Issue metadata

Status: Fixed
Closed: Sep 2011
OS: All
Pri: 1
Type: Bug-Security


Issue 95625: OOB read in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays

Reported by infe...@chromium.org, Sep 7 2011 Project Member

Issue description

Testcase (run from LayoutTests/fast/canvas/webgl)

<script src="../../js/resources/js-test-pre.js"></script>
<script src="resources/webgl-test.js"></script>
<div id="console"></div>
<script>
var context = create3DContext();
var program = loadStandardProgram(context);

context.useProgram(program);
shouldGenerateGLError(context, context.INVALID_OPERATION, "context.drawArrays(context.TRIANGLES, 0, 200)");
shouldGenerateGLError(context, context.INVALID_OPERATION, "context.drawArrays(context.TRIANGLES, 0, 0x7fffffff)");
</script>

/mnt/scratch0/chrome/src/out/Release/DumpRenderTree 

ASAN:SIGILL
=================================================================
HINT: if your stack trace looks short or garbled, use ASAN_OPTIONS=fast_unwind=0
==19757== ERROR: AddressSanitizer heap-buffer-overflow on address 0x00007f4d118b4d0c at pc 0x7f4d0864050d bp 0x7fff92a53070 sp 0x7fff92a51740
READ of size 4 at 0x00007f4d118b4d0c thread T0
    #0 0x7f4d0864050d in run_vp third_party/mesa/MesaLib/src/mesa/tnl/t_vb_program.c:0
    #1 0x7f4d0861df73 in _tnl_run_pipeline 
    #2 0x7f4d0861d45e in _tnl_draw_prims 
    #3 0x7f4d0861a5ee in _tnl_vbo_draw_prims 
    #4 0x7f4d086b9c52 in flush_vertex third_party/mesa/MesaLib/src/mesa/vbo/vbo_split_inplace.c:0
    #5 0x7f4d086b8f77 in vbo_split_inplace 
    #6 0x7f4d0861b4d9 in _tnl_draw_prims 
    #7 0x7f4d0861a5ee in _tnl_vbo_draw_prims 
    #8 0x7f4d08692088 in vbo_exec_DrawArrays third_party/mesa/MesaLib/src/mesa/vbo/vbo_exec_array.c:0
    #9 0x341f9ca in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays(unsigned int, gpu::gles2::DrawArrays const&) 
    #10 0x34161a3 in gpu::gles2::GLES2DecoderImpl::DoCommand(unsigned int, unsigned int, void const*) 
    #11 0x3400b1f in gpu::CommandParser::ProcessCommand() 
    #12 0x33d0add in gpu::GpuScheduler::PutChanged() 
    #13 0x338c082 in webkit::gpu::GLInProcessContext::PumpCommands() 
    #14 0x33b2df6 in gpu::CommandBufferService::FlushSync(int, int) 
    #15 0x4007667 in gpu::CommandBufferHelper::Finish() 
    #16 0x3b27749 in gpu::gles2::GLES2Implementation::WaitForCmd() 
    #17 0x3b27c2b in gpu::gles2::GLES2Implementation::GetGLError() 
    #18 0x2d9295e in WebCore::WebGLRenderingContextInternal::getErrorCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources19.cpp:0
    #19 0xacd704 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #20 0xe8d4635e14e in 
0x00007f4d118b4d0c is located 12 bytes to the right of 3200-byte region [0x00007f4d118b4080,0x00007f4d118b4d00)
allocated by thread T0 here:
    #1 0x7f4d083f276f in _mesa_realloc 
    #2 0x7f4d082f4951 in _mesa_buffer_data third_party/mesa/MesaLib/src/mesa/main/bufferobj.c:0
    #3 0x7f4d082f6e8b in _mesa_BufferDataARB 
    #4 0x343a7da in gpu::gles2::GLES2DecoderImpl::SimulateAttrib0(unsigned int) 
    #5 0x341f965 in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays(unsigned int, gpu::gles2::DrawArrays const&) 
    #6 0x34161a3 in gpu::gles2::GLES2DecoderImpl::DoCommand(unsigned int, unsigned int, void const*) 
    #7 0x3400b1f in gpu::CommandParser::ProcessCommand() 
    #8 0x33d0add in gpu::GpuScheduler::PutChanged() 
    #9 0x338c082 in webkit::gpu::GLInProcessContext::PumpCommands() 
    #10 0x33b2df6 in gpu::CommandBufferService::FlushSync(int, int) 
    #11 0x4007667 in gpu::CommandBufferHelper::Finish() 
    #12 0x3b27749 in gpu::gles2::GLES2Implementation::WaitForCmd() 
    #13 0x3b27c2b in gpu::gles2::GLES2Implementation::GetGLError() 
    #14 0x2d9295e in WebCore::WebGLRenderingContextInternal::getErrorCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources19.cpp:0
    #15 0xacd704 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #16 0xe8d4635e14e in 
    #17 0xe8d46384ade in 
    #18 0xe8d46381eb0 in 
    #19 0xe8d46378b67 in 
    #20 0xe8d463636e1 in 
==19757== ABORTING
Shadow byte and word:
  0x00001fe9a23169a1: fa
  0x00001fe9a23169a0: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x00001fe9a2316980: 00 00 00 00 00 00 00 00
  0x00001fe9a2316988: 00 00 00 00 00 00 00 00
  0x00001fe9a2316990: 00 00 00 00 00 00 00 00
  0x00001fe9a2316998: 00 00 00 00 00 00 00 00
=>0x00001fe9a23169a0: fa fa fa fa fa fa fa fa
  0x00001fe9a23169a8: fa fa fa fa fa fa fa fa
  0x00001fe9a23169b0: fa fa fa fa fa fa fa fa
  0x00001fe9a23169b8: fa fa fa fa fa fa fa fa
  0x00001fe9a23169c0: fa fa fa fa fa fa fa fa
	base::debug::StackTrace::StackTrace() [0x89b556]
	base::(anonymous namespace)::StackDumpSignalHandler() [0x8689ef]
	0x7f4d165e9af0
	0x7f4d165e9a75
	0x7f4d165ed5c0
	asan_report_error() [0x4745a1b]
	0x7f4d174db8f0
	run_vp [0x7f4d0864050d]
	_tnl_run_pipeline [0x7f4d0861df73]
	_tnl_draw_prims [0x7f4d0861d45e]
	_tnl_vbo_draw_prims [0x7f4d0861a5ee]
	flush_vertex [0x7f4d086b9c52]
	vbo_split_inplace [0x7f4d086b8f77]
	_tnl_draw_prims [0x7f4d0861b4d9]
	_tnl_vbo_draw_prims [0x7f4d0861a5ee]
	vbo_exec_DrawArrays [0x7f4d08692088]
	gpu::gles2::GLES2DecoderImpl::HandleDrawArrays() [0x341f9ca]
	gpu::gles2::GLES2DecoderImpl::DoCommand() [0x34161a3]
	gpu::CommandParser::ProcessCommand() [0x3400b1f]
	gpu::GpuScheduler::PutChanged() [0x33d0add]
	webkit::gpu::GLInProcessContext::PumpCommands() [0x338c082]
	gpu::CommandBufferService::FlushSync() [0x33b2df6]
	gpu::CommandBufferHelper::Finish() [0x4007667]
	gpu::gles2::GLES2Implementation::WaitForCmd() [0x3b27749]
	gpu::gles2::GLES2Implementation::GetGLError() [0x3b27c2b]
	WebCore::WebGLRenderingContextInternal::getErrorCallback() [0x2d9295e]
	v8::internal::Builtin_HandleApiCall() [0xacd704]
	0xe8d4635e14e
 

Comment 1 by infe...@chromium.org, Sep 7 2011

This was found in my fuzzing+ASAN+ClusterFuzz

Bot CLUSTER_FUZZ_399 on platform LINUX
Chromium Revision : 99705
Webkit Revision : 94540

Comment 2 by kbr@chromium.org, Sep 8 2011

Cc: kbr@chromium.org
Owner: gman@chromium.org
For some reason this draw call is slipping past the validation performed in the implementation of DrawArrays. Gregg, would you mind taking this? Assign it back to me if you are too busy.

Comment 3 by mal@google.com, Sep 8 2011

Labels: Stability-CodeYellow

Comment 4 by gman@chromium.org, Sep 8 2011

Status: Started

Comment 5 by gman@chromium.org, Sep 9 2011

So just FYI,

The bug was twofold (fixed now). The test was testing a non-enabled attrib 0. The attrib 0 simulation code had 2 bugs:

#1 There was math overflow (count * sizeof(Vec4)) where count = 0x7FFFFFFF
#2 There was no check that BufferData did not run out of memory

The issue though is I can't add a test to the official WebGL conformance tests because real OpenGL ES might not fail on that case (except that drawing 0x7FFFFFFF/3 of even zero-sized anything is probably going to DoS the GPU).

FF has the same bug. I filed a bug for them 

I also checked in an un-official test here:
https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/simulated-attrib-0-bug-test.html

The test won't fail, but running with ASAN on OSMesa should trigger ASAN's checking on buggy impls.

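The two defects Gregg lists above (a 32-bit overflow in count * sizeof(Vec4) for count = 0x7FFFFFFF, and a BufferData failure that was never checked) and the signed/unsigned conversion pitfall mentioned in the r100494 commit message below can be shown in a small model. The following is an added example, not Chromium's own gles2_cmd_decoder.cc code: every name in it (Vec4, UncheckedSize, CheckedSize, PrepareAttrib0Draw, the 64 MiB ceiling standing in for a driver reporting GL_OUT_OF_MEMORY) is a hypothetical stand-in, and it assumes a 4-byte float so that one simulated vertex is 16 bytes.

```cpp
// Added example, not Chromium's code: a model of the two defects described in
// Comment 5 (32-bit overflow in count * sizeof(Vec4), and an unchecked
// BufferData failure) and of the checks that close them. All names here
// (Vec4, UncheckedSize, CheckedSize, PrepareAttrib0Draw, the 64 MiB ceiling)
// are hypothetical stand-ins, not the decoder's real identifiers.
#include <cstddef>
#include <cstdint>
#include <cstdio>

namespace attrib0_demo {

struct Vec4 { float x, y, z, w; };   // 16 bytes per simulated attrib-0 vertex

// Defect #1 as described: the byte count is computed in 32-bit arithmetic.
// 0x7FFFFFFF * 16 = 0x7FFFFFFF0 needs 35 bits, so the product wraps to
// 0xFFFFFFF0, which a signed 32-bit GL size parameter then sees as -16.
uint32_t UncheckedSize(uint32_t num_vertices) {
  return num_vertices * static_cast<uint32_t>(sizeof(Vec4));
}

// Overflow-checked multiply: widen to 64 bits and reject anything that does
// not fit back into 32.
bool SafeMultiplyUint32(uint32_t a, uint32_t b, uint32_t* out) {
  uint64_t wide = static_cast<uint64_t>(a) * static_cast<uint64_t>(b);
  if (wide > UINT32_MAX) return false;
  *out = static_cast<uint32_t>(wide);
  return true;
}

// Returns the buffer size in bytes, or 0 if the request cannot be honoured
// (zero vertices, 32-bit overflow, or a size that would go negative when
// handed to a signed 32-bit GL size parameter). Comparing against an unsigned
// constant keeps the check itself free of signed/unsigned conversion.
uint32_t CheckedSize(uint32_t num_vertices) {
  uint32_t size_needed = 0;
  if (num_vertices == 0) return 0;
  if (!SafeMultiplyUint32(num_vertices, static_cast<uint32_t>(sizeof(Vec4)),
                          &size_needed)) {
    return 0;
  }
  if (size_needed > 0x7FFFFFFFu) return 0;
  return size_needed;
}

// Defect #2 as described: glBufferData can fail, and the buggy caller drew
// anyway. A stand-in buffer with an arbitrary ceiling plays the driver that
// reports GL_OUT_OF_MEMORY; the ceiling is an assumption for this demo only.
static const size_t kSimulatedBufferLimit = 64u * 1024u * 1024u;
static size_t g_simulated_capacity = 0;

void ResetSimulatedBuffer() { g_simulated_capacity = 0; }
size_t SimulatedBufferCapacity() { return g_simulated_capacity; }

bool SimulatedBufferData(size_t size) {
  if (size > kSimulatedBufferLimit) return false;   // GL_OUT_OF_MEMORY
  g_simulated_capacity = size;
  return true;
}

// True if the draw may proceed; false means the decoder should raise
// GL_OUT_OF_MEMORY and skip the draw rather than let the driver read past
// whatever buffer is currently bound.
bool PrepareAttrib0Draw(uint32_t max_vertex_accessed) {
  uint32_t num_vertices = max_vertex_accessed + 1;   // wraps to 0 at UINT32_MAX, caught below
  uint32_t size_needed = CheckedSize(num_vertices);
  if (size_needed == 0) return false;
  if (size_needed > g_simulated_capacity && !SimulatedBufferData(size_needed)) {
    return false;
  }
  return true;
}

}  // namespace attrib0_demo

int main() {
  using namespace attrib0_demo;
  // Same sequence as the reporter's testcase: 200 vertices, then 0x7fffffff.
  ResetSimulatedBuffer();
  std::printf("draw(200)        -> %s, capacity %zu\n",
              PrepareAttrib0Draw(199u) ? "ok" : "refused",
              SimulatedBufferCapacity());
  std::printf("draw(0x7fffffff) -> %s, capacity %zu\n",
              PrepareAttrib0Draw(0x7FFFFFFEu) ? "ok" : "refused",
              SimulatedBufferCapacity());
  std::printf("unchecked 0x7fffffff * 16 = 0x%08x\n", UncheckedSize(0x7FFFFFFFu));
  return 0;
}
```

The first draw in the model grows the stand-in buffer to 3200 bytes, which matches the 3200-byte region in the ASAN report (200 vertices of 16 bytes); the second draw is refused before anything is handed to the driver. In the unchecked path the same 0x7FFFFFFF request produces 0xFFFFFFF0, so whether it ends up as a huge unsigned size or as -16 depends only on how the compiler converts it, which is the kind of difference the later commit message attributes to Clang versus gcc/VC.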
Comment 6 by infe...@chromium.org, Sep 9 2011

Does this affect m14?

Comment 7 by gman@chromium.org, Sep 9 2011

Yes, it affects M14. It's been in there since M9 :-(  Thanks to the guys that hooked up ASAN, they found it.

Comment 8 by bugdroid1@chromium.org, Sep 9 2011

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100384

------------------------------------------------------------------------
r100384 | gman@chromium.org | Fri Sep 09 03:28:08 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100384&r2=100383&pathrev=100384
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100384&r2=100383&pathrev=100384

Fix bug in SimulateAttrib0 that did not check for out of memory.

It also did not correctly check for math overflow. Also fixed
similar bugs in SimulateFixedAttribs

TEST=unit tests
BUG= 95625 

R=apatrick@chromium.org


Review URL: http://codereview.chromium.org/7845017
------------------------------------------------------------------------

Comment 9 by infe...@chromium.org, Sep 9 2011

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Is this a risky merge to m14? Given code yellow, we should merge this to both m14, m15.

Comment 10 by gman@chromium.org, Sep 9 2011

No, there's very little risk IMO. 
What are the branch numbers?

Comment 11 by infe...@chromium.org, Sep 9 2011

m14 is 835 and m15 is 874.

Comment 12 by bugdroid1@chromium.org, Sep 9 2011

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100411

------------------------------------------------------------------------
r100411 | nsylvain@chromium.org | Fri Sep 09 09:37:34 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100411&r2=100410&pathrev=100411
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100411&r2=100410&pathrev=100411

Revert 100384 - Fix bug in SimulateAttrib0 that did not check for out of memory.

It also did not correctly check for math overflow. Also fixed
similar bugs in SimulateFixedAttribs

TEST=unit tests
BUG= 95625 

R=apatrick@chromium.org


Review URL: http://codereview.chromium.org/7845017

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7857037
------------------------------------------------------------------------

Comment 13 by kbr@chromium.org, Sep 9 2011

Status: Started
Per comment on http://codereview.chromium.org/7845017/ this was rolled out on trunk. Reopening.

Comment 14 by gman@chromium.org, Sep 9 2011

I've already got a fix for this. Will check in in a few mins

Comment 15 by bugdroid1@chromium.org, Sep 9 2011

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100453

------------------------------------------------------------------------
r100453 | gman@chromium.org | Fri Sep 09 11:56:02 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100453&r2=100452&pathrev=100453
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100453&r2=100452&pathrev=100453

Revert "Revert 100384 - Fix bug in SimulateAttrib0 that did not check for out of memory."

TEST=unit tests and run on linux touch (where bug was)
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7841067
------------------------------------------------------------------------

Comment 16 by bugdroid1@chromium.org, Sep 9 2011

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100473

------------------------------------------------------------------------
r100473 | dpapad@chromium.org | Fri Sep 09 13:02:37 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100473&r2=100472&pathrev=100473
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100473&r2=100472&pathrev=100473

Revert 100453 - Revert "Revert 100384 - Fix bug in SimulateAttrib0 that did not check for out of memory."

TEST=unit tests and run on linux touch (where bug was)
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7841067

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7866006
------------------------------------------------------------------------

Comment 17 by bugdroid1@chromium.org, Sep 9 2011

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100494

------------------------------------------------------------------------
r100494 | gman@chromium.org | Fri Sep 09 14:08:34 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100494&r2=100493&pathrev=100494
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100494&r2=100493&pathrev=100494

Revert "Revert 100453 - Revert "Revert 100384 - Fix bug in SimulateAttrib0.""

The bug was a unsigned->signed conversion issue. Clang truncates, gcc/vc overflow

TEST=unit tests
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7863007
------------------------------------------------------------------------

Comment 18 by bugdroid1@chromium.org, Sep 9 2011

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100498

------------------------------------------------------------------------
r100498 | dmichael@chromium.org | Fri Sep 09 14:24:47 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100498&r2=100497&pathrev=100498
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100498&r2=100497&pathrev=100498

Revert 100494 - Revert "Revert 100453 - Revert "Revert 100384 - Fix bug in SimulateAttrib0.""

The bug was a unsigned->signed conversion issue. Clang truncates, gcc/vc overflow

TEST=unit tests
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7863007

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7796015
------------------------------------------------------------------------

Comment 19 by bugdroid1@chromium.org, Sep 9 2011

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100507

------------------------------------------------------------------------
r100507 | gman@chromium.org | Fri Sep 09 14:48:30 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100507&r2=100506&pathrev=100507
 M http://src.chromium.org/viewvc/chrome/trunk/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100507&r2=100506&pathrev=100507

Revert "Revert 100494 - Fix bug in SimulateAttrib0."""

TEST=none
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7796016
------------------------------------------------------------------------

Comment 20 by infe...@chromium.org, Sep 10 2011

Is the fix in ?

Comment 21 by gman@chromium.org, Sep 11 2011

yes, and merged to both branches.

Comment 22 by bugdroid1@chromium.org, Sep 11 2011

Project Member
Labels: merge-merged-835
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100616

------------------------------------------------------------------------
r100616 | gman@chromium.org | Sat Sep 10 20:56:54 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/835/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100616&r2=100615&pathrev=100616
 M http://src.chromium.org/viewvc/chrome/branches/835/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100616&r2=100615&pathrev=100616

Merge 100507 - Revert "Revert 100494 - Fix bug in SimulateAttrib0."""

TEST=none
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7796016

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7862024
------------------------------------------------------------------------

Comment 23 by bugdroid1@chromium.org, Sep 11 2011

Project Member
Labels: merge-merged-874
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=100617

------------------------------------------------------------------------
r100617 | gman@chromium.org | Sat Sep 10 21:00:57 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/874/src/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc?r1=100617&r2=100616&pathrev=100617
 M http://src.chromium.org/viewvc/chrome/branches/874/src/gpu/command_buffer/service/gles2_cmd_decoder.cc?r1=100617&r2=100616&pathrev=100617

Merge 100507 - Revert "Revert 100494 - Fix bug in SimulateAttrib0."""

TEST=none
BUG= 95625 
TBR=apatrick@chromium.org

Review URL: http://codereview.chromium.org/7796016

TBR=gman@chromium.org
Review URL: http://codereview.chromium.org/7862025
------------------------------------------------------------------------

Comment 24 by infe...@chromium.org, Sep 11 2011

Labels: -Merge-Approved Merge-Merged
Status: FixUnreleased
Thanks a lot.

Comment 25 by scarybea...@gmail.com, Sep 12 2011

Labels: CVE-2011-2858

Comment 26 by jsc...@chromium.org, Oct 5 2011

Labels: SecImpacts-Stable
Batch update.

Comment 27 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed..

Comment 28 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 29 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -SecSeverity-Medium -Mstone-14 -Stability-AddressSanitizer -Feature-GPU-WebGL -SecImpacts-Stable Cr-Content Cr-Internals-GPU-WebGL Security-Severity-Medium Performance-Memory-AddressSanitizer Security-Impact-Stable Type-Bug-Security M-14

Comment 30 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 31 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 32 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 33 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 34 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 35 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 36 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 37 by bugdroid1@chromium.org, Apr 10 2013

Project Member
Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL

Comment 38 by infe...@chromium.org, May 14 2014

Labels: ClusterFuzz

Comment 39 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 40 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 41 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 42 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
