
Stack Exhaustion in WGSL Frontend #5757

Open
MageWeiG opened this issue May 30, 2024 · 16 comments · May be fixed by #6885
Labels: area: naga front-end; lang: WGSL (WebGPU Shading Language); naga (Shader Translator); type: bug (Something isn't working)

Comments

@MageWeiG

MageWeiG commented May 30, 2024

[edit by @jimblandy: This has been reported as CVE-2024-36761.]

When I was using oss-fuzz to test the fuzzer wgsl_parser in my project, I found a stack overflow vulnerability that could trigger a crash by typing enough '(' into the fuzzer.
The crash information is as follows:

=================================================================
==132416==ERROR: AddressSanitizer: stack-overflow on address 0x7fffadaa5ee0 (pc 0x555b4f7ab900 bp 0x7fffadaa64f0 sp 0x7fffadaa5ee0 T0)
    #0 0x555b4f7ab900 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::hdfb95f1d26727453 /src/wgpu/naga/src/front/wgsl/parse/mod.rs
    #1 0x555b4f79f7f4 in naga::front::wgsl::parse::Parser::equality_expression::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h66c0fcfdc30242ae /src/wgpu/naga/src/front/wgsl/parse/mod.rs:827:33
    #2 0x555b4f79f7f4 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::h07c27e2bbcec7139 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #3 0x555b4f7a39d0 in naga::front::wgsl::parse::Parser::equality_expression::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h1ad4b0db731fddaf /src/wgpu/naga/src/front/wgsl/parse/mod.rs:814:25
    #4 0x555b4f7a39d0 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::h5c45e4063eb5f655 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #5 0x555b4f7a7bc4 in naga::front::wgsl::parse::Parser::equality_expression::_$u7b$$u7b$closure$u7d$$u7d$::h111b4739c2a0ae77 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:803:17
    #6 0x555b4f7a7bc4 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::hc5c8f4d9459bbd82 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #7 0x555b4f7a5049 in naga::front::wgsl::parse::Parser::equality_expression::h33d0d8cf0e8fbcb6 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:794:9
    #8 0x555b4f7a5049 in naga::front::wgsl::parse::Parser::general_expression_with_span::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h1a4180951f20a413 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:923:49
    #9 0x555b4f7a5049 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::h5f17ceea535d3071 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #10 0x555b4f7aa769 in naga::front::wgsl::parse::Parser::general_expression_with_span::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h009cb1660fd1d197 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:914:41
    #11 0x555b4f7aa769 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::hdd8fd162d8ed00ff /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #12 0x555b4f7a2409 in naga::front::wgsl::parse::Parser::general_expression_with_span::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h55d826ced51e0164 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:904:33
    #13 0x555b4f7a2409 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::h35ddc307bce0ceb0 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #14 0x555b4f7a65f9 in naga::front::wgsl::parse::Parser::general_expression_with_span::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h1ab282502cd47b27 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:896:25
    #15 0x555b4f7a65f9 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::h6e55776d754ff865 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #16 0x555b4f7a91b9 in naga::front::wgsl::parse::Parser::general_expression_with_span::_$u7b$$u7b$closure$u7d$$u7d$::h6c989bb92b53e79c /src/wgpu/naga/src/front/wgsl/parse/mod.rs:888:17
    #17 0x555b4f7a91b9 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::hd580949c24cf7bb8 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #18 0x555b4f7cf542 in naga::front::wgsl::parse::Parser::general_expression_with_span::hcc90cbee76e0cc50 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:880:22
    #19 0x555b4f7cf542 in naga::front::wgsl::parse::Parser::general_expression::h24c377b05d599ba6 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:869:9
    #20 0x555b4f7c429b in naga::front::wgsl::parse::Parser::primary_expression::h746864ee7f9c87ae /src/wgpu/naga/src/front/wgsl/parse/mod.rs:618:28
    #21 0x555b4f7cdba8 in naga::front::wgsl::parse::Parser::singular_expression::h5c3de80f367a39e0 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:781:28
    #22 0x555b4f7ca423 in naga::front::wgsl::parse::Parser::unary_expression::h684e82ebbf0571d6 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:766:18
    #23 0x555b4f7a0e04 in naga::front::wgsl::parse::Parser::equality_expression::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::ha1ecfa7432ce2a18 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:852:62
    #24 0x555b4f7a0e04 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::h11097d75ca1d4c90 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
    #25 0x555b4f7abd37 in naga::front::wgsl::parse::Parser::equality_expression::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h0b29f2891687a004 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:838:41
    #26 0x555b4f7abd37 in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::hdfb95f1d26727453 /src/wgpu/naga/src/front/wgsl/parse/mod.rs:69:31
   ... (frames #27 through #457 repeat the same cycle of frames shown above) ...

SUMMARY: AddressSanitizer: stack-overflow /src/wgpu/naga/src/front/wgsl/parse/mod.rs in naga::front::wgsl::parse::ExpressionContext::parse_binary_op::hdfb95f1d26727453
==132416==ABORTING

Attached is the test sample: crash.zip

@jimblandy
Member

@MageWeiG Thank you for filing this.

Why isn't the Rust stack sentinel catching this overflow?

@jimblandy
Member

How does Naga behave if you feed it the sample without ASAN turned on?

Given that Rust enables stack probes by default on all tier 1 platforms, I suspect that ASAN is just catching the problem right before Rust would do so anyway.

@jimblandy
Member

Here's what I get:

$ unzip crash.zip
Archive:  crash.zip
  inflating: crash                   
$ mv crash crash.wgsl
$ naga crash.wgsl
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.09s
     Running `/home/jimb/rust/wgpu/target/debug/naga crash.wgsl`

thread 'main' has overflowed its stack
fatal runtime error: stack overflow
Aborted (core dumped)
$ 

@jimblandy
Member

jimblandy commented May 30, 2024

I'm confident this is not exploitable.

  • It's always been my understanding that Rust checks for stack overflow, because overflows are exploitable.

  • I can reproduce the reporter's crash when I build with ASAN and feed Naga the given test case.

  • Doing the same without ASAN gives a Rust stack probe abort, as shown in my previous comment. Here is the code in the standard library that prints this message:

        // If the faulting address is within the guard page, then we print a
        // message saying so and abort.
        if start <= addr && addr < end {
            rtprintpanic!(
                "\nthread '{}' has overflowed its stack\n",
                thread::current().name().unwrap_or("<unknown>")
            );
            rtabort!("stack overflow");

  • To be absolutely sure, I wrote a C program that blows its stack. It crashes with a segmentation fault, not the message above.

However, it is a bug that Naga blows its stack: it should return an error. It's just not a vulnerability.
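The behaviour jimblandy asks for (return an error instead of exhausting the stack) in a small recursive-descent parser, as an added example that is not Naga's code: every '(' recurses from the term rule back into the expression rule, the same shape as the repeating frames in the report above, and a depth counter turns that unbounded recursion into a structured error. Parser, ParseError and MAX_DEPTH are names chosen for this example.

```rust
// Added example, not Naga's code: a recursive-descent parser for
// "number | ( expr ) | expr + expr" with a nesting-depth limit. Each '('
// recurses term() -> expr() -> term(); the depth counter makes that
// recursion return ParseError::TooDeep instead of overflowing the stack.
// Parser, ParseError and MAX_DEPTH are names chosen for this example.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Nesting exceeded MAX_DEPTH: the failure mode this parser defends against.
    TooDeep { depth: usize },
    UnexpectedEnd,
    Unexpected(char),
    BadNumber,
}

/// Maximum nesting of parentheses accepted. 64 is a constructed limit for the
/// example; a real front end would size it to the stack budget it can rely on.
pub const MAX_DEPTH: usize = 64;

pub struct Parser<'a> {
    src: &'a [u8],
    pos: usize,
    depth: usize,
}

impl<'a> Parser<'a> {
    pub fn new(src: &'a str) -> Self {
        Parser { src: src.as_bytes(), pos: 0, depth: 0 }
    }

    fn peek(&self) -> Option<u8> {
        self.src.get(self.pos).copied()
    }

    fn skip_ws(&mut self) {
        while matches!(self.peek(), Some(b' ' | b'\t' | b'\n')) {
            self.pos += 1;
        }
    }

    /// expr := term ('+' term)*
    fn expr(&mut self) -> Result<i64, ParseError> {
        let mut acc = self.term()?;
        loop {
            self.skip_ws();
            if self.peek() != Some(b'+') {
                return Ok(acc);
            }
            self.pos += 1;
            acc = acc.checked_add(self.term()?).ok_or(ParseError::BadNumber)?;
        }
    }

    /// term := NUMBER | '(' expr ')'
    fn term(&mut self) -> Result<i64, ParseError> {
        self.skip_ws();
        match self.peek() {
            Some(b'(') => {
                // The check an unbounded recursive-descent parser lacks.
                if self.depth >= MAX_DEPTH {
                    return Err(ParseError::TooDeep { depth: self.depth + 1 });
                }
                self.depth += 1;
                self.pos += 1;
                let v = self.expr()?;
                self.skip_ws();
                match self.peek() {
                    Some(b')') => self.pos += 1,
                    Some(c) => return Err(ParseError::Unexpected(c as char)),
                    None => return Err(ParseError::UnexpectedEnd),
                }
                self.depth -= 1;
                Ok(v)
            }
            Some(c) if c.is_ascii_digit() => {
                let start = self.pos;
                while matches!(self.peek(), Some(d) if d.is_ascii_digit()) {
                    self.pos += 1;
                }
                let text = std::str::from_utf8(&self.src[start..self.pos]).unwrap();
                text.parse::<i64>().map_err(|_| ParseError::BadNumber)
            }
            Some(c) => Err(ParseError::Unexpected(c as char)),
            None => Err(ParseError::UnexpectedEnd),
        }
    }
}

/// Parse and evaluate a whole input, rejecting trailing characters.
pub fn parse(src: &str) -> Result<i64, ParseError> {
    let mut p = Parser::new(src);
    let v = p.expr()?;
    p.skip_ws();
    match p.peek() {
        None => Ok(v),
        Some(c) => Err(ParseError::Unexpected(c as char)),
    }
}
```

Feeding `parse` a constructed input of 100,000 '(' returns `Err(TooDeep { depth: 65 })` after 64 frames instead of aborting the process.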

@SludgePhD
Contributor

SludgePhD commented May 30, 2024

It's always been my understanding that Rust checks for stack overflow, because overflows are exploitable.

This is correct. The vulnerability is at worst a DoS.

EDIT: (this is only the case with standalone Rust executables, when linking this into C code the story is different)

@dangrazh

dangrazh commented Jan 1, 2025

This issue is still open as a critical security vulnerability with a rating of 9.8 out of 10 as per https://nvd.nist.gov/vuln/detail/CVE-2024-36761. This prevents using anything wgpu based in a corporate context where libraries are scanned against open vulnerabilities on nvd.nist.gov.

Is there a way you can either correct the CVSS (Version 3) rating of this CVE or fix issue #5759 please? As we stand today, this issue prevents usage of Rust for UI development in large corporations which do rely on nvd.nist.gov.

Thanks!

@cwfitzgerald
Member

I have no idea how we would even do this to change the vulnerability on nist. This would only affect untrusted shaders.

@cwfitzgerald cwfitzgerald reopened this Jan 2, 2025
@github-project-automation github-project-automation bot moved this from Done to In Progress in WebGPU for Firefox Jan 2, 2025
@dangrazh

dangrazh commented Jan 4, 2025

Regarding the vulnerability rating, I did some digging on the nist nvd side and found the following:

I am more than happy to submit the request, but to do so I need to better understand the nature of the exposure, in particular the "Attack Vector", "Attack Complexity" and "Privileges Required" dimensions.

Currently the vulnerability is rated as AV: Network (i.e. remote executable), AC: Low (quote from CVSS Calculator "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.") and PR: None. Is this really an accurate assessment of the situation? This would mean that anybody with a network connection to a system running naga, without any privileges on that system would be able to exploit the vulnerability with repeatable results. From what I understand from the comments in this issue, that does not seem to be the case?

@jimblandy
Member

The severity doesn't make sense. I'll take care of requesting a rescore.

@jimblandy
Member

@dangrazh From playing with the calculator, it seems like the "confidentiality" and "integrity" impact of this bug is minimal. Changing those to "None" lowers the rating to 7.5.

I'm not sure that is going to reassure anyone. This is not a hard bug to fix, it's just dumb. So maybe the best course is just to go ahead and fix it, even though it's not actually putting anyone at risk.

@dangrazh

dangrazh commented Jan 6, 2025

@jimblandy I would agree, if it is a relatively simple bug to fix, fixing the bug and closing the CVE based on that is certainly the best course of action. Thanks for getting back on this one!

@jimblandy
Member

jimblandy commented Jan 7, 2025

For the record, I've filed a request with the National Vulnerability Database to have this reclassified:

Subject: CVE-2024-36761 has no impact on Confidentiality or Integrity

CVE-2024-36761 has a CVSS base score of 9.8. However, because the exploit in question is caught by Rust's stack overflow checks and results in a clean shutdown of the process, the exploit cannot be used to expose user information or damage the integrity of the program. Lowering the "Confidentiality Impact" and "Integrity Impact" to "None" is appropriate. This would lower the CVSS 3.1 rating to 7.5.

The weakness enumeration of CWE-787, "Out-of-bounds Write", is also misleading. In the standard configuration, Rust includes stack overflow checks, causing the program to abort before any out-of-bounds memory is modified.

Although it's true that simply running Naga does not open one up to network attacks, I didn't challenge the "Network" attack vector because, in the case of Firefox, we do actually pass untrusted data from the network to Naga. This would also be true of someone running some sort of shader playground or some web app that let people write their own shaders.

@dveditz

dveditz commented Jan 7, 2025

> It's always been my understanding that Rust checks for stack overflow, because overflows are exploitable.

I encourage the term "stack exhaustion" because the other term is commonly misinterpreted as "stack BUFFER overflow" -- a different kettle of fish entirely.

> To be absolutely sure, I wrote a C program that blows its stack. It crashes with a segmentation fault, not the message above.

On Windows it would result in EXCEPTION_STACK_OVERFLOW and is not exploitable. In rare cases stack exhaustion might be exploitable if the program (or even Windows APIs, in some cases) catches the exception and mishandles it: https://www.blackhat.com/presentations/bh-usa-07/Dowd_McDonald_and_Mehta/Whitepaper/bh-usa-07-dowd_mcdonald_and_mehta.pdf

@dveditz

dveditz commented Jan 7, 2025

@jimblandy I think it's even lower than 7.5.

  • user interaction is required ("convincing a user to click on a link" to go to the attack page)
  • confidentiality and integrity are "none" as you said.
  • availability impact is low because it's not sustained

This brings it down to 4.3: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L&version=3.1

Still seems too high to me, but CVSS is structured for sites and services and isn't great for client programs.
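The three base scores quoted in this thread (9.8 as published, 7.5 with Confidentiality and Integrity set to None, and 4.3 with User Interaction: Required and Availability: Low) can be reproduced from the CVSS v3.1 base-score formula. The following is an added example, not part of the issue thread or of wgpu: a small calculator that parses the vector strings discussed above using the published CVSS v3.1 metric weights. It implements only the Scope: Unchanged (S:U) case, which is the one every vector in this thread uses, and rejects anything else.

```rust
use std::collections::HashMap;

// Added example: CVSS v3.1 base-score calculator for Scope: Unchanged
// vectors. Weights are the published CVSS v3.1 constants; the vector
// strings checked in main() are the ones discussed in the issue thread.

/// Numeric weight for one metric value (Scope: Unchanged weights for PR).
fn weight(metric: &str, value: &str) -> Result<f64, String> {
    let w = match (metric, value) {
        ("AV", "N") => 0.85,
        ("AV", "A") => 0.62,
        ("AV", "L") => 0.55,
        ("AV", "P") => 0.2,
        ("AC", "L") => 0.77,
        ("AC", "H") => 0.44,
        ("PR", "N") => 0.85,
        ("PR", "L") => 0.62,
        ("PR", "H") => 0.27,
        ("UI", "N") => 0.85,
        ("UI", "R") => 0.62,
        ("C", "H") | ("I", "H") | ("A", "H") => 0.56,
        ("C", "L") | ("I", "L") | ("A", "L") => 0.22,
        ("C", "N") | ("I", "N") | ("A", "N") => 0.0,
        _ => return Err(format!("unknown metric/value {}:{}", metric, value)),
    };
    Ok(w)
}

/// CVSS v3.1 "Roundup": the smallest value with one decimal place that is
/// >= x, computed on integers as the specification recommends.
fn roundup(x: f64) -> f64 {
    let int_input = (x * 100_000.0).round() as i64;
    if int_input % 10_000 == 0 {
        int_input as f64 / 100_000.0
    } else {
        ((int_input / 10_000) as f64 + 1.0) / 10.0
    }
}

/// Parse a vector such as "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" (an optional
/// "CVSS:3.1/" prefix is accepted) and return its base score.
pub fn base_score(vector: &str) -> Result<f64, String> {
    let vector = vector.strip_prefix("CVSS:3.1/").unwrap_or(vector);
    let mut metrics: HashMap<&str, &str> = HashMap::new();
    for part in vector.split('/') {
        let (k, v) = part
            .split_once(':')
            .ok_or_else(|| format!("malformed component {:?}", part))?;
        metrics.insert(k, v);
    }
    if metrics.get("S") != Some(&"U") {
        return Err("only Scope: Unchanged (S:U) is implemented here".to_string());
    }
    let get = |k: &str| -> Result<f64, String> {
        let v = metrics.get(k).ok_or_else(|| format!("missing metric {}", k))?;
        weight(k, v)
    };

    // Impact sub score: ISS = 1 - (1-C)(1-I)(1-A); Impact = 6.42 * ISS (S:U).
    let iss = 1.0 - (1.0 - get("C")?) * (1.0 - get("I")?) * (1.0 - get("A")?);
    let impact = 6.42 * iss;
    // Exploitability = 8.22 * AV * AC * PR * UI.
    let exploitability = 8.22 * get("AV")? * get("AC")? * get("PR")? * get("UI")?;

    if impact <= 0.0 {
        return Ok(0.0);
    }
    Ok(roundup(f64::min(impact + exploitability, 10.0)))
}

fn main() {
    for v in [
        "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", // as published on NVD
        "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", // C and I set to None
        "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", // UI:R and A:L as argued above
    ] {
        println!("{} -> {:?}", v, base_score(v));
    }
}
```

The three vectors evaluate to 9.8, 7.5 and 4.3 respectively, matching the figures in the comments above. The Environmental scores mentioned later in the thread need the modified-metric formulas and are not covered by this example.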

@jimblandy
Member

Okay, I missed the "user interaction" bit. Thanks for the clarification about "availability".

@cwfitzgerald cwfitzgerald changed the title A stack overflow vulnerability was found Stack Exhaustion in WGSL Frontend Jan 7, 2025
@cwfitzgerald cwfitzgerald added type: bug Something isn't working naga Shader Translator area: naga front-end lang: WGSL WebGPU Shading Language labels Jan 7, 2025
@dveditz

dveditz commented Jan 8, 2025

> Although it's true that simply running Naga does not open one up to network attacks, I didn't challenge the "Network" attack vector because, in the case of Firefox, we do actually pass untrusted data from the network to Naga.

That raises a fair point. It's possible for the severity of a CVE in a library to be different from the severity of that flaw when embedded in an application that uses it incorrectly, unsafely, or even just differently than expected. Newer versions of CVSS try to represent that by having an additional "Environmental" score. wgpu used in a game application that only supplied their own tested shaders would be essentially unaffected by #5757, whereas Firefox and Servo using it to expose the "WebGPU" API to web pages do have to worry about it.

Arguably wgpu was created primarily to implement the WebGPU API, and that API was specified assuming untrustworthy web input. From that POV discounting the Network attack vector in the library itself would be unexpected. That will, however, overstate the severity of bugs from the POV of self-contained applications. They should calculate their own modified environmental CVSS score. For example, setting the Modified Attack Vector to Physical ("physical" access required to hack the compiled program?) gives you an environmental score of 2.1 (Low)—which is still too high for that situation IMHO! In a browser, setting the "Availability Requirement" to "Low" (a browser doesn't have to be a DDOS resistant server) results in an environmental score of 3.6 (Low) compared to the base score of 4.3 (Medium).

Or you could decide the library is primarily for self-contained graphics applications and rate flaws accordingly, and downstream browsers would have to report their advisories with an up-rated Environmental score representing the fact that now the Network is an attack vector.

Of course I think you should take the browser-centric POV because showing the high end of the range will make it less likely people will ignore announcements without a second look, and sheer numbers of affected users. But whichever approach you take, you should document that operating perspective in your future SECURITY.md policy.

@jamienicol jamienicol self-assigned this Jan 9, 2025
jamienicol added a commit to jamienicol/wgpu that referenced this issue Jan 9, 2025
It's currently trivial to write a shader that causes the wgsl parser
to recurse too deeply and overflow the stack. This patch makes the
parser return an error when recursing too deeply, before the stack
overflows.

It makes use of a new function Parser::track_recursion(). This
increments a counter returning an error if the value is too high,
before calling the user-provided function and returning its return
value after decrementing the counter again.

Any recursively-called functions can simply be modified to call
track_recursion(), providing their previous contents in a closure as
the argument. All instances of recursion during parsing call through
either Parser::statement(), Parser::unary_expression(), or
Parser::type_decl(), so only these functions have been updated as
described in order to keep the patch as unobtrusive as possible.

A value of 256 has been chosen as the recursion limit, but can be
later tweaked if required. This avoids the stack overflow in the
testcase attached to issue gfx-rs#5757.
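The commit message above describes the track_recursion() pattern: bump a depth counter, fail if it exceeds a limit, run the wrapped parsing step, and restore the counter on the way out. The following is an added example and is not naga's code: a toy recursive-descent parser for nested parentheses whose recursive entry point is wrapped in a hypothetical track_recursion() helper with a limit of 256, so an input made of a very large number of '(' characters (the shape of the original fuzzer test case) is rejected with an error instead of exhausting the stack. The names Parser, Error, parse and RECURSION_LIMIT are this example's own.

```rust
// Added example: a recursion budget for a recursive-descent parser, in the
// style described by the commit message. Not wgpu/naga code; grammar is
// deliberately tiny:  expr := '(' expr ')' | digit

#[derive(Debug, PartialEq)]
pub enum Error {
    /// The parser would have recursed past the configured limit.
    RecursionLimit { depth: u32 },
    /// Unexpected byte (or end of input) at this offset.
    Unexpected { pos: usize },
}

pub struct Parser<'a> {
    src: &'a [u8],
    pos: usize,
    depth: u32,
    max_depth: u32,
}

/// Limit chosen by the commit above; the example uses the same value.
pub const RECURSION_LIMIT: u32 = 256;

impl<'a> Parser<'a> {
    pub fn new(src: &'a str, max_depth: u32) -> Self {
        Parser { src: src.as_bytes(), pos: 0, depth: 0, max_depth }
    }

    /// Increment the depth counter, returning an error if the limit would be
    /// exceeded; otherwise run `f` and decrement the counter again, whether
    /// or not `f` succeeded, so the budget is correct for later calls.
    fn track_recursion<T, F>(&mut self, f: F) -> Result<T, Error>
    where
        F: FnOnce(&mut Self) -> Result<T, Error>,
    {
        if self.depth >= self.max_depth {
            return Err(Error::RecursionLimit { depth: self.depth });
        }
        self.depth += 1;
        let result = f(self);
        self.depth -= 1;
        result
    }

    /// Parse one expression; returns how many parenthesis levels it had.
    /// All recursion flows through this one function, so wrapping only its
    /// body (as the commit does for statement/unary_expression/type_decl)
    /// is enough to bound the stack.
    pub fn expr(&mut self) -> Result<u32, Error> {
        self.track_recursion(|p| match p.src.get(p.pos).copied() {
            Some(b'(') => {
                p.pos += 1;
                let inner = p.expr()?;
                if p.src.get(p.pos).copied() != Some(b')') {
                    return Err(Error::Unexpected { pos: p.pos });
                }
                p.pos += 1;
                Ok(inner + 1)
            }
            Some(c) if c.is_ascii_digit() => {
                p.pos += 1;
                Ok(0)
            }
            _ => Err(Error::Unexpected { pos: p.pos }),
        })
    }
}

/// Parse a complete input, requiring that every byte is consumed.
pub fn parse(src: &str, max_depth: u32) -> Result<u32, Error> {
    let mut p = Parser::new(src, max_depth);
    let levels = p.expr()?;
    if p.pos != p.src.len() {
        return Err(Error::Unexpected { pos: p.pos });
    }
    Ok(levels)
}

fn main() {
    // Constructed inputs: a benign one and a fuzzer-style deeply nested one.
    let deep = format!("{}1{}", "(".repeat(100_000), ")".repeat(100_000));
    println!("{:?}", parse("((1))", RECURSION_LIMIT));
    println!("{:?}", parse(&deep, RECURSION_LIMIT));
}
```

With a limit of 256 the parser accepts up to 255 nested levels (the outermost expr() call also counts against the budget) and returns Error::RecursionLimit for anything deeper, long before the stack guard page would be hit. The same decrement-after-call shape is what makes the counter correct across error paths, which a plain `depth += 1` at function entry would not guarantee.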
jamienicol added a commit to jamienicol/wgpu that referenced this issue Jan 22, 2025