
Issue metadata

Status: Fixed
Closed: Sep 14
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security


Issue 880906: Security: ANGLE TextureStorage11::setData Memory Corruption

Reported by, Sep 5

Issue description

I have tested this on Chrome Stable version 69.0.3497.81.
There is a crash which occurs on an invalid reference to pixelData in TextureStorage11::setData.

This is reproducible on any GPU driver; I have attached a testcase with Nvidia.

3:034> r
rax=0000022684109300 rbx=000082239303ed50 rcx=00007ffd2d04e96b
rdx=000082239303ed50 rsi=0000000000000004 rdi=0000022684109300
rip=00007ffd2d04e96b rsp=0000004c9edfd458 rbp=0000000000000000
 r8=0000000000000004  r9=00007ffd2bdb0000 r10=000082239303ed50
r11=0000022684109300 r12=0000000000000080 r13=0000000000000001
r14=0000000000000001 r15=0000000000000004
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
00007ffd`2d04e96b 8b0a            mov     ecx,dword ptr [rdx] ds:00008223`9303ed50=????????
3:034> k
 # Child-SP          RetAddr           Call Site
00 0000004c`9edfd458 00007ffd`2cbaabc5 nvwgf2umx_cfg!NVAPI_Thunk+0x80d8db
01 0000004c`9edfd460 00007ffd`2c135896 nvwgf2umx_cfg!NVAPI_Thunk+0x369b35
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SYSTEM32\d3d11.dll - 
02 0000004c`9edfd560 00007ffd`33442988 nvwgf2umx_cfg!OpenAdapter12+0x21d666
03 0000004c`9edfd600 00007ffc`fbfe4cc4 d3d11!CreateDirect3D11SurfaceFromDXGISurface+0x4ecb8
04 0000004c`9edfd710 00007ffc`fbfeea30 libglesv2!rx::TextureStorage11::setData+0x4da [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\TextureStorage11.cpp @ 791] 
05 0000004c`9edfdaf0 00007ffc`fbff5326 libglesv2!rx::TextureD3D::subImage+0xf8 [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\TextureD3D.cpp @ 277] 
06 0000004c`9edfdb90 00007ffc`fbeca026 libglesv2!rx::TextureD3D_2DArray::setSubImage+0x164 [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\TextureD3D.cpp @ 2955] 
07 0000004c`9edfdd60 00007ffc`fbfc4c3c libglesv2!gl::Texture::setSubImage+0xbe [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\Texture.cpp @ 986] 
08 0000004c`9edfde10 00007ffc`fbffbdc4 libglesv2!rx::IncompleteTextureSet::getIncompleteTexture+0x278 [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\renderer_utils.cpp @ 613] 
09 0000004c`9edfdf00 00007ffc`fbf8e94e libglesv2!rx::Context11::getIncompleteTexture+0x2a [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Context11.cpp @ 584] 
0a 0000004c`9edfdf40 00007ffc`fbfbb2f1 libglesv2!rx::Renderer11::getIncompleteTexture+0x1e [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Renderer11.cpp @ 3888] 
0b 0000004c`9edfdf80 00007ffc`fbfba1be libglesv2!rx::StateManager11::applyTextures+0xe9 [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp @ 2386] 
0c 0000004c`9edfe030 00007ffc`fbfb9e13 libglesv2!rx::StateManager11::syncTextures+0x3c [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp @ 2403] 
