+jam - can you take a look please? Tentatively putting this under the MUS component

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

M53 is branching this week and will be promoted to Beta in July.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.

M53 is branched today (2785) and will be promoted to Beta this month.Your bug is labelled as Beta ReleaseBlock, pls make sure to land and merge the fix to M53 branch 2785 by 5:00 PM PST on Friday 07/22 (sooner the better so it gets chance to bake in M53 dev releases it self). Thank you.

jam: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

M53 beta launch is coming soon.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.

M53 beta launch is next week.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.

Not sure why I got assigned? The blamelist doesn't show any cls from me.

I assigned you as someone who might know more about base::Pickle - feel free to bounce it to someone more appropriate.

CCing the OWNERS of base/ at this point, because if this bug isn't addressed the release will be blocked.

I don't think this is a Pickle problem. It's the IPC message that has uninit data.

Guessing https://codereview.chromium.org/2002303002/ might be related. Removing folks not involved.

It could also be due to Skia. Adding some Skia folks FYI.

->sugoi to triage, for SkImageFilter serialization.

I'm afraid sheriffbot's label changes were a hiccup - this is still a blocker for Friday's M53. 

Assigning to someone still in the skia team.

Yes this is an SkImageFilter with uninitialized data in it being written to IPC.

Notes from investigation:

This test case contains an SVG root element with a "filter" attribute pointing to an filter containing an feImage. For security reasons, this filter should not be sent over IPC, since feImage may contain arbitrary SVG commands resulting in arbitrary SkPicture contents, which is not security-hardened. The browser process should be ignoring anything it receives in that form. It might be that it's writing uninit data, which is copied (making MSAN complain) but then ignored by the browser process, but that's just a guess.

The Skia changes in that range look innocuous.

My guess is that this test started failing due to https://chromium.googlesource.com/chromium/src/+/7a0f0e2eb0abdd68fb377d5b789682acfe10757d, which aliased "-webkit-filter" and "filter", and changed filters on SVG root elements to take the HTML filter path (the former "-webkit-filter", not the SVG filter path.

It would be helpful if we could re-run ClusterFuzz with "filter" in the test replaced with "-webkit-filter", in order to bisect if there was an actual regression here, or if the problem was pre-existing.

This bug has been reported by M53 Beta blocker. Please try to resolve this by  5:00 PM PDT Monday (07/25) for M53 Beta release next week. 

It looks like the uninit data is actually in SkPath. Skia fix up for review at https://codereview.chromium.org/2173853003.

Note: I don't think this is actually much of a security risk, since we ignore all SkPictures inside SkPictureImageFilter when deserializing on the browser side. Even if we didn't, these particular member variables are ignored by SkPath when fIsOval and fIsRRect are false. MSan is only noticing because the IPC code explicitly checks that all bytes are initialized (MSAN_CHECK_MEM_IS_INITIALIZED in Pickle::WriteBytesCommon).

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/9c1d45d986f3c58593fde0fd62ab22e056dd3881

commit 9c1d45d986f3c58593fde0fd62ab22e056dd3881
Author: senorblanco <senorblanco@chromium.org>
Date: Fri Jul 22 20:51:42 2016

Always init SkPathRef variables.

BUG= 623195 
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2173853003

Review-Url: https://codereview.chromium.org/2173853003

[modify] https://crrev.com/9c1d45d986f3c58593fde0fd62ab22e056dd3881/include/core/SkPathRef.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/db52a181cf4d1417afea908ebe69605157b3f9d4

commit db52a181cf4d1417afea908ebe69605157b3f9d4
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Fri Jul 22 23:30:22 2016

Roll src/third_party/skia/ a1ce21639..0e72e9ee3 (5 commits).

https://chromium.googlesource.com/skia.git/+log/a1ce2163906e..0e72e9ee3b02

$ git log a1ce21639..0e72e9ee3 --date=short --no-merges --format='%ad %ae %s'
2016-07-22 egdaniel Remove asserts on scissor size in Vulkan
2016-07-22 mtklein Have SkRasterPipelineBlitter take over for 565 when it can.
2016-07-22 msarett Convert XYZ values from PNGs to D50
2016-07-22 herb In the current code, tiling and bilerp sampling are strongly tied together. They can be separated by taking advantage of observation that translating a sample point into filter points in the bilerp stage the filter points will be at most 0.5 outside the tile. This allows simplified repositioning for the various tiling modes; clamp and mirror use min and max while repeat has max -> 0 and 0-> max. This allows bilerp to simply treat the filter points that fall off the tile. This allows tiling and bilerp sampling to be totally separate.
2016-07-22 senorblanco Always init SkPathRef variables.

BUG= 623195 

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_blink_rel
TBR=jcgregorio@google.com

Review-Url: https://codereview.chromium.org/2176873002
Cr-Commit-Position: refs/heads/master@{#407297}

[modify] https://crrev.com/db52a181cf4d1417afea908ebe69605157b3f9d4/DEPS

ClusterFuzz has detected this issue as fixed in range 407290:407311.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5386836021346304

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  base::Pickle::WriteData
  IPC::ParamTraits<sk_sp<SkImageFilter> >::Write
  IPC::ParamTraits<cc::FilterOperation>::Write
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=400746:400775
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=407290:407311

Minimized Testcase (2.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97P7TEht7D2J8FwoOpm5itnI5Wigia5rfAToVG_IPvjm_D41vqHd5uziSP8bRwr-3ck5DCI2R5rEznPshZVKf1dkgPXGBjgCwZ1MIbilpB4KbSJjmT-XWPrXzcGyWuDjl344s24jb_W_0CRs66syzaKvOYpmA?testcase_id=5386836021346304

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

+ awhalley@, seems to be baked in canary and verified by clusterfuzz. Can we take this in for M53?

Yep, good for M53.

Approving merge to M53 branch 2785. Please merge latest by tomorrow, Friday 5:00 PM PT so we can take this change in for next week Beta release. Thank you.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/e1382cec1ca908d78d713aa25c06565987ce8e0d

commit e1382cec1ca908d78d713aa25c06565987ce8e0d
Author: senorblanco <senorblanco@chromium.org>
Date: Thu Aug 11 19:23:08 2016

Always init SkPathRef variables.

[Cherry-pick of 9c1d45d986f3c58593fde0fd62ab22e056dd3881 to m53 branch.]

BUG= 623195 
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true
TBR=bsalomon@google.com

Review-Url: https://codereview.chromium.org/2235363002

[modify] https://crrev.com/e1382cec1ca908d78d713aa25c06565987ce8e0d/include/core/SkPathRef.h

Per comment #44, this is already merged to M53. Please remove "Merge-Approved-53" label if nothing is pending for M53. Thank you.

Sorry, the panel did not consider this bug to be exploitable.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot