Use-of-uninitialized-value in sse41::blit_row_s32a_opaque
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5418725849432064
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=410031:410187
Minimized Testcase (0.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Z7_gF2RTYIVSggEM9-A_gSegAkVaOTIRLn7Hq8Q-ua62AgjQfDPB4dGOsEJqtwB47UC-U7Sk4-KYiddSEtDcKqR3uE8yw6QxTOihCBa8LP1L55InnVYX5svNsDlH2iA2wvakghwi6tK8gKlFZ9VMK6CiPtQ?testcase_id=5418725849432064
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 15 2016
Sep 15 2016
Sep 15 2016
Hello Mike, Robert, could you please help find an appropriate owner for this security ticket? I'm not sure who knows the most about this area of the Skia stack. It's also not immediately obvious looking at the regression range given in this report. Thank you very much!
Sep 16 2016
Sep 28 2016
Friendly ping, this is a stable blocker for M54; please try to have a fix in by the first week of October so it can be patched.
Sep 29 2016
reed: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 10 2016
Oct 11 2016
Friendly ping from Security Sheriff: could you please take a look and re-assign if needed?
Oct 11 2016
Oct 11 2016
Per #8 moving to M55, sheriffbot will always add RBS if Security_Impact-Beta exists for medium/high severity issues.
Oct 13 2016
reed: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 26 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Oct 31 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Nov 7 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you! Also, due to the Thanksgiving holidays in the US, please make sure all fixes are ready and merged to M55 by 5:00 PM PT Friday, 11/18/16 at the latest.
Nov 7 2016
Nov 14 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you! Also, due to the Thanksgiving holidays in the US, please make sure the fix is ready and merged to M55 by 5:00 PM PT Friday, 11/18/16 at the latest (the sooner the better).
Nov 14 2016
I think reed & robertphillips have looked. I can't find anything obvious or changes in this area in the right time frame to have introduced it... +mtklein as well
Nov 14 2016
This function operates conditionally based on the values of its inputs, specifically the alpha values of the source pixels. It operates correctly for all 256 values of those alphas.
Sometimes Chrome calls us with uninitialized data, and this happens to be the first place that uninitialized data is branched on. This is harmless, but boy, doesn't it sound like a bug in Chrome that they're passing Skia uninitialized data?
We got tired of being blamed for and assigned this sort of bug, so I added an MSAN hook to assert that all inputs are initialized. You can see this at the top of the stack:
#0 0x7f666b85b9c8 in sk_msan_assert_initialized third_party/skia/src/core/SkMSAN.h:24:9
#1 0x7f666b85b9c8 in sse41::blit_row_s32a_opaque(unsigned int*, unsigned int const*, int, unsigned int) third_party/skia/src/opts/SkBlitRow_opts.h:43
When sk_msan_assert_initialized fails it shows up as #0 on the stack. When it fails it means a precondition for using Skia has not been met. We would really like Chrome to initialize all its pixels, if only so people stop filing this sort of bug on us. This is not a Skia bug and nobody on the Skia team can fix it.
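The mechanism the comment above describes, as an added example that is not Skia's or Chromium's code: a scalar stand-in for blit_row_s32a_opaque that composites a premultiplied source row over an opaque destination, branches on the source alpha (the first point at which a poisoned byte would steer control flow), and first runs an MSAN precondition check modelled on sk_msan_assert_initialized. The 0xAARRGGBB pixel layout, the `_ref` function names, the `composite_row` wrapper and the sample rows are this example's own assumptions, not Skia's; the only sanitizer call used is `__msan_check_mem_is_initialized` from `sanitizer/msan_interface.h`, which is compiled in only under a MemorySanitizer build.

```cpp
// Added example (not Skia's code): a scalar stand-in for blit_row_s32a_opaque
// with the kind of MSAN precondition hook the comment above describes. Pixel
// layout, the _ref names, composite_row and the sample rows are this
// example's own assumptions.
#include <cstddef>
#include <cstdint>
#include <vector>

#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    include <sanitizer/msan_interface.h>
#    define EXAMPLE_MSAN 1
#  endif
#endif

// Premultiplied pixel packed as 0xAARRGGBB (this example's layout; Skia's
// SkPMColor byte order is build-dependent).
using PMColor = uint32_t;

static inline uint32_t alpha_of(PMColor c) { return c >> 24; }

// Precondition hook: under MemorySanitizer, report right here if any byte of
// [begin, end) is poisoned; in every other build it compiles to nothing.
static inline void msan_assert_initialized_ref(const void* begin, const void* end) {
#if defined(EXAMPLE_MSAN)
    __msan_check_mem_is_initialized(
        begin, static_cast<const char*>(end) - static_cast<const char*>(begin));
#else
    (void)begin;
    (void)end;
#endif
}

// Multiply all four 8-bit channels of c by scale (0..256), truncating, without
// letting one channel's product carry into its neighbour.
static inline PMColor scale_channels(PMColor c, uint32_t scale) {
    uint32_t rb = ((c & 0x00FF00FFu) * scale) >> 8;
    uint32_t ag = (((c >> 8) & 0x00FF00FFu) * scale) & 0xFF00FF00u;
    return (rb & 0x00FF00FFu) | ag;
}

// Porter-Duff src-over of one premultiplied row onto an opaque destination.
// The branch on the source alpha is the first place a poisoned src byte would
// influence control flow, so without the hook above MSAN would report here,
// deep inside the blitter, instead of at the precondition.
static void blit_row_s32a_opaque_ref(PMColor* dst, const PMColor* src, int len) {
    msan_assert_initialized_ref(src, src + len);   // caller must have filled src
    for (int i = 0; i < len; ++i) {
        uint32_t a = alpha_of(src[i]);
        if (a == 255) {
            dst[i] = src[i];                                  // opaque: plain copy
        } else if (a != 0) {
            // src + dst * (256 - a) / 256; channels cannot overflow for
            // premultiplied src because each src channel is <= a.
            dst[i] = src[i] + scale_channels(dst[i], 256 - a);
        }
        // a == 0: transparent source, destination untouched
    }
}

// Convenience wrapper (this example's own): returns the composited row.
std::vector<PMColor> composite_row(std::vector<PMColor> dst, const std::vector<PMColor>& src) {
    blit_row_s32a_opaque_ref(dst.data(), src.data(), static_cast<int>(src.size()));
    return dst;
}

int main() {
    // Constructed rows. Every element of src is written before it reaches the
    // blitter, which is the precondition the Skia comment asks callers to meet.
    // Replacing src with `new PMColor[3]` and never writing the elements is the
    // bug pattern: under an MSAN build the hook fires with
    // msan_assert_initialized_ref at frame #0 and the blitter at #1, the same
    // shape as the stack quoted above.
    std::vector<PMColor> src = {0xFF102030u, 0x00000000u, 0x80400000u};
    std::vector<PMColor> dst = {0xFFFFFFFFu, 0xFF112233u, 0xFF0000FFu};
    std::vector<PMColor> out = composite_row(dst, src);
    return out[0] == 0xFF102030u ? 0 : 1;
}
```

Under a plain build the hook is a no-op and the row is composited normally; under `-fsanitize=memory` the check runs before any pixel is read, so a report from this path always points at the caller that handed over an unwritten buffer rather than at the alpha branch, which is exactly the attribution the Skia comment is after.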
Feb 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 23 2017
ClusterFuzz has detected this issue as fixed in range 451968:452017.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5418725849432064
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=410031:410187
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=451968:452017
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96Z7_gF2RTYIVSggEM9-A_gSegAkVaOTIRLn7Hq8Q-ua62AgjQfDPB4dGOsEJqtwB47UC-U7Sk4-KYiddSEtDcKqR3uE8yw6QxTOihCBa8LP1L55InnVYX5svNsDlH2iA2wvakghwi6tK8gKlFZ9VMK6CiPtQ?testcase_id=5418725849432064
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 23 2017
Issue 695536 has been merged into this issue.
Comment 1 by sheriffbot@chromium.org, Sep 15 2016