Null-dereference READ in gpu::ImplementationBase::SetBucketContents
Reported by
hemida...@gmail.com,
Dec 20
Issue description

VULNERABILITY DETAILS
This bug was tested in 618131-chrome-linux, Chromium 73.0.3647.0. Triggered by gl.CompressedTexSubImage2D.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Received signal 11 SEGV_MAPERR 000000000020
#0 0x55c79e1e2b6f base::debug::StackTrace::StackTrace()
#1 0x55c79e1e26e1 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f723204b390 <unknown>
#3 0x7f722c001025 <unknown>
#4 0x55c79f0798b9 gpu::ImplementationBase::SetBucketContents()
#5 0x55c79f04d7aa gpu::gles2::GLES2Implementation::CompressedTexSubImage2D()
#6 0x55c7a1c7c857 blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback()
#7 0x55c79d251b29 v8::internal::FunctionCallbackArguments::Call()
#8 0x55c79d251106 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#9 0x55c79d25066b v8::internal::Builtin_Impl_HandleApiCall()
#10 0x55c79d9c26eb <unknown>
  r8: 0000000000000000  r9: 0000000000000019 r10: 0000000000000081 r11: 000055c79f04d500
 r12: 0000000000000000 r13: 0000294dcd20b008 r14: 0000294dce22f700 r15: 000000000000000f
  di: 00007f72079bd040  si: 0000000000000019  bp: 00007f72109de0e0  bx: 00007f72109de088
  dx: 000000000000000f  ax: 00007f72079bd040  cx: e697aea11b203b00  sp: 00007f72109de068
  ip: 00007f722c001025 efl: 0000000000010202 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000020
[end of stack trace]
Calling _exit(1). Core file will not be generated.
~/chromium-latest-linux$ [1220/152304.038996:ERROR:nacl_helper_linux.cc(310)] NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly

Debug log:
#0 0x00007f5f9df1bb35 in __memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
#1 0x000055ff93c45906 in __asan_memcpy() () at /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
#2 0x000055ff9f9695c0 in SetBucketContents() () at ../../gpu/command_buffer/client/implementation_base.cc:247
#3 0x000055ff9f8a1f83 in CompressedTexSubImage2D() () at ../../gpu/command_buffer/client/gles2_implementation.cc:2560
#4 0x000055ffa62d125e in CompressedTexSubImage2DMethodCallback() () at gen/third_party/blink/renderer/bindings/modules/v8/v8_webgl2_rendering_context.cc:3235
#5 0x000055ffa62d125e in CompressedTexSubImage2DMethodCallback() ()
#6 0x000055ffa62d125e in CompressedTexSubImage2DMethodCallback() () at gen/third_party/blink/renderer/bindings/modules/v8/v8_webgl2_rendering_context.cc:14397
#7 0x000055ff9714a0a3 in Call() () at ../../v8/src/api-arguments-inl.h:146
#8 0x000055ff971478dd in HandleApiCallHelper<false>() () at ../../v8/src/builtins/builtins-api.cc:109
#9 0x000055ff97144f36 in Builtin_Impl_HandleApiCall() () at ../../v8/src/builtins/builtins-api.cc:139
#10 0x000055ff98f1facb in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit ()
#11 0x000055ff98e7ff35 in Builtins_InterpreterEntryTrampoline ()
#12 0x00007e8fcc7804c9 in ()
#13 0x00007ed0f7a791b9 in ()
#14 0x0000000e00000000 in ()
#15 0x00007e8fcc7805a9 in ()
#16 0x0000001900000000 in ()
#17 0x0000000f00000000 in ()
#18 0x00007e8fcc7804c9 in ()
#19 0x0000008100000000 in ()
#20 0x0000005f00000000 in ()
#21 0x0000001f00000000 in ()
#22 0x0000001100000000 in ()
#23 0x0000000000000000 in ()
Dec 20
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5672391222755328.
Dec 20
crash/717231eae71af2ef
Dec 20
sunnyps@ -- if you're not the right owner, can you please help triage this better? thanks.
Dec 20
Dec 20
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5180621365968896.
Dec 20
Testcase 5672391222755328 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5672391222755328.
Dec 20
I'll be OOO soon -> kbr@ for triage.
+jdarpinian@ because you looked at SetBucketContents during the transfer buffer optimization IIRC.
+zmo@ because you're familiar with command buffer code.
Dec 20
This is another corner case of WebGL side buffer binding tracking. In this case, bound_pixel_unpack_buffer_ should be 0 and INVALID_OPERATION should be generated in WebGL2RenderingContextBase::compressedTexSubImage2D. This is because when we call DeleteBuffer(), the underlying buffer isn't actually deleted because it's used by a non-current VAO. However, when that VAO becomes current, the buffer should be automatically deleted at that point, therefore setting bound_pixel_unpack_buffer_ to 0.
Dec 20
jdarpinian volunteered to triage this more deeply - thanks James.
Dec 20
Seems to me like the issue is that we allow bindBuffer after deleting the buffer. That should be INVALID_OPERATION.
Dec 20
That's true, but the issue I pointed out still exists. You can bindBuffer to PIXEL_UNPACK_BUFFER first, then deleteBuffer. Because the buffer is used in a non-current VAO, it's not actually deleted and the binding at PIXEL_UNPACK_BUFFER is still valid. Later at bindVertexArray, the buffer should be deleted and the binding at PIXEL_UNPACK_BUFFER should become 0. I don't think that happens today.
Dec 20
If you bindBuffer to PIXEL_UNPACK_BUFFER first, then the binding is zeroed out when you deleteBuffer, so there's no issue.
Dec 20
Testing a potential fix: https://chromium-review.googlesource.com/c/chromium/src/+/1388032
This prevents bindBuffer from working after you have called deleteBuffer, even if the buffer wasn't deleted due to being referenced elsewhere.
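As an added illustration (not Chromium code, and not written by anyone in this thread), the following JavaScript models the WebGL-side bookkeeping the comments above describe: a buffer that has been deleteBuffer()'d stays alive while a non-current VAO still references it, so a later bindBuffer can pick it up again unless the deletion flag is checked. The class names, the refs/deleted/glDeleted fields and the string results are assumptions chosen for the model; the two GL enum values are the real ones. The scenario runs the sequence discussed above both with and without the deletion-flag check, and also the bind-before-delete order from the comment that says that case is already handled.

```javascript
// Added example, not Chromium code: a toy model of WebGL object lifetime
// tracking, to show why "not GL-deleted yet" is not the same as "bindable".
const INVALID_OPERATION = 0x0502;   // real GL error value
const PIXEL_UNPACK_BUFFER = 0x88ec; // real GL target value

class Buffer {
  constructor(id) {
    this.id = id;
    this.refs = 0;          // holders keeping the GL object alive (bindings, VAOs)
    this.deleted = false;   // deleteBuffer() was called: the "deletion flag"
    this.glDeleted = false; // underlying GL object actually released
  }
  release() {
    this.refs -= 1;
    if (this.deleted && this.refs === 0) this.glDeleted = true;
  }
}

class Vao {
  constructor() { this.attachments = []; } // buffers this VAO references
}

class Context {
  constructor({ checkDeletionFlag }) {
    this.checkDeletionFlag = checkDeletionFlag; // true models the fix
    this.errors = [];
    this.bindings = new Map(); // target -> Buffer | null
    this.nextId = 1;
    this.currentVao = new Vao(); // default VAO
  }
  createBuffer() { return new Buffer(this.nextId++); }
  bindVertexArray(vao) { this.currentVao = vao; }
  // Stands in for vertexAttribPointer: the current VAO takes a reference.
  attachToCurrentVao(buf) { this.currentVao.attachments.push(buf); buf.refs += 1; }
  bindBuffer(target, buf) {
    if (buf && buf.deleted && this.checkDeletionFlag) {
      this.errors.push(INVALID_OPERATION); // the fixed behaviour
      return;
    }
    const old = this.bindings.get(target) || null;
    if (old) old.release();
    if (buf) buf.refs += 1;
    this.bindings.set(target, buf);
  }
  deleteBuffer(buf) {
    if (buf.deleted) return;
    buf.deleted = true;
    // Context bindings that hold the buffer are zeroed immediately.
    for (const [target, bound] of this.bindings) {
      if (bound === buf) { this.bindings.set(target, null); buf.release(); }
    }
    // A non-current VAO that still references it keeps the GL object alive.
    if (buf.refs === 0) buf.glDeleted = true;
  }
  compressedTexSubImage2D() {
    const pbo = this.bindings.get(PIXEL_UNPACK_BUFFER) || null;
    if (pbo === null) return 'client-data-path';     // data comes from the JS side
    if (pbo.deleted) return 'inconsistent-state';    // binding to a flagged object
    return 'pbo-offset-path';                        // normal PBO upload
  }
}

// Runs the sequence from the thread and reports what the model observes.
function runScenario({ checkDeletionFlag, bindBeforeDelete }) {
  const gl = new Context({ checkDeletionFlag });
  const buf = gl.createBuffer();
  const vao = new Vao();
  gl.bindVertexArray(vao);
  gl.attachToCurrentVao(buf);
  gl.bindVertexArray(new Vao());  // vao is now non-current but still holds buf
  if (bindBeforeDelete) gl.bindBuffer(PIXEL_UNPACK_BUFFER, buf);
  gl.deleteBuffer(buf);           // flagged, but not released: vao keeps it alive
  if (!bindBeforeDelete) gl.bindBuffer(PIXEL_UNPACK_BUFFER, buf);
  return { result: gl.compressedTexSubImage2D(), errors: gl.errors, glDeleted: buf.glDeleted };
}
```

Without the flag check, the delete-then-bind order leaves PIXEL_UNPACK_BUFFER pointing at a buffer that is flagged deleted but not GL-deleted; with the check, bindBuffer records INVALID_OPERATION and the binding stays 0. Binding first and deleting second zeroes the binding in either mode, which is the case the earlier comment says is already safe.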
Dec 21
Dec 21
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Dec 21
Detailed report: https://clusterfuzz.com/testcase?key=4894545002889216
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495501:495712
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4894545002889216
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Dec 21
Detailed report: https://clusterfuzz.com/testcase?key=5180621365968896
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495551:495784
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5180621365968896
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Dec 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5394466865517b38f95c074e43efddde95875d6b

commit 5394466865517b38f95c074e43efddde95875d6b
Author: James Darpinian <jdarpinian@chromium.org>
Date: Fri Dec 21 05:30:26 2018

WebGL: Check object deletion flag

Bug: 916924, 739604
Change-Id: I36f6280226e3c03ed8ae89bd9ff59a82631a9a21
Reviewed-on: https://chromium-review.googlesource.com/c/1388032
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: James Darpinian <jdarpinian@chromium.org>
Cr-Commit-Position: refs/heads/master@{#618464}

[modify] https://crrev.com/5394466865517b38f95c074e43efddde95875d6b/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc
Dec 21
Dec 21
Dec 21
ClusterFuzz has detected this issue as fixed in range 618463:618464.

Detailed report: https://clusterfuzz.com/testcase?key=4894545002889216
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495501:495712
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=618463:618464
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4894545002889216
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 21
Dec 21
This bug requires manual review: M72 has already been promoted to the beta branch, so this requires manual review.
Please contact the milestone owner if you have questions.
Owners: govind@ (Android), kariahda@ (iOS), djmm@ (ChromeOS), abdulsyed@ (Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Dec 21
Approved for 72. Branch: 3626
Dec 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/99488969407932b90aab9a881cbf71246f48dd6b

commit 99488969407932b90aab9a881cbf71246f48dd6b
Author: James Darpinian <jdarpinian@chromium.org>
Date: Fri Dec 21 22:00:16 2018

WebGL: Check object deletion flag

Bug: 916924, 739604
Change-Id: I36f6280226e3c03ed8ae89bd9ff59a82631a9a21
Reviewed-on: https://chromium-review.googlesource.com/c/1388032
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: James Darpinian <jdarpinian@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#618464}
(cherry picked from commit 5394466865517b38f95c074e43efddde95875d6b)
Reviewed-on: https://chromium-review.googlesource.com/c/1388563
Reviewed-by: James Darpinian <jdarpinian@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#508}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}

[modify] https://crrev.com/99488969407932b90aab9a881cbf71246f48dd6b/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc
Dec 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/99488969407932b90aab9a881cbf71246f48dd6b

Commit: 99488969407932b90aab9a881cbf71246f48dd6b
Author: jdarpinian@chromium.org
Commiter: jdarpinian@chromium.org
Date: 2018-12-21 22:00:16 +0000 UTC

WebGL: Check object deletion flag

Bug: 916924, 739604
Change-Id: I36f6280226e3c03ed8ae89bd9ff59a82631a9a21
Reviewed-on: https://chromium-review.googlesource.com/c/1388032
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: James Darpinian <jdarpinian@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#618464}
(cherry picked from commit 5394466865517b38f95c074e43efddde95875d6b)
Reviewed-on: https://chromium-review.googlesource.com/c/1388563
Reviewed-by: James Darpinian <jdarpinian@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#508}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Dec 22
Waiting for merge approval for 71.
Dec 22
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.
This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Dec 23
Dec 23
ClusterFuzz has detected this issue as fixed in range 618463:618464.

Detailed report: https://clusterfuzz.com/testcase?key=5180621365968896
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  gpu::ImplementationBase::SetBucketContents
  gpu::gles2::GLES2Implementation::CompressedTexSubImage2D
  blink::V8WebGL2RenderingContext::CompressedTexSubImage2DMethodCallback
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=495551:495784
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=618463:618464
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5180621365968896
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 23
ClusterFuzz testcase 5180621365968896 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 2
+ awhalley@ (Security TPM) for M71 merge review (Note: At the moment there is no plan for M71 respin for Desktop).
Jan 2
We can consider for a 71 merge after the 72 one has made it out to beta.
Jan 7
Jan 9
Hi - I'm afraid the VRP panel declined to reward for this bug, as they deemed it not to be exploitable. Cheers!