Issue 688987 Security: Heap Buffer OverFlow Vulnerability in Skia
Starred by 3 users. Reported by kushal89...@gmail.com, Feb 6
Status: Fixed
Owner:
Closed: Feb 18
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
VULNERABILITY DETAILS

Heap Buffer Overflow Vulnerability triggered in Skia. 

Analysis was done on a Linux system; only the reporting was done on a Windows system.

The PoC has been tested on several of the latest Chrome Linux "asan" builds as of Feb 6, 2:28 AM PST.

Build links are given in Step 1 of the "Reproduction Case" section.

VERSION
Chrome Version: Latest Linux "asan" release builds.

Operating System: Ubuntu

REPRODUCTION CASE

1. Download a chrome "asan" build from one of the following:
   https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release-v8-arm%2Fasan-v8-arm-linux-release-448209.zip?generation=1486369017083714&alt=media
   OR
   https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-beta-57.0.2987.21.zip?generation=1486245228572145&alt=media
   OR
   https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-release-448206.zip?generation=1486365824856220&alt=media

2. Unzip the downloaded "asan" builds.

3. Change directory to filter_fuzz_stub location.

4. Run the filter_fuzz_stub binary against the PoC.fil testcase file.

5. Check the crash details in the terminal window.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Binary crashes due to trigger of Heap Buffer Overflow Vulnerability.

See ASAN output below:

==29217==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4000354 at pc 0x085b1674 bp 0xffa33b18 sp 0xffa33b10
READ of size 4 at 0xf4000354 thread T0
    #0 0x85b1673 in findScanline third_party/skia/src/core/SkRegionPriv.h:156:26
    #1 0x85b1673 in SkRegion::contains(int, int) const third_party/skia/src/core/SkRegion.cpp:322
    #2 0x900c4af in SkAlphaThresholdFilterImpl::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkAlphaThresholdFilter.cpp:237:25
    #3 0x843266b in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:216:40
    #4 0x8c42fed in SkBitmapDevice::drawSpecial(SkDraw const&, SkSpecialImage*, int, int, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:401:49
    #5 0x822af27 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2420:27
    #6 0x8218c36 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1933:11
    #7 0x813b499 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:46:13
    #8 0x813b499 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:65
    #9 0x813b499 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:84
    #10 0xf69307ad in __libc_start_main /build/glibc-xt1eTb/glibc-2.21/csu/libc-start.c:289

0xf4000354 is located 0 bytes to the right of 20-byte region [0xf4000340,0xf4000354)
allocated by thread T0 here:
    #0 0x810eff6 in __interceptor_malloc (/home/h4ck3r/Desktop/linux-release-v8-arm-asan-v8-arm-linux-release/asan-v8-arm-linux-release-448209/filter_fuzz_stub+0x810eff6)
    #1 0x81bd28c in sk_malloc_throw(unsigned int) skia/ext/SkMemory_new_handler.cpp:64:66
    #2 0x85b9c4f in Alloc third_party/skia/src/core/SkRegionPriv.h:70:35
    #3 0x85b9c4f in Alloc third_party/skia/src/core/SkRegionPriv.h:83
    #4 0x85b9c4f in allocateRuns third_party/skia/src/core/SkRegion.cpp:103
    #5 0x85b9c4f in SkRegion::readFromMemory(void const*, unsigned int) third_party/skia/src/core/SkRegion.cpp:1142
    #6 0x864acd5 in SkValidatingReadBuffer::readRegion(SkRegion*) third_party/skia/src/core/SkValidatingReadBuffer.cpp:167:24
    #7 0x9009057 in SkAlphaThresholdFilterImpl::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkAlphaThresholdFilter.cpp:82:12
    #8 0x864d0a8 in SkValidatingReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkValidatingReadBuffer.cpp:289:11
    #9 0x8428b47 in SkValidatingDeserializeFlattenable third_party/skia/src/core/SkFlattenableSerialization.cpp:26:19
    #10 0x8428b47 in SkValidatingDeserializeImageFilter(void const*, unsigned int) third_party/skia/src/core/SkFlattenableSerialization.cpp:30
    #11 0x813b154 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:31:38
    #12 0x813b154 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:65
    #13 0x813b154 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:84
    #14 0xf69307ad in __libc_start_main /build/glibc-xt1eTb/glibc-2.21/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/skia/src/core/SkRegionPriv.h:156:26 in findScanline
Shadow bytes around the buggy address:
  0x3e800010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e800020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e800030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e800040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e800050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e800060: fa fa fd fd fd fd fa fa 00 00[04]fa fa fa fd fd
  0x3e800070: fd fd fa fa 00 00 00 07 fa fa 00 00 00 00 fa fa
  0x3e800080: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x3e800090: fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa 00 00
  0x3e8000a0: 04 fa fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa
  0x3e8000b0: 00 00 04 fa fa fa 00 00 04 fa fa fa 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29217==ABORTING

 
Attachment: PoC.fil (136 bytes)
Just checked after filing the report that a new "asan" build (#448219) was released a few minutes back.

I would like to confirm that the issue still exists in the latest build.

Thanks & Regards,
~ Kushal.
Cc: reed@google.com
Components: Internals>Skia
Labels: Security_Severity-High Security_Impact-Beta OS-Chrome
Cc: mbarbe...@chromium.org
mbarbella@, how to add skia poc to cluster-fuzz?
Upload the test case using the linux_asan_filter_fuzz_stub job type.
Project Member Comment 5 by sheriffbot@chromium.org, Feb 7
Labels: M-57
Project Member Comment 6 by sheriffbot@chromium.org, Feb 7
Labels: ReleaseBlock-Stable
Project Member Comment 7 by sheriffbot@chromium.org, Feb 7
Labels: Pri-1
Project Member Comment 8 by clusterf...@chromium.org, Feb 7
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5539042797289472
Owner: reed@chromium.org
Status: Assigned
reed@, could you help triage this issue? Thanks!
Project Member Comment 10 by clusterf...@chromium.org, Feb 7
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5539042797289472

Job Type: linux_asan_filter_fuzz_stub
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60a000000954
Crash State:
  SkRegion::contains
  SkAlphaThresholdFilterImpl::onFilterImage
  SkImageFilter::filterImage
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=363565:363834

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94uzYDuNtyaABK7OzWcOC7krQvI5a_i5YGvjvTF69oNRRPAE7A4eE8YUanO06NXgYYf38wF277n6WMb9Ebwki3ELcd-iFE5XSwcbLGmdHDJM4iHV-pxiPI_5BSgMLnL94BKXzyyWWSyDO3M5rVebXKeaYOc1LPL1Itr1W00KZKcitwWgI78nS-nL_0aK80_fLWWixXSHAA7jTqg8nr_HeXuPAyrsy8I_zMVgzodvMSvG-vZPip4vZrbwFLkUBvZBwqkc5m75tdQ-h1s2Al3Ar4YQojZubwqLrtwKiB_S2OUBTg5KOz63wrmZDwvKsUqvyPxjSJSWVwS4nGVa5ECEtHHsZKiHrknle_HI7w1NDJDif1MqclEXGdkk0MHig_8zFmIzVZNwie9kbJx6lCCpgaQY0QSlw?testcase_id=5539042797289472


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.

Cc: senorblanco@chromium.org
+cc senorblanco@, possibly caused by https://chromium.googlesource.com/skia.git/+/c41e7e14f4a0076d277870502168ed870e558dfc?
Hello xzhou@chromium.org, reed@chromium.org, jialiul@chromium.org, @mbarbella, Google Security Team, 

Good Morning.

I was thinking of how I could help in fixing this vulnerability quickly and I came across a similar previously fixed issue in  crbug.com/609260 .

I could be wrong, but I think the fix applied at that time (almost 9 months back) might have been incomplete, which led to the current vulnerability. No offense meant to the person/team who fixed the issue then.

Hope this small bit of information helps in the current triage phase.

Thanks & Regards,
~ Kushal Shah.
Cc: halcanary@chromium.org
I suspect the SkRegion flattening code has always had this vulnerability, and that it was exposed by https://chromium.googlesource.com/skia.git/+/0745653a677f405bb683b7f7a71b56a7e0dc7921.

Note that this vulnerability is unlikely to be web-exposed, since SkAlphaThresholdFilter is not web-exposed (AFAIK). It's only seen in filter_fuzz_stub since it fuzzes all image filters, not just the ones which are web-exposed.
@senorblanco,

Good Afternoon.

AFAIK SkAlphaThresholdFilter is a Skia effect filter under the parent SkImageFilter that creates an image filter on a region (SkRegion) of a drawing, and it could be used for web purposes as well, for a given input image/drawing, similar to other Skia ImageFilter effects.

Could you provide any reference/documentation that explicitly states that "SkAlphaThresholdFilter is not web-exposed"?


Thanks & Regards,
~ Kushal Shah.
No reply on c#14.

Nevertheless, the vulnerability still exists and is similar to the previously fixed crbug.com/609260, and once again needs a permanent fix.

Thanks & Regards,
~ Kushal Shah.
Labels: -ReleaseBlock-Stable
Removing ReleaseBlock-Stable per comment #13. Please re-apply if SkAlphaThresholdFilter does turn out to be web-exposed.
Project Member Comment 17 by sheriffbot@chromium.org, Feb 14
Labels: ReleaseBlock-Stable
Labels: -Security_Severity-High Security_Severity-Critical
Going to keep the re-applied ReleaseBlock-Stable for now (thanks sheriffbot!). We're going to assume that anything found via filter_fuzz_stub is web accessible, but I've started a thread to confirm if this is the case or not. 
Project Member Comment 19 by sheriffbot@chromium.org, Feb 15
Labels: -Pri-1 Pri-0
Cc: -reed@google.com
Owner: reed@google.com
Any confirmation on the web exposure in Chrome? And Pri-0?? The code here has not changed in years; it seems this is something that has been in existence.

Mike & Hal pls help investigate.
Cc: halcanary@google.com
Cc: kjlubick@chromium.org
+Kevin FYI as we'd like to investigate fuzzing regions in Skia
Labels: -Pri-0 -Security_Severity-Critical -OS-Chrome Security_Severity-High OS-All Pri-1
We weren't assuming that these are web accessible, but rather accessible from a compromised renderer. Reducing severity/priority to be in line with how we usually treat sandbox escapes. It would still be good to get some insight from skia devs more familiar with this, in case that's not correct.
A friendly reminder that the M57 Stable launch is coming VERY soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Labels: Merge-Request-57
Status: Started
As soon as the next skia-chromium deps roll lands, you can verify that 251bf3e089 fixes the asan error and we can cherry-pick this to chrome/m57: https://review.skia.org/8694 .
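To make the failure mode concrete, here is an added example written for this page; it is not Skia's code and not the fix referenced above. It models a constructed run-length region encoding that only mirrors the shape of the crash in the ASAN report: findScanline read 4 bytes at offset 20 of a 20-byte runs allocation made during SkRegion::readFromMemory, i.e. one int32 past the end of the array. The block shows the two defences this thread converges on: structural validation of the run array at deserialization time, so that the later scanline walk in Contains() cannot step outside the buffer (the "deserialization more robust" direction halcanary@ describes), and a libFuzzer entry point of the kind kjlubick@ was asked to look into for regions. The encoding, the names (kSentinel, ValidateRuns, Region, QueryPayload, the payload helpers) and host byte order are all assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <utility>
#include <vector>

// Constructed run-length region encoding for this example. It is NOT Skia's
// SkRegion wire format; it only mirrors the shape of the reported bug: a scanline
// search that walks an int32 array and trusts it to be well-formed.
//   words = [ top, bottom_0, n_0, l,r (n_0 pairs), bottom_1, n_1, l,r (n_1 pairs), ..., kSentinel ]
// Row k covers y in [bottom_{k-1}, bottom_k) (bottom_{-1} = top) and x in each [l, r).
constexpr int32_t kSentinel = 0x7FFFFFFF;

// Structural validation, done once at deserialization time. Each check closes a way
// an unchecked scanline walk could step outside the buffer: a missing terminator, a
// row count claiming more interval words than exist, or a negative count.
bool ValidateRuns(const std::vector<int32_t>& runs) {
    if (runs.size() < 2 || runs.back() != kSentinel) return false;
    int32_t prev_bottom = runs[0];                       // top of the region
    if (prev_bottom == kSentinel) return false;
    size_t i = 1;
    while (runs[i] != kSentinel) {
        if (i + 2 >= runs.size()) return false;          // need bottom, count, sentinel
        const int32_t bottom = runs[i];
        const int32_t n = runs[i + 1];
        if (bottom <= prev_bottom) return false;         // rows must move downwards
        // The 2*n interval words must fit before the final sentinel.
        if (n < 0 || static_cast<size_t>(n) > (runs.size() - i - 3) / 2) return false;
        int32_t prev_right = INT32_MIN;
        for (int32_t k = 0; k < n; ++k) {
            const int32_t l = runs[i + 2 + 2 * k], r = runs[i + 3 + 2 * k];
            if (l < prev_right || l >= r) return false;  // sorted, non-empty, non-overlapping
            prev_right = r;
        }
        prev_bottom = bottom;
        i += 2 + 2 * static_cast<size_t>(n);
    }
    return i == runs.size() - 1;   // sentinel must be the last word: no trailing data
}

class Region {
public:
    // Parse an untrusted buffer (host byte order is an assumption of this example).
    // Returns false and leaves *out untouched unless the payload passes ValidateRuns().
    static bool Deserialize(const uint8_t* data, size_t len, Region* out) {
        if (len < 2 * sizeof(int32_t) || len % sizeof(int32_t) != 0) return false;
        std::vector<int32_t> runs(len / sizeof(int32_t));
        std::memcpy(runs.data(), data, len);
        if (!ValidateRuns(runs)) return false;
        out->runs_ = std::move(runs);
        return true;
    }

    // Point-in-region test. The walk has the same shape as the one that crashed in
    // the report; it is safe only because ValidateRuns() guaranteed that every index
    // it touches is inside runs_ and that it stops at kSentinel.
    bool Contains(int32_t x, int32_t y) const {
        if (runs_.empty() || y < runs_[0]) return false;
        size_t i = 1;
        while (runs_[i] != kSentinel) {
            const int32_t bottom = runs_[i];
            const int32_t n = runs_[i + 1];
            if (y < bottom) {
                for (int32_t k = 0; k < n; ++k)
                    if (x >= runs_[i + 2 + 2 * k] && x < runs_[i + 3 + 2 * k]) return true;
                return false;
            }
            i += 2 + 2 * static_cast<size_t>(n);
        }
        return false;   // below the last row
    }

private:
    std::vector<int32_t> runs_;
};

// Constructed payloads. The first has the shape of the crash in the report: five int32
// words (20 bytes) and no terminator, so a walk looking for a row below y = 10 would
// read word index 5, i.e. 0 bytes past the end of a 20-byte block.
std::vector<int32_t> TruncatedPayload()  { return {0, 10, 1, 2, 8}; }
std::vector<int32_t> LyingCountPayload() { return {0, 10, 2, 2, 8, kSentinel}; }  // claims 2 intervals, has 1
std::vector<int32_t> WellFormedPayload() { return {0, 10, 1, 2, 8, 20, 2, 0, 3, 5, 9, kSentinel}; }  // [0,10)x[2,8); [10,20)x([0,3)u[5,9))

// Serialize words to bytes and parse them back: -1 if rejected, else Contains(x, y).
int QueryPayload(const std::vector<int32_t>& words, int32_t x, int32_t y) {
    std::vector<uint8_t> bytes(words.size() * sizeof(int32_t));
    std::memcpy(bytes.data(), words.data(), bytes.size());
    Region r;
    if (!Region::Deserialize(bytes.data(), bytes.size(), &r)) return -1;
    return r.Contains(x, y) ? 1 : 0;
}

// libFuzzer entry point (libFuzzer's signature; building with -fsanitize=fuzzer,address
// is assumed). An ASan report here would mean ValidateRuns() missed a case.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    Region r;
    if (Region::Deserialize(data, size, &r))
        for (int32_t y = -1; y <= 32; ++y) r.Contains(y, y);
    return 0;
}
```

Built with `clang++ -std=c++11 -fsanitize=fuzzer,address`, the file is a complete fuzz target (libFuzzer supplies main); for a plain build, add a main that calls QueryPayload. The truncated payload is the instructive case: the validator rejects it at parse time, whereas a walk that trusted the data would perform exactly the 4-byte read past a 20-byte block that AddressSanitizer reported.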
Project Member Comment 28 by sheriffbot@chromium.org, Feb 18
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 29 by bugdroid1@chromium.org, Feb 18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d86925891e54a45759226daaa919c6fd50c0e715

commit d86925891e54a45759226daaa919c6fd50c0e715
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Sat Feb 18 17:11:35 2017

Roll src/third_party/skia/ 7fc4a2d2f..f71828f7e (3 commits).

https://skia.googlesource.com/skia.git/+log/7fc4a2d2f0eb..f71828f7e4f4

$ git log 7fc4a2d2f..f71828f7e --date=short --no-merges --format='%ad %ae %s'
2017-02-18 reed all DM to include from src/xml
2017-02-16 halcanary SkRegion deserialization more robust
2017-02-17 mtklein SkJumper: aarch64 and armv7

Created with:
  roll-dep src/third_party/skia
BUG= 688987 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=bungeman@google.com

Review-Url: https://codereview.chromium.org/2704883002
Cr-Commit-Position: refs/heads/master@{#451469}

[modify] https://crrev.com/d86925891e54a45759226daaa919c6fd50c0e715/DEPS

Project Member Comment 30 by clusterf...@chromium.org, Feb 19
Project Member Comment 31 by sheriffbot@chromium.org, Feb 19
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 32 by sheriffbot@chromium.org, Feb 19
Labels: -Merge-Request-57 Hotlist-Merge-Review Merge-Review-57
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Note that we're only after the "SkRegion deserialization more robust" change, if this can be cherry-picked into an M57 branch, rather than a full DEPS roll.
awhalley@, https://review.skia.org/8694 is a cherry-pick to Skia's chrome/m57 branch.
Labels: -ReleaseBlock-Stable reward-topanel
halcanary@ - ah yes - sorry! Thanks!
Project Member Comment 37 by bugdroid1@chromium.org, Feb 21
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7b0df7db9fdc7ca5f972059cf0236f4886b4c884

commit 7b0df7db9fdc7ca5f972059cf0236f4886b4c884
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Tue Feb 21 00:36:16 2017

Roll src/third_party/skia/ a3091099f..edee1ae9e (2 commits).

https://skia.googlesource.com/skia.git/+log/a3091099fa19..edee1ae9e3b8

$ git log a3091099f..edee1ae9e --date=short --no-merges --format='%ad %ae %s'
2017-02-20 kjlubick Write SkRegion fuzzer
2017-02-19 robertphillips Remove asTextureRef from SkSpecialImage & update effects accordingly (take 2)

Created with:
  roll-dep src/third_party/skia
BUG= 688987 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=bsalomon@google.com

Review-Url: https://codereview.chromium.org/2703253004
Cr-Commit-Position: refs/heads/master@{#451676}

[modify] https://crrev.com/7b0df7db9fdc7ca5f972059cf0236f4886b4c884/DEPS

Cc: awhalley@chromium.org
+awhalley@ for M57 merge review.
This is already in M57 per #34 - the commit in 37 is adding a fuzzer (wooo! More fuzzers! Thanks kjlubick@)
Labels: -Hotlist-Merge-Review -Merge-Review-57
awhalley@, that CL has not landed, since I'm waiting on merge approval.
Labels: Merge-Request-57
Project Member Comment 43 by sheriffbot@chromium.org, Feb 25
Labels: -Merge-Request-57 Hotlist-Merge-Review Merge-Review-57
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
awhalley@, is this change good to take it in for M57?
govind@ - yep!
Labels: -Merge-Review-57 Merge-Approved-57
OK, approving merge to M57 branch 2987 based on comment #44 and #45. Please merge before 5:00 PM PT, Monday (02/27) so we can take it for next week beta release. Thank you.
Per comment #47, this is already merged to M57. If nothing is pending for M57, please remove "Merge-Approved-57" label. Thank you.
Labels: -Merge-Approved-57
Removing "Merge-Approved-57" label based on comment #47 and #48. Assuming nothing is pending for M57.
Hello @xzhou, @reed, @jialiul, @mbarbella, @senorblanco, @hcm, @halcanary, @awhalley, @govind, Google Security Team, 

Good Evening.

Firstly I would like to thank you for fixing this vulnerability so quickly, I sincerely appreciate it.

I would like to kindly request you to use 'Kushal Arvind Shah of Fortinet's FortiGuard Labs' as the credit information in the Chrome Security Release.

Also I would like to request for any update on the CVE-ID and Reward for the same.

Eagerly awaiting your reply in earnest.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Fortinet's FortiGuard Labs.
Labels: -reward-topanel reward-unpaid reward-1000
Labels: -Security_Severity-High Security_Severity-Medium
Hello,

Thanks for the inquiry. The panel has awarded $1,000 for this report, downgrading it to a medium severity since it appears to be a READ only. Please let me know if you can demonstrate the ability to write to memory and we can reconsider.

We consider bugs for CVEs when we write release notes for a new Chrome release.  Though note that this bug is currently marked as impacting a beta release, and therefore wouldn't be eligible for a CVE. Can you demonstrate this bug working on a shipping stable version of Chrome?  

Thanks!

awhalley
Labels: -reward-unpaid reward-inprocess
Hello awhalley,

Firstly I would like to thank you for the generous bounty.

Secondly, I checked the PoC on the stable shipping release of chrome and I am able to reproduce the vulnerability.

The current shipping stable version of Google Chrome available for download is 56.0.2924.87, and the same version "asan" build is affected by this vulnerability.

Following are the steps I took to confirm the same:

1) Download the stable version of chrome from the link : https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-stable-56.0.2924.87.zip?generation=1486082469441404&alt=media

2) Unzip the downloaded chrome stable "asan" build.

3) Change directory to filter_fuzz_stub location.

4) Run the PoC.fil against the filter_fuzz_stub binary.

5) Check the crash details in the terminal window.

=================================================================
==23864==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000002c4 at pc 0x0000006a7205 bp 0x7fff0fe513a0 sp 0x7fff0fe51398
READ of size 4 at 0x6030000002c4 thread T0
    #0 0x6a7204  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x6a7204)
    #1 0xc6347a  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0xc6347a)
    #2 0x5cc0f7  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x5cc0f7)
    #3 0xa67288  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0xa67288)
    #4 0x574511  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x574511)
    #5 0x4f5c1a  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x4f5c1a)
    #6 0x7f6191cb4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)

0x6030000002c4 is located 0 bytes to the right of 20-byte region [0x6030000002b0,0x6030000002c4)
allocated by thread T0 here:
    #0 0x4c8e7c  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x4c8e7c)
    #1 0x52ea2d  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x52ea2d)
    #2 0x6ac468  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x6ac468)
    #3 0x701d71  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x701d71)
    #4 0xc606b2  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0xc606b2)
    #5 0x70339c  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x70339c)
    #6 0x5c733e  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x5c733e)
    #7 0x4f5a59  (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x4f5a59)
    #8 0x7f6191cb4abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/h4ck3r/Downloads/asan-linux-stable-56.0.2924.87/filter_fuzz_stub+0x6a7204) 
Shadow bytes around the buggy address:
  0x0c067fff8000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8010: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c067fff8020: fd fd fd fd fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8030: fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa 00 00
  0x0c067fff8040: 04 fa fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa
=>0x0c067fff8050: 00 00 04 fa fa fa 00 00[04]fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23864==ABORTING

Thus, this bug is impacting a stable release as well and I would like to therefore request a CVE-ID for the same. 

Also I understand that the release notes for a new Chrome release contain the CVE-ID and credit information and I am happy to wait for the same. BUT, I would like to request you to use "Kushal Arvind Shah of Fortinet's FortiGuard Labs" for this bug.

Eagerly awaiting your reply in earnest.


Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Fortinet's FortiGuard Labs.
Labels: -Security_Impact-Beta Security_Impact-Stable
Thank you for the update! I've changed the label so this bug will be allocated a CVE in due course.  Cheers.
Labels: Release-0-57
Labels: -Release-0-57 Release-0-M57
Labels: CVE-2017-5044
Hello @awhalley, Google Security Team,

Any update on the reward? I haven't received any update from Google Finance Team.

Eagerly awaiting your response in earnest.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Fortinet's FortiGuard Labs.
Project Member Comment 60 by sheriffbot@chromium.org, May 28
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot