Status: Verified
Owner:
Closed: Jun 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Use-of-uninitialized-value in SkShader::MakeColorShader
Reported by look.wan...@gmail.com, May 30
VERSION
Operating System: Ubuntu 16.04.2 LTS 


VULNERABILITY DETAILS

1) Build the latest code of filter_fuzz_stub with the following gn flags:
is_msan = true
is_debug = false
(ninja -C buildir skia:filter_fuzz_stub)

2) Run filter_fuzz_stub with the attached file:
filter_fuzz_stub /tmp/poc
[0530/213258.352016:INFO:filter_fuzz_stub.cc(60)] Test case: /tmp/poc
==20817==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xeb45b4  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0xeb45b4)
    #1 0xeb3f5e  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0xeb3f5e)
    #2 0x9e3bd1  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0x9e3bd1)
    #3 0x8943c2  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0x8943c2)
    #4 0x120424b  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0x120424b)
    #5 0x9e3bd1  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0x9e3bd1)
    #6 0x7cbcea  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0x7cbcea)
    #7 0x492e1c  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0x492e1c)
    #8 0x7f51790e682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x42478b  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0x42478b)

  Uninitialized value was created by an allocation of 'color' in the stack frame of function '_ZN14SkColor4Shader10CreateProcER12SkReadBuffer'
    #0 0xeb3dc0  (/home/test/work/chromium/src/skia/aflout/filter_fuzz_stub+0xeb3dc0)


3)
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkColorShader.cpp?l=136

    SkColor4f color;
    buffer.readColor4f(&color);

Maybe the struct "SkColor4f" should have a "constructor" function.

Attachment: poc (112 bytes)
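The pattern behind steps 2 and 3 of the report, as an added C++ example that is not part of the report or of Skia's source: a toy validating read buffer whose `readColor4f` leaves its out-parameter untouched when the input is too short, the zero-filling variant that gives the out-parameter a defined value on every path, and a caller that checks the buffer's validity before using the result. `ToyReadBuffer`, `ToyColor4f`, `encodeColor`, `redAfterLeaky`, `redAfterSafe` and `checkedAccepts` are hypothetical names; the 5-byte truncated input and the sentinel value standing in for stack garbage are constructed for the example. Which of these the Skia fix chose is not stated on this page.

```cpp
// Added example, not Skia's code. Models the SkValidatingReadBuffer /
// SkColor4Shader::CreateProc pattern from the report; all names here are
// hypothetical and only the bug pattern is taken from the page.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct ToyColor4f { float fR, fG, fB, fA; };

class ToyReadBuffer {
public:
    ToyReadBuffer(const uint8_t* data, size_t size) : fData(data), fSize(size) {}

    // Hands out the next n bytes, or sets the sticky error flag and returns
    // nullptr when fewer than n bytes remain (the validating-buffer idiom).
    const void* skip(size_t n) {
        if (fError || n > fSize - fPos) {
            fError = true;
            return nullptr;
        }
        const void* p = fData + fPos;
        fPos += n;
        return p;
    }

    // Bug pattern: on a validation failure the out-parameter is never written,
    // so a caller that declared it without an initializer consumes whatever the
    // stack held. MSan reports that read as use-of-uninitialized-value.
    void readColor4fLeaky(ToyColor4f* color) {
        const void* p = this->skip(sizeof(ToyColor4f));
        if (!fError) {
            memcpy(color, p, sizeof(ToyColor4f));
        }
    }

    // Hardened pattern: the out-parameter gets a defined value on every path,
    // so even a caller that forgets to check isValid() never reads garbage.
    void readColor4fSafe(ToyColor4f* color) {
        const void* p = this->skip(sizeof(ToyColor4f));
        if (!fError) {
            memcpy(color, p, sizeof(ToyColor4f));
        } else {
            *color = {0.0f, 0.0f, 0.0f, 0.0f};
        }
    }

    bool isValid() const { return !fError; }

private:
    const uint8_t* fData;
    size_t fSize;
    size_t fPos = 0;
    bool fError = false;
};

// Stand-in for stack garbage: a real uninitialized float holds arbitrary bits,
// a fixed sentinel makes the leak observable deterministically (constructed).
static const float kGarbage = 42.0f;

// Serialises four floats the way the toy reader expects (constructed input).
std::vector<uint8_t> encodeColor(float r, float g, float b, float a) {
    ToyColor4f c = {r, g, b, a};
    std::vector<uint8_t> out(sizeof(c));
    memcpy(out.data(), &c, sizeof(c));
    return out;
}

// Mirrors CreateProc: read a color and hand it on without checking the buffer.
// Returns the red channel the consumer (MakeColorShader in the report) sees.
float redAfterLeaky(const std::vector<uint8_t>& bytes) {
    ToyReadBuffer buffer(bytes.data(), bytes.size());
    ToyColor4f color = {kGarbage, kGarbage, kGarbage, kGarbage};
    buffer.readColor4fLeaky(&color);
    return color.fR;  // sentinel survives on truncated input
}

float redAfterSafe(const std::vector<uint8_t>& bytes) {
    ToyReadBuffer buffer(bytes.data(), bytes.size());
    ToyColor4f color = {kGarbage, kGarbage, kGarbage, kGarbage};
    buffer.readColor4fSafe(&color);
    return color.fR;  // 0.0f on truncated input
}

// Caller-side defence: only hand the color on when the buffer validated,
// independent of what the reader wrote into it.
bool checkedAccepts(const std::vector<uint8_t>& bytes) {
    ToyReadBuffer buffer(bytes.data(), bytes.size());
    ToyColor4f color = {0.0f, 0.0f, 0.0f, 0.0f};
    buffer.readColor4fSafe(&color);
    return buffer.isValid();
}

int main() {
    std::vector<uint8_t> truncated(5, 0xAB);  // shorter than sizeof(ToyColor4f)
    printf("leaky: %g  safe: %g  checked accepts: %d\n",
           redAfterLeaky(truncated), redAfterSafe(truncated), checkedAccepts(truncated));
    return 0;
}
```

The two fixes are complementary: defining the out-parameter on the failure path closes the uninitialized read even for callers that never look at `isValid()`, while checking validity at the call site stops a deserializer from building an object out of a buffer that already failed. A reader type that other code trusts to validate should do the first unconditionally.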
Project Member Comment 1 by clusterf...@chromium.org, May 30
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4858492795224064
Project Member Comment 2 by clusterf...@chromium.org, May 30
Labels: Security_Severity-Medium
Summary: Use-of-uninitialized-value in SkShader::MakeColorShader (was: Security: Use-of-uninitialized-value on stack)
Detailed report: https://clusterfuzz.com/testcase?key=4858492795224064

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkShader::MakeColorShader
  SkColor4Shader::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=420859:421045

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4858492795224064


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Components: Internals>Skia
Project Member Comment 4 by sheriffbot@chromium.org, May 31
Labels: Pri-1
Cc: brianosman@google.com
Labels: Security_Impact-Stable OS-All
Owner: mtklein@chromium.org
Status: Assigned
brianosman, mtklein: Could either of you take a look? Seems to go back to https://codereview.chromium.org/2334123003.


Project Member Comment 6 by sheriffbot@chromium.org, Jun 6
Labels: M-59
Project Member Comment 7 by bugdroid1@chromium.org, Jun 7
The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/2e425ebd95dd97f788f7f8a3b8529d77d69b4f61

commit 2e425ebd95dd97f788f7f8a3b8529d77d69b4f61
Author: Brian Osman <brianosman@google.com>
Date: Wed Jun 07 14:21:19 2017

Fix use of uninitialized value in SkColor4Shader::CreateProc

Bug:  chromium:727678 
Change-Id: I4c59d9222d47b866b3c30408322ec456f304aa53
Reviewed-on: https://skia-review.googlesource.com/18938
Commit-Queue: Brian Osman <brianosman@google.com>
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>

[modify] https://crrev.com/2e425ebd95dd97f788f7f8a3b8529d77d69b4f61/src/core/SkValidatingReadBuffer.cpp

Project Member Comment 8 by clusterf...@chromium.org, Jun 8
ClusterFuzz has detected this issue as fixed in range 477664:477684.

Detailed report: https://clusterfuzz.com/testcase?key=4858492795224064

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkShader::MakeColorShader
  SkColor4Shader::CreateProc
  SkValidatingReadBuffer::readFlattenable
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=420859:421045
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=477664:477684

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4858492795224064


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 9 by clusterf...@chromium.org, Jun 8
Labels: ClusterFuzz-Verified
Status: Verified
ClusterFuzz testcase 4858492795224064 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member Comment 10 by sheriffbot@chromium.org, Jun 8
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -M-59 M-60 Merge-Request-60
Project Member Comment 13 by sheriffbot@chromium.org, Jun 12
Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-60 Merge-Approved-60
Approved for merge into M60
Project Member Comment 15 by sheriffbot@chromium.org, Jun 16
Cc: bustamante@google.com awhalley@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by bugdroid1@chromium.org, Jun 16
Labels: merge-merged-m60
The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/bce1a989e7bb1b5cc907b64ca5e9d103f8c3b56f

commit bce1a989e7bb1b5cc907b64ca5e9d103f8c3b56f
Author: Mike Reed <reed@google.com>
Date: Fri Jun 16 16:17:05 2017

Fix use of uninitialized value in SkColor4Shader::CreateProc

cherry-picking fix 2e425ebd95dd97f788f7f8a3b8529d77d69b4f61

No-Tree-Checks: true
No-Try: true
No-Presubmit: true
Bug:  chromium:727678 
Change-Id: I4c59d9222d47b866b3c30408322ec456f304aa53
Reviewed-On: https://skia-review.googlesource.com/18938
Commit-Queue: Brian Osman <brianosman@google.com>
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-By: Mike Klein <mtklein@chromium.org>
Reviewed-on: https://skia-review.googlesource.com/20147
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Mike Reed <reed@google.com>

[modify] https://crrev.com/bce1a989e7bb1b5cc907b64ca5e9d103f8c3b56f/src/core/SkValidatingReadBuffer.cpp

Project Member Comment 17 by sheriffbot@chromium.org, Jun 19
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-60
Labels: -reward-topanel reward-unpaid reward-1000
And $1,000 for this one! Thanks!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M60
Labels: CVE-2017-5102
Project Member Comment 24 by sheriffbot@chromium.org, Sep 14
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot