
Issue metadata

Status: Fixed
Owner:
Closed: Sep 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in void SkMatrixConvolutionImageFilter::filterPixels<ClampPixelFetcher, false>

Reported by attek...@gmail.com, Sep 26 2014

Issue description



Tested on:

OS: Ubuntu 12.04

Chromium: 39.0.2170.0 (Developer Build)
Revision: 6128c200e138d3d7c52aae5e01d0af36a48b1706-refs/heads/master@{#296715}


The repro-file is inside tar.gz package because Chrome crashes every time I try to attach the file. Also Ubuntu nautilus will crash with a null-pointer crash if you try to access the folder where the file is. 

ASAN-report:

==6564==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000093af0 at pc 0x7fb8ead1e16d bp 0x7fb8aecfb530 sp 0x7fb8aecfb528
READ of size 4 at 0x602000093af0 thread T7 (CompositorRaste)
    #0 0x7fb8ead1e16c in void SkMatrixConvolutionImageFilter::filterPixels<ClampPixelFetcher, false>(SkBitmap const&, SkBitmap*, SkIRect const&, SkIRect const&) const /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkMatrixConvolutionImageFilter.cpp:197
    #1 0x7fb8ead1a1e4 in SkMatrixConvolutionImageFilter::onFilterImage(SkImageFilter::Proxy*, SkBitmap const&, SkImageFilter::Context const&, SkBitmap*, SkIPoint*) const /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkMatrixConvolutionImageFilter.cpp:328
    #2 0x7fb8ea9b8720 in SkImageFilter::filterImage(SkImageFilter::Proxy*, SkBitmap const&, SkImageFilter::Context const&, SkBitmap*, SkIPoint*) const /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkImageFilter.cpp:186
    #3 0x7fb8eace0e6e in SkColorFilterImageFilter::onFilterImage(SkImageFilter::Proxy*, SkBitmap const&, SkImageFilter::Context const&, SkBitmap*, SkIPoint*) const /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkColorFilterImageFilter.cpp:114
    #4 0x7fb8ea9b8720 in SkImageFilter::filterImage(SkImageFilter::Proxy*, SkBitmap const&, SkImageFilter::Context const&, SkBitmap*, SkIPoint*) const /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkImageFilter.cpp:186
    #5 0x7fb8ea9866a5 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1227
    #6 0x7fb8ea982fdb in SkCanvas::internalRestore() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1009
    #7 0x7fb8ea985f27 in SkCanvas::restore() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:979
.
.
.
0x602000093af1 is located 0 bytes to the right of 1-byte region [0x602000093af0,0x602000093af1)
allocated by thread T0 (chrome) here:
    #0 0x7fb8e8b10c6b in operator new[](unsigned long) ??:0
    #1 0x7fb8ead181ad in SkMatrixConvolutionImageFilter::SkMatrixConvolutionImageFilter(SkTSize<int> const&, float const*, float, float, SkIPoint const&, SkMatrixConvolutionImageFilter::TileMode, bool, SkImageFilter*, SkImageFilter::CropRect const*, unsigned int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkMatrixConvolutionImageFilter.cpp:39
    #2 0x7fb8ead192ac in SkMatrixConvolutionImageFilter::Create(SkTSize<int> const&, float const*, float, float, SkIPoint const&, SkMatrixConvolutionImageFilter::TileMode, bool, SkImageFilter*, SkImageFilter::CropRect const*, unsigned int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/include/effects/SkMatrixConvolutionImageFilter.h:65
    #3 0x7fb8f3bc4498 in blink::FEConvolveMatrix::createImageFilter(blink::SkiaImageFilterBuilder*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/filters/FEConvolveMatrix.cpp:534
    #4 0x7fb8ebd3037e in blink::FilterEffect::createImageFilterWithoutValidation(blink::SkiaImageFilterBuilder*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/filters/FilterEffect.cpp:548
    #5 0x7fb8ebd057c9 in blink::SkiaImageFilterBuilder::build(blink::FilterEffect*, blink::ColorSpace, bool) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/filters/SkiaImageFilterBuilder.cpp:71
.
.
.


 
repro-file.tar.gz
16.0 KB Download
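The ASAN report above shows a 4-byte read at offset 0 of a 1-byte heap region that was allocated in the filter's constructor and then indexed by the filter loop. As an added illustration (not Skia's code or the fix it landed), the block below assumes the overrun buffer is the convolution kernel and shows a factory that validates kernel dimensions and tap count before anything is allocated, so the clamp-fetch filter loop cannot read past the buffer; ConvolveKernel, ConvolvePixel and kMaxDim are hypothetical names.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Added illustration, not Skia's code or its fix: a convolution kernel whose
// factory validates the dimensions before any buffer exists. The weights
// buffer is exactly width*height entries, which is what the filter loop
// below indexes, so the loop cannot run past the allocation.
struct ConvolveKernel {
    static constexpr int kMaxDim = 1024;  // hypothetical cap; also keeps w*h from overflowing
    int width = 0;
    int height = 0;
    std::vector<float> weights;  // width * height taps, row-major

    // Returns nullptr for any kernel that would leave the loop reading past
    // the buffer: empty or oversized dimensions, or too few taps supplied.
    static std::unique_ptr<ConvolveKernel> Create(int w, int h,
                                                  const float* taps, std::size_t tapCount) {
        if (w < 1 || h < 1 || w > kMaxDim || h > kMaxDim) return nullptr;
        const std::size_t needed = static_cast<std::size_t>(w) * static_cast<std::size_t>(h);
        if (taps == nullptr || tapCount != needed) return nullptr;
        std::unique_ptr<ConvolveKernel> k(new ConvolveKernel);
        k->width = w;
        k->height = h;
        k->weights.assign(taps, taps + needed);
        return k;
    }
};

// Clamp-fetch convolution of one pixel of a grayscale image: the same loop
// shape as filterPixels<ClampPixelFetcher> in the ASAN stack, one 4-byte
// weight read per kernel tap. Out-of-image samples are clamped to the edge.
float ConvolvePixel(const std::vector<float>& img, int imgW, int imgH,
                    int x, int y, const ConvolveKernel& k) {
    float sum = 0.0f;
    for (int ky = 0; ky < k.height; ++ky) {
        for (int kx = 0; kx < k.width; ++kx) {
            const int sx = std::min(std::max(x + kx - k.width / 2, 0), imgW - 1);
            const int sy = std::min(std::max(y + ky - k.height / 2, 0), imgH - 1);
            // ky * width + kx < width * height == weights.size() by construction
            sum += img[static_cast<std::size_t>(sy) * imgW + sx] * k.weights[ky * k.width + kx];
        }
    }
    return sum;
}
```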
Labels: Cr-Internals-Skia
Owner: reed@chromium.org
Status: Assigned

Comment 2 by ClusterFuzz, Sep 26 2014

ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6708652560875520

Comment 3 by attek...@gmail.com, Sep 26 2014

Btw, if this is figured to be a Skia issue in Chrome, I want to report this separately to whoever is responsible for Ubuntu nautilus.

Comment 4 by ClusterFuzz, Sep 26 2014

Summary: Heap-buffer-overflow in void SkMatrixConvolutionImageFilter::filterPixels<ClampPixelFetcher, false> (was: Heap-buffer-overflow in SkMatrixConvolutionImageFilter::filterPixels)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6708652560875520

Uploader: rsesek@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60900018bb70
Crash State:
  void SkMatrixConvolutionImageFilter::filterPixels<ClampPixelFetcher, false>
  SkMatrixConvolutionImageFilter::onFilterImage
  SkImageFilter::filterImage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=291444:291576

Minimized Testcase (0.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94V9L2OH6IIfonVTVA2rG_KAlDtRnN5UijJF-sRoBcEOFvEjcGF1yb_TCA2q7Frk7ML3DAQl_EyzyvJsuRz21KQCYxsXRBIQrziAlJWgpgyt8Pf5JrhaTuFeWPIXl25e8gSja_7K4tAC6lCglAUu9AWO0OiCg


Comment 5 by rsesek@chromium.org, Sep 26 2014

Labels: M-39 ReleaseBlock-Stable Pri-1 Security_Severity-High Security_Impact-Head Stability-Memory-AddressSanitizer

Comment 6 by rsesek@chromium.org, Sep 26 2014

attekett: This issue does appear limited to Skia. Unless Nautilus also uses Skia internally, it would appear to be a separate bug for that product.

Comment 7 by reed@chromium.org, Sep 26 2014

Cc: reed@google.com
Owner: senorblanco@chromium.org
Status: Started

Comment 9 by attek...@gmail.com, Sep 26 2014

Let me know when I can report this to guys from Ubuntu. I hate it when my whole file manager crashes for a file. :)

Comment 10 by ClusterFuzz, Sep 26 2014

Labels: ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz
Labels: reward-topanel
Stephen, does this impact Stable? If yes, change Security_Impact-Head to Security_Impact-Stable.

Comment 13 by ClusterFuzz, Sep 29 2014

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -Security_Impact-Beta Security_Impact-Stable
inferno: Yes, it does affect Stable (m37).
Labels: -ReleaseBlock-Beta OS-Linux
We need all beta blockers closed by Friday at the latest.  Mike, will that be viable?
Status: Fixed
The fix landed in Skia at https://chromium.googlesource.com/skia/+/3a49520696b2eca69e57884657d23fd2402ccfd1 and rolled into Chrome at r297189. I was just waiting on some bake time before requesting merge.

Comment 17 by amin...@google.com, Sep 30 2014

Labels: Merge-TBD
Is there a merge required here?

Comment 18 by ClusterFuzz, Sep 30 2014

Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 19 by ClusterFuzz, Sep 30 2014

ClusterFuzz has detected this issue as fixed in range 296715:297214.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6708652560875520

Uploader: rsesek@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60900018bb70
Crash State:
  void SkMatrixConvolutionImageFilter::filterPixels<ClampPixelFetcher, false>
  SkMatrixConvolutionImageFilter::onFilterImage
  SkImageFilter::filterImage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=291444:291576
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=296715:297214

Minimized Testcase (0.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94V9L2OH6IIfonVTVA2rG_KAlDtRnN5UijJF-sRoBcEOFvEjcGF1yb_TCA2q7Frk7ML3DAQl_EyzyvJsuRz21KQCYxsXRBIQrziAlJWgpgyt8Pf5JrhaTuFeWPIXl25e8gSja_7K4tAC6lCglAUu9AWO0OiCg

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Labels: -Merge-Triage Merge-Requested
Requesting merge to M38.
Labels: -Merge-TBD
Labels: -Merge-Requested Merge-Approved
Approved for 38.
Labels: -Merge-Approved Merge-Merged
Landed on Skia's chrome/m38_2125 branch as https://skia.googlesource.com/skia/+/f14866df6ca3ecce221916fa0c061af49385a863.
Labels: -Merge-Merged -M-38 Merge-Requested
Requesting merge to M39.
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171
Labels: -Merge-Approved Merge-Merged
Merge to Skia's chrome/m39 branch as https://skia.googlesource.com/skia/+/aafcb54f27d30c63602a0a0232f0b9fc8b310d19.
Labels: Release-0-M39
Cc: pdr@chromium.org
Labels: -reward-topanel reward-unpaid reward-2000 CVE-2014-7904
Thanks for the report! This one qualified for a $2000 reward.
attekett,
Was this reported to Ubuntu? I see it crashes nautilus in Fedora as well.

Comment 31 by attek...@gmail.com, Nov 20 2014
Not this one yet. I have tried to report a bundle of security bugs from librsvg to the gnome3 bugzilla. Those reports have been inactive for almost two months. If they don't even respond to security bugs, I would guess reporting null-pointers would be useless. :(
I can chase upstream if you want, let me know if there is an upstream bug. My gnome bz address is huzaifas@redhat.com
Labels: -reward-unpaid reward-inprogress
Payment in progress
Labels: -reward-inprogress reward-inprocess

Comment 35 by ClusterFuzz, Jan 6 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 36 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 37 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted