
Issue 124652

Issue metadata

Status: Verified
Owner:
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect

Reported by infe...@chromium.org, Apr 23 2012

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=39364318

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f32d0cc2b88
Crash State:
  - crash stack -
  SkDashPathEffect::SkDashPathEffect
  WebCore::GraphicsContext::setLineDash
  WebCore::SVGRenderSupport::applyStrokeStyleToContext
  

Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Q7EE6yZLPMH9UFZ0oRVxy4JnTr-VV_0NMnGKLosnb0ombmOUiinhMm3I2r85dQBxtb0Y3YYCcOkd1wNeSaZGQ-pdKsv1OcQhANxPHltVxub5Zy5POKiySwBuoRDPfmdPLlU3_FbxOvedIy6EYH2fmud-awA
Issue 124651 has been merged into this issue.
Cc: reed@chromium.org
Owner: epoger@chromium.org
Status: Assigned
Elliot, Mike, can you please help to triage?

Comment 3 by epoger@chromium.org, Apr 23 2012

Owner: epoger@google.com

Comment 4 by epoger@google.com, Apr 23 2012

I was able to reproduce this on my remote Linux instance.

I downloaded asan-symbolized-linux-release-133430.zip from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html and ran it:

./asan-symbolized-linux-release-133430/chrome --no-first-run --single-process --disable-gpu-plugin --disable-gpu-rendering --disable-accelerated-compositing --disable-webgl --disable-accelerated-2d-canvas

and when I viewed the attached test case, I got the attached ASAN error log.
Attachments: fuzz-crbug-124652.svg (739 bytes), asan-error-log.txt (14.1 KB)
Elliot, you can always get the entire stack with symbols and clickable line numbers using CF report https://cluster-fuzz.appspot.com/testcase?key=39364318 in c#0.

Comment 6 by epoger@google.com, Apr 23 2012

Right... and that stack trace is much nicer than the one I get. :-) But I also like to make sure that I can actually reproduce the error locally.

Next step: seeing if I can reproduce this in a debug build.  I'm going to put an SkASSERT near http://code.google.com/codesearch#OAMlx_jo-ck/src/third_party/skia/src/effects/SkDashPathEffect.cpp&l=22 and see if we are walking past the end of intervals[]...

Comment 7 by epoger@google.com, Apr 24 2012

Turns out that I didn't even need to add any asserts...

When I view the test case in a tip-of-tree debug build (still on Linux), I see this:

[12057:12080:3556013926080:FATAL:SkDashPathEffect.cpp(62)] third_party/skia/src/effects/SkDashPathEffect.cpp:62: failed assertion "phase >= 0 && phase < len"

Backtrace:
	base::debug::StackTrace::StackTrace() [0x7f77699560da]
	logging::LogMessage::~LogMessage() [0x7f77699848fb]
	SkDebugf_FileLine() [0x7f776a6ab8cf]
	SkDashPathEffect::SkDashPathEffect() [0x7f776a701499]
	WebCore::GraphicsContext::setLineDash() [0x7f776aeab644]
	WebCore::SVGRenderSupport::applyStrokeStyleToContext() [0x7f776ba1074b]
	WebCore::BoundingRectStrokeStyleApplier::strokeStyle() [0x7f776bb322a9]
	WebCore::Path::strokeBoundingRect() [0x7f776aeb3191]
	WebCore::RenderSVGShape::inflateWithStrokeAndMarkerBounds() [0x7f776bb31ed1]
	WebCore::RenderSVGShape::updateCachedBoundaries() [0x7f776bb31d80]
	WebCore::RenderSVGShape::layout() [0x7f776bb309ef]
	WebCore::SVGRenderSupport::layoutChildren() [0x7f776ba0fc33]
	WebCore::RenderSVGContainer::layout() [0x7f776bb6b244]
	WebCore::SVGRenderSupport::layoutChildren() [0x7f776ba0fc33]
	WebCore::RenderSVGRoot::layout() [0x7f776ba043ec]
	WebCore::RenderObject::layoutIfNeeded() [0x7f776b57e723]
	WebCore::RenderBlock::layoutInlineChildren() [0x7f776b5e9443]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a77eb]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderBlock::layoutBlockChild() [0x7f776b5aab49]
	WebCore::RenderBlock::layoutBlockChildren() [0x7f776b5aa764]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a7809]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderBlock::layoutBlockChild() [0x7f776b5aab49]
	WebCore::RenderBlock::layoutBlockChildren() [0x7f776b5aa764]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a7809]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderBlock::layoutBlockChild() [0x7f776b5aab49]
	WebCore::RenderBlock::layoutBlockChildren() [0x7f776b5aa764]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a7809]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderView::layout() [0x7f776b704aa7]
	WebCore::FrameView::layout() [0x7f776b324e84]
	WebCore::Document::implicitClose() [0x7f776a950a42]
	WebCore::FrameLoader::checkCallImplicitClose() [0x7f776b270473]
	WebCore::FrameLoader::checkCompleted() [0x7f776b270213]
	WebCore::FrameLoader::finishedParsing() [0x7f776b26ff5f]
	WebCore::Document::finishedParsing() [0x7f776a95908e]
	WebCore::XMLDocumentParser::end() [0x7f776b399f2d]
	WebCore::XMLDocumentParser::finish() [0x7f776b399f66]
	WebCore::DocumentWriter::end() [0x7f776b264f79]
	WebCore::DocumentLoader::finishedLoading() [0x7f776b255f04]
	WebCore::MainResourceLoader::didFinishLoading() [0x7f776b28cfcf]
	WebCore::ResourceLoader::didFinishLoading() [0x7f776b29fb5b]
	WebCore::ResourceHandleInternal::didFinishLoading() [0x7f776ce06c40]
	webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest() [0x7f776bd710d4]
	ResourceDispatcher::OnRequestComplete() [0x7f776a51b22c]
	DispatchToMethod<>() [0x7f776a51e6f7]
	ResourceMsg_RequestComplete::Dispatch<>() [0x7f776a51dab2]
	ResourceDispatcher::DispatchMessage() [0x7f776a51bc93]
	ResourceDispatcher::OnMessageReceived() [0x7f776a51a8ab]
	ChildThread::OnMessageReceived() [0x7f776a407478]
	IPC::ChannelProxy::Context::OnDispatchMessage() [0x7f7769a4003e]
	base::internal::RunnableAdapter<>::Run() [0x7f7769a43227]
	base::internal::InvokeHelper<>::MakeItSo() [0x7f7769a42ded]
	base::internal::Invoker<>::Run() [0x7f7769a427ac]
	base::Callback<>::Run() [0x7f7768e39f6f]
	MessageLoop::RunTask() [0x7f7769989a08]
	MessageLoop::DeferOrRunPendingTask() [0x7f7769989b1f]
	MessageLoop::DoWork() [0x7f776998a313]
	base::MessagePumpDefault::Run() [0x7f7769991fc0]
	MessageLoop::RunInternal() [0x7f77699896cf]

Trace/breakpoint trap (core dumped)

Comment 8 by epoger@google.com, Apr 24 2012

The assertion failure is happening the very first time that SkDashPathEffect::SkDashPathEffect() is called, in http://code.google.com/p/skia/source/browse/trunk/src/effects/SkDashPathEffect.cpp ...

Method parameters are:
  intervals[] = {837099584, 33450}
  count = 2
  phase = -10
  scaleToFit = false

Then...
- line 48 : phase = -phase
  (gdb) p phase
  $4 = 10
  (gdb) p len
  $5 = 837133056
- line 52 : phase = len - phase
  (gdb) p phase
  $6 = 837133056
  (gdb) p len
  $7 = 837133056
- line 62: we fail the assert (phase < len)

It looks like float precision loss is killing us.
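The rounding in the gdb session above, reproduced in a few lines of C. This is an added example, not Skia's code: the intervals and phase are the values printed in comment 8, SkScalar is assumed to be a 32-bit float, and the hardened normalization is a reconstruction of the fix's intent (handle a phase that rounds back up to len), not a copy of r3761.

```c
#include <stdio.h>
typedef float SkScalar;  /* Skia's default scalar type is a 32-bit float */

/* Constructed input: the exact values from the gdb session in comment 8. */
static const SkScalar kIntervals[2] = {837099584.0f, 33450.0f};

/* Sum the intervals in float, as the constructor does. The true sum 837133034
 * is not representable (float ulp here is 64), so len rounds up to 837133056. */
static SkScalar interval_len(const SkScalar *intervals, int count) {
    SkScalar len = 0.0f;
    for (int i = 0; i < count; i++)
        len += intervals[i];
    return len;
}

/* Normalization as traced in comment 8 (other constructor steps omitted). */
static SkScalar normalize_phase_before(SkScalar phase, SkScalar len) {
    if (phase < 0) {
        phase = -phase;       /* line 48: phase becomes 10 */
        phase = len - phase;  /* line 52: 837133056 - 10 rounds back to len */
    }
    return phase;
}

/* Hardened form (a reconstruction, not necessarily the exact change in r3761):
 * a phase that rounded back up to len is a whole-period offset, so use 0. */
static SkScalar normalize_phase_after(SkScalar phase, SkScalar len) {
    if (phase < 0) {
        phase = -phase;
        phase = len - phase;
        if (phase >= len)
            phase = 0.0f;
    }
    return phase;
}

/* Invariant asserted at SkDashPathEffect.cpp:62 in the debug build; the
 * release build has no assert and walks intervals[] out of bounds instead. */
static int phase_in_range(SkScalar phase, SkScalar len) {
    return phase >= 0.0f && phase < len;
}

int main(void) {
    SkScalar len = interval_len(kIntervals, 2);
    SkScalar bad = normalize_phase_before(-10.0f, len);
    SkScalar good = normalize_phase_after(-10.0f, len);
    printf("len=%.0f before=%.0f ok=%d after=%.0f ok=%d\n", len, bad,
           phase_in_range(bad, len), good, phase_in_range(good, len));
    return 0;
}
```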

Comment 9 by epoger@google.com, Apr 24 2012

Cc: epoger@google.com
Owner: reed@chromium.org
It's easier to debug just Skia code than Chrome, so I have created a Skia unittest that exercises this same code path: https://codereview.appspot.com/6123045/

Assigning over to Mike... Mike, please make that Skia test pass, and then send me the change that fixes it.

Comment 10 by reed@chromium.org, Apr 24 2012

possible fix in skia rev. 3761

Comment 11 by epoger@google.com, Apr 25 2012

Owner: epoger@google.com
Cool, Mike's fix in http://code.google.com/p/skia/source/detail?r=3761 made my new Skia unittest pass.

Assigning to myself to:
1. manually patch http://code.google.com/p/skia/source/detail?r=3761 into my local Chrome build and confirm that it fixes the bug
2. do a Skia DEPS roll to get that fix committed to trunk, so we can test it there
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Pure awesomeness!!!!

Comment 13 by epoger@google.com, Apr 25 2012

Manual patch of http://code.google.com/p/skia/source/detail?r=3761 does indeed fix the assert in my local debug build.

DEPS roll of the fix into chrome-trunk is underway at https://chromiumcodereview.appspot.com/10224003/ ('Roll Skia DEPS to 3761').

Once that lands, I will:
1. check the next ASAN build to make sure that the ASAN error (not the assert!) is indeed resolved
2. let it "bake" in M20
3. merge into M19
4. let it "bake" in M19
5. merge into M18

Comment 14 by ClusterFuzz, Apr 26 2012

ClusterFuzz has detected this issue as fixed in range 133928:133996.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=39364318

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f32d0cc2b88
Crash State:
  - crash stack -
  SkDashPathEffect::SkDashPathEffect
  WebCore::GraphicsContext::setLineDash
  WebCore::SVGRenderSupport::applyStrokeStyleToContext
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=133928:133996

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Q7EE6yZLPMH9UFZ0oRVxy4JnTr-VV_0NMnGKLosnb0ombmOUiinhMm3I2r85dQBxtb0Y3YYCcOkd1wNeSaZGQ-pdKsv1OcQhANxPHltVxub5Zy5POKiySwBuoRDPfmdPLlU3_FbxOvedIy6EYH2fmud-awA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 15 by epoger@google.com, Apr 26 2012

I'll save myself the trouble of manually checking the latest ASAN build, and instead just believe ClusterFuzz when it says it's fixed.

So, I will wait until Monday for any bugs to pop up from this in M20... barring that, I will merge into M19 Monday morning.
Labels: -Mstone-18 Mstone-19
Great! Assuming we're confident in the stability of the fix, we can get it into M19 stable if we merge it Monday.

Comment 17 by epoger@google.com, Apr 30 2012

Labels: -Merge-Approved Merge-Merged
Merged into M19 as http://code.google.com/p/skia/source/detail?r=3798

Looking at http://chrome-master2.mtv.corp.google.com/official_builds/ , the most recent M18 build is 19.0.1084.39; once a newer binary appears there, I will confirm that the bug was present in .39 but absent in the newest build.

Comment 18 by epoger@google.com, May 4 2012

Status: Verified
Confirmed fixed in 19.0.1084.41.

I downloaded the following two builds from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html and opened fuzz-crbug-124652.svg from comment 4...

asan-linux-beta-19.0.1084.36 : still got the ASAN error
asan-linux-beta-19.0.1084.41 : did not get the ASAN error

Labels: CVE-2011-3100

Comment 20 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 21 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -SecImpacts-Stable -Mstone-19 -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-19 Performance-Memory-AddressSanitizer

Comment 22 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 23 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 26 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 27 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 28 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.


Comment 30 by ClusterFuzz, Feb 6 2014

Labels: -Restrict-View-EditIssue
Bulk update: removing view restriction from closed bugs.

Comment 31 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
