Security: SEGV on unknown address 0x601ffe000c90 in SkNx_sse.h
Reported by
sweetv...@gmail.com,
Mar 24 2017
Issue description
VULNERABILITY DETAILS
Please check the ASAN output. It seems to be an integer overflow bug which can corrupt the variable 'x'.
SRC : /third_party/skia/src/opts/SkRasterPipeline_opts.h:514
STAGE_CTX(load_a8, const uint8_t**) {
    auto ptr = *ctx + x;
    r = g = b = 0.0f;
    a = SkNf_from_byte(load(tail, ptr));
}
I modified the source code to check variable's value.
STAGE_CTX(load_a8, const uint8_t**) {
    auto ptr = *ctx + x;
    SkDebugf("%x <- x", (unsigned)x);                      // dbg
    SkDebugf("%x <- *ctx", (unsigned)(uintptr_t)*ctx);     // dbg (pointer cast for %x)
    SkDebugf("%x <- ptr", (unsigned)(uintptr_t)ptr);       // dbg (pointer cast for %x)
    r = g = b = 0.0f;
    a = SkNf_from_byte(load(tail, ptr));
}
Then I built filter_fuzz_stub and executed it (32-bit build).
./filter_fuzz_stub ./poc.fil
...
...
...
...
[0325/002437.173010:INFO:SkRasterPipeline_opts.h(516)] 7ffe <- x
[0325/002437.173041:INFO:SkRasterPipeline_opts.h(518)] f290896e <- *ctx
[0325/002437.173057:INFO:SkRasterPipeline_opts.h(519)] f291096c <- ptr
[0325/002437.173088:INFO:SkRasterPipeline_opts.h(516)] 7fff <- x
[0325/002437.173122:INFO:SkRasterPipeline_opts.h(518)] f290896f <- *ctx
[0325/002437.173139:INFO:SkRasterPipeline_opts.h(519)] f291096e <- ptr
[0325/002437.173157:INFO:SkRasterPipeline_opts.h(516)] 3fff8000 <- x
[0325/002437.173194:INFO:SkRasterPipeline_opts.h(518)] f2908970 <- *ctx
[0325/002437.173210:INFO:SkRasterPipeline_opts.h(519)] 32900970 <- ptr
ASAN:DEADLYSIGNAL
=================================================================
==88014==ERROR: AddressSanitizer: SEGV on unknown address 0x2652012e (pc 0x0840f01c bp 0xffe84ba8 sp 0xffe84ae0 T0)
==88014==The signal is caused by a READ memory access.
#0 0x840f01b in load<unsigned char> third_party/skia/src/opts/SkRasterPipeline_opts.h:162:18
#1 0x840f01b in load_a8_kernel third_party/skia/src/opts/SkRasterPipeline_opts.h:522
#2 0x840f01b in load_a8(unsigned int, void**, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>) third_party/skia/src/opts/SkRasterPipeline_opts.h:514
#3 0x84078e4 in next third_party/skia/src/opts/SkRasterPipeline_opts.h:80:5
#4 0x84078e4 in move_src_dst(unsigned int, void**, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>) third_party/skia/src/opts/SkRasterPipeline_opts.h:376
#5 0x840e4b8 in next third_party/skia/src/opts/SkRasterPipeline_opts.h:80:5
#6 0x840e4b8 in constant_color(unsigned int, void**, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>) third_party/skia/src/opts/SkRasterPipeline_opts.h:438
#7 0x8405a4a in (anonymous namespace)::run_program(void**, unsigned int, unsigned int) third_party/skia/src/opts/SkRasterPipeline_opts.h:1200:13
#8 0x83dfa03 in sse2::run_pipeline(unsigned int, unsigned int, SkRasterPipeline::Stage const*, int) third_party/skia/src/opts/SkRasterPipeline_opts.h:1244:13
#9 0x84ae530 in SkRasterPipeline::run(unsigned int, unsigned int) const third_party/skia/src/core/SkRasterPipeline.cpp:30:9
#10 0x8c41fc6 in SkRasterPipelineBlitter::blitH(int, int, int) third_party/skia/src/core/SkRasterPipelineBlitter.cpp:246:7
#11 0x851c805 in vertline third_party/skia/src/core/SkScan_Hairline.cpp:30:18
#12 0x851c805 in SkScan::HairLineRgn(SkPoint const*, int, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan_Hairline.cpp:139
#13 0x85259b9 in hair_quad third_party/skia/src/core/SkScan_Hairline.cpp:240:5
#14 0x85259b9 in hairquad third_party/skia/src/core/SkScan_Hairline.cpp:288
#15 0x85259b9 in void hair_path<(SkPaint::Cap)1>(SkPath const&, SkRasterClip const&, SkBlitter*, void (*)(SkPoint const*, int, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:557
#16 0x8523970 in SkScan::HairRoundPath(SkPath const&, SkRasterClip const&, SkBlitter*) third_party/skia/src/core/SkScan_Hairline.cpp:622:5
#17 0x83673a1 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:1070:5
#18 0x8368086 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1163:11
#19 0x8d26885 in drawPath third_party/skia/src/core/SkDraw.h:59:15
#20 0x8d26885 in SkLayerRasterizer::onRasterize(SkPath const&, SkMatrix const&, SkIRect const*, SkMask*, SkMask::CreateMode) const third_party/skia/src/effects/SkLayerRasterizer.cpp:140
#21 0x84afd37 in SkRasterizer::rasterize(SkPath const&, SkMatrix const&, SkIRect const*, SkMaskFilter*, SkMask*, SkMask::CreateMode) const third_party/skia/src/core/SkRasterizer.cpp:33:18
#22 0x8367fad in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1148:37
#23 0x83651b1 in drawPath third_party/skia/src/core/SkDraw.h:54:15
#24 0x83651b1 in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:798
#25 0x8aadff1 in drawRect third_party/skia/src/core/SkDraw.h:40:15
#26 0x8aadff1 in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:209
#27 0x82120ed in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2080:27
#28 0x820bbad in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1767:11
#29 0x8da6276 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:64:13
#30 0x838f177 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:216:40
#31 0x8ab1c65 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:404:49
#32 0x8201b54 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1349:25
#33 0x81fc441 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1240:19
#34 0x821e1d0 in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:506:22
#35 0x821e1d0 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2364
#36 0x820e112 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1884:11
#37 0x8144c49 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:46:13
#38 0x8144c49 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:65
#39 0x8144c49 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:84
#40 0xf6bd2636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/opts/SkRasterPipeline_opts.h:162:18 in load<unsigned char>
==87467==ABORTING
Also, you can reproduce the crash by using filter_fuzz_stub in 'asan-linux-release-459386.zip'.
./filter_fuzz_stub ./poc.fil
[0325/022813.582854:INFO:filter_fuzz_stub.cc(59)] Test case: ./poc.fil
[0325/022813.583531:INFO:filter_fuzz_stub.cc(36)] Valid stream detected.
ASAN:DEADLYSIGNAL
=================================================================
==59561==ERROR: AddressSanitizer: SEGV on unknown address 0x601ffe000c90 (pc 0x00000072ba3e bp 0x7ffc0bb0e070 sp 0x7ffc0bb0e010 T0)
==59561==The signal is caused by a READ memory access.
#0 0x72ba3d in Load third_party/skia/src/core/../opts/SkNx_sse.h:433:51
#1 0x72ba3d in load<unsigned char> third_party/skia/src/opts/SkRasterPipeline_opts.h:163
#2 0x72ba3d in load_a8_kernel third_party/skia/src/opts/SkRasterPipeline_opts.h:517
#3 0x72ba3d in load_a8(unsigned long, void**, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>, (anonymous namespace)::SkNx<4, float>) third_party/skia/src/opts/SkRasterPipeline_opts.h:514
#4 0x706cbe in run_program third_party/skia/src/opts/SkRasterPipeline_opts.h:1195:13
#5 0x706cbe in sse2::run_pipeline(unsigned long, unsigned long, SkRasterPipeline::Stage const*, int) third_party/skia/src/opts/SkRasterPipeline_opts.h:1239
#6 0x7f5e30 in vertline third_party/skia/src/core/SkScan_Hairline.cpp:30:18
#7 0x7f5e30 in SkScan::HairLineRgn(SkPoint const*, int, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan_Hairline.cpp:139
#8 0x7fd4a9 in hair_quad third_party/skia/src/core/SkScan_Hairline.cpp:240:5
#9 0x7fd4a9 in hairquad third_party/skia/src/core/SkScan_Hairline.cpp:288
#10 0x7fd4a9 in void hair_path<(SkPaint::Cap)1>(SkPath const&, SkRasterClip const&, SkBlitter*, void (*)(SkPoint const*, int, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:557
#11 0x6a157c in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:1070:5
#12 0x6a213b in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1163:11
#13 0xe46bfa in drawPath third_party/skia/src/core/SkDraw.h:59:15
#14 0xe46bfa in SkLayerRasterizer::onRasterize(SkPath const&, SkMatrix const&, SkIRect const*, SkMask*, SkMask::CreateMode) const third_party/skia/src/effects/SkLayerRasterizer.cpp:140
#15 0x78ea3a in SkRasterizer::rasterize(SkPath const&, SkMatrix const&, SkIRect const*, SkMaskFilter*, SkMask*, SkMask::CreateMode) const third_party/skia/src/core/SkRasterizer.cpp:33:18
#16 0x6a208a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1148:37
#17 0x69f842 in drawPath third_party/skia/src/core/SkDraw.h:54:15
#18 0x69f842 in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:798
#19 0xc5dfdc in drawRect third_party/skia/src/core/SkDraw.h:40:15
#20 0xc5dfdc in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:209
#21 0x58158a in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2085:27
#22 0xeaf828 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:64:13
#23 0x6be30c in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:216:40
#24 0xc613fd in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:404:49
#25 0x574094 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1349:25
#26 0x56fa1c in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1240:19
#27 0x58a939 in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:506:22
#28 0x58a939 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2369
#29 0x4fb733 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:46:13
#30 0x4fb733 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:65
#31 0x4fb733 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:84
#32 0x7f86f852c82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/core/../opts/SkNx_sse.h:433:51 in Load
==59561==ABORTING
VERSION
Chrome Version: asan-linux-release-459386
Operating System:
- Ubuntu 16.04.1 LTS 64bit (Server)
- Linux ubuntu 4.4.0-65-generic #86-Ubuntu SMP Thu Feb 23 17:49:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
REPRODUCTION CASE
- ./filter_fuzz_stub ./poc.fil
,
Mar 25 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5114758220218368
Mar 29 2017
Clusterfuzz seems to reproduce it here: https://clusterfuzz.com/v2/testcase-detail/5114758220218368?noredirect=1 mtklein@, are you the right person to resolve this crash? Thank you.
,
Mar 29 2017
Yeah, I think I can get it to the right person. Looks like we're reading off the end (not sure which end) of a mask buffer when drawing a vertical line. My guess is the source of the bug is somewhere up above vertline(). It's possible but not super likely to be lower than that. #1: I wouldn't think there's anything wrong with x... these values look plausible without it necessarily being corrupted or overflowed. The last one does look pretty big.
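A small C model of the `*ctx + x` read that the reporter traced and that mtklein@ describes as reading off the end of a mask buffer, added here as an illustration (it is not Skia's code and not from either commenter). It replays the 32-bit pointer wrap behind the ptr values in the debug log and shows the bounds check a defender would want in front of the mask read; the 0x8000-byte mask, the LANES constant and the function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the load_a8 stage (not Skia's code): 'x' is the
 * byte offset into an 8-bit alpha (A8) mask, and the stage reads 'n' bytes
 * starting at mask + x (4 lanes in this SSE build, or 'tail' lanes on the
 * final partial run). */
enum { LANES = 4 };

/* Replays the reporter's 32-bit pointer arithmetic: *ctx + x is computed
 * modulo 2^32, which is why the last ptr in the log is smaller than *ctx. */
uint32_t ptr32(uint32_t base, uint32_t x) { return base + x; }

/* Bounds-checked variant: copies the alpha bytes out only if [x, x + n)
 * lies inside a mask of mask_len bytes. Comparing against mask_len - x
 * instead of computing x + n avoids the overflow the unchecked sum can hit. */
bool load_a8_checked(const uint8_t *mask, size_t mask_len,
                     size_t x, size_t n, uint8_t out[LANES]) {
    if (n == 0 || n > LANES) return false;
    if (x > mask_len || n > mask_len - x) return false;  /* would read past the mask */
    memcpy(out, mask + x, n);
    return true;
}

/* Constructed 0x8000-byte mask: offsets up to 0x7fff are valid, so the
 * first two x values from the log fit and the third does not. */
static uint8_t g_mask[0x8000];

bool check_x(size_t x, size_t n) {
    uint8_t out[LANES];
    return load_a8_checked(g_mask, sizeof g_mask, x, n, out);
}

int main(void) {
    const uint32_t bases[] = { 0xf290896eu, 0xf290896fu, 0xf2908970u };  /* *ctx from the log */
    const size_t   xs[]    = { 0x7ffe, 0x7fff, 0x3fff8000 };             /* x from the log */
    for (size_t i = 0; i < 3; i++)
        printf("x=%#zx  in-bounds=%s  32-bit ptr=%#x\n", xs[i],
               check_x(xs[i], 1) ? "yes" : "no", ptr32(bases[i], (uint32_t)xs[i]));
    return 0;
}
```

The three ptr32 results reproduce the ptr values printed in the reporter's debug log, and only the third x is rejected by the check.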
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 461151:461182.
Detailed report: https://clusterfuzz.com/testcase?key=5114758220218368
Job Type: linux_asan_filter_fuzz_stub
Crash Type: UNKNOWN READ
Crash Address: 0x608ffe003950
Crash State:
  load_a8
  sse2::run_pipeline
  SkScan::HairLineRgn
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=450943:450980
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=461151:461182
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97FEt2vUOPH1e5uSXDOJxJGRkknNX94Xdrf5hfNK6vwk14o_KKNVlvQTo9_6yimRO7nUd80s6kqUDV5mn_vjisJI4K0ALcC2UVtqOzShU4zIjUKAjA-uzmGywX1ZZOr5KDlLvC_LSBq-PZ1tvK5VLoZHd7YuJsLNJ50IVQZGQrJ6lwJ412ZyCDD1ZEQDz4wRfjdRhbmrjdlUw3wuvhsPsqaamLBVrRF4ruCdp4VW9n0LCWx4D9uvNHyu2Pl_5QJlWFG83n2_bLXhqppAcWbog-F5aVXfWU6GehCq6qIfWxDM6kZk2pmyP2m08Mc-ycIQHekhESqMIkCrK-9FKpL-ZoxuswjtAfO1_7IPBTdtUIuAiwdo5_hm4OfsGKgOy_SxeIfKQX3O73xsThFS95q0O8lCSXFzA?testcase_id=5114758220218368
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz testcase 5114758220218368 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 11 2017
hi mtklein@ - looks like Clusterfuzz thinks this is fixed. Do you know of any changes made as a result of this report?
,
Apr 11 2017
Nope.
,
Apr 29 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 2 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 5 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot