Heap-buffer-overflow WRITE in memcpy_texture
Submitted by Abhishek Arya
Assigned to mes..@..op.org
Description
I am running into this when launching chrome built with AddressSanitizer memory debugging tool on Ubuntu Saucy.
=================================================================
==3110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000018101 at pc 0x4897f6 bp 0x7fff8f1918e0 sp 0x7fff8f191098
WRITE of size 4 at 0x603000018101 thread T0 (content_shell)
#0 0x4897f5 in __interceptor_memcpy /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:374
#1 0x7f3481c6a9f5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:51
#2 0x7f3481c6a9f5 in memcpy_texture /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:960
#3 0x7f3481c6fd84 in _mesa_texstore_memcpy /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:3855
#4 0x7f3481c6fd84 in _mesa_texstore /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:3874
#5 0x7f3481c70051 in store_texsubimage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/texstore.c:4022
#6 0x7f348169f179 in st_TexSubImage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/state_tracker/st_cb_texture.c:789
#7 0x7f348169fc02 in st_TexImage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/state_tracker/st_cb_texture.c:813
#8 0x7f3481c5e8eb in teximage /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/teximage.c:3166
#9 0x7f3481c5fb5f in _mesa_TexImage2D /build/buildd/mesa-9.2.1/build/dri/src/mesa/libdricore/../../../../../src/mesa/main/teximage.c:3205
#10 0x85ca65e in gfx::(anonymous namespace)::CustomTexImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) /b/build/slave/ASAN_Release/build/src/out/Release/../../ui/gl/gl_gl_api_implementation.cc:131
#11 0x85faba4 in gfx::GLApiBase::glTexImage2DFn(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*) /b/build/slave/ASAN_Release/build/src/out/Release/gen/ui/gl/gl_bindings_autogen_gl.cc:3283
#12 0x84fa97e in gpu::gles2::TextureManager::CreateDefaultAndBlackTextures(unsigned int, unsigned int*) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/texture_manager.cc:922
#13 0x84f975e in gpu::gles2::TextureManager::Initialize() /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/texture_manager.cc:881
#14 0x83c6f4a in gpu::gles2::ContextGroup::Initialize(gpu::gles2::GLES2Decoder*, gpu::gles2::DisallowedFeatures const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/context_group.cc:240
#15 0x83f3500 in gpu::gles2::GLES2DecoderImpl::Initialize(scoped_refptr<gfx::GLSurface> const&, scoped_refptr<gfx::GLContext> const&, bool, gfx::Size const&, gpu::gles2::DisallowedFeatures const&, std::vector<int, std::allocator<int> > const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../gpu/command_buffer/service/gles2_cmd_decoder.cc:2257
#16 0x7fd1a2e in content::GpuCommandBufferStub::OnInitialize(base::FileDescriptor, IPC::Message*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_command_buffer_stub.cc:499
#17 0x7fe1018 in DispatchToMethod<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*), base::FileDescriptor, IPC::Message*&> /b/build/slave/ASAN_Release/build/src/out/Release/../../base/tuple.h:803
#18 0x7fe1018 in bool IPC::SyncMessageSchema<Tuple1<base::FileDescriptor>, Tuple2<bool&, gpu::Capabilities&> >::DispatchDelayReplyWithSendParams<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*)>(bool, Tuple1<base::FileDescriptor> const&, IPC::Message const*, content::GpuCommandBufferStub*, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*)) /b/build/slave/ASAN_Release/build/src/out/Release/../../ipc/ipc_message_utils.h:845
#19 0x7fce175 in DispatchDelayReply<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(base::FileDescriptor, IPC::Message*)> /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_messages.h:507
#20 0x7fce175 in content::GpuCommandBufferStub::OnMessageReceived(IPC::Message const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_command_buffer_stub.cc:188
#21 0x7f8a613 in content::MessageRouter::RouteMessage(IPC::Message const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/message_router.cc:49
#22 0x7fb741f in content::GpuChannel::HandleMessage() /b/build/slave/ASAN_Release/build/src/out/Release/../../content/common/gpu/gpu_channel.cc:753
#23 0x68df68 in Run /b/build/slave/ASAN_Release/build/src/out/Release/../../base/callback.h:401
#24 0x68df68 in base::MessageLoop::RunTask(base::PendingTask const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:447
#25 0x690554 in DeferOrRunPendingTask /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:459
#26 0x690554 in base::MessageLoop::DoWork() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:573
#27 0x69a46c in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_pump_default.cc:32
#28 0x68cbab in base::MessageLoop::RunHandler() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:397
#29 0x6c7584 in base::RunLoop::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/run_loop.cc:49
#30 0x68aea2 in base::MessageLoop::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../base/message_loop/message_loop.cc:290
#31 0x6d8b8fe in content::GpuMain(content::MainFunctionParams const&) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/gpu/gpu_main.cc:343
#32 0x5ef614 in content::RunNamedProcessTypeMain(std::string const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main_runner.cc:474
#33 0x5f0ea7 in content::ContentMainRunnerImpl::Run() /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main_runner.cc:794
#34 0x5ed6af in content::ContentMain(int, char const**, content::ContentMainDelegate*) /b/build/slave/ASAN_Release/build/src/out/Release/../../content/app/content_main.cc:35
#35 0x4b3c87 in main /b/build/slave/ASAN_Release/build/src/out/Release/../../content/shell/app/shell_main.cc:35
#36 0x7f348cc6cde4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
#37 0x4b3aec in _start (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-asan_linux-release/revisions/asan-linux-release-254392/content_shell+0x4b3aec)
0x603000018101 is located 0 bytes to the right of 1-byte region [0x603000018100,0x603000018101)
allocated by thread T0 (content_shell) here:
#0 0x49c478 in __interceptor_posix_memalign /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:132
#1 0x7f34821920fc in os_malloc_aligned /build/buildd/mesa-9.2.1/build/dri/src/gallium/drivers/llvmpipe/../../../../../../src/gallium/auxiliary/os/os_memory_stdc.h:58
#2 0x7f34821920fc in alloc_image_data /build/buildd/mesa-9.2.1/build/dri/src/gallium/drivers/llvmpipe/../../../../../../src/gallium/drivers/llvmpipe/lp_texture.c:777
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/work/chromium/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:374 __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c067fffafd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffafe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffb020:[01]fa fa fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
  0x0c067fffb040: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c067fffb050: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fffb060: fa fa 00 00 00 00 fa fa fd fd fd fa fa fa fd fd
  0x0c067fffb070: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==3110==ABORTING
[3093:3093:0305/220856:13103432475:ERROR:command_buffer_proxy_impl.cc(160)] Could not send GpuCommandBufferMsg_Initialize.
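Decoding the shadow dump in the report, as an added example that is not part of the original report nor of Mesa or Chromium code: the script below maps the faulting address to its shadow byte, interprets the `[01]` value using the legend ASan printed, and checks each byte of the 4-byte write. It assumes ASan's default x86_64 Linux mapping `Shadow = (Mem >> 3) + 0x7fff8000` (the offset is ASan's documented default, not something the report states), and the `SHADOW_DUMP` rows are copied from the report above. The last check also assumes the memcpy interceptor reports the first poisoned byte of the whole range it checked, which is why a 4-byte copy into the 1-byte region at 0x603000018100 shows up as a write "at 0x603000018101".

```python
# Added example, not code from the original bug report or from Mesa/Chromium.
# Decodes AddressSanitizer shadow bytes for the heap-buffer-overflow above.
# Assumption: default x86_64 Linux ASan mapping Shadow = (Mem >> 3) + 0x7fff8000.

SHADOW_SCALE = 3            # one shadow byte describes 2**3 = 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # default x86_64 Linux shadow offset (assumed)
GRANULE = 1 << SHADOW_SCALE

# Special shadow values, taken from the legend ASan printed in the report.
SHADOW_LEGEND = {
    0xFA: "heap left redzone", 0xFB: "heap right redzone", 0xFD: "freed heap region",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone", 0xF3: "stack right redzone",
    0xF4: "stack partial redzone", 0xF5: "stack after return", 0xF8: "stack use after scope",
    0xF9: "global redzone", 0xF6: "global init order", 0xF7: "poisoned by user",
    0xFC: "contiguous container OOB", 0xFE: "ASan internal",
}

# Constructed input: the three shadow rows around the faulting address, copied from the report.
SHADOW_DUMP = """
  0x0c067fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffb020:[01]fa fa fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
"""


def shadow_addr(mem):
    """Map an application address to the address of the shadow byte covering it."""
    return (mem >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_shadow_dump(text):
    """Parse ASan's 'Shadow bytes around the buggy address' rows into {row_addr: [16 ints]}."""
    rows = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("=>"):          # marker on the row holding the bad address
            line = line[2:]
        addr_str, _, rest = line.partition(":")
        values = rest.replace("[", " ").replace("]", " ").split()  # "[01]fa" -> "01 fa"
        rows[int(addr_str, 16)] = [int(v, 16) for v in values]
    return rows


def describe(byte):
    """Meaning of one shadow byte, following the legend in the report."""
    if byte == 0:
        return "addressable"
    if 1 <= byte < GRANULE:
        return f"partially addressable (first {byte} of {GRANULE} bytes)"
    return SHADOW_LEGEND.get(byte, f"unknown 0x{byte:02x}")


def byte_is_poisoned(mem, shadow_byte):
    """Poison test for one application byte: a value k in 1..7 means only the first k
    bytes of the 8-byte granule are valid; the 0xfX codes poison the whole granule."""
    if shadow_byte == 0:
        return False
    if shadow_byte < GRANULE:
        return (mem & (GRANULE - 1)) >= shadow_byte
    return True


def check_access(addr, size, rows):
    """Check every byte of a `size`-byte access at `addr` against the parsed dump.
    Returns a list of (byte_address, shadow_byte, poisoned)."""
    out = []
    for mem in range(addr, addr + size):
        s = shadow_addr(mem)
        row = rows[s & ~0xF]              # rows are printed 16 shadow bytes at a time
        sb = row[s & 0xF]
        out.append((mem, sb, byte_is_poisoned(mem, sb)))
    return out


def first_bad_byte(addr, size, rows):
    """Address of the first poisoned byte in the access, or None if the access is clean."""
    for mem, _, poisoned in check_access(addr, size, rows):
        if poisoned:
            return mem
    return None


if __name__ == "__main__":
    rows = parse_shadow_dump(SHADOW_DUMP)
    fault = 0x603000018101
    print(f"shadow byte of 0x{fault:x} lives at 0x{shadow_addr(fault):x}")
    for mem, sb, poisoned in check_access(fault, 4, rows):
        state = "POISONED" if poisoned else "ok"
        print(f"0x{mem:x}: shadow 0x{sb:02x} ({describe(sb)}) -> {state}")
    # A 4-byte copy that starts at the 1-byte region's base first goes bad at +1.
    print(f"first bad byte of memcpy(0x{fault - 1:x}, 4): 0x{first_bad_byte(fault - 1, 4, rows):x}")
```

Run as is, the script prints the shadow address `0x0c067fffb020` (matching the `=>` row in the report) and flags all four bytes of the write as poisoned because the shadow value `01` leaves only offset 0 of that granule addressable, which is exactly the 1-byte `alloc_image_data` region.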