Status: Verified
Closed: Apr 2012
OS: All
Pri: 1
Type: Bug-Security

Heap-buffer-overflow in SkDashPathEffect::SkDashPathEffect
Project Member Reported by infe...@chromium.org, Apr 23 2012
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=39364318

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f32d0cc2b88
Crash State:
  - crash stack -
  SkDashPathEffect::SkDashPathEffect
  WebCore::GraphicsContext::setLineDash
  WebCore::SVGRenderSupport::applyStrokeStyleToContext
  

Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Q7EE6yZLPMH9UFZ0oRVxy4JnTr-VV_0NMnGKLosnb0ombmOUiinhMm3I2r85dQBxtb0Y3YYCcOkd1wNeSaZGQ-pdKsv1OcQhANxPHltVxub5Zy5POKiySwBuoRDPfmdPLlU3_FbxOvedIy6EYH2fmud-awA
Issue 124651 has been merged into this issue.
Cc: reed@chromium.org
Owner: epoger@chromium.org
Status: Assigned
Elliot, Mike, can you please help to triage.
Comment 3 by epoger@chromium.org, Apr 23 2012
Owner: epoger@google.com
Comment 4 by epoger@google.com, Apr 23 2012
I was able to reproduce this on my remote Linux instance.

I downloaded asan-symbolized-linux-release-133430.zip from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html and ran it:

./asan-symbolized-linux-release-133430/chrome --no-first-run --single-process --disable-gpu-plugin --disable-gpu-rendering --disable-accelerated-compositing --disable-webgl --disable-accelerated-2d-canvas

and when I viewed the attached test case, I got the attached ASAN error log.
Attachments: fuzz-crbug-124652.svg (739 bytes), asan-error-log.txt (14.1 KB)
Elliot, you can always get the entire stack with symbols and clickable line numbers using CF report https://cluster-fuzz.appspot.com/testcase?key=39364318 in c#0.
Comment 6 by epoger@google.com, Apr 23 2012
Right... and that stack trace is much nicer than the one I get. :-) But I also like to make sure that I can actually reproduce the error locally.

Next step: seeing if I can reproduce this in a debug build.  I'm going to put an SkASSERT near http://code.google.com/codesearch#OAMlx_jo-ck/src/third_party/skia/src/effects/SkDashPathEffect.cpp&l=22 and see if we are walking past the end of intervals[]...
Comment 7 by epoger@google.com, Apr 24 2012
Turns out that I didn't even need to add any asserts...

When I view the test case in a tip-of-tree debug build (still on Linux), I see this:

[12057:12080:3556013926080:FATAL:SkDashPathEffect.cpp(62)] third_party/skia/src/effects/SkDashPathEffect.cpp:62: failed assertion "phase >= 0 && phase < len"

Backtrace:
	base::debug::StackTrace::StackTrace() [0x7f77699560da]
	logging::LogMessage::~LogMessage() [0x7f77699848fb]
	SkDebugf_FileLine() [0x7f776a6ab8cf]
	SkDashPathEffect::SkDashPathEffect() [0x7f776a701499]
	WebCore::GraphicsContext::setLineDash() [0x7f776aeab644]
	WebCore::SVGRenderSupport::applyStrokeStyleToContext() [0x7f776ba1074b]
	WebCore::BoundingRectStrokeStyleApplier::strokeStyle() [0x7f776bb322a9]
	WebCore::Path::strokeBoundingRect() [0x7f776aeb3191]
	WebCore::RenderSVGShape::inflateWithStrokeAndMarkerBounds() [0x7f776bb31ed1]
	WebCore::RenderSVGShape::updateCachedBoundaries() [0x7f776bb31d80]
	WebCore::RenderSVGShape::layout() [0x7f776bb309ef]
	WebCore::SVGRenderSupport::layoutChildren() [0x7f776ba0fc33]
	WebCore::RenderSVGContainer::layout() [0x7f776bb6b244]
	WebCore::SVGRenderSupport::layoutChildren() [0x7f776ba0fc33]
	WebCore::RenderSVGRoot::layout() [0x7f776ba043ec]
	WebCore::RenderObject::layoutIfNeeded() [0x7f776b57e723]
	WebCore::RenderBlock::layoutInlineChildren() [0x7f776b5e9443]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a77eb]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderBlock::layoutBlockChild() [0x7f776b5aab49]
	WebCore::RenderBlock::layoutBlockChildren() [0x7f776b5aa764]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a7809]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderBlock::layoutBlockChild() [0x7f776b5aab49]
	WebCore::RenderBlock::layoutBlockChildren() [0x7f776b5aa764]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a7809]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderBlock::layoutBlockChild() [0x7f776b5aab49]
	WebCore::RenderBlock::layoutBlockChildren() [0x7f776b5aa764]
	WebCore::RenderBlock::layoutBlock() [0x7f776b5a7809]
	WebCore::RenderBlock::layout() [0x7f776b5a6f0f]
	WebCore::RenderView::layout() [0x7f776b704aa7]
	WebCore::FrameView::layout() [0x7f776b324e84]
	WebCore::Document::implicitClose() [0x7f776a950a42]
	WebCore::FrameLoader::checkCallImplicitClose() [0x7f776b270473]
	WebCore::FrameLoader::checkCompleted() [0x7f776b270213]
	WebCore::FrameLoader::finishedParsing() [0x7f776b26ff5f]
	WebCore::Document::finishedParsing() [0x7f776a95908e]
	WebCore::XMLDocumentParser::end() [0x7f776b399f2d]
	WebCore::XMLDocumentParser::finish() [0x7f776b399f66]
	WebCore::DocumentWriter::end() [0x7f776b264f79]
	WebCore::DocumentLoader::finishedLoading() [0x7f776b255f04]
	WebCore::MainResourceLoader::didFinishLoading() [0x7f776b28cfcf]
	WebCore::ResourceLoader::didFinishLoading() [0x7f776b29fb5b]
	WebCore::ResourceHandleInternal::didFinishLoading() [0x7f776ce06c40]
	webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest() [0x7f776bd710d4]
	ResourceDispatcher::OnRequestComplete() [0x7f776a51b22c]
	DispatchToMethod<>() [0x7f776a51e6f7]
	ResourceMsg_RequestComplete::Dispatch<>() [0x7f776a51dab2]
	ResourceDispatcher::DispatchMessage() [0x7f776a51bc93]
	ResourceDispatcher::OnMessageReceived() [0x7f776a51a8ab]
	ChildThread::OnMessageReceived() [0x7f776a407478]
	IPC::ChannelProxy::Context::OnDispatchMessage() [0x7f7769a4003e]
	base::internal::RunnableAdapter<>::Run() [0x7f7769a43227]
	base::internal::InvokeHelper<>::MakeItSo() [0x7f7769a42ded]
	base::internal::Invoker<>::Run() [0x7f7769a427ac]
	base::Callback<>::Run() [0x7f7768e39f6f]
	MessageLoop::RunTask() [0x7f7769989a08]
	MessageLoop::DeferOrRunPendingTask() [0x7f7769989b1f]
	MessageLoop::DoWork() [0x7f776998a313]
	base::MessagePumpDefault::Run() [0x7f7769991fc0]
	MessageLoop::RunInternal() [0x7f77699896cf]

Trace/breakpoint trap (core dumped)

Comment 8 by epoger@google.com, Apr 24 2012
The assertion failure is happening the very first time that SkDashPathEffect::SkDashPathEffect() is called, in http://code.google.com/p/skia/source/browse/trunk/src/effects/SkDashPathEffect.cpp ...

Method parameters are:
  intervals[] = {837099584, 33450}
  count = 2
  phase = -10
  scaleToFit = false

Then...
- line 48 : phase = -phase
  (gdb) p phase
  $4 = 10
  (gdb) p len
  $5 = 837133056
- line 52 : phase = len - phase
  (gdb) p phase
  $6 = 837133056
  (gdb) p len
  $7 = 837133056
- line 62: we fail the assert (phase < len)

It looks like float precision loss is killing us.

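The precision loss described in comment 8 can be reproduced outside of Chrome with a few lines of arithmetic. The following is an added illustration written for this page; it is not Skia's SkDashPathEffect code and not part of the bug report. It models the phase normalisation sketched in comment 8 as a hypothetical, simplified function (`normalisePhaseNaive`), feeds it the constructed inputs from the gdb session, and shows why `len - 10` comes back equal to `len` in single precision and what the next loop over `intervals[]` would then do. The hardened variant (`normalisePhaseChecked`) re-checks the invariant after the subtraction; that is an assumption of this example, not a claim about what Skia r3761 changed.

```cpp
#include <cmath>
#include <cstdio>

// Constructed inputs, copied from the gdb session in comment 8.
const float kIntervals[] = {837099584.0f, 33450.0f};
const int   kCount       = 2;
const float kPhase       = -10.0f;

// Sum the dash intervals in single precision. Between 2^29 and 2^30 a
// float's spacing (ulp) is 64, so 837099584 + 33450 = 837133034 is not
// representable and rounds up to 837133056, the value gdb printed for len.
float sumIntervals(const float* intervals, int count) {
    float len = 0.0f;
    for (int i = 0; i < count; ++i) {
        len += intervals[i];
    }
    return len;
}

// Hypothetical model of the phase normalisation from comment 8 ("line 48:
// phase = -phase", "line 52: phase = len - phase"). It assumes that after
// folding a negative phase with "len - phase" the result is strictly
// below len, which is what the later SkASSERT(phase < len) requires.
float normalisePhaseNaive(float len, float phase) {
    if (phase < 0.0f) {
        phase = -phase;                          // phase = -phase
        if (phase > len) {
            phase = std::fmod(phase, len);
        }
        phase = len - phase;                     // phase = len - phase
    } else if (phase >= len) {
        phase = std::fmod(phase, len);
    }
    return phase;
}

// Hardened variant (an assumption of this example, not necessarily the
// change made in Skia r3761): re-check the invariant after the subtraction,
// because 837133056 - 10 = 837133046 rounds back to 837133056 when the ulp
// is 64, leaving phase == len.
float normalisePhaseChecked(float len, float phase) {
    phase = normalisePhaseNaive(len, phase);
    if (phase >= len) {
        phase = 0.0f;  // precision loss landed exactly on len; wrap to 0
    }
    return phase;
}

// Walk the intervals to find the one containing phase. Code that trusts
// phase < len would index intervals[i] unconditionally here; returning -1
// marks the point where that index would be intervals[count], i.e. the
// 4-byte read one element past the end that ASan reported.
int findStartInterval(const float* intervals, int count, float phase) {
    for (int i = 0; i < count; ++i) {
        if (phase < intervals[i]) {
            return i;
        }
        phase -= intervals[i];
    }
    return -1;
}

int main() {
    float len     = sumIntervals(kIntervals, kCount);
    float naive   = normalisePhaseNaive(len, kPhase);
    float checked = normalisePhaseChecked(len, kPhase);
    std::printf("len               = %.0f\n", len);
    std::printf("naive phase       = %.0f (phase < len: %s)\n", naive,
                naive < len ? "yes" : "NO");
    std::printf("naive start index = %d\n",
                findStartInterval(kIntervals, kCount, naive));
    std::printf("checked phase     = %.0f\n", checked);
    std::printf("checked start idx = %d\n",
                findStartInterval(kIntervals, kCount, checked));
    return 0;
}
```

Build with any C++ compiler on x86-64 (e.g. `g++ -O0 dash.cpp && ./a.out`); the demonstration relies on `float` arithmetic actually being evaluated in single precision, which is the default with SSE. The general lesson is that an invariant established by floating-point subtraction (`len - phase < len`) does not survive rounding once `len` is large relative to `phase`, so an index derived from it must be re-validated before it is used to address an array.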
Comment 9 by epoger@google.com, Apr 24 2012
Cc: epoger@google.com
Owner: reed@chromium.org
It's easier to debug just Skia code than Chrome, so I have created a Skia unittest that exercises this same code path: https://codereview.appspot.com/6123045/

Assigning over to Mike... Mike, please make that Skia test pass, and then send me the change that fixes it.
Comment 10 by reed@chromium.org, Apr 24 2012
Possible fix in Skia rev. 3761.
Comment 11 by epoger@google.com, Apr 25 2012
Owner: epoger@google.com
Cool, Mike's fix in http://code.google.com/p/skia/source/detail?r=3761 made my new Skia unittest pass.

Assigning to myself to:
1. manually patch http://code.google.com/p/skia/source/detail?r=3761 into my local Chrome build and confirm that it fixes the bug
2. do a Skia DEPS roll to get that fix committed to trunk, so we can test it there
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Pure awesomeness!!!!
Comment 13 by epoger@google.com, Apr 25 2012
Manual patch of http://code.google.com/p/skia/source/detail?r=3761 does indeed fix the assert in my local debug build.

DEPS roll of the fix into chrome-trunk is underway at https://chromiumcodereview.appspot.com/10224003/ ('Roll Skia DEPS to 3761').

Once that lands, I will:
1. check the next ASAN build to make sure that the ASAN error (not the assert!) is indeed resolved
2. let it "bake" in M20
3. merge into M19
4. let it "bake" in M19
5. merge into M18
Project Member Comment 14 by clusterf...@chromium.org, Apr 26 2012
ClusterFuzz has detected this issue as fixed in range 133928:133996.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=39364318

Fuzzer: Inferno_twister

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f32d0cc2b88
Crash State:
  - crash stack -
  SkDashPathEffect::SkDashPathEffect
  WebCore::GraphicsContext::setLineDash
  WebCore::SVGRenderSupport::applyStrokeStyleToContext
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=133928:133996

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Q7EE6yZLPMH9UFZ0oRVxy4JnTr-VV_0NMnGKLosnb0ombmOUiinhMm3I2r85dQBxtb0Y3YYCcOkd1wNeSaZGQ-pdKsv1OcQhANxPHltVxub5Zy5POKiySwBuoRDPfmdPLlU3_FbxOvedIy6EYH2fmud-awA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Comment 15 by epoger@google.com, Apr 26 2012
I'll save myself the trouble of manually checking the latest ASAN build, and instead just believe ClusterFuzz when it says it's fixed.

So, I will wait until Monday for any bugs to pop up from this in M20... barring that, I will merge into M19 Monday morning.
Labels: -Mstone-18 Mstone-19
Great! Assuming we're confident in the stability of the fix, we can get it into M19 stable if we merge it Monday.
Comment 17 by epoger@google.com, Apr 30 2012
Labels: -Merge-Approved Merge-Merged
Merged into M19 as http://code.google.com/p/skia/source/detail?r=3798

Looking at http://chrome-master2.mtv.corp.google.com/official_builds/ , the most recent M18 build is 19.0.1084.39; once a newer binary appears there, I will confirm that the bug was present in .39 but absent in the newest build.
Comment 18 by epoger@google.com, May 4 2012
Status: Verified
Confirmed fixed in 19.0.1084.41.

I downloaded the following two builds from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html and opened fuzz-crbug-124652.svg from comment 4...

asan-linux-beta-19.0.1084.36 : still got the ASAN error
asan-linux-beta-19.0.1084.41 : did not get the ASAN error

Labels: CVE-2011-3100
Project Member Comment 20 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 21 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -SecImpacts-Stable -Mstone-19 -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-19 Performance-Memory-AddressSanitizer
Project Member Comment 22 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 23 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 25 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 26 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 27 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 28 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Project Member Comment 30 by clusterf...@chromium.org, Feb 6 2014
Labels: -Restrict-View-EditIssue
Bulk update: removing view restriction from closed bugs.
Project Member Comment 31 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 32 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 33 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic