
Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Issue 609260: Security: heap-buffer-overflow in SkRegion::RunHead::findScanline

Reported by cloudfuz...@gmail.com, May 4 2016

Issue description

VULNERABILITY DETAILS
The latest 32-bit asan build of filter_fuzz_stub crashes as follows with the attached input:

=================================================================
==30079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf48003b4 at pc 0x082ebb67 bp 0xffa39c38 sp 0xffa39c30
READ of size 4 at 0xf48003b4 thread T0
    #0 0x82ebb66 in SkRegion::RunHead::findScanline(int) const /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkRegionPriv.h:156
    #1 0x82eb93f in SkRegion::contains(int, int) const /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkRegion.cpp:321 (discriminator 1)
    #2 0x88f2ee0 in SkAlphaThresholdFilterImpl::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkAlphaThresholdFilter.cpp:231 (discriminator 2)
    #3 0x823c4d8 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkImageFilter.cpp:212 (discriminator 1)
    #4 0x8208e16 in SkBaseDevice::drawSpriteWithFilter(SkDraw const&, SkBitmap const&, int, int, SkPaint const&) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkDevice.cpp:426 (discriminator 2)
    #5 0x81e959f in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:2370
    #6 0x81e25b6 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkCanvas.cpp:1968
    #7 0x8124580 in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:47
    #8 0x8123751 in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
    #9 0x8123266 in main /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:85
    #10 0xf6c5d73d in __libc_start_main ??:?

0xf48003b4 is located 0 bytes to the right of 20-byte region [0xf48003a0,0xf48003b4)
allocated by thread T0 here:
    #0 0x80f90b3 in __interceptor_malloc ??:?
    #1 0x8b37f5b in sk_malloc_throw(unsigned int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/ext/SkMemory_new_handler.cpp:58
    #2 0x82ea0a8 in SkRegion::RunHead::Alloc(int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkRegionPriv.h:70 (discriminator 1)
    #3 0x82e9ecb in SkRegion::RunHead::Alloc(int, int, int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkRegionPriv.h:83 (discriminator 1)
    #4 0x82e9e4d in SkRegion::allocateRuns(int, int, int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkRegion.cpp:103
    #5 0x82ef3e2 in SkRegion::readFromMemory(void const*, unsigned int) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkRegion.cpp:1140
    #6 0x8355aac in SkValidatingReadBuffer::readRegion(SkRegion*) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkValidatingReadBuffer.cpp:153 (discriminator 2)
    #7 0x88f1cb6 in SkAlphaThresholdFilterImpl::CreateProc(SkReadBuffer&) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/effects/SkAlphaThresholdFilter.cpp:78
    #8 0x8356b68 in SkValidatingReadBuffer::readFlattenable(SkFlattenable::Type) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkValidatingReadBuffer.cpp:275
    #9 0x823231a in SkValidatingDeserializeFlattenable(void const*, unsigned int, SkFlattenable::Type) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../third_party/skia/src/core/SkFlattenableSerialization.cpp:26
    #10 0x81243de in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:31 (discriminator 1)
    #11 0x8123751 in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
    #12 0x8123266 in main /mnt/data/b/build/slave/ASan_Release__32-bit_x86_with_V8-ARM__symbolized_/build/src/out/Release/../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:85
    #13 0xf6c5d73d in __libc_start_main ??:?

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/nils/MonkeyChrome/asan-symbolized-v8-arm-linux-release-391505/filter_fuzz_stub+0x82ebb66)
Shadow bytes around the buggy address:
  0x3e900020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e900030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e900040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e900050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e900060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
=>0x3e900070: fd fd fa fa 00 00[04]fa fa fa fd fd fd fd fa fa
  0x3e900080: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x3e900090: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x3e9000a0: 00 00 fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa
  0x3e9000b0: 00 00 04 fa fa fa 00 00 04 fa fa fa 00 00 04 fa
  0x3e9000c0: fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30079==ABORTING

VERSION
Chrome Version: asan-symbolized-v8-arm-linux-release-391505
Operating System: Linux

REPRODUCTION CASE
Attached as test.fil (108 bytes)

Comment 1 by ClusterFuzz, May 4 2016

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4568082806210560

Comment 2 by ClusterFuzz, May 5 2016

Project Member
Labels: Security_Impact-Stable Stability-Memory-AddressSanitizer
Status: Available (was: Unconfirmed)

Comment 3 by f...@chromium.org, May 6 2016

Components: Internals>Skia
Labels: Security_Severity-Medium

Comment 4 by f...@chromium.org, May 6 2016

Owner: senorblanco@chromium.org
Status: Assigned (was: Available)
senorblanco@, can you please take a look? Could this have been caused by https://chromium.googlesource.com/skia.git/+/c41e7e14f4a0076d277870502168ed870e558dfc?

Comment 5 by f...@chromium.org, May 6 2016

Labels: M-50

Comment 6 by sheriffbot@chromium.org, May 6 2016

Project Member
Labels: Pri-1

Comment 7 by senorblanco@chromium.org, May 6 2016

Cc: robertphillips@chromium.org reed@google.com
If I were a betting man, I'd put money on that not being my change. But the fix looks simple enough, so I'll give it a shot.

Comment 9 by bugdroid1@chromium.org, May 6 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3aac6086196e2dc147a046285caed61c30603a8c

commit 3aac6086196e2dc147a046285caed61c30603a8c
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Fri May 06 16:52:13 2016

Roll src/third_party/skia/ 8ca7da80f..675576f02 (9 commits).

https://chromium.googlesource.com/skia.git/+log/8ca7da80fa32..675576f023c8

$ git log 8ca7da80f..675576f02 --date=short --no-merges --format='%ad %ae %s'
2016-05-06 senorblanco Detect an invalid intervalCount in SkRegion during deserialization.
2016-05-06 halcanary SkAdvancedTypefaceMetrics: fail cleanly.
2016-05-06 halcanary https://groups.google.com/forum/#!topic/skia-discuss/2F2she2nQMg
2016-05-06 robertphillips Revert of Retract GrRenderTarget a bit within SkGpuDevice (patchset #2 id:20001 of https://codereview.chromium.org/1956473002/ )
2016-05-06 halcanary SkAdvancedTypefaceMetrics: improve robustness
2016-05-06 bsalomon Take SkStrokeRec::InitStyle rather than SkPaint::Style in mask filter and DrawMask GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1955633002
2016-05-06 msarett Compile SkForceLinking on CMake
2016-05-06 robertphillips Simplify SkGpuBlurUtils::GaussianBlur method
2016-05-06 robertphillips Revert of Disable layer hoisting for non-8888 canvases (patchset #2 id:20001 of https://codereview.chromium.org/1957433002/ )

BUG=609260,567031,567031

CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
TBR=jvanverth@google.com

Review-Url: https://codereview.chromium.org/1959693002
Cr-Commit-Position: refs/heads/master@{#392077}

[modify] https://crrev.com/3aac6086196e2dc147a046285caed61c30603a8c/DEPS

Comment 10 by ClusterFuzz, May 8 2016

Project Member
ClusterFuzz has detected this issue as fixed in range 392043:392266.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4568082806210560

Uploader: mbarbella@google.com
Job Type: linux_asan_filter_fuzz_stub_32bit
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0xf49001d4
Crash State:
  SkRegion::contains
  SkAlphaThresholdFilterImpl::onFilterImage
  SkImageFilter::filterImage
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=363565:363834
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=392043:392266

Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95TT5EVB4x2fOe489JgHZ5NiaZhOJb62hmTkJ2ja8WxWCAr4MlP20Uo0LfCIg0igQBQT5qTHh9eYHCV49mPiQWUsm8kJKGoBxTuXSHxVWlJqjLa7kI3Sq1nM3d9H0AwLBrt1aoSzge7XhFuAvT8tiHGLcCbkg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by f...@chromium.org, May 9 2016

Status: Fixed (was: Assigned)
thank you for the quick fix!

Comment 12 by ClusterFuzz, May 9 2016

Project Member
Labels: Merge-Triage M-51
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 13 by sheriffbot@chromium.org, May 9 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 14 by timwillis@google.com, May 24 2016

Cc: timwillis@chromium.org
Labels: reward-topanel
Can we land this change to M51 prior to 4pm Pacific today? If not, let's consider it for a patch release.

Comment 15 by timwillis@google.com, May 24 2016

Labels: Merge-Request-51

Comment 16 by timwillis@google.com, May 24 2016

Labels: -Merge-Triage

Comment 17 by tin...@google.com, May 24 2016

Labels: -Merge-Request-51 Merge-Review-51 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Comment 18 by gov...@chromium.org, May 25 2016

Is this applicable to any specific OS or All?

Also, before we approve the merge to M51, could you please confirm whether this change is baked/verified in Canary and safe to merge?

Comment 19 by timwillis@google.com, May 27 2016

Fix has baked since 6 May and was on M52 prior to branch point. This should go with M51.

Krishna - Please approve merge for M51 / 2704.

Comment 20 by gov...@chromium.org, May 27 2016

Labels: -Merge-Review-51 Merge-Approved-51
Approving merge to M51 branch 2704 based on comment #19. Please merge ASAP (merge has to be in by 1:00 PM PST on Tuesday, 05/31 in order to make it into next week's Stable cut). Thank you.

Comment 21 by sheriffbot@chromium.org, May 31 2016

Project Member
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by bugdroid1@chromium.org, May 31 2016

Project Member
Labels: merge-merged-m51
The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/e181e8b6235ec8f5d7f1ba49001a534c64f6974a

commit e181e8b6235ec8f5d7f1ba49001a534c64f6974a
Author: senorblanco <senorblanco@chromium.org>
Date: Tue May 31 14:47:50 2016

Detect an invalid intervalCount in SkRegion during deserialization.

[Cherry-pick from 675576f023c8fa10cdb0c18bc0a6c214e0bab069 to M51 branch.]

TBR=robertphillips@google.com
BUG=609260
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1961463003

Original Review-Url: https://codereview.chromium.org/1961463003
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2027643002

[modify] https://crrev.com/e181e8b6235ec8f5d7f1ba49001a534c64f6974a/src/core/SkRegion.cpp
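The allocation in the trace at the top of this issue is sized by a count taken from the serialized region, and the lookup (`SkRegion::contains` via `findScanline`) then reads four bytes past a 20-byte block; the fix rolled in above, "Detect an invalid intervalCount in SkRegion during deserialization", rejects inconsistent input before anything walks the run data. What follows is an added example, not Skia's code and not the patch from this bug: it defines a hypothetical, simplified run-array encoding (the format, the names `validateRuns`, `parseRegion`, `contains`, and a little-endian host are all assumptions) and shows the pattern of checking a declared interval count against the actual run records at deserialization time, so that a bounds-check-free lookup can safely rely on it. It goes slightly beyond the single count check by rejecting truncated records, a missing terminator and non-ascending bands in the same pass.

```cpp
// Added example, not Skia code: a hypothetical run-array region encoding whose
// deserializer validates the declared interval count against the run records
// before any lookup walks them. Format and names are assumptions.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical wire format (an assumption for this example, not Skia's layout):
//   int32 runCount        number of int32 words following the header
//   int32 intervalCount   total [left,right) intervals declared over all bands
//   int32 runs[runCount]  band records "bottom, n, l1, r1, ..., ln, rn" with
//                         ascending bottoms, terminated by one kSentinel word
constexpr int32_t kSentinel = std::numeric_limits<int32_t>::max();

struct Region {
    int32_t intervalCount = 0;
    std::vector<int32_t> runs;  // allocation sized by a count read from the input
};

// One bounded pass over the records. Rejects a record that does not fit in the
// buffer, a missing sentinel, non-ascending bands, empty intervals, and a
// declared intervalCount that disagrees with what the records actually encode.
static bool validateRuns(const std::vector<int32_t>& runs, int32_t intervalCount) {
    size_t i = 0;
    int64_t seen = 0;
    int32_t prevBottom = std::numeric_limits<int32_t>::min();
    for (;;) {
        if (i >= runs.size()) return false;           // ran off the end, no sentinel
        int32_t bottom = runs[i];
        if (bottom == kSentinel) break;
        if (bottom <= prevBottom) return false;       // bands must ascend
        prevBottom = bottom;
        if (i + 1 >= runs.size()) return false;       // truncated before n
        int32_t n = runs[i + 1];
        if (n <= 0 || static_cast<size_t>(n) > (runs.size() - i - 2) / 2) return false;
        for (int32_t k = 0; k < n; ++k)
            if (runs[i + 2 + 2 * k] >= runs[i + 3 + 2 * k]) return false;  // empty interval
        seen += n;
        i += 2 + 2 * static_cast<size_t>(n);
    }
    // Nothing may trail the sentinel, and the declared count must match the data.
    return i + 1 == runs.size() && seen == intervalCount;
}

static bool readI32(const uint8_t* data, size_t len, size_t* pos, int32_t* out) {
    if (len - *pos < 4) return false;
    std::memcpy(out, data + *pos, 4);  // little-endian host assumed
    *pos += 4;
    return true;
}

// Deserializer: bounds the allocation by what the buffer really carries, then
// refuses to hand out a Region unless validateRuns accepts the encoding.
static bool parseRegion(const uint8_t* data, size_t len, Region* out) {
    size_t pos = 0;
    int32_t runCount = 0, intervalCount = 0;
    if (!readI32(data, len, &pos, &runCount) || !readI32(data, len, &pos, &intervalCount)) return false;
    if (runCount < 0 || intervalCount < 0) return false;
    if (static_cast<size_t>(runCount) > (len - pos) / 4) return false;  // count exceeds payload
    Region region;
    region.intervalCount = intervalCount;
    region.runs.resize(static_cast<size_t>(runCount));
    for (int32_t& w : region.runs) (void)readI32(data, len, &pos, &w);
    if (!validateRuns(region.runs, intervalCount)) return false;
    *out = region;
    return true;
}

// Lookup in the style of a contains/findScanline pair: it carries no bounds
// checks of its own and relies entirely on validateRuns having accepted the
// encoding, which is why the check belongs at deserialization time.
static bool contains(const Region& region, int32_t x, int32_t y) {
    size_t i = 0;
    while (region.runs[i] != kSentinel) {
        int32_t bottom = region.runs[i], n = region.runs[i + 1];
        if (y < bottom) {
            for (int32_t k = 0; k < n; ++k)
                if (x >= region.runs[i + 2 + 2 * k] && x < region.runs[i + 3 + 2 * k]) return true;
            return false;
        }
        i += 2 + 2 * static_cast<size_t>(n);
    }
    return false;
}

// Constructed sample encodings (little-endian int32 words), not real test data.
static std::vector<uint8_t> encode(const std::vector<int32_t>& words) {
    std::vector<uint8_t> out;
    for (int32_t w : words) { uint8_t b[4]; std::memcpy(b, &w, 4); out.insert(out.end(), b, b + 4); }
    return out;
}
// Two bands, three intervals: y<10 -> [0,5),[8,12); y<20 -> [2,3).
static std::vector<uint8_t> sampleValid()          { return encode({11, 3, 10, 2, 0, 5, 8, 12, 20, 1, 2, 3, kSentinel}); }
// A record claiming n=4 with only two pairs behind it and no sentinel: a
// trusting walker would read past the 6-word allocation.
static std::vector<uint8_t> sampleOverlongRecord() { return encode({6, 3, 10, 4, 0, 5, 8, 12}); }
// Well-formed records, but intervalCount=5 disagrees with the 3 encoded.
static std::vector<uint8_t> sampleCountMismatch()  { return encode({11, 5, 10, 2, 0, 5, 8, 12, 20, 1, 2, 3, kSentinel}); }
// Header promises 11 words, buffer carries 2.
static std::vector<uint8_t> sampleTruncated()      { return encode({11, 3, 10, 2}); }

static bool parses(const std::vector<uint8_t>& bytes) {
    Region r;
    return parseRegion(bytes.data(), bytes.size(), &r);
}
static bool sampleContains(const std::vector<uint8_t>& bytes, int32_t x, int32_t y) {
    Region r;
    return parseRegion(bytes.data(), bytes.size(), &r) && contains(r, x, y);
}

int main() {
    std::printf("valid=%d overlong=%d mismatch=%d truncated=%d (9,5)=%d\n",
                parses(sampleValid()), parses(sampleOverlongRecord()), parses(sampleCountMismatch()),
                parses(sampleTruncated()), sampleContains(sampleValid(), 9, 5));
}
```

The design choice worth noting is where the check lives: the lookup stays as lean as the original `findScanline`, and the trust boundary is the deserializer, which rejects rather than clamps or repairs inconsistent input so that every Region reaching the hot path already satisfies the invariants it assumes.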

Comment 23 by senorblanco@chromium.org, May 31 2016

Comment 24 by timwillis@google.com, May 31 2016

Labels: Release-1-M51

Comment 25 by sheriffbot@chromium.org, Jun 3 2016

Project Member
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by senorblanco@chromium.org, Jun 6 2016

Labels: -Merge-Approved-51

Comment 27 by timwillis@google.com, Jun 6 2016

Labels: -reward-topanel CVE-2016-1702 reward-1000 reward-unpaid
$1000 here cloudfuzzer - the panel was unsure how useful this type of info leak would be and whether it could lead to a later write.

I'll punch this into the payment system shortly.

Comment 28 by timwillis@google.com, Jun 8 2016

Labels: -reward-unpaid reward-inprocess

Comment 29 by sheriffbot@chromium.org, Aug 15 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 31 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 33 by metzman@chromium.org, Jan 22 2018

Cc: kjlubick@chromium.org kjlubick@google.com

Comment 34 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
