Issue 445810 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in SkImageFilter::Common::unflatten

Reported by cloudfuz...@gmail.com, Jan 1 2015

Issue description

VULNERABILITY DETAILS
This bug exists in the deserialisation routines for SkImageFilter, which can be triggered in the host process from a renderer through IPC (for example as part of a SwapCompositorFrame message). The filter_fuzz_stub binary can be used to reproduce the crash using the attached testcase (repro.fil).

An integer overflow vulnerability exists in SkAutoSTArray::reset:

fArray = (T*) sk_malloc_throw(count * sizeof(T));

This may result in the allocation of an insufficiently sized buffer. This can, for example, be triggered through SkImageFilter::Common::allocInputs.

ASAN output:

[0101/141438:INFO:filter_fuzz_stub.cc(59)] Test case: submission4/repro.fil
=================================================================
==11105==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf44009f0 at pc 0x081bef06 bp 0xffa7efd8 sp 0xffa7efd0
WRITE of size 4 at 0xf44009f0 thread T0
    #0 0x81bef05 in SkImageFilter::Common::unflatten(SkReadBuffer&, int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkImageFilter.cpp:89
    #1 0x858bdb1 in SkMergeImageFilter::CreateProc(SkReadBuffer&) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkMergeImageFilter.cpp:112
    #2 0x82945ca in SkValidatingReadBuffer::readFlattenable(SkFlattenable::Type) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkValidatingReadBuffer.cpp:247
    #3 0x81b9986 in SkValidatingDeserializeFlattenable(void const*, unsigned int, SkFlattenable::Type) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkFlattenableSerialization.cpp:26
    #4 0x80f173f in RunTestCase /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:30
    #5 0x80f1131 in ReadAndRunTestCase /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:65
    #6 0x80f0cb4 in main /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:81
    #7 0xf6ddfa82 in __libc_start_main ??:?

0xf44009f1 is located 0 bytes to the right of 1-byte region [0xf44009f0,0xf44009f1)
allocated by thread T0 here:
    #0 0x80d1ebb in __interceptor_malloc ??:?
    #1 0x86338ab in sk_malloc_throw(unsigned int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/ext/SkMemory_new_handler.cpp:50
    #2 0x81be9ce in SkAutoSTArray<2, SkImageFilter*>::reset(int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/include/core/SkTemplates.h:295
    #3 0x81be8c9 in SkImageFilter::Common::allocInputs(int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkImageFilter.cpp:67
    #4 0x81bedd2 in SkImageFilter::Common::unflatten(SkReadBuffer&, int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkImageFilter.cpp:86
    #5 0x858bdb1 in SkMergeImageFilter::CreateProc(SkReadBuffer&) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkMergeImageFilter.cpp:112
    #6 0x82945ca in SkValidatingReadBuffer::readFlattenable(SkFlattenable::Type) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkValidatingReadBuffer.cpp:247
    #7 0x81b9986 in SkValidatingDeserializeFlattenable(void const*, unsigned int, SkFlattenable::Type) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkFlattenableSerialization.cpp:26
    #8 0x80f173f in RunTestCase /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:30
    #9 0x80f1131 in ReadAndRunTestCase /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:65
    #10 0x80f0cb4 in main /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:81
    #11 0xf6ddfa82 in __libc_start_main ??:?

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x3e8800e0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x3e8800f0: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa 04 fa
  0x3e880100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e880110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e880120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e880130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x3e880140: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x3e880150: fa fa fd fd fa fa fd fd fa fa 00 05 fa fa 00 04
  0x3e880160: fa fa 00 05 fa fa 00 07 fa fa 04 fa fa fa 00 fa
  0x3e880170: fa fa 04 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x3e880180: fa fa 00 fa fa fa 04 fa fa fa 00 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11105==ABORTING


VERSION
Chrome Version: asan-symbolized-v8-arm-linux-release-309788

REPRODUCTION CASE
Attached as repro.fil. Use 32-bit build of filter_fuzz_stub to reproduce.
 
Attachment: repro.fil (36 bytes)
Cc: mbarbe...@chromium.org senorblanco@chromium.org bsalomon@chromium.org reed@chromium.org
Labels: reward-topanel Cr-Internals-Skia OS-All Pri-1
Owner: sugoi@chromium.org
Status: Assigned
Wow! Super nice knockout CloudFuzzer@. We were missing fuzzing the 32-bit filter fuzz binary. Starting fuzzing now, but you probably did it nicely already :)

Sugoi@, I enabled your fuzzer on the newly created 32-bit job type linux_asan_filter_fuzz_stub_32bit.

Comment 2 by ClusterFuzz, Jan 1 2015

ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6335076752162816

Comment 3 by ClusterFuzz, Jan 1 2015

Summary: Heap-buffer-overflow in SkImageFilter::Common::unflatten (was: Security: heap-buffer-overflow in SkImageFilter::Common::unflatten)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6335076752162816

Uploader: aarya@google.com
Job Type: Linux_asan_filter_fuzz_stub_32bit

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0xf5102ab0
Crash State:
  SkImageFilter::Common::unflatten
  SkMergeImageFilter::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=284373:284382

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95KINenjNPobXXfEikF-sNF4oKNGf9i2HNTwrCuP7pEf6Bebdi_8jox2j2daNyMiK4ynuB55A5fAA8cITUjPg-LtI5jQIQyoifAPpDv5ehwek4V9-SPhzi-6X1tWgB8HjNLETTQ4hekyPlYm8Ea6ELl37poxw



Comment 4 by ClusterFuzz, Jan 1 2015

Labels: Security_Impact-Stable Stability-Memory-AddressSanitizer

Comment 5 by ClusterFuzz, Jan 2 2015

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5411215487533056

Fuzzer: Sugoi_filter_fuzzer
Job Type: Linux_asan_filter_fuzz_stub_32bit

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0xf5000e38
Crash State:
  SkImageFilter::Common::~Common
  SkMergeImageFilter::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=284373:284382

Minimized Testcase (0.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XG_7T1yTvJ6697FpckdIwwMtB013Lu0PJUQTC3m2eocZC-qtazgMIGaOAkMxeoNtTOADMQ4zXByfuACXZPxZFcFYYE5ZQooeGFKCo-m7TrQr4Ep5O0-2szna903kQj2od4-gMLlNOjEr10_TPQKZbLeKHTA

Filer: inferno

Comment 6 by f...@chromium.org, Jan 4 2015

Labels: Security_Severity-High M-39
Labels: -M-39 M-40
No more M39 patches, moving to M40.

Comment 8 by sugoi@chromium.org, Jan 7 2015

This is running out of memory trying to allocate over a billion inputs at src/core/SkImageFilter.cpp:86

Comment 9 by reed@chromium.org, Jan 7 2015

Hmmm. Running out of memory is fine (safe crash). I wonder if we just didn't allocate as much as we thought.

Could we have overflowed the computation of size here?

void SkImageFilter::Common::allocInputs(int count) {
    const size_t size = count * sizeof(SkImageFilter*);
    fInputs.reset(count);
    sk_bzero(fInputs.get(), size);
}

If size somehow was too small, then the reset() call could succeed, but not be big enough for all of count...
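The wrap-around the reporter describes in SkAutoSTArray::reset and that reed@ suspects in the allocInputs snippet above, as an added example written by the editor (not Skia's code, not the reporter's, and not the fix that landed in the linked CL). It evaluates count * sizeof(SkImageFilter*) the way a 32-bit size_t does: the int count is converted to unsigned and the product is reduced modulo 2^32. The page does not state the exact count in repro.fil, only "over a billion" (comment 8), so 1 << 30 is an illustrative value chosen because its 4-byte product is exactly 2^32 and wraps to a zero-byte request, after which the loop that stores count pointers writes past the tiny allocation. The checked_alloc_size32 and count_fits_buffer helpers, and the 4-bytes-per-input threshold, are hypothetical hardening, not Skia's API.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* sizeof(SkImageFilter*) on the 32-bit x86 build the report reproduces on. */
#define PTR_SIZE_32 4u

/* Model of the unchecked product from SkAutoSTArray::reset, evaluated the
 * way a 32-bit size_t evaluates it: `count` (int) is converted to unsigned
 * and the product is reduced modulo 2^32, so a large count yields a small,
 * or even zero, byte size while the caller still believes it has room for
 * `count` pointers. */
uint32_t unchecked_alloc_size32(int32_t count) {
    return (uint32_t)count * PTR_SIZE_32;
}

/* Hypothetical hardened replacement (editor's code, not the Skia fix):
 * reject negative counts and any product that does not fit in a 32-bit
 * size_t. Returns true and stores the byte size only when count * elem
 * is representable. */
bool checked_alloc_size32(int32_t count, uint32_t elem, uint32_t *out) {
    if (count < 0 || elem == 0) {
        return false;
    }
    if ((uint32_t)count > UINT32_MAX / elem) {
        return false; /* count * elem would wrap */
    }
    *out = (uint32_t)count * elem;
    return true;
}

/* Second, independent check a deserializer wants: a count that multiplies
 * cleanly can still be absurd for the stream it came from. Every serialized
 * input occupies at least min_bytes_per_input bytes, so bound the count by
 * the bytes still unread. (Constructed heuristic; the threshold is an
 * assumption, not a value from Skia's serialization format.) */
bool count_fits_buffer(int32_t count, size_t bytes_remaining,
                       size_t min_bytes_per_input) {
    if (count < 0 || min_bytes_per_input == 0) {
        return false;
    }
    return (size_t)count <= bytes_remaining / min_bytes_per_input;
}

int main(void) {
    /* Illustrative attacker count: the report only says "over a billion";
     * 1 << 30 is the count whose 4-byte product is exactly 2^32. */
    const int32_t hostile = 1 << 30;
    const int32_t benign = 2;
    const size_t testcase_bytes = 36; /* size of repro.fil per the report */
    uint32_t sz = 0;

    printf("count=%" PRId32 " unchecked size=%" PRIu32 " bytes\n",
           hostile, unchecked_alloc_size32(hostile)); /* wraps to 0 */
    printf("count=%" PRId32 " unchecked size=%" PRIu32 " bytes\n",
           benign, unchecked_alloc_size32(benign));

    printf("checked(hostile) -> %s\n",
           checked_alloc_size32(hostile, PTR_SIZE_32, &sz) ? "ok" : "rejected");
    printf("checked(benign)  -> %s, %" PRIu32 " bytes\n",
           checked_alloc_size32(benign, PTR_SIZE_32, &sz) ? "ok" : "rejected",
           sz);

    printf("fits_buffer(hostile, %zu bytes) -> %s\n", testcase_bytes,
           count_fits_buffer(hostile, testcase_bytes, 4) ? "yes" : "no");
    printf("fits_buffer(benign, %zu bytes)  -> %s\n", testcase_bytes,
           count_fits_buffer(benign, testcase_bytes, 4) ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the same product does not wrap, since an int count times 4 or 8 always fits in a 64-bit size_t; that is why the crash only shows up with the 32-bit filter_fuzz_stub the report asks for, and why the range check has to be done in the width of the target's size_t rather than reasoned about on the developer's 64-bit machine.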
Yes, that's what's happening, just sent out a cl for review:
https://codereview.chromium.org/831583004/
Status: Fixed
cl has landed, marking as fixed.

Comment 12 by ClusterFuzz, Jan 7 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-39 M-41 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

Comment 13 by ClusterFuzz, Jan 8 2015

ClusterFuzz has detected this issue as fixed in range 310277:310430.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6335076752162816

Uploader: aarya@google.com
Job Type: Linux_asan_filter_fuzz_stub_32bit

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0xf5102ab0
Crash State:
  SkImageFilter::Common::unflatten
  SkMergeImageFilter::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=284373:284382
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=310277:310430

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95KINenjNPobXXfEikF-sNF4oKNGf9i2HNTwrCuP7pEf6Bebdi_8jox2j2daNyMiK4ynuB55A5fAA8cITUjPg-LtI5jQIQyoifAPpDv5ehwek4V9-SPhzi-6X1tWgB8HjNLETTQ4hekyPlYm8Ea6ELl37poxw

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.


Comment 14 by ClusterFuzz, Jan 8 2015

ClusterFuzz has detected this issue as fixed in range 310277:310430.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5411215487533056

Fuzzer: Sugoi_filter_fuzzer
Job Type: Linux_asan_filter_fuzz_stub_32bit

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0xf5000e38
Crash State:
  SkImageFilter::Common::~Common
  SkMergeImageFilter::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=284373:284382
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=310277:310430

Minimized Testcase (0.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XG_7T1yTvJ6697FpckdIwwMtB013Lu0PJUQTC3m2eocZC-qtazgMIGaOAkMxeoNtTOADMQ4zXByfuACXZPxZFcFYYE5ZQooeGFKCo-m7TrQr4Ep5O0-2szna903kQj2od4-gMLlNOjEr10_TPQKZbLeKHTA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Labels: -Merge-Triage -M-39 -M-41 Merge-Requested
Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] No bugdroid (commit) comments found, couldn't auto-approve, needs manual review.

Comment 17 by dxie@chromium.org, Jan 30 2015

Labels: -Merge-Review Merge-Approved
Cc: timwillis@chromium.org
Labels: M-41
Did this end up on M40? If not, can someone confirm that this is *definitely* in M41?

Comment 19 by sugoi@chromium.org, Feb 23 2015

It was not in m40. It is already in M41.

Comment 20 by aarya@google.com, Feb 23 2015

Labels: -Merge-Approved -Hotlist-Merge-Review Release-0-M41
Labels: -reward-topanel reward-5000 reward-unpaid CVE-2015-1214
Congratulations - $5000 for this report.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!

Comment 24 by ClusterFuzz, Apr 15 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 25 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Cc: kjlubick@chromium.org kjlubick@google.com
Labels: CVE_description-submitted
