Security: Signed Integer Overflow Vulnerability in Skia
Reported by
kushal89...@gmail.com,
Oct 3 2017
Issue description
VERSION
Operating System: Ubuntu 17.04
VULNERABILITY DETAILS
1) Build/compile the latest code of filter_fuzz_stub with the following gn flags:
is_msan = true
is_debug = false
is_ubsan = true
msan_track_origins = 2
(ninja -C out/Default skia:filter_fuzz_stub)
2) Run filter_fuzz_stub with the attached PoC file:
/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub /home/h4ck3r/Desktop/PoC.fil
[1002/175603.215516:INFO:filter_fuzz_stub.cc(61)] Test case: /home/h4ck3r/Desktop/PoC.fil
[1002/175603.218051:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
../../third_party/skia/include/core/SkRect.h:76:39: runtime error: signed integer overflow: 2147483520 - -2147483520 cannot be represented in type 'int'
#0 0x57b653 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x57b653)
#1 0x6d4430 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x6d4430)
#2 0x68fa98 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x68fa98)
#3 0x6983a7 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x6983a7)
#4 0x10910a3 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x10910a3)
#5 0x68fa98 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x68fa98)
#6 0xdf9b59 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0xdf9b59)
#7 0x5a6a7b (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x5a6a7b)
#8 0x59cf10 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x59cf10)
#9 0x5aae11 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x5aae11)
#10 0x5c9639 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x5c9639)
#11 0x5b93bc (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x5b93bc)
#12 0x493fc4 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x493fc4)
#13 0x7f25f5e963f0 (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
#14 0x425287 (/home/h4ck3r/Desktop/chromium_oct2_new/src/out/Default/filter_fuzz_stub+0x425287)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../third_party/skia/include/core/SkRect.h:76:39 in
[1002/175603.310452:INFO:filter_fuzz_stub.cc(50)] Filter DAG rendered successfully
#EOF
Oct 3 2017
Detailed report: https://clusterfuzz.com/testcase?key=6027532699959296
Job Type: linux_ubsan_filter_fuzz_stub
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::width
  size
  SkMatrixImageFilter::onFilterImage
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_filter_fuzz_stub&range=493136:493198
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6027532699959296
See https://github.com/google/clusterfuzz-tools for more information.
Oct 3 2017
mtklein@ could you please take a look, or help with getting this assigned to the right person? Can this integer overflow lead to OOB accesses later (it doesn't crash on an ASan build)?
skia regression range: https://skia.googlesource.com/skia/+log/69fd008199989c5a5a96f992dcaa4089b63f490f..5eb8fc585e9b3c9ccc82b0921986e1020ddaff23?pretty=fuller&n=10000
Note that an integer overflow on its own does not necessarily indicate a security vulnerability. Keeping security labels out of caution and giving this a low for now.
Oct 4 2017
Oct 12 2017
Hi there, taking a look now. If ASAN builds are happy, this is likely not going to lead to an OOB access. Usually in a situation like this some later stage of the code clamps into a valid range before accessing memory.
Oct 12 2017
Short story is, no major problem here. The overflow results in us creating a size value with negative width and height, which we then catch as meaningless and abort that particular draw cleanly. I think we probably don't need to do anything here unless we've got some other particular interest that I'm not seeing in the issue log.
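To make the two points in this thread concrete (the UBSan line from the issue description, where fRight - fLeft cannot be represented in an int, and the comment above that the overflowed size comes out negative and is rejected before any drawing), here is an added example written for this page. It is not Skia's code and not the fix that later landed; IRect, wrappedSpan, checkedSpan and usableSize are hypothetical names, and the rectangle values are constructed from the operands quoted in the sanitizer output (the top/bottom edges are an assumption, since the report only quotes the width operands).

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <utility>

// Added example, not Skia's code. Minimal stand-in for SkIRect: four
// signed 32-bit edges, as on the SkRect.h line the UBSan report points at.
struct IRect {
    int32_t fLeft;
    int32_t fTop;
    int32_t fRight;
    int32_t fBottom;
};

// Constructed from the report: fRight - fLeft is 2147483520 - -2147483520.
// The top/bottom edges are an assumption chosen to give the negative height
// mentioned in the thread; the report itself only quotes the width operands.
const IRect kReportRect = {-2147483520, -2147483520, 2147483520, 2147483520};

// Constructed well-formed rectangle, 100 wide and 50 high, for comparison.
const IRect kSmallRect = {10, 20, 110, 70};

// What a non-sanitized two's-complement build observes. Evaluating hi - lo
// in int32_t is undefined behaviour when the true result does not fit, so the
// wrapped value is computed in unsigned arithmetic (well defined, modulo 2^32)
// and then converted back; the true result 4294967040 wraps to -256.
int32_t wrappedSpan(int32_t lo, int32_t hi) {
    uint32_t u = static_cast<uint32_t>(hi) - static_cast<uint32_t>(lo);
    return static_cast<int32_t>(u);
}

// Overflow-aware version: subtract in 64 bits, then accept only a
// non-negative result that fits in int32_t. Returns nullopt both for the
// overflow case and for an inverted (hi < lo) edge pair.
std::optional<int32_t> checkedSpan(int32_t lo, int32_t hi) {
    int64_t span = static_cast<int64_t>(hi) - static_cast<int64_t>(lo);
    if (span < 0 || span > std::numeric_limits<int32_t>::max()) {
        return std::nullopt;
    }
    return static_cast<int32_t>(span);
}

// The outcome described in the thread: a rectangle whose size is not
// representable (or is empty) is rejected before any drawing happens.
// Returns {width, height} only for a usable rectangle.
std::optional<std::pair<int32_t, int32_t>> usableSize(const IRect& r) {
    std::optional<int32_t> w = checkedSpan(r.fLeft, r.fRight);
    std::optional<int32_t> h = checkedSpan(r.fTop, r.fBottom);
    if (!w || !h || *w == 0 || *h == 0) {
        return std::nullopt;
    }
    return std::make_pair(*w, *h);
}
```

Running the report's rectangle through wrappedSpan gives -256, the negative width the comment above refers to, while checkedSpan and usableSize reject it outright; kSmallRect passes with a 100x50 size. The point for a reviewer is that the wrapped value is only harmless because a later check catches a negative size; computing the span in a wider type turns the same condition into an explicit, sanitizer-clean rejection.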
Oct 19 2017
ClusterFuzz testcase 6027532699959296 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Oct 20 2017
Dec 8 2017
ClusterFuzz has detected this issue as fixed in range 522600:522654.
Detailed report: https://clusterfuzz.com/testcase?key=6027532699959296
Job Type: linux_ubsan_filter_fuzz_stub
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::width
  size
  SkMatrixImageFilter::onFilterImage
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_filter_fuzz_stub&range=493136:493198
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_filter_fuzz_stub&range=522600:522654
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6027532699959296
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 19 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 22 2018
Comment 1 by elawrence@chromium.org, Oct 3 2017