
Issue metadata

Status: Fixed
Owner:
Email to this user bounced
Closed: Jun 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Issue 492263: UNKNOWN in SkSweepGradient::SweepGradientContext::shadeSpan

Reported by cloudfuz...@gmail.com, May 26 2015

Issue description

VULNERABILITY DETAILS
The attached testcase crashes the 64-bit build of filter_fuzz_stub as follows:

=================================================================
==31860==ERROR: AddressSanitizer: SEGV on unknown address 0x62120001b900 (pc 0x000000a7c290 bp 0x7fff0dda1970 sp 0x7fff0dda18c0 T0)
    #0 0xa7c28f in SkSweepGradient::SweepGradientContext::shadeSpan(int, int, unsigned int*, int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/gradients/SkSweepGradient.cpp:128
    #1 0x83edab in SkARGB32_Shader_Blitter::blitRect(int, int, int, int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkBlitter_ARGB32.cpp:448
    #2 0x63d341 in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkScan.cpp:43
    #3 0x63daf5 in SkScan::FillRect(SkRect const&, SkRegion const*, SkBlitter*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkScan.cpp:61
    #4 0x63e230 in SkScan::FillRect(SkRect const&, SkRasterClip const&, SkBlitter*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkScan.cpp:103
    #5 0x57a583 in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkDraw.cpp:875
    #6 0x7f06d9 in SkBitmapDevice::drawRect(SkDraw const&, SkRect const&, SkPaint const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkBitmapDevice.cpp:189
    #7 0x550a4f in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1856
    #8 0xa4e13b in SkRectShaderImageFilter::onFilterImage(SkImageFilter::Proxy*, SkBitmap const&, SkImageFilter::Context const&, SkBitmap*, SkIPoint*) const /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkRectShaderImageFilter.cpp:74
    #9 0x5964a9 in SkImageFilter::filterImage(SkImageFilter::Proxy*, SkBitmap const&, SkImageFilter::Context const&, SkBitmap*, SkIPoint*) const /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkImageFilter.cpp:189
    #10 0x546929 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, bool) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1233
    #11 0x5430ab in SkCanvas::internalRestore() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1098
    #12 0x548fc8 in AutoDrawLooper::~AutoDrawLooper() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:402
    #13 0x547740 in SkCanvas::internalDrawBitmap(SkBitmap const&, SkMatrix const&, SkPaint const*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1208
    #14 0x55441e in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:2039
    #15 0x54a3d5 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1753
    #16 0x4c9806 in RunTestCase /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:47
    #17 0x4c8bb9 in ReadAndRunTestCase /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
    #18 0x4c8713 in main /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:85
    #19 0x7fc16c658ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/nils/MonkeyChrome/asan-symbolized-linux-release-331246/filter_fuzz_stub+0xa7c28f)
==31860==ABORTING

VERSION
Chrome Version: asan-symbolized-linux-release-331246
Operating System: Linux

REPRODUCTION CASE
Attached as repro.fil
 

Comment 1 by cloudfuz...@gmail.com, May 26 2015

Testcase: repro.fil (164 bytes)

Comment 2 by ClusterFuzz, May 26 2015

Project Member
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5749760426770432

Comment 3 by ClusterFuzz, May 26 2015

Project Member
Summary: UNKNOWN in SkSweepGradient::SweepGradientContext::shadeSpan (was: Security: SEGV on unknown address in SkSweepGradient::SweepGradientContext::shadeSpan)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5749760426770432

Uploader: mbarbella@google.com
Job Type: Linux_asan_filter_fuzz_stub

Crash Type: UNKNOWN
Crash Address: 0x62120001b900
Crash State:
  SkSweepGradient::SweepGradientContext::shadeSpan
  SkARGB32_Shader_Blitter::blitRect
  SkScan::FillIRect
  

Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95R8HcrLewy9GFSj-FsBtPppyEvSP1TIy9O2SzYrF1ELNhuQPKtkjH8mNziL1TDi2kynW7Sq5jUuZtuFSC_sbDNDNAD2NYc3BFxXSqWRFW0ZQaptn2n9i6iVmO1ceLq11BzVnmsqJEKj5z1HFbAY3B8czF6Zw

Comment 4 by ClusterFuzz, May 26 2015

Project Member
Labels: Security_Impact-Stable Stability-Memory-AddressSanitizer
Status: Available

Comment 5 by nparker@chromium.org, May 29 2015

Cc: reed@chromium.org mbarbe...@chromium.org sugoi@chromium.org robertphillips@chromium.org
Labels: Security_Severity-High
Owner: reed@chromium.org
Status: Assigned
reed@ -- Can you take a look, or find someone who can?  Thanks.

mbarbella@ -- What's the best approach when clusterfuzz says "AddressSanitizer can not provide additional info?"  The report seems vague.

cc'ing those with related CLs.

Comment 6 by mbarbe...@chromium.org, May 29 2015

It means that the access didn't land at an address that ASan is tracking (and the report is from ASan itself). Probably an OOB access that's so far off that it didn't land in a redzone.

You can try running with larger redzones (ASAN_OPTIONS=redzone=XXXX), but in general there's not a good way to squeeze extra information out of ASan in the case of a wild read or write.

Comment 7 by ClusterFuzz, May 30 2015

Project Member
Labels: M-43 Pri-1

Comment 8 by nparker@chromium.org, Jun 1 2015

Labels: Cr-Internals-Skia

Comment 9 by ClusterFuzz, Jun 13 2015

Project Member
Labels: Nag
reed@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 10 by bugdroid1@chromium.org, Jun 19 2015

Project Member
The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/20eee3f047f56b7715b311313b2998daaaf08a96

commit 20eee3f047f56b7715b311313b2998daaaf08a96
Author: robertphillips <robertphillips@google.com>
Date: Fri Jun 19 12:14:26 2015

Added check for ill-conditioned invert

sk_inv_determinant has a guard that the determinant can't get too big so this CL only checks if the determinant gets too small.

BUG= 492263 

Review URL: https://codereview.chromium.org/1188433011

[modify] http://crrev.com/20eee3f047f56b7715b311313b2998daaaf08a96/include/core/SkMatrix.h
[modify] http://crrev.com/20eee3f047f56b7715b311313b2998daaaf08a96/src/core/SkMatrix.cpp
[modify] http://crrev.com/20eee3f047f56b7715b311313b2998daaaf08a96/tests/MatrixTest.cpp
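
The guard the commit message describes, as an added illustration written for this page rather than Skia's own SkMatrix code: a 2x3 affine inverse that refuses ill-conditioned inputs instead of emitting huge or non-finite coefficients. The `Affine` layout, the `kMinDeterminant` threshold and the function names are assumptions, not Skia's values.

```cpp
#include <cmath>

// Hypothetical 2x3 affine matrix stored as {a, b, c, d, tx, ty}, mapping
// (x, y) to (a*x + b*y + tx, c*x + d*y + ty). Example code, not Skia's SkMatrix.
struct Affine {
    double v[6];
};

// "Too small" threshold: an assumption for this example, not Skia's constant.
static const double kMinDeterminant = 1e-12;

static double determinant(const Affine& m) {
    return m.v[0] * m.v[3] - m.v[1] * m.v[2];
}

// Unchecked inverse: divides by the determinant whatever its size. For a
// nearly singular input the coefficients become huge or non-finite, and a
// caller that turns mapped coordinates into lookup indices ends up far
// outside any buffer (the "wild" access ASan could not attribute above).
void invertNaive(const Affine& m, Affine* out) {
    double inv = 1.0 / determinant(m);
    double a = m.v[3] * inv, b = -m.v[1] * inv;
    double c = -m.v[2] * inv, d = m.v[0] * inv;
    out->v[0] = a; out->v[1] = b; out->v[2] = c; out->v[3] = d;
    out->v[4] = -(a * m.v[4] + b * m.v[5]);
    out->v[5] = -(c * m.v[4] + d * m.v[5]);
}

// Checked inverse in the spirit of the fix: refuse when the determinant is too
// small (ill-conditioned) and verify every coefficient of the result is finite.
bool invertChecked(const Affine& m, Affine* out) {
    double det = determinant(m);
    if (!std::isfinite(det) || std::fabs(det) < kMinDeterminant) {
        return false;  // caller must treat the shader as undrawable, not index with garbage
    }
    Affine r;
    invertNaive(m, &r);
    for (double coef : r.v) {
        if (!std::isfinite(coef)) return false;
    }
    *out = r;
    return true;
}

// Maps a device x,y through the matrix; with an unchecked inverse of a
// degenerate matrix this is where the out-of-range coordinates originate.
double mapX(const Affine& m, double x, double y) {
    return m.v[0] * x + m.v[1] * y + m.v[4];
}
```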

Comment 11 by infe...@chromium.org, Jun 21 2015

Status: Fixed

Comment 12 by ClusterFuzz, Jun 21 2015

Project Member
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify M-44 M-45
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

Comment 13 by ClusterFuzz, Jun 22 2015

Project Member
ClusterFuzz has detected this issue as fixed in range 335153:335500.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5749760426770432

Uploader: mbarbella@google.com
Job Type: Linux_asan_filter_fuzz_stub

Crash Type: UNKNOWN
Crash Address: 0x62120001b900
Crash State:
  SkSweepGradient::SweepGradientContext::shadeSpan
  SkARGB32_Shader_Blitter::blitRect
  SkScan::FillIRect
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=335153:335500

Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95R8HcrLewy9GFSj-FsBtPppyEvSP1TIy9O2SzYrF1ELNhuQPKtkjH8mNziL1TDi2kynW7Sq5jUuZtuFSC_sbDNDNAD2NYc3BFxXSqWRFW0ZQaptn2n9i6iVmO1ceLq11BzVnmsqJEKj5z1HFbAY3B8czF6Zw

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 14 by timwillis@google.com, Jul 8 2015

Cc: timwillis@chromium.org
Labels: -Nag -Merge-Triage Merge-Request-44
This doesn't look like it's in the M44 skia branch, so requesting a merge to M44 just to make sure it is.

Merge-Request to M44 (branch 2403).

Comment 15 by pennymac@google.com, Jul 8 2015

Labels: -Merge-Request-44 Merge-Review-44 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M44, manual review required.

Comment 16 by robertphillips@chromium.org, Jul 8 2015

The CL in question (https://codereview.chromium.org/1188433011 Added check for ill-conditioned invert) should be pretty safe to cherry pick.

Comment 17 by pennymac@google.com, Jul 10 2015

Labels: -Merge-Review-44 -Hotlist-Merge-Review Merge-Approved-44
Approved for merge to m44 (2403) skia branch.  Please get the merge done before end of business PST Monday.

Comment 18 by bugdroid1@chromium.org, Jul 13 2015

Project Member
Labels: merge-merged-m44
The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/1c7bee66e0c3fd4fdbe021f34364786e18f94d6d

commit 1c7bee66e0c3fd4fdbe021f34364786e18f94d6d
Author: Robert Phillips <robertphillips@google.com>
Date: Mon Jul 13 21:23:33 2015

M44 cherry pick of: Added check for ill-conditioned invert

sk_inv_determinant has a guard that the determinant can't get too big so this CL only checks if the determinant gets too small.

BUG= 492263 

Review URL: https://codereview.chromium.org/1188433011
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true
TBR=bsalomon@google.com, reed@google.com

Review URL: https://codereview.chromium.org/1235863005 .

[modify] http://crrev.com/1c7bee66e0c3fd4fdbe021f34364786e18f94d6d/include/core/SkMatrix.h
[modify] http://crrev.com/1c7bee66e0c3fd4fdbe021f34364786e18f94d6d/src/core/SkMatrix.cpp
[modify] http://crrev.com/1c7bee66e0c3fd4fdbe021f34364786e18f94d6d/tests/MatrixTest.cpp

Comment 19 by mbarbe...@chromium.org, Jul 16 2015

Labels: reward-topanel

Comment 20 by laforge@google.com, Aug 28 2015

Labels: -Merge-Approved-44
Clearing approvals older than 60 days

Comment 21 by timwillis@google.com, Aug 31 2015

Labels: -M-43 Release-0-M45
Making sure that this is captured in the M45 release notes, even though it landed and shipped earlier.

Comment 22 by timwillis@google.com, Aug 31 2015

Labels: -reward-topanel reward-5000 reward-unpaid CVE-2015-1294
Congrats - $5000 for this report! You should receive the payment in 2-3 weeks from today.

Comment 23 by timwillis@google.com, Sep 4 2015

Labels: -reward-unpaid reward-inprocess

Comment 24 by timwillis@google.com, Sep 10 2015

Labels: -reward-inprocess
Processing via our e-payment system takes ~7 days, but the reward should be on its way to you. Thanks again for your help!

Comment 25 by ClusterFuzz, Sep 27 2015

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 29 by metzman@chromium.org, Jan 22 2018

Cc: kjlubick@chromium.org kjlubick@google.com

Comment 30 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
