Issue 889887


Issue metadata

Status: Duplicate
Merged: issue 879226
Owner:
Closed: Sep 28
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security




Out of bound read in Texture2D::getFormat

Reported by cdsrc2...@gmail.com, Sep 27

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
1. Download and unzip the ASan Chromium release build: asan-linux-release-593799
2. Run ./chrome crash.html

What is the expected behavior?

What went wrong?
es2::Texture did not validate the mBaseLevel parameter, which causes an out-of-bounds read when mBaseLevel is used as an index.
In src/third_party/swiftshader/src/OpenGL/libGLESv2/libGLESv2.cpp:

void GenerateMipmap(GLenum target)
{
	....                                                                      // elided: the code that obtains `texture` for `target`
	if(!IsMipmappable(texture->getFormat(target, texture->getBaseLevel())))   // <-- getBaseLevel() is passed as an index without validation
	{
		return error(GL_INVALID_OPERATION);
	}

	texture->generateMipmaps();
	}                                                                         // closes an enclosing block elided above
}

Then in src/third_party/swiftshader/src/OpenGL/libGLESv2/Texture.cpp:

GLint Texture2D::getFormat(GLenum target, GLint level) const
{
	ASSERT(target == getTarget());
	return image[level] ? image[level]->getFormat() : GL_NONE;   // <-- image[level] is indexed with the unvalidated level and can read out of bounds
}

The PoC is simple: call texParameteri() to set the base level, then call generateMipmap() to trigger the bug.

And I'm not sure why the stack trace shows a SIGSEGV (signal 11) at 0x7fxxxxxxxxx (the address range of i965_dri.so), and sometimes I can't step into GenerateMipmap(GLenum target) in the debugger on Linux. The crash happens right after
gpu::gles2::GLES2DecoderImpl::DoGenerateMipmap(unsigned int) is called. So I have uploaded the crash stack traces from both Windows and Linux, plus my debug stack trace into SwiftShader.

If it can't be reproduced, change the TEXTURE_BASE_LEVEL value on line 23 (on my machine, 201 is the best value) and reload to make it happen.

Did this work before? N/A 

Chrome version: 71.0.3561.0  Channel: n/a
OS Version: 16.04
Flash Version:
 
crash.html
872 bytes View Download
utility.js
2.0 KB View Download
sig11_linux.log
5.0 KB View Download
sig11_windows.log
5.6 KB View Download
debug_stacktrace
6.1 KB View Download
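The check the report describes as missing, shown in a reduced C++ model. This is an added example, not SwiftShader's or the reporter's code: the level table size (kMaxTextureLevels), the Texture2D helpers, the toy isMipmappable predicate and generateMipmapChecked are all assumptions made for illustration. It places the unchecked getFormat shape beside a bounds-checked variant and validates the application-controlled base level before it is ever used as an index.

```cpp
#include <array>
#include <cstdio>

// Added example (not SwiftShader's code): a reduced model of a texture's
// per-level image table with the unchecked getFormat() that indexes
// image_[level] directly, and a hardened variant that rejects out-of-range
// levels before indexing. Sizes and names below are assumptions.
constexpr int kMaxTextureLevels = 14;      // assumed bound on mip levels stored per texture
constexpr int kGlNone = 0;                 // stands in for GL_NONE
constexpr int kGlRgba8 = 0x8058;           // stands in for a mipmappable sized format
constexpr int kGlInvalidOperation = 0x0502;

struct Image { int format; };

class Texture2D {
public:
  static bool levelInRange(int level) {
    return level >= 0 && level < kMaxTextureLevels;
  }

  void setImage(int level, Image* img) {
    if (levelInRange(level)) image_[level] = img;
  }

  // TEXTURE_BASE_LEVEL is application controlled: texParameteri accepts any
  // non-negative value, so the consumer must validate it before indexing.
  void setBaseLevel(int level) { baseLevel_ = level; }
  int getBaseLevel() const { return baseLevel_; }

  // Shape of the reported code: `level` indexes image_ with no range check,
  // so a base level such as 201 reads past the end of the array.
  int getFormatUnchecked(int level) const {
    return image_[level] ? image_[level]->format : kGlNone;
  }

  // Hardened form: bounds check before the array access.
  int getFormatChecked(int level) const {
    if (!levelInRange(level)) return kGlNone;
    return image_[level] ? image_[level]->format : kGlNone;
  }

private:
  std::array<Image*, kMaxTextureLevels> image_{};  // value-initialised to nullptr
  int baseLevel_ = 0;
};

// Toy predicate standing in for IsMipmappable(); only the assumed RGBA8 qualifies.
bool isMipmappable(int format) { return format == kGlRgba8; }

// Models the GenerateMipmap entry point with the validation added:
// returns 0 when generation may proceed, or the GL error that would be raised.
int generateMipmapChecked(const Texture2D& tex) {
  const int base = tex.getBaseLevel();
  if (!Texture2D::levelInRange(base)) return kGlInvalidOperation;  // the check the report says is missing
  if (!isMipmappable(tex.getFormatChecked(base))) return kGlInvalidOperation;
  return 0;
}

int main() {
  Image rgba{kGlRgba8};          // constructed sample image
  Texture2D tex;
  tex.setImage(0, &rgba);

  tex.setBaseLevel(0);
  std::printf("base 0   -> %d\n", generateMipmapChecked(tex));     // 0: generation proceeds

  tex.setBaseLevel(201);         // the value the reporter found most reliable
  std::printf("base 201 -> 0x%X\n", generateMipmapChecked(tex));   // 0x502, no out-of-bounds read
  return 0;
}
```

Calling getFormatUnchecked(201) on this model is the same undefined read the report describes; the checked path returns GL_NONE for that level, so GenerateMipmap falls through to GL_INVALID_OPERATION instead of dereferencing whatever sits past the end of the table.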
Cc: zmo@chromium.org sugoi@chromium.org
Components: Internals>GPU>SwiftShader
Labels: Security_Severity-High Security_Impact-Head
Owner: capn@chromium.org
Status: Assigned (was: Unconfirmed)
SwiftShader folks, do you mind taking a look?
Mergedinto: 879226
Status: Duplicate (was: Assigned)

Comment 3 by sheriffbot@chromium.org, Jan 4

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
