|
|
Chromium Code Reviews|
Created:
4 years, 1 month ago by Kai Ninomiya Modified:
4 years, 1 month ago CC:
chromium-reviews, piman+watch_chromium.org Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
Descriptioncommand buffer: audit validation of ES3 commands (part 3)
Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to
'feature_info_->IsWebGL2OrES3Context()' on the newly audited commands.
BUG=654787
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Committed: https://crrev.com/11c1b392ed36430a40e36a1886e6c672137e468c
Cr-Commit-Position: refs/heads/master@{#429059}
Patch Set 1 #
Total comments: 2
Patch Set 2 : resolve a problem thanks to feedback #
Messages
Total messages: 33 (24 generated)
Description was changed from ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context' on the newly audited commands. BUG=654787 ========== to ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context' on the newly audited commands. BUG=654787 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel ==========
The CQ bit was checked by kainino@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: mac_optional_gpu_tests_rel on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_optional_gpu_...)
The CQ bit was checked by kainino@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by kainino@chromium.org
https://codereview.chromium.org/2470623002/diff/1/gpu/command_buffer/service/... File gpu/command_buffer/service/gles2_cmd_decoder.cc (right): https://codereview.chromium.org/2470623002/diff/1/gpu/command_buffer/service/... gpu/command_buffer/service/gles2_cmd_decoder.cc:17349: // TODO(kainino): should add a test for this code if it's kept Need to resolve this before committing.
The CQ bit was checked by kainino@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Description was changed from ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context' on the newly audited commands. BUG=654787 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel ========== to ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context()' on the newly audited commands. BUG=654787 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel ==========
piman@chromium.org changed reviewers: + piman@chromium.org
https://codereview.chromium.org/2470623002/diff/1/gpu/command_buffer/service/... File gpu/command_buffer/service/gles2_cmd_decoder.cc (right): https://codereview.chromium.org/2470623002/diff/1/gpu/command_buffer/service/... gpu/command_buffer/service/gles2_cmd_decoder.cc:17351: samples.size(), static_cast<size_t>(result->GetNumResults())); Drive-by: you don't want to read result->GetNumResults(), it's not set yet (set on l.17364) and even if it was set, it would be a security issue. |result| resides in shared memory, which is writable by the client. The (untrusted) client could race and modify this value between when it's set and when it's read here, meaning we would use a totally untrusted value. You can use num_values instead. But then again, samples.size() == num_values in the GL_SAMPLES case, so this logic is not needed. The code on l.17332 made sure the result contains space for num_values entries.
On 2016/11/01 02:38:15, piman wrote: > https://codereview.chromium.org/2470623002/diff/1/gpu/command_buffer/service/... > File gpu/command_buffer/service/gles2_cmd_decoder.cc (right): > > https://codereview.chromium.org/2470623002/diff/1/gpu/command_buffer/service/... > gpu/command_buffer/service/gles2_cmd_decoder.cc:17351: samples.size(), > static_cast<size_t>(result->GetNumResults())); > Drive-by: you don't want to read result->GetNumResults(), it's not set yet (set > on l.17364) and even if it was set, it would be a security issue. > > |result| resides in shared memory, which is writable by the client. The > (untrusted) client could race and modify this value between when it's set and > when it's read here, meaning we would use a totally untrusted value. > > You can use num_values instead. But then again, samples.size() == num_values in > the GL_SAMPLES case, so this logic is not needed. > The code on l.17332 made sure the result contains space for num_values entries. Thanks piman! That resolves my question of whether it was needed.
The CQ bit was unchecked by kainino@chromium.org
The CQ bit was checked by kainino@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by kainino@chromium.org
The CQ bit was checked by kainino@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
lgtm
kainino@chromium.org changed reviewers: + zmo@chromium.org
zmo, PTAL as well
On 2016/11/01 17:59:14, Kai Ninomiya wrote: > zmo, PTAL as well lgtm
The CQ bit was checked by kainino@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Description was changed from ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context()' on the newly audited commands. BUG=654787 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel ========== to ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context()' on the newly audited commands. BUG=654787 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel ==========
Message was sent while issue was closed.
Committed patchset #2 (id:20001)
Message was sent while issue was closed.
Description was changed from ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context()' on the newly audited commands. BUG=654787 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel ========== to ========== command buffer: audit validation of ES3 commands (part 3) Add some validation, and switch the gating from 'unsafe_es3_apis_enabled()' to 'feature_info_->IsWebGL2OrES3Context()' on the newly audited commands. BUG=654787 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Committed: https://crrev.com/11c1b392ed36430a40e36a1886e6c672137e468c Cr-Commit-Position: refs/heads/master@{#429059} ==========
Message was sent while issue was closed.
Patchset 2 (id:??) landed as https://crrev.com/11c1b392ed36430a40e36a1886e6c672137e468c Cr-Commit-Position: refs/heads/master@{#429059} |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
