Skia should not serialize codec backed images. |
||||||
Issue descriptionWhile looking at SkImageFilter serialization, I stumbled onto SkImageSource, which is an SkImage backed filter. This filter can be present on cc::FilterOperation for a cc::Layer and serialized as a part of cc::CompositorFrame to the browser process. During serialization, skia internally serializes the encoded data for the image, and on de-serialization backs it with a SkCodecImageGenerator which can decode the image using a skia decoder. AFAICT, the only user of SkImageSource in blink that could use a codec backed image is SVGFEImage which should never be added to the FilterOperation on a cc::Layer. But to ensure security, we should disable serialization of encoded images in skia in the renderer. This is already done with SkPictures, for cases like SkPictureImageFilter and I think a similar approach should be taken with SkImages.
,
Sep 26 2017
Is there a reason to suspect SkImageSource/SkCodecImageGenerator/Skia codecs in general are insecure? If this scenario cannot occur in practice, is there a way to assert instead? senorblanco@/reed@ are prolly more familiar with the cross-process embedded picture serialization ban (IIRC it had to do with our confidence in SkPicture fuzzing coverage), but I'm not sure the same motivation is applicable to SkImage(Source).
,
Sep 26 2017
I think in general, we don't do any image decoding in a trusted process.
,
Sep 26 2017
I would like to really understand this situation. From a naive perspective, codecs are just code that we can control/test/fuzz/fix just like Skia itself (and command-buffer and all of the new deserialization code being written). Why do we think decoding is so risky that we cannot use it -vs- the risk of not making our other code robust? On a different front, I was under the impression that we were exploring worker processes to perform decoding into shared memory. Is that still on the table?
,
Sep 27 2017
As for why we disallow decoding in a privileged process, I think palmer@ would be able to answer that better. We do have utility processes in Chrome used for image decoding in general. But did you mean worker processes in the context of out-of-process raster? The plan there is to pre-decode everything in the renderer and only serialize decodes, similar to how cc does most pre-decoding today. There are a few cases where images are still buried deep inside skia data structures, which we are working on making visible in cc. My point here was that within the current system, we have opaque SkImageFilters on CompositorFrames that are serialized cross-process, and there are no security checks to ensure that we are not serializing images in these filters to the browser and performing the decode there. Since the serialization is going through skia, there should at least be a a way to assert that it does not include encoded images.
,
Sep 27 2017
I don't think I understand all the moving parts in play here. It sounds like khushalsagar wants a static assertion that we won't run (a) certain decoder(s) in a privileged process, and that we already have such assertions for some?
,
Sep 27 2017
We disable serialization of SkPictures in the renderer (https://cs.chromium.org/chromium/src/third_party/skia/src/effects/SkPictureImageFilter.cpp?l=85), but we don't have a similar limitation for SkImages (https://cs.chromium.org/chromium/src/third_party/skia/src/effects/SkImageSource.cpp?l=78). Which means its possible to have an encoded image serialized to the browser, and eventually decoded there using an SkCodec.
,
Sep 27 2017
#7: I see. Yeah, it would definitely be good to have a guarantee against that happening. As a general security principle, we don't want to deserialize any inputs from a complex grammar in any privileged process.
,
Sep 27 2017
Skia has a SkPixelSerializer callback class that can be passed to methods like SkPicture::serialize and SkImage::encodeToData. Chrome/blink can pass in a subclass of this that will allow them to restrict any image formats they wish (e.g. encoded). It is fine-grained, meaning it can selectively allow/restrict some formats and not others, and it can decide to either abort a given image's serialization, or transform it into a different form.
,
Sep 27 2017
Patch up for review: https://chromium-review.googlesource.com/c/chromium/src/+/688656.
,
Oct 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/116159dfe170dcc2cf6f3b2a04a292130f6b79e2 commit 116159dfe170dcc2cf6f3b2a04a292130f6b79e2 Author: Khushal <khushalsagar@chromium.org> Date: Thu Oct 05 01:54:51 2017 cc/ipc: Disallow codec backed SkImageFilters on CompositorFrames. CompositorFrames can have opaque SkImageFilters which internally may contain codec backed images. No cc client should be using such filters. Assert this during filter serialization. R=enne@chromium.org, reed@chromium.org Bug: 768511 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel Change-Id: I222cf4f7189e879537c19d723bf57b739aa9ad57 Reviewed-on: https://chromium-review.googlesource.com/688656 Commit-Queue: Khushal <khushalsagar@chromium.org> Reviewed-by: Florin Malita <fmalita@chromium.org> Reviewed-by: Mike Reed <reed@chromium.org> Reviewed-by: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#506619} [modify] https://crrev.com/116159dfe170dcc2cf6f3b2a04a292130f6b79e2/cc/ipc/cc_param_traits.cc [modify] https://crrev.com/116159dfe170dcc2cf6f3b2a04a292130f6b79e2/cc/ipc/cc_param_traits.h [modify] https://crrev.com/116159dfe170dcc2cf6f3b2a04a292130f6b79e2/skia/BUILD.gn [modify] https://crrev.com/116159dfe170dcc2cf6f3b2a04a292130f6b79e2/skia/ext/skia_utils_base.cc [modify] https://crrev.com/116159dfe170dcc2cf6f3b2a04a292130f6b79e2/skia/ext/skia_utils_base.h [add] https://crrev.com/116159dfe170dcc2cf6f3b2a04a292130f6b79e2/skia/ext/skia_utils_base_unittest.cc [modify] https://crrev.com/116159dfe170dcc2cf6f3b2a04a292130f6b79e2/skia/public/interfaces/image_filter_struct_traits.h
,
Oct 5 2017
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by khushals...@chromium.org
, Sep 25 2017