75814 – Heap-buffer-overflow WRITE in memcpy_texture

Bug 75814 - Heap-buffer-overflow WRITE in memcpy_texture

Summary: Heap-buffer-overflow WRITE in memcpy_texture

Status:	RESOLVED MOVED

Alias:	None

Product:	Mesa
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium normal
Assignee:	mesa-dev
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-03-05 22:12 UTC by Abhishek Arya
Modified:	2019-09-18 20:17 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments

Description Abhishek Arya 2014-03-05 22:12:44 UTC

I am running into this when launching chrome built with AddressSanitizer memory debugging tool on Ubuntu Saucy.

=================================================================
==3110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000018101 at pc 0x4897f6 bp 0x7fff8f1918e0 sp 0x7fff8f191098
WRITE of size 4 at 0x603000018101 thread T0 (content_shell)
    #0 0x4897f5 in __interceptor_memcpy /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:374
    #1 0x7f3481c6a9f5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:51
    #2 0x7f3481c6a9f5 in memcpy_texture /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:960
    #3 0x7f3481c6fd84 in _mesa_texstore_memcpy /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:3855
    #4 0x7f3481c6fd84 in _mesa_texstore /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:3874
    #5 0x7f3481c70051 in store_texsubimage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:4022
    #6 0x7f348169f179 in st_TexSubImage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/state_tracker/st_cb_texture.c:789
    #7 0x7f348169fc02 in st_TexImage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/state_tracker/st_cb_texture.c:813
    #8 0x7f3481c5e8eb in teximage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/teximage.c:3166
    #9 0x7f3481c5fb5f in _mesa_TexImage2D /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/teximage.c:3205
    #10 0x85ca65e in gfx::(anonymous namespace)::CustomTexImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) /b/build/slave/ASAN_Release/build/src/out/Release/../../ui/gl/gl_gl_api_implementation.cc:131
    #11 0x85faba4 in gfx::GLApiBase::glTexImage2DFn(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) /b/build/slave/ASAN_Release/build/src/out/Release/gen/ui/gl/gl_bindings_autogen_gl.cc:3283
    #12 0x84fa97e in gpu::gles2::TextureManager::CreateDefaultAndBlackTextures(unsigned int, unsigned int*) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/texture_manager.cc:922
    #13 0x84f975e in gpu::gles2::TextureManager::Initialize() /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/texture_manager.cc:881
    #14 0x83c6f4a in gpu::gles2::ContextGroup::Initialize(gpu::gles2::GLES2Decoder*, gpu::gles2::DisallowedFeatures const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/context_group.cc:240
    #15 0x83f3500 in gpu::gles2::GLES2DecoderImpl::Initialize(scoped_refptr<gfx::GLSurface> const&, scoped_refptr<gfx::GLContext> const&, bool, gfx::Size const&, gpu::gles2::DisallowedFeatures const&, std::vector<int, std::allocator<int> > const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:2257
    #16 0x7fd1a2e in content::GpuCommandBufferStub::OnInitialize(base::FileDescriptor, IPC::Message*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_command_buffer_stub.cc:499
    #17 0x7fe1018 in DispatchToMethod<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message *), base::FileDescriptor, IPC::Message &> /b/build/slave/ASAN_Release/build/src/out/Release/../../base/tuple.h:803
    #18 0x7fe1018 in bool IPC::SyncMessageSchema<Tuple1<base::FileDescriptor>, Tuple2<bool&, gpu::Capabilities&> >::DispatchDelayReplyWithSendParams<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*)>(bool, Tuple1<base::FileDescriptor> const&, IPC::Message const*, content::GpuCommandBufferStub*, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*)) /b/build/slave/ASAN_Release/build/src/out/Release/../../ipc/ipc_message_utils.h:845
    #19 0x7fce175 in DispatchDelayReply<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message *)> /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_messages.h:507
    #20 0x7fce175 in content::GpuCommandBufferStub::OnMessageReceived(IPC::Message const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_command_buffer_stub.cc:188
    #21 0x7f8a613 in content::MessageRouter::RouteMessage(IPC::Message const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/message_router.cc:49
    #22 0x7fb741f in content::GpuChannel::HandleMessage() /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_channel.cc:753
    #23 0x68df68 in Run /b/build/slave/ASAN_Release/build/src/out/Release/../../base/callback.h:401
    #24 0x68df68 in base::MessageLoop::RunTask(base::PendingTask const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:447
    #25 0x690554 in DeferOrRunPendingTask /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:459
    #26 0x690554 in base::MessageLoop::DoWork() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:573
    #27 0x69a46c in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_pump_default.cc:32
    #28 0x68cbab in base::MessageLoop::RunHandler() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:397
    #29 0x6c7584 in base::RunLoop::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/run_loop.cc:49
    #30 0x68aea2 in base::MessageLoop::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:290
    #31 0x6d8b8fe in content::GpuMain(content::MainFunctionParams const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/gpu/gpu_main.cc:343
    #32 0x5ef614 in content::RunNamedProcessTypeMain(std::string const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main_runner.cc:474
    #33 0x5f0ea7 in content::ContentMainRunnerImpl::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main_runner.cc:794
    #34 0x5ed6af in content::ContentMain(int, char const**, content::ContentMainDelegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main.cc:35
    #35 0x4b3c87 in main /b/build/slave/ASAN_Release/build/src/out/Release/../../content/shell/app/shell_main.cc:35
    #36 0x7f348cc6cde4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #37 0x4b3aec in _start (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-asan_linux-release/revisions/asan-linux-release-254392/content_shell+0x4b3aec)

0x603000018101 is located 0 bytes to the right of 1-byte region [0x603000018100,0x603000018101)
allocated by thread T0 (content_shell) here:
    #0 0x49c478 in __interceptor_posix_memalign /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:132
    #1 0x7f34821920fc in os_malloc_aligned /build/buildd/mesa-9.2.1/build/dri/src/gallium/drivers/llvmpipe/../../../../../../src/gallium/auxiliary/os/os_memory_stdc.h:58
    #2 0x7f34821920fc in alloc_image_data /build/buildd/mesa-9.2.1/build/dri/src/gallium/drivers/llvmpipe/../../../../../../src/gallium/drivers/llvmpipe/lp_texture.c:777

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:374 __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c067fffafd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffafe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffb020:[01]fa fa fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
  0x0c067fffb040: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c067fffb050: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fffb060: fa fa 00 00 00 00 fa fa fd fd fd fa fa fa fd fd
  0x0c067fffb070: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==3110==ABORTING
[3093:3093:0305/220856:13103432475:ERROR:command_buffer_proxy_impl.cc(160)] Could not send GpuCommandBufferMsg_Initialize.

Comment 1 GitLab Migration User 2019-09-18 20:17:27 UTC

-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/905.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.