Issue metadata

Status: Fixed
Owner:
Closed: Sep 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


OOB read in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays

Project Member Reported by infe...@chromium.org, Sep 7 2011

Issue description


Testcase (run from LayoutTests/fast/canvas/webgl):
<script src="../../js/resources/js-test-pre.js"></script>
<script src="resources/webgl-test.js"></script>
<div id="console"></div>
<script>
var context = create3DContext();
var program = loadStandardProgram(context);

context.useProgram(program);
shouldGenerateGLError(context, context.INVALID_OPERATION, "context.drawArrays(context.TRIANGLES, 0, 200)");
shouldGenerateGLError(context, context.INVALID_OPERATION, "context.drawArrays(context.TRIANGLES, 0, 0x7fffffff)");
</script>


/mnt/scratch0/chrome/src/out/Release/DumpRenderTree 

ASAN:SIGILL
=================================================================
HINT: if your stack trace looks short or garbled, use ASAN_OPTIONS=fast_unwind=0
==19757== ERROR: AddressSanitizer heap-buffer-overflow on address 0x00007f4d118b4d0c at pc 0x7f4d0864050d bp 0x7fff92a53070 sp 0x7fff92a51740
READ of size 4 at 0x00007f4d118b4d0c thread T0
    #0 0x7f4d0864050d in run_vp third_party/mesa/MesaLib/src/mesa/tnl/t_vb_program.c:0
    #1 0x7f4d0861df73 in _tnl_run_pipeline 
    #2 0x7f4d0861d45e in _tnl_draw_prims 
    #3 0x7f4d0861a5ee in _tnl_vbo_draw_prims 
    #4 0x7f4d086b9c52 in flush_vertex third_party/mesa/MesaLib/src/mesa/vbo/vbo_split_inplace.c:0
    #5 0x7f4d086b8f77 in vbo_split_inplace 
    #6 0x7f4d0861b4d9 in _tnl_draw_prims 
    #7 0x7f4d0861a5ee in _tnl_vbo_draw_prims 
    #8 0x7f4d08692088 in vbo_exec_DrawArrays third_party/mesa/MesaLib/src/mesa/vbo/vbo_exec_array.c:0
    #9 0x341f9ca in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays(unsigned int, gpu::gles2::DrawArrays const&) 
    #10 0x34161a3 in gpu::gles2::GLES2DecoderImpl::DoCommand(unsigned int, unsigned int, void const*) 
    #11 0x3400b1f in gpu::CommandParser::ProcessCommand() 
    #12 0x33d0add in gpu::GpuScheduler::PutChanged() 
    #13 0x338c082 in webkit::gpu::GLInProcessContext::PumpCommands() 
    #14 0x33b2df6 in gpu::CommandBufferService::FlushSync(int, int) 
    #15 0x4007667 in gpu::CommandBufferHelper::Finish() 
    #16 0x3b27749 in gpu::gles2::GLES2Implementation::WaitForCmd() 
    #17 0x3b27c2b in gpu::gles2::GLES2Implementation::GetGLError() 
    #18 0x2d9295e in WebCore::WebGLRenderingContextInternal::getErrorCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources19.cpp:0
    #19 0xacd704 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #20 0xe8d4635e14e in 
0x00007f4d118b4d0c is located 12 bytes to the right of 3200-byte region [0x00007f4d118b4080,0x00007f4d118b4d00)
allocated by thread T0 here:
    #1 0x7f4d083f276f in _mesa_realloc 
    #2 0x7f4d082f4951 in _mesa_buffer_data third_party/mesa/MesaLib/src/mesa/main/bufferobj.c:0
    #3 0x7f4d082f6e8b in _mesa_BufferDataARB 
    #4 0x343a7da in gpu::gles2::GLES2DecoderImpl::SimulateAttrib0(unsigned int) 
    #5 0x341f965 in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays(unsigned int, gpu::gles2::DrawArrays const&) 
    #6 0x34161a3 in gpu::gles2::GLES2DecoderImpl::DoCommand(unsigned int, unsigned int, void const*) 
    #7 0x3400b1f in gpu::CommandParser::ProcessCommand() 
    #8 0x33d0add in gpu::GpuScheduler::PutChanged() 
    #9 0x338c082 in webkit::gpu::GLInProcessContext::PumpCommands() 
    #10 0x33b2df6 in gpu::CommandBufferService::FlushSync(int, int) 
    #11 0x4007667 in gpu::CommandBufferHelper::Finish() 
    #12 0x3b27749 in gpu::gles2::GLES2Implementation::WaitForCmd() 
    #13 0x3b27c2b in gpu::gles2::GLES2Implementation::GetGLError() 
    #14 0x2d9295e in WebCore::WebGLRenderingContextInternal::getErrorCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources19.cpp:0
    #15 0xacd704 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #16 0xe8d4635e14e in 
    #17 0xe8d46384ade in 
    #18 0xe8d46381eb0 in 
    #19 0xe8d46378b67 in 
    #20 0xe8d463636e1 in 
==19757== ABORTING
	base::debug::StackTrace::StackTrace() [0x89b556]
	base::(anonymous namespace)::StackDumpSignalHandler() [0x8689ef]
	0x7f4d165e9af0
	0x7f4d165e9a75
	0x7f4d165ed5c0
	asan_report_error() [0x4745a1b]
	0x7f4d174db8f0
	run_vp [0x7f4d0864050d]
	_tnl_run_pipeline [0x7f4d0861df73]
	_tnl_draw_prims [0x7f4d0861d45e]
	_tnl_vbo_draw_prims [0x7f4d0861a5ee]
	flush_vertex [0x7f4d086b9c52]
	vbo_split_inplace [0x7f4d086b8f77]
	_tnl_draw_prims [0x7f4d0861b4d9]
	_tnl_vbo_draw_prims [0x7f4d0861a5ee]
	vbo_exec_DrawArrays [0x7f4d08692088]
	gpu::gles2::GLES2DecoderImpl::HandleDrawArrays() [0x341f9ca]
	gpu::gles2::GLES2DecoderImpl::DoCommand() [0x34161a3]
	gpu::CommandParser::ProcessCommand() [0x3400b1f]
	gpu::GpuScheduler::PutChanged() [0x33d0add]
	webkit::gpu::GLInProcessContext::PumpCommands() [0x338c082]
	gpu::CommandBufferService::FlushSync() [0x33b2df6]
	gpu::CommandBufferHelper::Finish() [0x4007667]
	gpu::gles2::GLES2Implementation::WaitForCmd() [0x3b27749]
	gpu::gles2::GLES2Implementation::GetGLError() [0x3b27c2b]
	WebCore::WebGLRenderingContextInternal::getErrorCallback() [0x2d9295e]
	v8::internal::Builtin_HandleApiCall() [0xacd704]
	0xe8d4635e14e

 
This was found in my fuzzing+ASAN+ClusterFuzz

Bot CLUSTER_FUZZ_399 on platform LINUX
Chromium Revision : 99705
Webkit Revision : 94540

Comment 2 by kbr@chromium.org, Sep 8 2011

Cc: kbr@chromium.org
Owner: gman@chromium.org
For some reason this draw call is slipping past the validation performed in the implementation of DrawArrays. Gregg, would you mind taking this? Assign it back to me if you are too busy.

Comment 3 by mal@google.com, Sep 8 2011

Labels: Stability-CodeYellow

Comment 4 by gman@chromium.org, Sep 8 2011

Status: Started

Comment 5 by gman@chromium.org, Sep 9 2011

So just FYI,

The bug was two-fold (fixed now). The test was testing non-enabled attrib 0. The attrib 0 simulation code had 2 bugs:

#1 There was math overflow (count * sizeof(Vec4)) where count = 0x7FFFFFFF
#2 There was no check that BufferData did not run out of memory

The issue though is I can't add a test to the official WebGL conformance tests because real OpenGL ES might not fail on that case (except drawing 0x7FFFFFFF / 3 of even zero-sized anything is probably going to DOS the GPU)

FF has the same bug. I filed a bug for them.

I also checked in an un-official test here:
https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/simulated-attrib-0-bug-test.html

The test won't fail but running with ASAN on OSMesa should trigger ASAN's checking on buggy impls.
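The two defects listed above, and the 32-bit wrap behind the "unsigned->signed conversion" note in r100494, as an added C++ model that is not Chromium's code: Vec4f, the 16-byte stride, the fake 64 MiB heap limit and every function name are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <limits>
#include <vector>

// Assumed 4-float attribute the decoder fabricates for a disabled attrib 0:
// 16 bytes per vertex, so 200 vertices give the 3200-byte region in the report.
struct Vec4f { float v[4]; };

// Bug #1 modelled: the product is computed in 32 bits and silently wraps.
// 0x7FFFFFFF * 16 = 0x7FFFFFFF0, truncated to 0xFFFFFFF0.
uint32_t UncheckedAttrib0Size(uint32_t num_vertices) {
  return num_vertices * static_cast<uint32_t>(sizeof(Vec4f));
}

// Hardened sizing: multiply in 64 bits and reject anything a signed 32-bit
// GLsizei could not carry, so the size handed to BufferData is never wrapped.
bool CheckedAttrib0Size(uint32_t num_vertices, uint32_t* size_out) {
  const uint64_t product = uint64_t{num_vertices} * sizeof(Vec4f);
  if (product > static_cast<uint64_t>(std::numeric_limits<int32_t>::max()))
    return false;
  *size_out = static_cast<uint32_t>(product);
  return true;
}

// Toy stand-in for the buffer object backing attrib 0 (hypothetical). Sizes
// above a fake 64 MiB heap limit fail, simulating the driver running out of
// memory; like a failed realloc, the old storage is left in place.
struct Attrib0Buffer {
  static constexpr uint32_t kFakeHeapLimit = 64u << 20;
  std::vector<unsigned char> storage;
  bool BufferData(uint32_t bytes) {
    if (bytes > kFakeHeapLimit) return false;
    storage.assign(bytes, 0);
    return true;
  }
};

// Whether the draw was issued, and whether every vertex it reads is backed
// by the buffer that actually holds attrib 0.
struct DrawResult { bool drew; bool in_bounds; };

// Pre-fix behaviour: wrapped size, BufferData failure ignored (bug #2), and
// the draw issued for `count` vertices against whatever buffer is left.
DrawResult VulnerableDrawArrays(uint32_t count, Attrib0Buffer* buf) {
  buf->BufferData(UncheckedAttrib0Size(count));
  const uint64_t needed = uint64_t{count} * sizeof(Vec4f);
  return {true, needed <= buf->storage.size()};
}

// Post-fix behaviour: an overflowing size or a failed allocation is reported
// as a GL error and the draw is skipped, so nothing reads past the buffer.
DrawResult FixedDrawArrays(uint32_t count, Attrib0Buffer* buf) {
  uint32_t bytes = 0;
  if (!CheckedAttrib0Size(count, &bytes)) return {false, true};
  if (!buf->BufferData(bytes)) return {false, true};
  return {true, uint64_t{count} * sizeof(Vec4f) <= buf->storage.size()};
}
```

Run with the testcase's sequence (a 200-vertex draw, then a 0x7FFFFFFF-vertex one), VulnerableDrawArrays reports the second draw as issued but out of bounds against the stale 3200-byte buffer, which is the shape of the ASAN report above, while FixedDrawArrays refuses it.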


Does this affect m14?

Comment 7 by gman@chromium.org, Sep 9 2011

Yes, it affects M14. It's been in there since M9 :-(  Thanks to the guys that hooked up ASAN, they found it.
Project Member

Comment 8 by bugdroid1@chromium.org, Sep 9 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100384

------------------------------------------------------------------------
r100384 | gman@chromium.org | Fri Sep 09 03:28:08 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100384&r2=100383&pathrev=100384
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100384&r2=100383&pathrev=100384

Fix bug in SimulateAttrib0 that did not check for out of memory.

It also did not correctly check for math overflow. Also fixed
similar bugs in SimulateFixedAttribs

TEST=unit tests
BUG= 95625 

R=apatrick@chromium.org


Review URL: http://codereview.chromium.org/7845017
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Is this a risky merge to m14? Given code yellow, we should merge this to both m14 and m15.

Comment 10 by gman@chromium.org, Sep 9 2011

No, there's very little risk IMO. 
What are the branch numbers?
m14 is 835 and m15 is 874.
Project Member

Comment 12 by bugdroid1@chromium.org, Sep 9 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100411

------------------------------------------------------------------------
r100411 | nsylvain@chromium.org | Fri Sep 09 09:37:34 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100411&r2=100410&pathrev=100411
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100411&r2=100410&pathrev=100411

Revert 100384 - Fix bug in SimulateAttrib0 that did not check for out of memory.

It also did not correctly check for math overflow. Also fixed
similar bugs in SimulateFixedAttribs

TEST=unit tests
BUG= 95625 

R=apatrick@chromium.org


Review URL: http://codereview.chromium.org/7845017

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7857037
------------------------------------------------------------------------

Comment 13 by kbr@chromium.org, Sep 9 2011

Status: Started
Per comment on http://codereview.chromium.org/7845017/ this was rolled out on trunk. Reopening.

Comment 14 by gman@chromium.org, Sep 9 2011

I've already got a fix for this. Will check in in a few mins
Project Member

Comment 15 by bugdroid1@chromium.org, Sep 9 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100453

------------------------------------------------------------------------
r100453 | gman@chromium.org | Fri Sep 09 11:56:02 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100453&r2=100452&pathrev=100453
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100453&r2=100452&pathrev=100453

Revert "Revert 100384 - Fix bug in SimulateAttrib0 that did not check for out of memory."

TEST=unit tests and run on linux touch (where bug was)
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7841067
------------------------------------------------------------------------
Project Member

Comment 16 by bugdroid1@chromium.org, Sep 9 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100473

------------------------------------------------------------------------
r100473 | dpapad@chromium.org | Fri Sep 09 13:02:37 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100473&r2=100472&pathrev=100473
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100473&r2=100472&pathrev=100473

Revert 100453 - Revert "Revert 100384 - Fix bug in SimulateAttrib0 that did not check for out of memory."

TEST=unit tests and run on linux touch (where bug was)
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7841067

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7866006
------------------------------------------------------------------------
Project Member

Comment 17 by bugdroid1@chromium.org, Sep 9 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100494

------------------------------------------------------------------------
r100494 | gman@chromium.org | Fri Sep 09 14:08:34 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100494&r2=100493&pathrev=100494
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100494&r2=100493&pathrev=100494

Revert "Revert 100453 - Revert "Revert 100384 - Fix bug in SimulateAttrib0.""

The bug was an unsigned->signed conversion issue. Clang truncates, gcc/vc overflow

TEST=unit tests
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7863007
------------------------------------------------------------------------
Project Member

Comment 18 by bugdroid1@chromium.org, Sep 9 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100498

------------------------------------------------------------------------
r100498 | dmichael@chromium.org | Fri Sep 09 14:24:47 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100498&r2=100497&pathrev=100498
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100498&r2=100497&pathrev=100498

Revert 100494 - Revert "Revert 100453 - Revert "Revert 100384 - Fix bug in SimulateAttrib0.""

The bug was an unsigned->signed conversion issue. Clang truncates, gcc/vc overflow

TEST=unit tests
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7863007

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7796015
------------------------------------------------------------------------
Project Member

Comment 19 by bugdroid1@chromium.org, Sep 9 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100507

------------------------------------------------------------------------
r100507 | gman@chromium.org | Fri Sep 09 14:48:30 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100507&r2=100506&pathrev=100507
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100507&r2=100506&pathrev=100507

Revert "Revert 100494 - Fix bug in SimulateAttrib0."""

TEST=none
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7796016
------------------------------------------------------------------------
Is the fix in ?

Comment 21 by gman@chromium.org, Sep 11 2011

yes, and merged to both branches. 
Project Member

Comment 22 by bugdroid1@chromium.org, Sep 11 2011

Labels: merge-merged-835
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100616

------------------------------------------------------------------------
r100616 | gman@chromium.org | Sat Sep 10 20:56:54 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/835/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100616&r2=100615&pathrev=100616
 M http://src.chromium.org/viewvc/chrome/branches/835/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100616&r2=100615&pathrev=100616

Merge 100507 - Revert "Revert 100494 - Fix bug in SimulateAttrib0."""

TEST=none
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7796016

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7862024
------------------------------------------------------------------------
Project Member

Comment 23 by bugdroid1@chromium.org, Sep 11 2011

Labels: merge-merged-874
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100617

------------------------------------------------------------------------
r100617 | gman@chromium.org | Sat Sep 10 21:00:57 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/874/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100617&r2=100616&pathrev=100617
 M http://src.chromium.org/viewvc/chrome/branches/874/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100617&r2=100616&pathrev=100617

Merge 100507 - Revert "Revert 100494 - Fix bug in SimulateAttrib0."""

TEST=none
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7796016

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7862025
------------------------------------------------------------------------
Labels: -Merge-Approved Merge-Merged
Status: FixUnreleased
Thanks a lot.
Labels: CVE-2011-2858
Labels: SecImpacts-Stable
Batch update.

Comment 27 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Project Member

Comment 28 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 29 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-Medium -Mstone-14 -Stability-AddressSanitizer -Feature-GPU-WebGL -SecImpacts-Stable Cr-Content Cr-Internals-GPU-WebGL Security-Severity-Medium Performance-Memory-AddressSanitizer Security-Impact-Stable Type-Bug-Security M-14
Project Member

Comment 30 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 31 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 33 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 34 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member

Comment 35 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 36 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 37 by bugdroid1@chromium.org, Apr 10 2013

Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL
Labels: ClusterFuzz
Project Member

Comment 39 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 40 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
