Status: Fixed
Closed: Jul 15
OS: Linux
Pri: 1
Type: Bug-Security
Security: heap-buffer-overflow read in filter_fuzz_stub
Reported by look.wan...@gmail.com, Jul 11


VERSION
Chrome Version: asan-linux-stable-59.0.3071.115
Operating System: Ubuntu 16.04.2 LTS

REPRODUCTION CASE
run ./filter_fuzz_stub poc

[0711/095854.505541:INFO:filter_fuzz_stub.cc(59)] Test case: /tmp/poc
[0711/095854.513525:INFO:filter_fuzz_stub.cc(36)] Valid stream detected.
=================================================================
==11306==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000cb8 at pc 0x00000073ac90 bp 0x7ffe5517e6f0 sp 0x7ffe5517e6e8
READ of size 8 at 0x611000000cb8 thread T0
    #0 0x73ac8f in SkPathRef::Iter::next(SkPoint*) third_party/skia/src/core/SkPathRef.cpp:692:20
    #1 0x721e53 in next third_party/skia/include/core/SkPath.h:1061:36
    #2 0x721e53 in SkPath::addPath(SkPath const&, SkMatrix const&, SkPath::AddPathMode) third_party/skia/src/core/SkPath.cpp:1522
    #3 0x721b03 in SkPath::addPath(SkPath const&, float, float, SkPath::AddPathMode) third_party/skia/src/core/SkPath.cpp:1510:11
    #4 0xd292e7 in SkPath1DPathEffect::next(SkPath*, float, SkPathMeasure&) const third_party/skia/src/effects/Sk1DPathEffect.cpp:175:22
    #5 0xd288d5 in filterPath third_party/skia/src/effects/Sk1DPathEffect.cpp:22:36
    #6 0xd288d5 in SkPath1DPathEffect::filterPath(SkPath*, SkPath const&, SkStrokeRec*, SkRect const*) const third_party/skia/src/effects/Sk1DPathEffect.cpp:70
    #7 0x7114d1 in SkPaint::getFillPath(SkPath const&, SkPath*, SkRect const*, float) const third_party/skia/src/core/SkPaint.cpp:1969:37
    #8 0xd703a4 in getFillPath third_party/skia/include/core/SkPaint.h:454:22

Attachment: poc (472 bytes)
Cc: mtklein@chromium.org
Components: Internals>Skia
Labels: Security_Severity-High Security_Impact-Stable OS-Linux Pri-1
Owner: bunge...@chromium.org
Status: Assigned
bungeman: could you please help triage? Thanks!
Project Member Comment 2 by sheriffbot@chromium.org, Jul 11
Labels: M-59
Cc: bunge...@chromium.org
Owner: reed@chromium.org
Project Member Comment 4 by bugdroid1@chromium.org, Jul 12
The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/52e4fd98b5c6b296e4598f3243a891bc76715590

commit 52e4fd98b5c6b296e4598f3243a891bc76715590
Author: Ben Wagner <bungeman@google.com>
Date: Wed Jul 12 02:40:35 2017

Check first deserialized verb of path is a move.

SkPathRef::Iter::next and several other bits of code depend on the first
verb of a path always being a move. Constructors and builders currently
enforce this, so the deserializer must do so also.

BUG= chromium:740789 

Change-Id: Iad0f6fc6d2b2fe40064c674fa7dd1612c120bb8f
Reviewed-on: https://skia-review.googlesource.com/22216
Commit-Queue: Ben Wagner <bungeman@google.com>
Reviewed-by: Mike Reed <reed@google.com>

[modify] https://crrev.com/52e4fd98b5c6b296e4598f3243a891bc76715590/src/core/SkPathRef.cpp
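The fix above adds a validity precondition to the deserializer rather than hardening every consumer. The following is an added illustration, not Skia's code or wire format: a constructed verb/point stream (one byte verb count, one byte per verb, one 8-byte point per move or line) with a deserializer that rejects a stream whose first verb is not a move, alongside the size checks any deserializer needs. The names `Verb`, `Point`, `Path`, `deserializePath` and `acceptsStream` are assumptions for this example only.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <vector>

// Constructed wire format for this example (not Skia's serialization).
enum Verb : uint8_t { kMove = 0, kLine = 1, kClose = 2 };

struct Point { float x, y; };
static_assert(sizeof(Point) == 8, "one point is an 8-byte read, as in the ASan report");

struct Path {
    std::vector<Verb>  verbs;
    std::vector<Point> pts;
};

// Points consumed by each verb in this model: move and line take one, close none.
static size_t pointsFor(Verb v) { return v == kClose ? 0 : 1; }

// Returns false and leaves `out` untouched on any invalid stream.
bool deserializePath(const std::vector<uint8_t>& buf, Path* out) {
    if (buf.empty()) return false;
    const size_t nverbs = buf[0];
    size_t pos = 1;
    if (buf.size() < pos + nverbs) return false;          // verb table truncated
    std::vector<Verb> verbs;
    size_t npts = 0;
    for (size_t i = 0; i < nverbs; ++i) {
        const uint8_t b = buf[pos++];
        if (b > kClose) return false;                     // unknown verb byte
        verbs.push_back(static_cast<Verb>(b));
        npts += pointsFor(verbs.back());
    }
    // Precondition enforced by the fix: iterators such as SkPathRef::Iter::next
    // assume a non-empty path starts with a move, because constructors and
    // builders always produce one. A deserialized path must satisfy it too.
    if (!verbs.empty() && verbs[0] != kMove) return false;
    if (buf.size() != pos + npts * sizeof(Point)) return false;  // point data size mismatch
    std::vector<Point> pts(npts);
    if (npts) std::memcpy(pts.data(), buf.data() + pos, npts * sizeof(Point));
    out->verbs = std::move(verbs);
    out->pts   = std::move(pts);
    return true;
}

// Convenience wrapper: does the stream pass validation?
bool acceptsStream(const std::vector<uint8_t>& buf) {
    Path p;
    return deserializePath(buf, &p);
}
```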

Project Member Comment 5 by bugdroid1@chromium.org, Jul 12
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/55770ba5393da70bdde69f7f30dd9f31a3d576ff

commit 55770ba5393da70bdde69f7f30dd9f31a3d576ff
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Wed Jul 12 04:16:00 2017

Roll src/third_party/skia/ 51b2f1b64..d96ed9d0d (2 commits)

https://skia.googlesource.com/skia.git/+log/51b2f1b64c4d..d96ed9d0def2

$ git log 51b2f1b64..d96ed9d0d --date=short --no-merges --format='%ad %ae %s'
2017-07-11 herb Experimental blur code.
2017-07-11 bungeman Check first deserialized verb of path is a move.

Created with:
  roll-dep src/third_party/skia
BUG= 740789 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=ethannicholas@chromium.org

Change-Id: Ieacea59c9b71b45e1ab7ac21194f69d5bc37e131
Reviewed-on: https://chromium-review.googlesource.com/567813
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485847}
[modify] https://crrev.com/55770ba5393da70bdde69f7f30dd9f31a3d576ff/DEPS

Cc: -bunge...@chromium.org reed@chromium.org
Labels: Merge-Request-60 Mer
Owner: bunge...@chromium.org
Requesting merge of Skia change https://skia.googlesource.com/skia/+/52e4fd98b5c6b296e4598f3243a891bc76715590 to Skia's chrome/m60 branch.

This issue was filed against m59, but it appears there will be no more m59 releases, so not requesting m59.
Project Member Comment 7 by sheriffbot@chromium.org, Jul 14
Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: We are only 10 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Has the fix already landed in Canary or Dev? Has this been verified?
Project Member Comment 9 by sheriffbot@chromium.org, Jul 15
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 10 by sheriffbot@chromium.org, Jul 16
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
> Has the fix already landed in Canary or Dev?
Been in Canary since last Thursday.

> Has this been verified?
The original report was reproduced before making any changes. The change (from comment #4) was applied and observed to fix the asan failure. The test case from the original report now runs correctly at tip of tree.

The change itself is fairly limited and simply enforces a validity pre-condition when deserializing paths.
Cc: awhalley@chromium.org
Labels: -Merge-Review-60 Merge-Approved-60
Thanks for confirming. +awhalley
Approving merge to M60. 
Project Member Comment 13 by bugdroid1@chromium.org, Jul 17
Labels: merge-merged-m60
The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/a20ae70af542208b06c21413f13c4c86269c0b84

commit a20ae70af542208b06c21413f13c4c86269c0b84
Author: Ben Wagner <bungeman@google.com>
Date: Mon Jul 17 19:42:41 2017

Check first deserialized verb of path is a move.

SkPathRef::Iter::next and several other bits of code depend on the first
verb of a path always being a move. Constructors and builders currently
enforce this, so the deserializer must do so also.

BUG= chromium:740789 

Reviewed-on: https://skia-review.googlesource.com/22216
Commit-Queue: Ben Wagner <bungeman@google.com>
Reviewed-by: Mike Reed <reed@google.com>

Change-Id: I1b02b35ac9f741057c026c241cf17cab04f0d239
Cherry-pick: 52e4fd98b5c6b296e4598f3243a891bc76715590
Approval:  https://crbug.com/740789#c12 
Reviewed-on: https://skia-review.googlesource.com/24123
Reviewed-by: Ben Wagner <bungeman@google.com>

[modify] https://crrev.com/a20ae70af542208b06c21413f13c4c86269c0b84/src/core/SkPathRef.cpp

Labels: -Merge-Approved-60
Labels: -M-59 -Mer M-60 Release-0-M60
Labels: reward-topanel
Labels: CVE-2017-5097
Labels: -Security_Severity-High Security_Severity-Medium
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Hi look.wangluke@ - the VRP panel decided to award $1,000 for this report - many thanks!
cool. thx
Labels: -reward-unpaid reward-inprocess
Project Member Comment 23 by sheriffbot@chromium.org, Oct 22
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot