
Issue metadata

Status: Fixed
Closed: Aug 2017
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security




Security: heap overflow write in filter_fuzz_stub(x86)

Reported by look.wan...@gmail.com, Jul 26 2017

Issue description

VERSION
Chrome Version: latest build of filter_fuzz_stub(x86)
(args.gn:
is_debug = false
target_cpu = "x86"
)  

Operating System: Ubuntu 16.04.2 LTS



REPRODUCTION CASE

1) Run "./filter_fuzz_stub poc" (may take a few seconds due to a large malloc):
[0727/003145.072534:INFO:filter_fuzz_stub.cc(37)] Valid stream detected.
tcmalloc: large alloc 1752543232 bytes == 0x5fbe1000 @  0x84927e6 0x8349191 0x8348aba 0x833be5f 0x832e8b7 0x82836c9 0x8102ecf 0x80f7715 0x80f7be0 0x82869c7 0x812978f 0x80f7b56 0x80f6e59 0x8217a3e 0x80ddadd 0x80dc374 0x829adf8 0x80feb36 0x80ffff5 0x8221e6d 0x80feb36 0x82187ba 0x80da5f8 0x80d93a5 0x80dfdf5 0x80dca2a 0x80511bf 0xf75de637
Segmentation fault (core dumped)

(Debug build:
Massive size passed to malloc: 4294967295
Massive size passed to malloc: 4294967295
Massive size passed to malloc: 4294967295
tcmalloc: large alloc 1752543232 bytes == 0x5e438000 @  0xf66985fb 0xf6694bf7 0xf6699ca3 0xf6695afe 0xf66998c8 0xf66cfb2e 0xf664b7aa 0xf664b197 0xf664a7da 0xf6955976 0xf6953fce 0xf6c1b9c0 0xf6c39dde 0xf6957979 0xf68e6841 0xf68e71db 0xf68eb45c 0xf6c40a96 0xf6a12b80 0xf68e70c0 0xf68430e3 0xf68e5157 0xf684302c 0xf683f6f4 0xf687e3f2 0xf687bde0 0xf6c68efd 0xf692f539 0xf693186a 0xf686e054 0xf692f539
Segmentation fault (core dumped)
)

2) Under asan-v8-arm-linux-release-489609, "./filter_fuzz_stub poc" will output as follows:
==22922:22922==WARNING: AddressSanitizer failed to allocate 0xffffffff bytes
==22922:22922==AddressSanitizer's allocator is terminating the process instead of returning 0
==22922:22922==If you don't like this behavior set allocator_may_return_null=1
==22922:22922==AddressSanitizer CHECK failed: /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
    #0 0x8116384 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/test/work/asan-v8-arm-linux-release-489609/filter_fuzz_stub+0x8116384)
    #1 0x8128ae3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/test/work/asan-v8-arm-linux-release-489609/filter_fuzz_stub+0x8128ae3)
    #2 0x811a04e in __sanitizer::ReportAllocatorCannotReturnNull() (/home/test/work/asan-v8-arm-linux-release-489609/filter_fuzz_stub+0x811a04e)
    #3 0x811a0c4 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() (/home/test/work/asan-v8-arm-linux-release-489609/filter_fuzz_stub+0x811a0c4)
    #4 0x80696e8 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/test/work/asan-v8-arm-linux-release-489609/filter_fuzz_stub+0x80696e8)
    #5 0x8067e48 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/home/test/work/asan-v8-arm-linux-release-489609/filter_fuzz_stub+0x8067e48)
    #6 0x8138fc1 in operator new[](unsigned int) (/home/test/work/asan-v8-arm-linux-release-489609/filter_fuzz_stub+0x8138fc1)
    #7 0x9095a5a in make_unique_default<unsigned int []> third_party/skia/src/core/SkMakeUnique.h:23:31
    #8 0x9095a5a in SkMaskBlurFilter::SkMaskBlurFilter(double, double) third_party/skia/src/core/SkMaskBlurFilter.cpp:68
    #9 0x9058b25 in SkBlurMask::BoxBlur(SkMask*, SkMask const&, float, SkBlurStyle, SkBlurQuality, SkIPoint*, bool) third_party/skia/src/effects/SkBlurMask.cpp:592:22

("set allocator_may_return_null=1" doesn't work here)

Return value of bufferSize is too large, so asan exited due to a failed "new":

SkMaskBlurFilter::SkMaskBlurFilter(double sigmaW, double sigmaH)
    : fInfoW{sigmaW}, fInfoH{sigmaH}
    , fBuffer0{skstd::make_unique_default<uint32_t[]>(bufferSize(0))}
    , fBuffer1{skstd::make_unique_default<uint32_t[]>(bufferSize(1))}
    , fBuffer2{skstd::make_unique_default<uint32_t[]>(bufferSize(2))} {
}

Remember, a failed "new" doesn't crash in either x86 release build or x86 debug build.

 

Root Cause:

https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkMaskBlurFilter.cpp?l=103
dst->fImage = SkMask::AllocImage(dstW * dstH); // int overflow happens





About fix:

We should call the function "computeImageSize" first to decide whether to proceed.
Like this:
size_t dstSize = dst->computeImageSize();   // dst is an SkMask*, as in the line above
if (0 == dstSize) {
    return false;   // too big to allocate, abort
}


PS:
It seems the bug was introduced by this commit 2 weeks ago:
https://skia.googlesource.com/skia.git/+/771ae9682f25ea23de32f85be0d3239ad5acec30
Latest stable build of chrome(x86) should have this vulnerability.


 
Attachment: poc (520 bytes)

Comment 1 by vakh@chromium.org, Jul 26 2017

Components: Internals>Skia
Owner: reed@google.com
Status: Assigned (was: Unconfirmed)
Thanks for the report.

Comment 2 by ClusterFuzz, Jul 26 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6353864403189760.

Comment 3 by vakh@chromium.org, Jul 26 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows

Comment 4 by vakh@chromium.org, Jul 26 2017

Cc: herb@chromium.org
Owner: reed@chromium.org

Comment 5 by vakh@chromium.org, Aug 1 2017

Cc: -herb@chromium.org herb@google.com
Labels: Security_Severity-High Security_Impact-Stable M-61 Pri-1
Marking sev high out of an abundance of caution, unclear if the path can be hit outside of the fuzzer.

Comment 7 by hcm@chromium.org, Aug 8 2017

Cc: -herb@google.com hcm@chromium.org reed@google.com
Owner: herb@google.com
Herb is coming back and has been working to rewrite code in this space, let's have him take a look in another couple days.

Reporter's reply:
Here is a new poc which doesn't trigger a failed "new" in "SkMaskBlurFilter".
Due to a large alloc (1752543232 bytes), it might take several seconds to crash the debug build of filter_fuzz_stub.

Attachment: poc-749147-1 (520 bytes)

Comment 9 by sheriffbot@chromium.org, Aug 10 2017

herb: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by herb@google.com, Aug 14 2017

Can you please include a stack trace for the crash in #8?

Reporter's reply:
Stack trace (x86 debug build of filter_fuzz_stub, run under gdb):
[0815/102956.959308:INFO:filter_fuzz_stub.cc(60)] Test case: /home/test/Downloads/poc-749147-1
[0815/102957.121020:INFO:filter_fuzz_stub.cc(37)] Valid stream detected.
tcmalloc: large alloc 1752543232 bytes == 0x5dc19000 @  0xf6f7205b 0xf6f6e657 0xf6f73703 0xf6f6f55e 0xf6f73328 0xf6fa958e 0xf6f2522a 0xf6f24c17 0xf6f2425a 0xf722f386 0xf722d9de 0xf74ed0e0 0xf750b3be 0xf7231389 0xf71bf8e1 0xf71c027b 0xf71c44fc 0xf75120c6 0xf72ec990 0xf71c0160 0xf711cfb3 0xf71be1f7 0xf711cefc 0xf71195c4 0xf7159982 0xf7156169 0xf753b33d 0xf7208f49 0xf720b27a 0xf7148054 0xf7208f49

Program received signal SIGSEGV, Segmentation fault.
0xf722eab4 in SkMaskBlurFilter::blurOneScan (this=0xffff7678, info=..., src=0x5dc19010 "", srcStride=1, 
    srcEnd=0x5dc1f884 "", dst=0xc63a220c <error: Cannot access memory at address 0xc63a220c>, dstStride=65540, 
    dstEnd=0x5dc18020 "\020") at ../../third_party/skia/src/core/SkMaskBlurFilter.cpp:224
224	        *dst = SkTo<uint8_t>((info.scaledWeight() * sum2 + half) >> 32);
(gdb) bt
#0  0xf722eab4 in SkMaskBlurFilter::blurOneScan (this=0xffff7678, info=..., src=0x5dc19010 "", srcStride=1, 
    srcEnd=0x5dc1f884 "", dst=0xc63a220c <error: Cannot access memory at address 0xc63a220c>, dstStride=65540, 
    dstEnd=0x5dc18020 "\020") at ../../third_party/skia/src/core/SkMaskBlurFilter.cpp:224
#1  0xf722dcd9 in SkMaskBlurFilter::blur (this=0xffff7678, src=..., dst=0xffff7cd8)
    at ../../third_party/skia/src/core/SkMaskBlurFilter.cpp:125
#2  0xf74ed0e0 in SkBlurMask::BoxBlur (dst=0xffff7cd8, src=..., sigma=6880, style=kInner_SkBlurStyle, 
    quality=kLow_SkBlurQuality, margin=0x0, force_quality=false) at ../../third_party/skia/src/effects/SkBlurMask.cpp:596
#3  0xf750b3be in SkEmbossMaskFilter::filterMask (this=0x81afa10, dst=0xffff7cd8, src=..., matrix=..., margin=0x0)
    at ../../third_party/skia/src/effects/SkEmbossMaskFilter.cpp:64
#4  0xf7231389 in SkMaskFilter::filterPath (this=0x81afa10, devPath=..., matrix=..., clip=..., blitter=0xffff7e88, 
    style=SkStrokeRec::kFill_InitStyle) at ../../third_party/skia/src/core/SkMaskFilter.cpp:269
#5  0xf71bf8e1 in SkDraw::drawDevPath (this=0xffff8ea0, devPath=..., paint=..., drawCoverage=false, customBlitter=0x0, 
    doFill=true) at ../../third_party/skia/src/core/SkDraw.cpp:983
#6  0xf71c027b in SkDraw::drawPath (this=0xffff8ea0, origSrcPath=..., origPaint=..., prePathMatrix=0x50ff8001, 
    pathIsMutable=false, drawCoverage=false, customBlitter=0x0) at ../../third_party/skia/src/core/SkDraw.cpp:1121
#7  0xf71c44fc in SkDraw::drawPath (this=0xffff8ea0, path=..., paint=..., customBlitter=0x0)
    at ../../third_party/skia/src/core/SkDraw.h:61
#8  0xf75120c6 in SkLayerRasterizer::onRasterize (this=0x81adac0, path=..., matrix=..., clipBounds=0xffff8f98, 
    mask=0xffff9050, mode=SkMask::kComputeBoundsAndRenderImage_CreateMode)
    at ../../third_party/skia/src/effects/SkLayerRasterizer.cpp:140
#9  0xf72ec990 in SkRasterizer::rasterize (this=0x81adac0, fillPath=..., matrix=..., clipBounds=0xffff8f98, 
    filter=0x81afed0, mask=0xffff9050, mode=SkMask::kComputeBoundsAndRenderImage_CreateMode)
    at ../../third_party/skia/src/core/SkRasterizer.cpp:33
#10 0xf71c0160 in SkDraw::drawPath (this=0xffff9388, origSrcPath=..., origPaint=..., prePathMatrix=0x50ff8001, 
    pathIsMutable=true, drawCoverage=false, customBlitter=0x0) at ../../third_party/skia/src/core/SkDraw.cpp:1106
#11 0xf711cfb3 in SkDraw::drawPath (this=0xffff9388, path=..., paint=..., prePathMatrix=0x0, pathIsMutable=true)
    at ../../third_party/skia/src/core/SkDraw.h:56
#12 0xf71be1f7 in SkDraw::drawRect (this=0xffffa1b8, prePaintRect=..., paint=..., paintMatrix=0x0, postPaintRect=0x0)
    at ../../third_party/skia/src/core/SkDraw.cpp:756
#13 0xf711cefc in SkDraw::drawRect (this=0xffffa1b8, rect=..., paint=...) at ../../third_party/skia/src/core/SkDraw.h:42
#14 0xf71195c4 in SkBitmapDevice::drawRect (this=0x818c010, r=..., paint=...)
    at ../../third_party/skia/src/core/SkBitmapDevice.cpp:195
#15 0xf7159982 in SkCanvas::onDrawRect (this=0x81b7410, r=..., paint=...)
    at ../../third_party/skia/src/core/SkCanvas.cpp:2030
#16 0xf7156169 in SkCanvas::drawRect (this=0x81b7410, r=..., paint=...)
    at ../../third_party/skia/src/core/SkCanvas.cpp:1711
#17 0xf753b33d in SkPaintImageFilter::onFilterImage (this=0x81d1f10, source=0x81ced30, ctx=..., offset=0xffffab90)
    at ../../third_party/skia/src/effects/SkPaintImageFilter.cpp:65
#18 0xf7208f49 in SkImageFilter::filterImage (this=0x81d1f10, src=0x81ced30, context=..., offset=0xffffab90)
    at ../../third_party/skia/src/core/SkImageFilter.cpp:212
#19 0xf720b27a in SkImageFilter::filterInput (this=0x81bbd10, index=0, src=0x81ced30, ctx=..., offset=0xffffab90)
    at ../../third_party/skia/src/core/SkImageFilter.cpp:508
#20 0xf7148054 in SkBlurImageFilterImpl::onFilterImage (this=0x81bbd10, source=0x81ced30, ctx=..., offset=0xffffb0b8)
    at ../../third_party/skia/src/core/SkBlurImageFilter.cpp:157
#21 0xf7208f49 in SkImageFilter::filterImage (this=0x81bbd10, src=0x81ced30, context=..., offset=0xffffb0b8)
    at ../../third_party/skia/src/core/SkImageFilter.cpp:212
#22 0xf711a911 in SkBitmapDevice::drawSpecial (this=0x818d690, src=0x81ced30, x=-3, y=-1596, origPaint=..., clipImage=
    0x0, clipMatrix=...) at ../../third_party/skia/src/core/SkBitmapDevice.cpp:421
#23 0xf7152517 in SkCanvas::internalDrawDevice (this=0xffffbc48, srcDev=0x818db10, x=-3, y=-1596, paint=0x81accd0, 
    clipImage=0x0, clipMatrix=...) at ../../third_party/skia/src/core/SkCanvas.cpp:1314
#24 0xf714f8a6 in SkCanvas::internalRestore (this=0xffffbc48) at ../../third_party/skia/src/core/SkCanvas.cpp:1202
#25 0xf71637bd in AutoDrawLooper::~AutoDrawLooper (this=0xffffb598) at ../../third_party/skia/src/core/SkCanvas.cpp:496
#26 0xf715baf4 in SkCanvas::onDrawBitmap (this=0xffffbc48, bitmap=..., x=0, y=0, paint=0xffffb980)
    at ../../third_party/skia/src/core/SkCanvas.cpp:2309
#27 0xf7157b67 in SkCanvas::drawBitmap (this=0xffffbc48, bitmap=..., dx=0, dy=0, paint=0xffffb980)
    at ../../third_party/skia/src/core/SkCanvas.cpp:1832
#28 0x0804e0cf in (anonymous namespace)::RunTestCase (ipc_filter_message=..., bitmap=..., canvas=0xffffbc48)
    at ../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:47
#29 0x0804d799 in (anonymous namespace)::ReadAndRunTestCase (filename=0xffffd0ad "/home/test/Downloads/poc-749147-1", 
    bitmap=..., canvas=0xffffbc48) at ../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
#30 0x0804d4ca in main (argc=2, argv=0xffffce74) at ../../skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:85


Comment 12 by bugdroid1@chromium.org, Aug 16 2017

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/683d84baed9e6b453f6660c1a21e0fe5dc35e7bb

commit 683d84baed9e6b453f6660c1a21e0fe5dc35e7bb
Author: Herb Derby <herb@google.com>
Date: Wed Aug 16 15:32:46 2017

Use SkSafeMath to calculate memory sizes.

BUG= chromium:749147 

Change-Id: I07d18e089be1138ad83bfde392c7daf2d01d388c
Reviewed-on: https://skia-review.googlesource.com/34747
Commit-Queue: Herb Derby <herb@google.com>
Reviewed-by: Mike Klein <mtklein@chromium.org>

[modify] https://crrev.com/683d84baed9e6b453f6660c1a21e0fe5dc35e7bb/src/core/SkMaskBlurFilter.cpp


Comment 13 by bugdroid1@chromium.org, Aug 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2f4a2349401279a935bf2a71f6f0c47d571f12b

commit f2f4a2349401279a935bf2a71f6f0c47d571f12b
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Wed Aug 16 19:44:39 2017

Roll src/third_party/skia/ 7f23543d1..cf75b00ff (6 commits)

https://skia.googlesource.com/skia.git/+log/7f23543d1d27..cf75b00ff0b5

$ git log 7f23543d1..cf75b00ff --date=short --no-merges --format='%ad %ae %s'
2017-08-16 bsalomon Make ref manipulation public on surface proxies.
2017-08-16 rmistry Create new set of SVGs
2017-08-16 bungeman Replace SkFAIL with SK_ABORT.
2017-08-16 djsollen Cleanup tracing macros for use by the Android framework
2017-08-15 herb Use SkSafeMath to calculate memory sizes.
2017-08-16 brianosman Record all trace event data inline, with variable sized entries

Created with:
  roll-dep src/third_party/skia
BUG= 749147 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=bsalomon@chromium.org

Change-Id: Ic58a69986559a8999998144054130d521f9bb76b
Reviewed-on: https://chromium-review.googlesource.com/617270
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#494904}
[modify] https://crrev.com/f2f4a2349401279a935bf2a71f6f0c47d571f12b/DEPS

Comment 14 by herb@google.com, Aug 16 2017

Status: WontFix (was: Assigned)
I am unable to reproduce this on x86 or x64 with either poc or poc-749147-1.

Reporter's reply:
"Due to a large alloc (1752543232 bytes), it might take several seconds to crash the debug build of filter_fuzz_stub"

It takes several seconds (maybe 20s) to crash.

Comment 16 by herb@google.com, Aug 17 2017

It ran for half an hour and finished.

Reporter's reply:
Tested under asan-v8-arm-linux-release-489609 (the latest version when I reported):
[0817/112353.722663:INFO:filter_fuzz_stub.cc(60)] Test case: /tmp/poc-749147-2
[0817/112353.797018:INFO:filter_fuzz_stub.cc(37)] Valid stream detected.
=================================================================
==1331:1331==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1839852 at pc 0x09097b07 bp 0xff92e7c8 sp 0xff92e7c0
WRITE of size 1 at 0xf1839852 thread T0
    #0 0x9097b06 in SkMaskBlurFilter::blurOneScan(SkMaskBlurFilter::FilterInfo, unsigned char const*, unsigned int, unsigned char const*, unsigned char*, unsigned int, unsigned char*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:224:14
    #1 0x909662e in SkMaskBlurFilter::blur(SkMask const&, SkMask*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:125:19
    #2 0x9058b9d in SkBlurMask::BoxBlur(SkMask*, SkMask const&, float, SkBlurStyle, SkBlurQuality, SkIPoint*, bool) third_party/skia/src/effects/SkBlurMask.cpp:596:25
    #3 0x8c87beb in SkEmbossMaskFilter::filterMask(SkMask*, SkMask const&, SkMatrix const&, SkIPoint*) const third_party/skia/src/effects/SkEmbossMaskFilter.cpp:64:10
    #4 0x830bb23 in SkMaskFilter::filterPath(SkPath const&, SkMatrix const&, SkRasterClip const&, SkBlitter*, SkStrokeRec::InitStyle) const third_party/skia/src/core/SkMaskFilter.cpp:269:16
    #5 0x82d06c2 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:983:36

Attachment: poc-749147-2 (520 bytes)
You can take a look at that new poc "poc-749147-2".
BTW, the above fix can cause a zero address access.
Can you confirm the vulnerability now? Any more problems?
Under asan-v8-arm-linux-release-494485 (2017-08-15 21:59:29):
test@test-SVE1512S8C:~/work/asan-v8-arm-linux-release-494485$ ./filter_fuzz_stub /tmp/poc-749147-2
[0819/011218.722109:INFO:filter_fuzz_stub.cc(60)] Test case: /tmp/poc-749147-2
[0819/011218.749635:INFO:filter_fuzz_stub.cc(37)] Valid stream detected.
=================================================================
==8914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1839852 at pc 0x09107b47 bp 0xfffb8008 sp 0xfffb8000
WRITE of size 1 at 0xf1839852 thread T0
    #0 0x9107b46 in SkMaskBlurFilter::blurOneScan(SkMaskBlurFilter::FilterInfo, unsigned char const*, unsigned int, unsigned char const*, unsigned char*, unsigned int, unsigned char*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:224:14
    #1 0x910666e in SkMaskBlurFilter::blur(SkMask const&, SkMask*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:125:19
    #2 0x90c68dd in SkBlurMask::BoxBlur(SkMask*, SkMask const&, float, SkBlurStyle, SkBlurQuality, SkIPoint*, bool) third_party/skia/src/effects/SkBlurMask.cpp:596:25
    #3 0x8cf47bb in SkEmbossMaskFilter::filterMask(SkMask*, SkMask const&, SkMatrix const&, SkIPoint*) const third_party/skia/src/effects/SkEmbossMaskFilter.cpp:64:10
    #4 0x830e9f3 in SkMaskFilter::filterPath(SkPath const&, SkMatrix const&, SkRasterClip const&, SkBlitter*, SkStrokeRec::InitStyle) const third_party/skia/src/core/SkMaskFilter.cpp:269:16
    #5 0x82d36f2 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:983:36
    #6 0x82d452f in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1121:11
    #7 0x8d02632 in drawPath third_party/skia/src/core/SkDraw.h:61:15
    #8 0x8d02632 in SkLayerRasterizer::onRasterize(SkPath const&, SkMatrix const&, SkIRect const*, SkMask*, SkMask::CreateMode) const third_party/skia/src/effects/SkLayerRasterizer.cpp:140
    #9 0x83b5e67 in SkRasterizer::rasterize(SkPath const&, SkMatrix const&, SkIRect const*, SkMaskFilter*, SkMask*, SkMask::CreateMode) const third_party/skia/src/core/SkRasterizer.cpp:33:18
    #10 0x82d4453 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1106:37

Comment 22 by herb@google.com, Aug 22 2017

Status: Assigned (was: WontFix)
Using poc-749147-2, I did get the nullptr deref you spoke of in c19. The other stacktraces you show seem to be a different bug. Can you please open a new bug for those stack traces. A fix for the nullptr problem is coming.

Reporter's reply:
Before your fix in c13, it's a heap overflow write vulnerability;
It's not a different bug:
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkMaskBlurFilter.cpp?l=132

size_t toAlloc = safe.mul(dstW, dstH);
if (!safe) {
    // There is no border offset because we are not drawing.
    return {0, 0};
    // After the fix we return here, so dst->fImage stays null (it is used later and causes the nullptr deref).
}
// Before the fix there was an overflow in "(tmpW * tmpH)" and the heap overflow write happened in the following "this->blurOneScan".
dst->fImage = SkMask::AllocImage(toAlloc);

asan-v8-arm-linux-release-494485(2017-08-15 21:59:29) may be the last version before the fix(https://skia-review.googlesource.com/34747)
It can prove the heap overflow write vulnerability; did you run it with poc-749147-2?

Under the latest asan-v8-arm version, it's just a nullptr deref (so there is no need to open a new bug issue).
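The following C program is an added example, not Skia's code and not part of the bug report. It models the dstW * dstH size arithmetic in SkMaskBlurFilter::blur() on the 32-bit (x86) build from this report in the three states the thread discusses: the original unchecked multiply from the issue description (the product wraps and AllocImage gets a small buffer while blurOneScan walks the full mask), the SkSafeMath version from commit 683d84b (overflow is caught, but blur() returns {0, 0} with fImage still null), and a caller that also refuses to scan a null image (the assumed shape of the follow-up "Fix poor handling of nullptr" commit, which the page only names). The 65540 x 65540 input reuses the dstStride from the gdb trace and is a constructed value; the stage and outcome names, the struct, and size32_t standing in for a 32-bit size_t are all assumptions of this example.

```c
/* Added example (not Skia's code). Models the size computation in
 * SkMaskBlurFilter::blur() on a 32-bit target, where size_t is 32 bits,
 * before and after the fixes discussed in chromium:749147. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t size32_t;   /* stands in for size_t on the x86 build */

enum stage {
    STAGE_UNCHECKED,                 /* original code: int * int, wraps in practice */
    STAGE_SAFE_MATH,                 /* SkSafeMath rejects overflow, fImage stays NULL */
    STAGE_SAFE_MATH_AND_NULL_CHECK   /* caller also refuses to blur a NULL image (assumed) */
};

enum outcome {
    OUTCOME_OK,              /* scan stays inside the allocation */
    OUTCOME_HEAP_OVERFLOW,   /* scan writes past an undersized allocation */
    OUTCOME_NULL_DEREF,      /* scan writes through a NULL fImage */
    OUTCOME_REJECTED         /* mask too large: nothing allocated, nothing written */
};

struct plan {
    bool     overflow;       /* dstW * dstH does not fit in 32 bits */
    size32_t alloc_bytes;    /* what AllocImage is asked for (0 = never called) */
    uint64_t needed_bytes;   /* what blurOneScan walks: the full dstW x dstH */
    enum outcome outcome;
};

/* SkSafeMath-style multiply: compute in 64 bits, refuse anything over 32 bits. */
static bool safe_mul32(size32_t a, size32_t b, size32_t *out) {
    uint64_t product = (uint64_t)a * (uint64_t)b;
    if (product > UINT32_MAX) {
        return false;
    }
    *out = (size32_t)product;
    return true;
}

static struct plan plan_blur(uint32_t dstW, uint32_t dstH, enum stage stage) {
    struct plan p = {0};
    p.needed_bytes = (uint64_t)dstW * (uint64_t)dstH;

    size32_t to_alloc = 0;
    p.overflow = !safe_mul32(dstW, dstH, &to_alloc);

    if (stage == STAGE_UNCHECKED) {
        /* The wrapped low 32 bits of the product reach AllocImage, while the
           scan still iterates over every row and column of the mask. */
        p.alloc_bytes = (size32_t)p.needed_bytes;
        p.outcome = (p.needed_bytes > p.alloc_bytes) ? OUTCOME_HEAP_OVERFLOW : OUTCOME_OK;
        return p;
    }

    if (p.overflow) {
        p.alloc_bytes = 0;   /* return {0, 0}: dst->fImage is never set */
        p.outcome = (stage == STAGE_SAFE_MATH) ? OUTCOME_NULL_DEREF : OUTCOME_REJECTED;
        return p;
    }

    p.alloc_bytes = to_alloc;
    p.outcome = OUTCOME_OK;
    return p;
}

static const char *outcome_name(enum outcome o) {
    switch (o) {
    case OUTCOME_OK:            return "ok";
    case OUTCOME_HEAP_OVERFLOW: return "heap-buffer-overflow write";
    case OUTCOME_NULL_DEREF:    return "write through NULL fImage";
    default:                    return "rejected before allocation";
    }
}

int main(void) {
    /* Constructed input: 65540 is the dstStride from the gdb trace in this bug;
       the PoC's real height is not on the page. */
    const uint32_t w = 65540, h = 65540;
    for (int s = STAGE_UNCHECKED; s <= STAGE_SAFE_MATH_AND_NULL_CHECK; s++) {
        struct plan p = plan_blur(w, h, (enum stage)s);
        printf("stage %d: needed=%llu alloc=%u overflow=%d -> %s\n", s,
               (unsigned long long)p.needed_bytes, (unsigned)p.alloc_bytes,
               (int)p.overflow, outcome_name(p.outcome));
    }
    return 0;
}
```

With 65540 x 65540 the true size is 4295491600 bytes, which wraps to 524304 on a 32-bit size_t; the unchecked stage allocates that small buffer and the scan runs past it, the SkSafeMath stage never allocates but leaves a null image for the scan to write through, and only the stage that checks for the null image after the size check avoids a memory-safety bug. The practical lesson is the one the thread arrives at: a checked multiply is necessary, but every caller of the function that now reports failure has to handle that failure too.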

Comment 26 by herb@google.com, Aug 22 2017

Thanks for checking again Look. I have a CL in flight that will fix the nullptr problem.

Comment 27 by herb@google.com, Aug 22 2017

Cc: herb@chromium.org

Comment 28 by bugdroid1@chromium.org, Aug 22 2017


Comment 29 by bugdroid1@chromium.org, Aug 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5114173e1b339bae715535ad4b2015d3f7aedb56

commit 5114173e1b339bae715535ad4b2015d3f7aedb56
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Wed Aug 23 00:30:32 2017

Roll src/third_party/skia/ 267641a90..a184ac7e0 (5 commits)

https://skia.googlesource.com/skia.git/+log/267641a90cb1..a184ac7e0cdb

$ git log 267641a90..a184ac7e0 --date=short --no-merges --format='%ad %ae %s'
2017-08-22 bsalomon Revert "Revert "Revert "Add GrTextureOp and use to implement SkGpuDevice::drawImage[Rect]() when possible"""
2017-08-22 herb Fix poor handling of nullptr for new blur code
2017-08-22 enne Don't validate() in ~SkPathRef
2017-08-22 brianosman Add GrPrepareCallback, always run at the start of flush
2017-08-22 scroggo Make haveDecodedRow return void

Created with:
  roll-dep src/third_party/skia
BUG= 749147 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=jcgregorio@chromium.org

Change-Id: I3c535e2c947d75d30affe0569f30097dfdb9f035
Reviewed-on: https://chromium-review.googlesource.com/627634
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#496523}
[modify] https://crrev.com/5114173e1b339bae715535ad4b2015d3f7aedb56/DEPS

Comment 30 by herb@google.com, Aug 23 2017

Status: Fixed (was: Assigned)

Comment 31 by sheriffbot@chromium.org, Aug 24 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
And $5,000 for this one - thanks as ever!
Labels: -reward-unpaid reward-inprocess
Labels: -M-61 M-62

Comment 37 by sheriffbot@chromium.org, Sep 15 2017

Labels: Merge-Request-62

Comment 38 by sheriffbot@chromium.org, Sep 15 2017

Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Review -Merge-Review-62
Labels: Release-0-M62
Labels: CVE-2017-5125

Comment 42 by sheriffbot@chromium.org, Nov 30 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: kjlubick@chromium.org kjlubick@google.com
Labels: CVE_description-submitted