0d 0000004c`9edfe080 00007ffc`fbffb113 libglesv2!rx::StateManager11::updateState+0x2df [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\StateManager11.cpp @ 2049] 
0e 0000004c`9edfe110 00007ffc`fbffb151 libglesv2!rx::Context11::prepareForDrawCall+0x19 [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Context11.cpp @ 566] 
0f 0000004c`9edfe140 00007ffc`fbeb1783 libglesv2!rx::Context11::drawElementsInstanced+0x21 [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\renderer\d3d\d3d11\Context11.cpp @ 273] 
10 0000004c`9edfe190 00007ffc`fbe8cc2a libglesv2!gl::Context::drawElements+0xa5 [C:\b\c\b\win64_clang\src\third_party\angle\src\libANGLE\Context.cpp @ 2175] 
11 0000004c`9edfe220 00007ffc`ebbfae54 libglesv2!gl::DrawElements+0x95 [C:\b\c\b\win64_clang\src\third_party\angle\src\libGLESv2\entry_points_gles_2_0_autogen.cpp @ 790] 
12 0000004c`9edfe290 00007ffc`eb7c76b9 chrome_child!gpu::gles2::GLES2DecoderPassthroughImpl::DoDrawElements+0x4c [C:\b\c\b\win64_clang\src\gpu\command_buffer\service\ @ 1056] 
13 0000004c`9edfe2f0 00007ffc`eb05acd9 chrome_child!gpu::gles2::GLES2DecoderPassthroughImpl::HandleDrawElements+0x21 [C:\b\c\b\win64_clang\src\gpu\command_buffer\service\ @ 137] 
14 0000004c`9edfe320 00007ffc`eb05a869 chrome_child!gpu::gles2::GLES2DecoderPassthroughImpl::DoCommandsImpl<0>+0xdd [C:\b\c\b\win64_clang\src\gpu\command_buffer\service\ @ 576] 
15 0000004c`9edfe390 00007ffc`ea8930ed chrome_child!gpu::gles2::GLES2DecoderPassthroughImpl::DoCommands+0x25 [C:\b\c\b\win64_clang\src\gpu\command_buffer\service\ @ 517] 
16 0000004c`9edfe3c0 00007ffc`eb0fff97 chrome_child!gpu::CommandBufferService::Flush+0xef [C:\b\c\b\win64_clang\src\gpu\command_buffer\service\ @ 90] 
17 0000004c`9edfe510 00007ffc`eb0ffdfa chrome_child!gpu::CommandBufferStub::OnAsyncFlush+0xb9 [C:\b\c\b\win64_clang\src\gpu\ipc\service\ @ 614] 
18 0000004c`9edfe660 00007ffc`eb0feb3f chrome_child!IPC::MessageT<GpuCommandBufferMsg_AsyncFlush_Meta,std::tuple<int,unsigned int>,void>::Dispatch<gpu::CommandBufferStub,gpu::CommandBufferStub,void,void (gpu::CommandBufferStub::*)(int, unsigned int)>+0x92 [C:\b\c\b\win64_clang\src\ipc\ipc_message_templates.h @ 146] 
19 0000004c`9edfe760 00007ffc`eaa09cd6 chrome_child!gpu::CommandBufferStub::OnMessageReceived+0x219 [C:\b\c\b\win64_clang\src\gpu\ipc\service\ @ 280] 
1a 0000004c`9edfe990 00007ffc`eaa08802 chrome_child!gpu::GpuChannel::HandleMessageHelper+0x32 [C:\b\c\b\win64_clang\src\gpu\ipc\service\ @ 541] 
1b 0000004c`9edfe9d0 00007ffc`eaa00469 chrome_child!gpu::GpuChannel::HandleMessage+0x5e [C:\b\c\b\win64_clang\src\gpu\ipc\service\ @ 517] 
1c 0000004c`9edfea70 00007ffc`e8b8d2cc chrome_child!gpu::Scheduler::RunNextTask+0x2dd [C:\b\c\b\win64_clang\src\gpu\command_buffer\service\ @ 526] 
1d 0000004c`9edfebe0 00007ffc`e8b8cb37 chrome_child!base::debug::TaskAnnotator::RunTask+0x12c [C:\b\c\b\win64_clang\src\base\debug\ @ 101] 
1e 0000004c`9edfed00 00007ffc`e8b87ac8 chrome_child!base::MessageLoop::RunTask+0x247 [C:\b\c\b\win64_clang\src\base\message_loop\ @ 423] 
1f 0000004c`9edfee60 00007ffc`e8b87909 chrome_child!base::MessageLoop::DoWork+0x198 [C:\b\c\b\win64_clang\src\base\message_loop\ @ 480] 
20 0000004c`9edff050 00007ffc`e8b87621 chrome_child!base::MessagePumpDefault::Run+0x99 [C:\b\c\b\win64_clang\src\base\message_loop\ @ 37] 
21 0000004c`9edff0b0 00007ffc`ea5e93bb chrome_child!base::RunLoop::Run+0x31 [C:\b\c\b\win64_clang\src\base\ @ 108] 
22 0000004c`9edff0e0 00007ffc`ea24fbea chrome_child!content::GpuMain+0x397 [C:\b\c\b\win64_clang\src\content\gpu\ @ 348] 
23 0000004c`9edff3e0 00007ffc`e8b44bdb chrome_child!content::ContentMainRunnerImpl::Run+0x1ee [C:\b\c\b\win64_clang\src\content\app\ @ 951] 
24 0000004c`9edff590 00007ffc`e8b447d8 chrome_child!service_manager::Main+0x336 [C:\b\c\b\win64_clang\src\services\service_manager\embedder\ @ 472] 
25 0000004c`9edff8a0 00007ffc`e8b41c3d chrome_child!content::ContentMain+0x41 [C:\b\c\b\win64_clang\src\content\app\ @ 19] 
26 0000004c`9edff930 00007ff6`8851372c chrome_child!ChromeMain+0x118 [C:\b\c\b\win64_clang\src\chrome\app\ @ 104] 
27 0000004c`9edffa10 00007ff6`88511699 chrome!MainDllLoader::Launch+0x26c [C:\b\c\b\win64_clang\src\chrome\app\ @ 201] 
28 0000004c`9edffb00 00007ff6`885d4a72 chrome!wWinMain+0x699 [C:\b\c\b\win64_clang\src\chrome\app\ @ 230] 
29 0000004c`9edffee0 00007ffd`39dd3034 chrome!__scrt_common_main_seh+0x106 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283] 
2a 0000004c`9edfff20 00007ffd`3a4d1551 KERNEL32!BaseThreadInitThunk+0x14
2b 0000004c`9edfff50 00000000`00000000 ntdll!RtlUserThreadStart+0x21
3:034> lmv m chrome
Browse full module list
start             end                 module name
00007ff6`88510000 00007ff6`88682000   chrome     (private pdb symbols)  c:\symcache\chrome\chrome.exe.pdb\87C912AE57111EE90B876C7F2D30397F1\chrome.exe.pdb
    Loaded symbol image file: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Image path: chrome.exe
    Image name: chrome.exe
    Browse all global symbols  functions  data
    Timestamp:        Mon Sep  3 13:30:31 2018 (5B8D99E7)
    CheckSum:         0017457D
    ImageSize:        00172000
    File version:     69.0.3497.81
    Product version:  69.0.3497.81
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Google Inc.
        ProductName:      Google Chrome
        InternalName:     chrome_exe
        OriginalFilename: chrome.exe
        ProductVersion:   69.0.3497.81
        FileVersion:      69.0.3497.81
        FileDescription:  Google Chrome
        LegalCopyright:   Copyright 2017 Google Inc. All rights reserved.

Comment 1 by ClusterFuzz, Sep 5

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at

Comment 2 by ClusterFuzz, Sep 5

Project Member
Testcase 5165834497163264 failed to reproduce the crash. Please inspect the program output at

Comment 3 by ClusterFuzz, Sep 5

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at

Comment 4 by, Sep 5

Components: Internals>GPU>ANGLE
Labels: Security_Severity-High Security_Impact-Stable Pri-1
Status: Assigned (was: Unconfirmed)
Thanks for the bug report!

@jmadill and @cwallez, can you please investigate and assign a good owner?

Comment 5 by, Sep 5

Thanks for the report. I'll take a look at this first thing tomorrow.

Comment 6 by, Sep 6

Project Member
Labels: M-69 Target-69

Comment 7 by, Sep 7

This is a regression where the unpack buffer is used when initializing an incomplete texture. It only happens when rendering with an incomplete texture when an unpack buffer is bound. I'll look at making a fix.

Comment 8 by, Sep 11

Project Member
The following revision refers to this bug:

commit 0d0fb43f34eeea20bf78089ca2a4e1f2831cffe5
Author: Jamie Madill <>
Date: Tue Sep 11 01:43:38 2018

Pass unpack buffer as explicit parameter to texSubImage.

This allows us to override it in the incomplete texture init. Any
back-end that used incomplete textures was vulnerable to a bug where
the unpack buffer would be used to initialize the incomplete texture.

Bug:  chromium:880906 
Change-Id: Ica558e4a4d81de9212f0bc6619ccd812a048ad45
Reviewed-by: Yuly Novikov <>
Reviewed-by: Frank Henigman <>
Commit-Queue: Jamie Madill <>


Comment 9 by, Sep 11

Project Member
The following revision refers to this bug:

commit db0c0fa2872a51e9795e926b46f20d8eec21b032
Author: angle-chromium-autoroll <>
Date: Tue Sep 11 05:08:41 2018

Roll src/third_party/angle 63aa0e5b7001..0d0fb43f34ee (1 commits)

git log 63aa0e5b7001..0d0fb43f34ee --date=short --no-merges --format='%ad %ae %s'
2018-09-11 Pass unpack buffer as explicit parameter to texSubImage.

Created with:
  gclient setdep -r src/third_party/angle@0d0fb43f34ee

The AutoRoll server is located here:

Documentation for the AutoRoller is here:

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


BUG= chromium:880906

Change-Id: I83ce6ccf2c62c770845912f19ef043d6cd3c374e
Reviewed-by: angle-chromium-autoroll <>
Commit-Queue: angle-chromium-autoroll <>
Cr-Commit-Position: refs/heads/master@{#590205}

Comment 10 by, Sep 14

Labels: Merge-Request-69
Status: Fixed (was: Assigned)
This is fixed in Canary. I believe the fix made it into 70. Marking merge request to 69. It's been baking in Canary for a few days. Patch logic is fairly simple:

Fixes a potential out-of-bounds read that leads to a crash.

Comment 11 by, Sep 14

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by, Sep 14

Pls apply appropriate OSs label.
M70 is already branched at 3538 on August 30th. This also needs a merge to M70, pls request a merge to M70.

+awhalley@ for M69 merge review.

Comment 13 by, Sep 14

Labels: Merge-Request-70 M-70 OS-Windows
Added Windows Label and M70 tag. You're right it does need a merge to 70.

Comment 14 by, Sep 14

Project Member
Labels: -Merge-Request-70 Merge-Review-70 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit - Your friendly Sheriffbot

Comment 15 by, Sep 14

Labels: -Merge-Review-70 Merge-Approved-70
Approved for M70 - branch:3538

Comment 16 by, Sep 14

This'll need some time in 70 beta before being considered for 69 at this point.  Cheers!

Comment 17 by, Sep 14

Project Member
Labels: -merge-approved-70 merge-merged-3538
The following revision refers to this bug:

commit 05c729f336efb544e224444c2485a412bd3a66b3
Author: Jamie Madill <>
Date: Fri Sep 14 19:14:22 2018

Pass unpack buffer as explicit parameter to texSubImage.

This allows us to override it in the incomplete texture init. Any
back-end that used incomplete textures was vulnerable to a bug where
the unpack buffer would be used to initialize the incomplete texture.

Cherry-picked to the chromium/3538 branch cleanly.

Bug:  chromium:880906 
Change-Id: Iead2a8c57674e8962915902d6d5896f44fe8ca88
Reviewed-by: Jamie Madill <>


Comment 18 by, Sep 17

Labels: reward-topanel

Comment 19 by, Sep 27

Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

Comment 20 by, Sep 28

Thanks omair@! The VRP panel decided to award $1,000 for this report. Cheers!

Comment 21 by, Sep 28

Labels: -reward-unpaid reward-inprocess

Comment 22 by, Oct 8

Labels: -Merge-Request-69 Merge-Rejected-69
We're not planning any further M69 releases; rejecting merge to M69.

Comment 23 by, Oct 15

Labels: Release-0-M70

Comment 24 by, Oct 16

Labels: CVE-2018-17466 CVE_description-missing

Comment 25 by, Nov 12

Labels: -CVE_description-missing CVE_description-submitted

Comment 26 by, Dec 21

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
