https://bugs.freedesktop.org/show_bug.cgi?id=75814
            Bug ID: 75814
           Summary: Heap-buffer-overflow WRITE in memcpy_texture
           Product: Mesa
         Component: Other
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
    Classification: Unclassified
          Assignee: mesa-dev@lists.freedesktop.org
          Reporter: infe...@chromium.org

I am running into this when launching Chrome built with the AddressSanitizer memory debugging tool on Ubuntu Saucy.

=================================================================
==3110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000018101 at pc 0x4897f6 bp 0x7fff8f1918e0 sp 0x7fff8f191098
WRITE of size 4 at 0x603000018101 thread T0 (content_shell)
    #0 0x4897f5 in __interceptor_memcpy /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:374
    #1 0x7f3481c6a9f5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:51
    #2 0x7f3481c6a9f5 in memcpy_texture /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:960
    #3 0x7f3481c6fd84 in _mesa_texstore_memcpy /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:3855
    #4 0x7f3481c6fd84 in _mesa_texstore /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:3874
    #5 0x7f3481c70051 in store_texsubimage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:4022
    #6 0x7f348169f179 in st_TexSubImage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/state_tracker/st_cb_texture.c:789
    #7 0x7f348169fc02 in st_TexImage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/state_tracker/st_cb_texture.c:813
    #8 0x7f3481c5e8eb in teximage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/teximage.c:3166
    #9 0x7f3481c5fb5f in _mesa_TexImage2D /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/teximage.c:3205
    #10 0x85ca65e in gfx::(anonymous namespace)::CustomTexImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) /b/build/slave/ASAN_Release/build/src/out/Release/../../ui/gl/gl_gl_api_implementation.cc:131
    #11 0x85faba4 in gfx::GLApiBase::glTexImage2DFn(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) /b/build/slave/ASAN_Release/build/src/out/Release/gen/ui/gl/gl_bindings_autogen_gl.cc:3283
    #12 0x84fa97e in gpu::gles2::TextureManager::CreateDefaultAndBlackTextures(unsigned int, unsigned int*) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/texture_manager.cc:922
    #13 0x84f975e in gpu::gles2::TextureManager::Initialize() /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/texture_manager.cc:881
    #14 0x83c6f4a in gpu::gles2::ContextGroup::Initialize(gpu::gles2::GLES2Decoder*, gpu::gles2::DisallowedFeatures const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/context_group.cc:240
    #15 0x83f3500 in gpu::gles2::GLES2DecoderImpl::Initialize(scoped_refptr<gfx::GLSurface> const&, scoped_refptr<gfx::GLContext> const&, bool, gfx::Size const&, gpu::gles2::DisallowedFeatures const&, std::vector<int, std::allocator<int> > const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:2257
    #16 0x7fd1a2e in content::GpuCommandBufferStub::OnInitialize(base::FileDescriptor, IPC::Message*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_command_buffer_stub.cc:499
    #17 0x7fe1018 in DispatchToMethod<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message *), base::FileDescriptor, IPC::Message &> /b/build/slave/ASAN_Release/build/src/out/Release/../../base/tuple.h:803
    #18 0x7fe1018 in bool IPC::SyncMessageSchema<Tuple1<base::FileDescriptor>, Tuple2<bool&, gpu::Capabilities&> >::DispatchDelayReplyWithSendParams<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*)>(bool, Tuple1<base::FileDescriptor> const&, IPC::Message const*, content::GpuCommandBufferStub*, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*)) /b/build/slave/ASAN_Release/build/src/out/Release/../../ipc/ipc_message_utils.h:845
    #19 0x7fce175 in DispatchDelayReply<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message *)> /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_messages.h:507
    #20 0x7fce175 in content::GpuCommandBufferStub::OnMessageReceived(IPC::Message const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_command_buffer_stub.cc:188
    #21 0x7f8a613 in content::MessageRouter::RouteMessage(IPC::Message const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/message_router.cc:49
    #22 0x7fb741f in content::GpuChannel::HandleMessage() /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_channel.cc:753
    #23 0x68df68 in Run /b/build/slave/ASAN_Release/build/src/out/Release/../../base/callback.h:401
    #24 0x68df68 in base::MessageLoop::RunTask(base::PendingTask const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:447
    #25 0x690554 in DeferOrRunPendingTask /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:459
    #26 0x690554 in base::MessageLoop::DoWork() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:573
    #27 0x69a46c in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_pump_default.cc:32
    #28 0x68cbab in base::MessageLoop::RunHandler() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:397
    #29 0x6c7584 in base::RunLoop::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/run_loop.cc:49
    #30 0x68aea2 in base::MessageLoop::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:290
    #31 0x6d8b8fe in content::GpuMain(content::MainFunctionParams const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/gpu/gpu_main.cc:343
    #32 0x5ef614 in content::RunNamedProcessTypeMain(std::string const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main_runner.cc:474
    #33 0x5f0ea7 in content::ContentMainRunnerImpl::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main_runner.cc:794
    #34 0x5ed6af in content::ContentMain(int, char const**, content::ContentMainDelegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main.cc:35
    #35 0x4b3c87 in main /b/build/slave/ASAN_Release/build/src/out/Release/../../content/shell/app/shell_main.cc:35
    #36 0x7f348cc6cde4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #37 0x4b3aec in _start (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-asan_linux-release/revisions/asan-linux-release-254392/content_shell+0x4b3aec)

0x603000018101 is located 0 bytes to the right of 1-byte region [0x603000018100,0x603000018101)
allocated by thread T0 (content_shell) here:
    #0 0x49c478 in __interceptor_posix_memalign /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:132
    #1 0x7f34821920fc in os_malloc_aligned /build/buildd/mesa-9.2.1/build/dri/src/gallium/drivers/llvmpipe/../../../../../../src/gallium/auxiliary/os/os_memory_stdc.h:58
    #2 0x7f34821920fc in alloc_image_data /build/buildd/mesa-9.2.1/build/dri/src/gallium/drivers/llvmpipe/../../../../../../src/gallium/drivers/llvmpipe/lp_texture.c:777

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:374 __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c067fffafd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffafe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffb020:[01]fa fa fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
  0x0c067fffb040: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c067fffb050: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fffb060: fa fa 00 00 00 00 fa fa fd fd fd fa fa fa fd fd
  0x0c067fffb070: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==3110==ABORTING
[3093:3093:0305/220856:13103432475:ERROR:command_buffer_proxy_impl.cc(160)] Could not send GpuCommandBufferMsg_Initialize.
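What the trace pins down is the shape of the bug, not its root cause: alloc_image_data in llvmpipe sized the heap region at 1 byte, and the memcpy fast path under _mesa_texstore_memcpy then wrote 4 bytes into it, so the copy and the allocation disagreed about how large the image was. The C program below is an added example, not Mesa's code and not a fix for this report; it models that class of bug with a hypothetical `struct image` that carries its allocation size, puts an unchecked row copy beside a checked one that refuses to run past the allocation, and reproduces the report's shape (a 1x1 texel stored into a 1-byte region at 4 bytes per texel) with constructed input. All type and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical texture image record: the allocation's real size travels
 * with the pointer so the copy can be checked against it. */
struct image {
    uint8_t *data;
    size_t   capacity;   /* bytes actually allocated for data */
    size_t   row_stride; /* bytes from one destination row to the next */
};

/* Size storage from the allocator's own idea of the texel size (alloc_bpp),
 * as the trace's alloc_image_data sized a 1-byte region. Nothing ties this
 * number to the bpp the copy below uses; that gap is the bug class. */
static int image_alloc(struct image *img, unsigned width, unsigned height,
                       unsigned alloc_bpp)
{
    if (alloc_bpp == 0 || width == 0 || height == 0) return -1;
    if (width > SIZE_MAX / alloc_bpp) return -1;
    img->row_stride = (size_t)width * alloc_bpp;
    if (height > SIZE_MAX / img->row_stride) return -1;
    img->capacity = img->row_stride * height;
    img->data = calloc(1, img->capacity);
    return img->data ? 0 : -1;
}

/* Shape of the memcpy fast path: trusts the caller's bpp and copies
 * width*bpp bytes per row. With bpp 4 into a 1-byte region this is the
 * "WRITE of size 4" ASan reported; call it only when the sizes agree. */
void texstore_memcpy_unchecked(struct image *dst, const uint8_t *src,
                               size_t src_stride, unsigned width,
                               unsigned height, unsigned bpp)
{
    size_t row_bytes = (size_t)width * bpp;
    for (unsigned y = 0; y < height; y++)
        memcpy(dst->data + y * dst->row_stride, src + y * src_stride, row_bytes);
}

/* Hardened form: compute the last byte the copy will touch with
 * overflow-safe arithmetic and refuse when it lies outside the allocation. */
int texstore_memcpy_checked(struct image *dst, const uint8_t *src,
                            size_t src_stride, unsigned width,
                            unsigned height, unsigned bpp)
{
    size_t row_bytes, needed;

    if (width == 0 || height == 0) return 0;               /* nothing to copy */
    if (bpp == 0 || width > SIZE_MAX / bpp) return -1;     /* width*bpp overflows */
    row_bytes = (size_t)width * bpp;
    if (row_bytes > dst->row_stride) return -1;            /* row wider than stride */
    if ((size_t)height - 1 > (SIZE_MAX - row_bytes) / dst->row_stride) return -1;
    needed = (size_t)(height - 1) * dst->row_stride + row_bytes;
    if (needed > dst->capacity) return -1;                 /* the reported case */
    for (unsigned y = 0; y < height; y++)
        memcpy(dst->data + y * dst->row_stride, src + y * src_stride, row_bytes);
    return 0;
}

/* Constructed input: one opaque black RGBA8 texel. */
static const uint8_t kBlackTexel[4] = { 0x00, 0x00, 0x00, 0xff };

/* The report's shape: region sized at 1 byte, store asked for 4 bytes per
 * texel. The checked path refuses and returns -1 instead of overflowing. */
int demo_mismatch(void)
{
    struct image img;
    int rc;
    if (image_alloc(&img, 1, 1, 1) != 0) return -2;
    rc = texstore_memcpy_checked(&img, kBlackTexel, 4, 1, 1, 4);
    free(img.data);
    return rc;
}

/* Allocation and copy agree on 4 bytes per texel: both paths are safe and
 * the texel lands in the image. Returns 0. */
int demo_consistent(void)
{
    struct image img;
    int rc;
    if (image_alloc(&img, 1, 1, 4) != 0) return -2;
    texstore_memcpy_unchecked(&img, kBlackTexel, 4, 1, 1, 4);
    rc = texstore_memcpy_checked(&img, kBlackTexel, 4, 1, 1, 4);
    if (rc == 0 && memcmp(img.data, kBlackTexel, 4) != 0) rc = -3;
    free(img.data);
    return rc;
}

/* Same check against a height mismatch: a 4-wide RGBA8 image with alloc_rows
 * rows, asked to store copy_rows rows of zeroed source. 0 only if it fits. */
int demo_rows(unsigned alloc_rows, unsigned copy_rows)
{
    struct image img;
    uint8_t *src;
    int rc;
    if (image_alloc(&img, 4, alloc_rows, 4) != 0) return -2;
    src = calloc(copy_rows, 16);
    if (!src) { free(img.data); return -2; }
    rc = texstore_memcpy_checked(&img, src, 16, 4, copy_rows, 4);
    free(src);
    free(img.data);
    return rc;
}

int main(void)
{
    printf("1-byte region, 4-byte texel: rc=%d\n", demo_mismatch());
    printf("consistent sizes:            rc=%d\n", demo_consistent());
    printf("3 rows into a 2-row image:   rc=%d\n", demo_rows(2, 3));
    return 0;
}
```

Compiling this with -fsanitize=address and replacing the checked call in demo_mismatch with the unchecked one reproduces the same "WRITE of size 4 ... 0 bytes to the right of 1-byte region" diagnostic as the report; the checked version turns that into an error return the caller can surface as GL_OUT_OF_MEMORY or similar instead of a heap write.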
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev