBufferStub*, void*, void (gpu::CommandBufferStub::*)(int, unsigned int)) /home/cowboy/chromium/src/out/chrome_asan_shared/../../ipc/ipc_message_templates.h:146:0
    #24 0x55638874bcb7 in gpu::CommandBufferStub::OnMessageReceived(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/command_buffer_stub.cc:280:5
    #25 0x55638872e813 in gpu::GpuChannel::HandleMessageHelper(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/gpu_channel.cc:540:23
    #26 0x556388728ade in gpu::GpuChannel::HandleMessage(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/service/gpu_channel.cc:516:3
    #27 0x55638896ee3d in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #28 0x55638896ee3d in gpu::Scheduler::RunNextTask() /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/service/scheduler.cc:526:0
    #29 0x5563842b05c1 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #30 0x5563842b05c1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #31 0x5563842ab8ee in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:431:46
    #32 0x5563842acb79 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:442:5
    #33 0x5563842acb79 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:514:0
    #34 0x5563842b5df6 in HandleDispatch /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_glib.cc:263:25
    #35 0x5563842b5df6 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_glib.cc:109:0
    #36 0x7f8cdad8c287 in g_main_context_dispatch ??:0:0
    #37 0x7f8cdad8c4c0 in g_main_context_dispatch ??:?
    #38 0x7f8cdad8c4c0 in ?? ??:0
    #39 0x7f8cdad8c54c in g_main_context_iteration ??:0:0
    #40 0x5563842b55f8 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_glib.cc:305:30
    #41 0x556384325c71 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
    #42 0x5563911fa9db in content::GpuMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/gpu/gpu_main.cc:347:21
    #43 0x5563836459a7 in content::ContentMainRunnerImpl::Run(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:891:10
    #44 0x556383773d25 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:472:29
    #45 0x556383640e7f in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
    #46 0x55637c584e60 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
    #47 0x7f8cd5fd2b97 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310:0
    #48 0x55637c4ad02a in _start ??:0:0
  r8: 0000000000000000  r9: 00007ffc45a080b0 r10: 0000000000000008 r11: 0000000000000246
 r12: 0000000000000000 r13: 00007ffc45a09068 r14: 00007ffc45a09010 r15: 0000556396aa7818
  di: 0000000000000002  si: 00007ffc45a080b0  bp: 00007ffc45a09040  bx: 0000556396a15350
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007f8cd5fefe97  sp: 00007ffc45a080b0
  ip: 00007f8cd5fefe97 efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

Did this work before? N/A 

Chrome version: Version 70.0.3515.0 (Developer Build) (64-bit)(ubuntu)  Channel: dev
OS Version: Ubuntu18.04
Flash Version:
poc.zip
257 KB Download
Project Member

Comment 1 by ClusterFuzz, Aug 27 

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5125105953538048.
Project Member

Comment 2 by ClusterFuzz, Aug 27

Labels: Security_Severity-Medium
Summary: Heap-buffer-overflow in gpu::gles2::Texture::ClearRenderableLevels (was: AddressSanitizer: heap-buffer-overflow in gpu::gles2::Texture::ClearRenderableLevels(gpu::DecoderContext*) )
Detailed report: https://clusterfuzz.com/testcase?key=5125105953538048

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x61a00002f1a8
Crash State:
  gpu::gles2::Texture::ClearRenderableLevels
  gpu::gles2::GLES2DecoderImpl::ClearUnclearedTextures
  gpu::gles2::GLES2DecoderImpl::DoDrawArrays
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5125105953538048

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Comment 3 by cdsrc2...@gmail.com, Aug 27 

After a little in-depth analysis I found this issue and my another issue may be caused by same root.If right, please merge it to one issue.
https://bugs.chromium.org/p/chromium/issues/detail?id=877874

this line repor sig 11:
__cass__5__.texParameteri(__cass__5__.TEXTURE_3D, __cass__5__.TEXTURE_BASE_LEVEL, 1416354905);

this line repor heap-buffer-oveflow:
__cass__5__.texParameteri(__cass__5__.TEXTURE_3D, __cass__5__.TEXTURE_BASE_LEVEL, 500);

attachment is minimised poc.
minimised2.html
2.1 KB View Download
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 27

Labels: -Pri-2 Pri-1

Comment 5 by vakh@chromium.org, Aug 27

Mergedinto: 877874
Status: Duplicate (was: Unconfirmed)
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 7

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment