
Issue 916924 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Dec 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug

Blocking:
issue 739604




Null-dereference READ in gpu::ImplementationBase::SetBucketContents

Reported by hemida...@gmail.com, Dec 20

Issue description



VULNERABILITY DETAILS

This bug was tested in 618131-chrome-linux (Chromium 73.0.3647.0).
Triggered by gl.CompressedTexSubImage2D.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Received signal 11 SEGV_MAPERR 000000000020
#0 0x55c79e1e2b6f base::debug::StackTrace::StackTrace()
#1 0x55c79e1e26e1 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f723204b390 <unknown>
#3 0x7f722c001025 <unknown>
#4 0x55c79f0798b9 gpu::ImplementationBase::SetBucketContents()
#5 0x55c79f04d7aa gpu::gles2::GLES2Implementation::CompressedTexSubImage2D()
#6 0x55c7a1c7c857 blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback()
#7 0x55c79d251b29 v8::internal::FunctionCallbackArguments::Call()
#8 0x55c79d251106 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#9 0x55c79d25066b v8::internal::Builtin_Impl_HandleApiCall()
#10 0x55c79d9c26eb <unknown>
  r8: 0000000000000000  r9: 0000000000000019 r10: 0000000000000081 r11: 000055c79f04d500
 r12: 0000000000000000 r13: 0000294dcd20b008 r14: 0000294dce22f700 r15: 000000000000000f
  di: 00007f72079bd040  si: 0000000000000019  bp: 00007f72109de0e0  bx: 00007f72109de088
  dx: 000000000000000f  ax: 00007f72079bd040  cx: e697aea11b203b00  sp: 00007f72109de068
  ip: 00007f722c001025 efl: 0000000000010202 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000020
[end of stack trace]
Calling _exit(1). Core file will not be generated.
~/chromium-latest-linux$ [1220/152304.038996:ERROR:nacl_helper_linux.cc(310)] NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly


Debug log:

#0  0x00007f5f9df1bb35 in __memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
#1  0x000055ff93c45906 in __asan_memcpy() () at /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
#2  0x000055ff9f9695c0 in SetBucketContents() () at ../../gpu/command_buffer/client/implementation_base.cc:247
#3  0x000055ff9f8a1f83 in CompressedTexSubImage2D() () at ../../gpu/command_buffer/client/gles2_implementation.cc:2560
#4  0x000055ffa62d125e in CompressedTexSubImage2DMethodCallback() () at gen/third_party/blink/renderer/bindings/modules/v8/v8_webgl2_rendering_context.cc:3235
#5  0x000055ffa62d125e in CompressedTexSubImage2DMethodCallback() ()
#6  0x000055ffa62d125e in CompressedTexSubImage2DMethodCallback() () at gen/third_party/blink/renderer/bindings/modules/v8/v8_webgl2_rendering_context.cc:14397
#7  0x000055ff9714a0a3 in Call() () at ../../v8/src/api-arguments-inl.h:146
#8  0x000055ff971478dd in HandleApiCallHelper<false>() () at ../../v8/src/builtins/builtins-api.cc:109
#9  0x000055ff97144f36 in Builtin_Impl_HandleApiCall() () at ../../v8/src/builtins/builtins-api.cc:139
#10 0x000055ff98f1facb in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit ()
#11 0x000055ff98e7ff35 in Builtins_InterpreterEntryTrampoline ()
#12 0x00007e8fcc7804c9 in  ()
#13 0x00007ed0f7a791b9 in  ()
#14 0x0000000e00000000 in  ()
#15 0x00007e8fcc7805a9 in  ()
#16 0x0000001900000000 in  ()
#17 0x0000000f00000000 in  ()
#18 0x00007e8fcc7804c9 in  ()
#19 0x0000008100000000 in  ()
#20 0x0000005f00000000 in  ()
#21 0x0000001f00000000 in  ()
#22 0x0000001100000000 in  ()
#23 0x0000000000000000 in  ()



Attachment: bug_02.html (734 bytes)
Project Member

Comment 1 by ClusterFuzz, Dec 20

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4894545002889216.
Project Member

Comment 2 by ClusterFuzz, Dec 20

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5672391222755328.
Status: Available (was: Unconfirmed)
crash/717231eae71af2ef 
Cc: piman@chromium.org
Components: Blink>WebGL
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: sunn...@chromium.org
sunnyps@ -- if you're not the right owner, can you please help triage this better? thanks.
Labels: Security_Severity-High Security_Impact-Head
Status: Assigned (was: Available)
Project Member

Comment 6 by ClusterFuzz, Dec 20

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5180621365968896.
Project Member

Comment 7 by ClusterFuzz, Dec 20

Testcase 5672391222755328 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5672391222755328.
Cc: sunn...@chromium.org jdarpinian@chromium.org zmo@chromium.org
Owner: kbr@chromium.org
I'll be OOO soon

->kbr@ for triage

+jdarpinian@ because you looked at SetBucketContents during the transfer buffer optimization IIRC

+zmo@ because you're familiar with command buffer code
This is another corner case of WebGL side buffer binding tracking.

In this case, bound_pixel_unpack_buffer_ should be 0 and INVALID_OPERATION should be generated in WebGL2RenderingContextBase::compressedTexSubImage2D.

This is because when we call DeleteBuffer(), the underlying buffer isn't actually deleted because it's used by a non-current VAO. However, when that VAO becomes current, the buffer should be automatically deleted at that point, therefore setting bound_pixel_unpack_buffer_ to 0.
Cc: kbr@chromium.org
Owner: jdarpinian@chromium.org
jdarpinian volunteered to triage this more deeply - thanks James.

Seems to me like the issue is that we allow bindBuffer after deleting the buffer. That should be INVALID_OPERATION.
That's true, but the issue I pointed out still exists. You can bindBuffer to PIXEL_UNPACK_BUFFER first, then deleteBuffer. Because the buffer is used in a non-current VAO, it's not actually deleted and the binding at PIXEL_UNPACK_BUFFER is still valid. Later at bindVertexArray, the buffer should be deleted and the binding at PIXEL_UNPACK_BUFFER should become 0. I don't think that happens today.
If you bindBuffer to PIXEL_UNPACK_BUFFER first, then the binding is zeroed out when you deleteBuffer, so there's no issue.
Testing a potential fix: https://chromium-review.googlesource.com/c/chromium/src/+/1388032

This prevents bindBuffer from working after you have called deleteBuffer, even if the buffer wasn't deleted due to being referenced elsewhere.
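A minimal model of the lifetime-tracking problem discussed in the comments above and of the deletion-flag check the fix adds to bindBuffer, as an added example that is not part of this issue or of Chromium's code; every class and method name here is hypothetical, and the model only mirrors the behaviour the comments describe.

```javascript
// Added example, not Chromium code: a minimal model of the WebGL-side buffer
// lifetime tracking discussed in this thread. All names are hypothetical and
// mirror only the behaviour the comments describe.
const INVALID_OPERATION = 0x0502;
class Buffer {
  constructor() { this.markedDeleted = false; this.refs = 0; this.released = false; }
  // The underlying object is released only once nothing references it.
  maybeRelease() { if (this.markedDeleted && this.refs === 0) this.released = true; }
}
class Context {
  constructor(checkDeletionFlag) {
    this.checkDeletionFlag = checkDeletionFlag;
    this.pixelUnpackBuffer = null; // models bound_pixel_unpack_buffer_
    this.errors = [];
  }
  attachToVao(vao, buf) { vao.buffers.push(buf); buf.refs++; }
  deleteBuffer(buf) {
    buf.markedDeleted = true;
    // A current binding is zeroed on delete; a non-current VAO reference keeps the object alive.
    if (this.pixelUnpackBuffer === buf) this.pixelUnpackBuffer = null;
    buf.maybeRelease();
  }
  bindBuffer(buf) {
    // The fix: a buffer flagged as deleted cannot be bound again, even if still alive.
    if (this.checkDeletionFlag && buf.markedDeleted) {
      this.errors.push(INVALID_OPERATION);
      return;
    }
    this.pixelUnpackBuffer = buf;
  }
  bindVertexArray(vao) {
    // Making the VAO current drops its references to deleted buffers, which
    // can release an object that another binding still points at.
    vao.buffers = vao.buffers.filter(b => !b.markedDeleted || (b.refs--, b.maybeRelease(), false));
  }
  compressedTexSubImage2D() { // offset overload: needs a live PIXEL_UNPACK_BUFFER
    const b = this.pixelUnpackBuffer;
    if (b === null) { this.errors.push(INVALID_OPERATION); return "INVALID_OPERATION"; }
    return b.released ? "dangling" : "ok";
  }
}
function runScenario(checkDeletionFlag) {
  const gl = new Context(checkDeletionFlag), buf = new Buffer(), vao = { buffers: [] };
  gl.attachToVao(vao, buf); // referenced by a VAO that is not current
  gl.deleteBuffer(buf);     // flagged deleted, but still alive
  gl.bindBuffer(buf);       // the step the fix rejects
  gl.bindVertexArray(vao);  // now the object is actually released
  return { result: gl.compressedTexSubImage2D(), errors: gl.errors };
}
```

Without the flag check the call ends up at a released object ("dangling"); with it, bindBuffer raises INVALID_OPERATION and the binding stays 0, so the later call is rejected as the spec requires.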
Blocking: 739604
Project Member

Comment 16 by ClusterFuzz, Dec 21

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 17 by ClusterFuzz, Dec 21

Labels: -Security_Impact-Head Security_Impact-Stable
Detailed report: https://clusterfuzz.com/testcase?key=4894545002889216

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495501:495712

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4894545002889216

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Project Member

Comment 18 by ClusterFuzz, Dec 21

Summary: Null-dereference READ in gpu::ImplementationBase::SetBucketContents (was: Security: WebGL2 CompressedTexSubImage2D use-after-free)
Detailed report: https://clusterfuzz.com/testcase?key=5180621365968896

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495551:495784

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5180621365968896

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Project Member

Comment 19 by bugdroid1@chromium.org, Dec 21

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5394466865517b38f95c074e43efddde95875d6b

commit 5394466865517b38f95c074e43efddde95875d6b
Author: James Darpinian <jdarpinian@chromium.org>
Date: Fri Dec 21 05:30:26 2018

WebGL: Check object deletion flag

Bug: 916924, 739604
Change-Id: I36f6280226e3c03ed8ae89bd9ff59a82631a9a21
Reviewed-on: https://chromium-review.googlesource.com/c/1388032
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: James Darpinian <jdarpinian@chromium.org>
Cr-Commit-Position: refs/heads/master@{#618464}
[modify] https://crrev.com/5394466865517b38f95c074e43efddde95875d6b/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc

Project Member

Comment 20 by sheriffbot@chromium.org, Dec 21

Labels: Target-71 M-71
Project Member

Comment 21 by sheriffbot@chromium.org, Dec 21

Labels: Pri-1
Project Member

Comment 22 by ClusterFuzz, Dec 21

ClusterFuzz has detected this issue as fixed in range 618463:618464.

Detailed report: https://clusterfuzz.com/testcase?key=4894545002889216

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495501:495712
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=618463:618464

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4894545002889216

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: Merge-Request-71 Merge-Request-72
Project Member

Comment 24 by sheriffbot@chromium.org, Dec 21

Labels: -Merge-Request-72 Merge-Review-72 Hotlist-Merge-Review
This bug requires manual review: M72 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: govind@(Android), kariahda@(iOS), djmm@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-72 Merge-Approved-72
Approved for 72. Branch:3626
Project Member

Comment 26 by bugdroid1@chromium.org, Dec 21

Labels: -merge-approved-72 merge-merged-3626
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99488969407932b90aab9a881cbf71246f48dd6b

commit 99488969407932b90aab9a881cbf71246f48dd6b
Author: James Darpinian <jdarpinian@chromium.org>
Date: Fri Dec 21 22:00:16 2018

WebGL: Check object deletion flag

Bug: 916924, 739604
Change-Id: I36f6280226e3c03ed8ae89bd9ff59a82631a9a21
Reviewed-on: https://chromium-review.googlesource.com/c/1388032
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: James Darpinian <jdarpinian@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#618464}(cherry picked from commit 5394466865517b38f95c074e43efddde95875d6b)
Reviewed-on: https://chromium-review.googlesource.com/c/1388563
Reviewed-by: James Darpinian <jdarpinian@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#508}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
[modify] https://crrev.com/99488969407932b90aab9a881cbf71246f48dd6b/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc

Labels: Merge-Merged-72-3626
The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/99488969407932b90aab9a881cbf71246f48dd6b

Commit: 99488969407932b90aab9a881cbf71246f48dd6b
Author: jdarpinian@chromium.org
Committer: jdarpinian@chromium.org
Date: 2018-12-21 22:00:16 +0000 UTC

WebGL: Check object deletion flag

Bug: 916924, 739604
Change-Id: I36f6280226e3c03ed8ae89bd9ff59a82631a9a21
Reviewed-on: https://chromium-review.googlesource.com/c/1388032
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: James Darpinian <jdarpinian@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#618464}(cherry picked from commit 5394466865517b38f95c074e43efddde95875d6b)
Reviewed-on: https://chromium-review.googlesource.com/c/1388563
Reviewed-by: James Darpinian <jdarpinian@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#508}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Waiting for merge approval for 71.
Project Member

Comment 29 by sheriffbot@chromium.org, Dec 22

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 30 by sheriffbot@chromium.org, Dec 23

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 31 by ClusterFuzz, Dec 23

ClusterFuzz has detected this issue as fixed in range 618463:618464.

Detailed report: https://clusterfuzz.com/testcase?key=5180621365968896

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495551:495784
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=618463:618464

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5180621365968896

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 32 by ClusterFuzz, Dec 23

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5180621365968896 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: awhalley@google.com
+ awhalley@ (Security TPM) for M71 merge review (Note: At the moment there is no plan for M71 respin for Desktop).
We can consider for a 71 merge after the 72 one has made it out to beta.
Labels: reward-topanel
Labels: -Type-Bug-Security -Restrict-View-SecurityNotify -reward-topanel -Security_Impact-Stable -Security_Severity-High reward-0 Type-Bug
Hi - I'm afraid the VRP panel declined to reward for this bug, as they deemed it not to be exploitable. Cheers!
