New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-of-uninitialized-value in SkArithmeticImageFilter::Make

Reported by look.wan...@gmail.com, May 22 2017

Issue description

VERSION
Operating System: Ubuntu 16.04.2 LTS 



VULNERABILITY DETAILS

1) build latest code of filter_fuzz_stub with following gn flags:
is_msan = true
is_debug = false
(ninja -C buildir skia:filter_fuzz_stub)

2) Run filter_fuzz_stub with attached file:
./filter_fuzz_stub  poc

==12272==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xf64d4c  (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0xf64d4c)
    #1 0x107a4df  (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0x107a4df)
    #2 0x945337  (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0x945337)
    #3 0x778a85  (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0x778a85)
    #4 0x492bb9  (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0x492bb9)
    #5 0x7fa8a77fc82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x424803  (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0x424803)

  Uninitialized value was created by an allocation of 'arith' in the stack frame of function '_ZN26SkXfermodeImageFilter_Base10CreateProcER12SkReadBuffer'
    #0 0x1079850  (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0x1079850)

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/home/test/work/chromium/src/skia/out/filter_fuzz_stub+0xf64d4c) 
Exiting

 
poc
72 bytes View Download
Project Member

Comment 1 by ClusterFuzz, May 22 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5651544547786752
Project Member

Comment 2 by ClusterFuzz, May 22 2017

Labels: Security_Severity-Medium
Summary: Use-of-uninitialized-value in SkArithmeticImageFilter::Make (was: Security: Use of uninitialized value on stack)
Detailed report: https://clusterfuzz.com/testcase?key=5651544547786752

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkArithmeticImageFilter::Make
  SkXfermodeImageFilter_Base::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=423391:423439

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5651544547786752


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Comment 3 by wfh@chromium.org, May 22 2017

Components: Internals>Skia
Labels: Pri-2
Owner: reed@google.com
Status: Assigned (was: Unconfirmed)
reed - this does seem to point at your refactor of SkXfermodeImageFilter in https://skia-review.googlesource.com/c/2584/ - could you take a look?
Project Member

Comment 4 by sheriffbot@chromium.org, May 23 2017

Labels: -Pri-2 Pri-1

Comment 5 by kenrb@chromium.org, May 24 2017

Labels: Security_Impact-Stable OS-All
The CF report says this impacts Head, but it bisects to a regression range that would imply Stable. I don't quite know what to make of that, so labeling conservatively.
Project Member

Comment 6 by sheriffbot@chromium.org, May 25 2017

Labels: M-59
Project Member

Comment 7 by sheriffbot@chromium.org, Jun 6 2017

reed: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by ClusterFuzz, Jun 13 2017

ClusterFuzz has detected this issue as fixed in range 478364:478645.

Detailed report: https://clusterfuzz.com/testcase?key=5651544547786752

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkArithmeticImageFilter::Make
  SkXfermodeImageFilter_Base::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=423391:423439
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=478364:478645

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5651544547786752


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Jun 13 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5651544547786752 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Jun 13 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-59 M-61
Labels: reward-NA
Project Member

Comment 13 by sheriffbot@chromium.org, Aug 5 2017

Labels: Merge-Request-61
Project Member

Comment 14 by sheriffbot@chromium.org, Aug 5 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+ awhalley@ (Security TPM) for M61 merge review.
Labels: -Hotlist-Merge-Review -Merge-Review-61 Hotlist-Merge-
Fix range is in 61, no need for merge.
Labels: Release-0-M61
Labels: CVE-2017-5119
Since there is a cve for this ,why "reward-NA"?
Project Member

Comment 20 by sheriffbot@chromium.org, Sep 19 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sorry for the delay in replying. It was marked as reward-na as we didn't make a fix in response to the report, it looks like the issue was fixed by some other, unrelated change.  Arguably it probably shouldn't have had a CVE allocated :-|
Cc: kjlubick@chromium.org kjlubick@google.com
Labels: CVE_description-submitted

Sign in to add a comment