Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/385508dc888ef15d272cdd2705b17996abc519d6 (Implement immutable texture base/max level clamping).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is inside SwiftShader. capn@: could you take a look?

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This appears to be caused by the texture's base level index being larger than the array of images.

That would definitely be a SwiftShader bug (we need to clamp it, or whatever the spec expects), but there might also be a Chromium-side issue where previously this was prevented by the command buffer validation and now it's exposed.

@zmo could you check if https://chromium-review.googlesource.com/1194994 has an off-by-one bug or something like that?

I didn't change the clamping, only now I store the clamped values to use later.

What happens (educated guess) could be: before we have base level out of range. But according to clamping rule for immutable textures, there is at least one level valid. So before we could also exclude that level, but now because we use the clamped value, this level is in the range, therefore calling into lower driver, which in turn exposes a bug in lower driver.

If you already reduced a few gl calls that leads to the crash, please share and I can take another look.

Should be fixed by Alexis' patch: https://swiftshader-review.googlesource.com/20488

This is marked as M-70, but I don't think a merge is necessary. Well-formed WebGL apps are not affected. The security impact seems limited to crashing the GPU process, which is considered unsafe/crashable anyway.

ClusterFuzz testcase 4669543168081920 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 591377:591378.

Detailed report: https://clusterfuzz.com/testcase?key=6493529443139584

Fuzzer: libFuzzer_gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x6120000584e0
Crash State:
  es2::Texture2D::getFormat
  es2::GenerateMipmap
  gpu::gles2::GLES2DecoderImpl::DoGenerateMipmap
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=587263:587264
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=591377:591378

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6493529443139584

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot