
Issue 120648 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.




UNKNOWN in SkARGB32_Blitter::blitV

Reported by aohe...@gmail.com, Mar 28 2012

Issue description

VULNERABILITY DETAILS
A renderer crash happens at an unknown address when the attached page is opened. The address moves with ASLR, at least one of the arguments seems to affect it, and there is a large numeric argument in one call suggesting an integer error.

VERSION
Chrome Version: 17.0.963.83 stable, 19.0.1083.0 dev
Operating System: Linux (Debian 6.0.4, x86_64)

REPRODUCTION CASE
$ google-chrome blit.html

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:

==28626== ERROR: AddressSanitizer crashed on unknown address 0x7f61a55f2a10 (pc 0x7f60b8363e62 sp 0x7fffcf18d900 bp 0x7fffcf18d910 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7f60b8363e62 in SkARGB32_Blitter::blitV(int, int, int, unsigned char) ???:0
    #1 0x7f60b82aac67 in vline(int, int, int, int, SkBlitter*, int) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #2 0x7f60b82a6c0f in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #3 0x7f60b82a66dd in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #4 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #5 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #6 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #7 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #8 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #9 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #10 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #11 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #12 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #13 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #14 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #15 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #16 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #17 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #18 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #19 0x7f60b82a66c5 in do_anti_hairline(int, int, int, int, SkIRect const*, SkBlitter*) third_party/skia/src/core/SkScan_Antihair.cpp:0
    #20 0x7f60b82a6394 in SkScan::AntiHairLineRgn(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*) ???:0
    #21 0x7f60b82ae21f in hairquad(SkPoint const*, SkRegion const*, SkBlitter*, int, void (*)(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:0
    #22 0x7f60b82ae1fc in hairquad(SkPoint const*, SkRegion const*, SkBlitter*, int, void (*)(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:0
    #23 0x7f60b82ae1fc in hairquad(SkPoint const*, SkRegion const*, SkBlitter*, int, void (*)(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:0
    #24 0x7f60b82ae1fc in hairquad(SkPoint const*, SkRegion const*, SkBlitter*, int, void (*)(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:0
    #25 0x7f60b82ae1fc in hairquad(SkPoint const*, SkRegion const*, SkBlitter*, int, void (*)(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:0
    #26 0x7f60b82ae1fc in hairquad(SkPoint const*, SkRegion const*, SkBlitter*, int, void (*)(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:0
    #27 0x7f60b82acaeb in hair_path(SkPath const&, SkRasterClip const&, SkBlitter*, void (*)(SkPoint const&, SkPoint const&, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:0
    #28 0x7f60b8236bba in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const ???:0
    #29 0x7f60b8225dc5 in SkCanvas::drawPath(SkPath const&, SkPaint const&) ???:0
    #30 0x7f60b9105dc2 in WebCore::GraphicsContext::strokePath(WebCore::Path const&) ???:0
    #31 0x7f60b8dcd91c in WebCore::CanvasRenderingContext2D::stroke() ???:0
    #32 0x7f60ba80a2ba in WebCore::CanvasRenderingContext2DInternal::strokeCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources17.cpp:0
    #33 0x7f60b7682946 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #34 0x7f608200618e
    #35 0x7f60820344a4
    #36 0x7f6082023dc7
    #37 0x7f6082011357
    #38 0x7f60b76ee654 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) v8/src/execution.cc:0
    #39 0x7f60b7618a73 in v8::Script::Run() ???:0
    #40 0x7f60b9347804 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) ???:0
    #41 0x7f60b9346995 in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) ???:0
    #42 0x7f60b92f3576 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) ???:0
    #43 0x7f60b88638ec in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) ???:0
    #44 0x7f60b885f0f5 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) ???:0
    #45 0x7f60b8e354e4 in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) ???:0
    #46 0x7f60b8e34f71 in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) ???:0
    #47 0x7f60b8e2952d in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() ???:0
    #48 0x7f60b8e298a0 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) ???:0
    #49 0x7f60b8e28b26 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) ???:0
    #50 0x7f60b8e2a654 in WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) ???:0
    #51 0x7f60bc909c2c in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*) ???:0
    #52 0x7f60b98a18d1 in WebCore::DocumentWriter::endIfNotLoadingMainResource() ???:0
    #53 0x7f60b98d7d99 in WebCore::FrameLoader::finishedLoading() ???:0
    #54 0x7f60b9900611 in WebCore::MainResourceLoader::didFinishLoading(double) ???:0
    #55 0x7f60bb0d94e2 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) ???:0
    #56 0x7f60b80fe00b in ResourceDispatcher::OnRequestComplete(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&) ???:0
    #57 0x7f60b80fee8b in bool ResourceMsg_RequestComplete::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::TimeTicks const&)) ???:0
    #58 0x7f60b80fb7ed in ResourceDispatcher::DispatchMessage(IPC::Message const&) ???:0
    #59 0x7f60b80f9ac1 in ResourceDispatcher::OnMessageReceived(IPC::Message const&) ???:0
    #60 0x7f60b7ff494f in ChildThread::OnMessageReceived(IPC::Message const&) ???:0
    #61 0x7f60b6d1b7e3 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ???:0
    #62 0x7f60b6c09a26 in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #63 0x7f60b6c0a286 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
Stats: 3M malloced (5M for red zones) by 15209 calls
Stats: 0M realloced by 44 calls
Stats: 2M freed by 7323 calls
Stats: 0M really freed by 0 calls
Stats: 48M (12296 full pages) mmaped in 12 calls
  mmaps   by size class: 8:16383; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32; 18:16; 19:8;
  mallocs by size class: 8:13793; 9:653; 10:398; 11:203; 12:38; 13:41; 14:57; 15:8; 16:9; 17:5; 18:2; 19:2;
  frees   by size class: 8:6472; 9:334; 10:310; 11:103; 12:16; 13:30; 14:45; 15:4; 16:2; 17:4; 18:2; 19:1;
  rfrees  by size class:
Stats: malloc large: 9 small slow: 68

Attachment: blit.html (222 bytes)

Comment 1 by kcc@chromium.org, Mar 28 2012

Cc: glider@chromium.org
first guess: stack overflow. asan uses way more stack than a regular run.
may simply need to increase the thread's stack size.

Comment 2 by kcc@chromium.org, Mar 28 2012

Nope. No relation to stack. Looks more like a completely wild dereference. 
Summary: UNKNOWN in SkARGB32_Blitter::blitV
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=31757765

Uploader: inferno@chromium.org

Crash Type: UNKNOWN
Crash Address: 0x7f38734e5a10
Crash State:
  - crash stack -
  SkARGB32_Blitter::blitV
  vline
  do_anti_hairline
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=109205:109251

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96RhzG9Ernh-XJ6dJ-6rGHooMrbanFarllYzD_0pDJtJ3xqtH0dJ4eQjxgnewxgpITBNhpPGnRWPN0GC9s7fXXV93xhgYjqgUjg_XyGn3NSeJEYmBnh5FE9RQvtZuRAq60JAZrXkUHzL8eHxMyNQe1R9b8cfg
<script>
C = document.createElement("canvas");
A = C.getContext("2d");
C.height = 400;
P = 3.14159265;
A.translate(100,300);
A.arc(0,0,170141183460469231731687303715884105724,P*2,0,0);
A.stroke();
</script>
Cc: reed@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals SecImpacts-Stable SecImpacts-Beta Mstone-18 Stability-AddressSanitizer OS-All
Owner: epoger@chromium.org
Status: Assigned
Elliot, this seems to have regressed in Skia: r2620:r2633. Can you please help to triage this.

Comment 5 by reed@chromium.org, Mar 29 2012

skia rev. 2632 looks to be done explicitly to handle NaN values in paths, which the arc code in #3 might create. I will test that case now in tip-of-tree, to see its current behavior.

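The testcase in comment 3 hands the canvas an arc radius of roughly 1.7e38, and comment 5 notes that the arc code may turn such values into NaN path coordinates. The defensive pattern that closes this class of bug is to refuse non-finite or absurdly large floating-point geometry before it is converted to integer pixel coordinates, and to make the span blitter check its own bounds instead of trusting the caller to have clipped. The following is an added illustration written for this page, not Skia's code and not the r3558 fix; the bitmap model, the 2^20 clip limit, and the function names are assumptions made for the example.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed ARGB32 raster target standing in for the canvas backing store.
// Illustration only; this is not Skia's SkARGB32_Blitter.
struct Bitmap {
    int width;
    int height;
    std::vector<uint32_t> pixels;
    Bitmap(int w, int h)
        : width(w), height(h), pixels(static_cast<size_t>(w) * static_cast<size_t>(h), 0u) {}
};

// Largest pixel coordinate the example is willing to rasterize. Assumption:
// a clip limit of +/-2^20 is ample for any real canvas; anything beyond it is
// script-controlled geometry that must not reach the blitter.
constexpr double kMaxCoord = 1048576.0;  // 2^20

// Convert a double path coordinate to an integer pixel coordinate, rejecting
// NaN, infinities and magnitudes outside the clip limit. A plain
// static_cast<int>(v) on a value like 1.7e38 is undefined behaviour in C++;
// on common hardware it produces a garbage integer that then becomes a
// span position or span length.
std::optional<int> toPixelCoordChecked(double v) {
    if (!std::isfinite(v)) return std::nullopt;
    if (v > kMaxCoord || v < -kMaxCoord) return std::nullopt;
    return static_cast<int>(std::lround(v));
}

// Bounds-checked vertical span blit. Returns the number of pixels written,
// or -1 if the span was rejected. Unlike an unchecked blitV it never trusts
// the caller to have clipped the span to the bitmap.
int blitVChecked(Bitmap& bm, int x, int y, int height, uint32_t color) {
    if (x < 0 || x >= bm.width) return -1;
    if (height <= 0) return -1;
    if (y < 0 || y >= bm.height) return -1;
    if (height > bm.height - y) return -1;  // phrased this way so y + height cannot overflow
    for (int i = 0; i < height; ++i) {
        bm.pixels[static_cast<size_t>(y + i) * static_cast<size_t>(bm.width) + static_cast<size_t>(x)] = color;
    }
    return height;
}

// Stroke a vertical line whose endpoints came from script-controlled path
// math. Validates the floating-point endpoints first, then clips in integer
// space, then blits. Returns pixels written, 0 if the line lies entirely
// outside the bitmap, or -1 if the geometry was rejected as unsafe.
int strokeVerticalChecked(Bitmap& bm, double fx, double fy0, double fy1, uint32_t color) {
    auto x = toPixelCoordChecked(fx);
    auto y0 = toPixelCoordChecked(fy0);
    auto y1 = toPixelCoordChecked(fy1);
    if (!x || !y0 || !y1) return -1;  // NaN, inf or absurd magnitude: drop the primitive
    int top = std::min(*y0, *y1);
    int bottom = std::max(*y0, *y1);
    // The checked conversion guarantees these ints are small, so none of the
    // arithmetic below can overflow.
    if (bottom < 0 || top >= bm.height) return 0;
    if (*x < 0 || *x >= bm.width) return 0;
    top = std::max(top, 0);
    bottom = std::min(bottom, bm.height - 1);
    return blitVChecked(bm, *x, top, bottom - top + 1, color);
}

// Y coordinate of a point on an arc of radius r around (cx, cy) at angle a,
// as a canvas implementation computes it before rasterizing. With the
// radius from the testcase this is a finite but enormous double, which the
// checks above reject instead of converting.
double arcPointY(double cy, double r, double a) { return cy + r * std::sin(a); }
```

The two checks are deliberately independent: even if a caller forgets `toPixelCoordChecked`, `blitVChecked` still refuses any span that does not fit the bitmap, so a bad coordinate degrades to a dropped primitive rather than an out-of-bounds write.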
Comment 6 by kareng@google.com, Mar 30 2012

Labels: -Mstone-18 Mstone-20

Comment 7 by kareng@google.com, Mar 30 2012

Labels: MovedFrom18
Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.
Labels: SecSeverity-Medium
Cc: epoger@chromium.org
Owner: reed@chromium.org
Assigning over to Mike.  He is going to download some prebuilt ASAN binaries from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html and see if he can reproduce the bug.

Comment 11 by reed@chromium.org, Mar 30 2012

Speculative fix in Skia-rev. 3558
Cc: epoger@google.com

Comment 13 by reed@chromium.org, Mar 30 2012

repro case from #3 as a file, attached...
Attachment: bigarc.html (218 bytes)

Comment 14 by reed@chromium.org, Mar 30 2012

Cc: bsalomon@chromium.org
I was able to repro using tip-of-tree (debug build) by loading bigarc.html, and disabling gpu canvas (which is now on by default, and which doesn't have this bug).

--disable-accelerated-2d-canvas

Comment 15 by epoger@google.com, Mar 30 2012

Owner: epoger@chromium.org
Thanks for the fix in http://code.google.com/p/skia/source/detail?r=3558 , Mike!

Mike is going to be out of town next week, so I am taking ownership... on Monday, I will confirm that this has indeed been fixed in the latest canary build, and then request permission to merge the fix into M18.

Comment 16 by epoger@google.com, Apr 2 2012

The fix was just now rolled into Chrome within this Skia DEPS roll: http://crrev.com/130175

Comment 17 by epoger@google.com, Apr 2 2012

Baseline for comparison once the above fix goes into a test build...

I downloaded asan-linux-release-130133 from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html
and ran it on my remote Linux instance (no GPU).  When I opened blit.html from comment #1, I saw an ASAN stack trace similar to that pasted in comment #1.

more details in the attachment...
Attachment: repros-in-130133.txt (7.8 KB)
Labels: -Restrict-View-SecurityTeam -Mstone-18 Restrict-View-SecurityNotify Mstone-19 Merge-Approved reward-topanel
Status: FixUnreleased
Thanks for being so on top of all these Skia issues, Elliot. You're awesome.
We can look to merge this to Chrome 19 once the change survives a canary (or perhaps M20 dev channel)

Comment 19 by aohe...@gmail.com, Apr 2 2012

Fix looks good here. 130186 had no issues with the files which triggered this earlier.
Project Member

Comment 20 by ClusterFuzz, Apr 3 2012

ClusterFuzz has detected this issue as fixed in range 130154:130180.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=31757765

Uploader: inferno@chromium.org

Crash Type: UNKNOWN
Crash Address: 0x7f38734e5a10
Crash State:
  - crash stack -
  SkARGB32_Blitter::blitV
  vline
  do_anti_hairline
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=109205:109251
Fixed: https://cluster-fuzz.appspot.com/revisions?range=130154:130180

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96RhzG9Ernh-XJ6dJ-6rGHooMrbanFarllYzD_0pDJtJ3xqtH0dJ4eQjxgnewxgpITBNhpPGnRWPN0GC9s7fXXV93xhgYjqgUjg_XyGn3NSeJEYmBnh5FE9RQvtZuRAq60JAZrXkUHzL8eHxMyNQe1R9b8cfg

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 21 by epoger@google.com, Apr 3 2012

Cc: scarybea...@gmail.com
Works for me too... I downloaded asan-linux-release-130180 from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html
and ran it on my remote Linux instance (no GPU).  When I opened blit.html from comment #1, I did not get any errors at all.

This bug is now marked as M19/Merge-Approved, so I will go ahead and prepare an M19 patch...

But don't we also want an M18 patch?
Cc: cevans@chromium.org
I'd think we do want an M18 patch. Will the diff be as small as it was for M19? Thanks!
@epoger: the usual "safe" way forward is:
- Let the Skia change roll into a canary to make sure nothing terrible is broken.
- Merge it to a dev channel for wider baking / testing.
- Merge back to stable finally if all is well.

Comment 24 by epoger@google.com, Apr 4 2012

Labels: -Merge-Approved Merge-Merged
Fix merged into Skia's chrome/1084 branch as http://code.google.com/p/skia/source/detail?r=3604

Using a local M19-branch ASAN build on Mac, I have confirmed that I DID see the failure before the above merge, and I DO NOT see the failure after the above merge.

[Be sure to use the --disable-accelerated-2d-canvas command-line argument, or else the bug will not reproduce on most systems.]

Do we have precompiled M19-branch ASAN build binaries somewhere so that we can confirm that the next official release build contains the fix?  I don't see any M19 builds at https://commondatastorage.googleapis.com/chromium-browser-asan/index.html ...

[Reminder: We still need to attempt a patch into M18, once we are happy with the M19 patch.]
Labels: -Mstone-19 -Merge-Merged Mstone-18 Merge-Approved
Adding flags to make sure we revisit this for M18.

Comment 26 by epoger@google.com, Apr 5 2012

Labels: -Merge-Approved Merge-Requested
Somebody let me know if/when it's time to merge it into M18... (once it's marked as Merge-Approved, I will do so)

Comment 27 by epoger@google.com, Apr 13 2012

Cc: -epoger@chromium.org
Owner: scarybea...@gmail.com
Assigning to scarybeasts for now... please assign back to me when it's time for me to merge the fix ( http://code.google.com/p/skia/source/detail?r=3558 ) into M18.
Labels: -Merge-Requested Merge-Approved
(We'll leave it Merge-Approved because all security fixes are approved and we search on the label when it's merge time.... I will let you know when it is merge time, thanks so much!)
Labels: -Mstone-18 -Merge-Approved Mstone-19 Merge-Merged
There are no more M18 merge opportunities so this goes into M19 (already merged, yay). There's only a couple of weeks to wait until M19 hits stable.
Labels: -reward-topanel reward-500 reward-unpaid
Thanks Aki. This involves canvas so the OOB content is plausibly recoverable.
$500
Labels: reward-decline
Reward to be upped to $1337 and donated to http://www.betterplace.org/en/projects/2001-school-project-welkite-i-in-ethiopia-east-africa
Labels: CVE-2011-3088

Comment 33 by cdn@chromium.org, May 15 2012

Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.
Labels: -reward-unpaid
Project Member

Comment 35 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 36 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer -Mstone-19 -SecSeverity-Medium M-19 Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Cr-Internals Performance-Memory-AddressSanitizer Type-Bug-Security
Project Member

Comment 37 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 38 by bugdroid1@chromium.org, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 40 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 41 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member

Comment 42 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 43 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 44 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 45 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 46 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
