New issue
Advanced search Search tips

Issue 793285 link

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-of-uninitialized-value in sse41::blit_row_s32a_opaque

Project Member Reported by ClusterFuzz, Dec 8 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5000116217053184

Fuzzer: attekett_surku_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=519805:519843

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5000116217053184

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Dec 8 2017

Labels: M-64
Project Member

Comment 2 by sheriffbot@chromium.org, Dec 8 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 8 2017

Labels: Pri-1
Components: Internals>Skia
A few Skia rolls in the regression range, and one change (crrev.com/519831) that causes Chrome to use Skia differently.
Owner: herb@google.com
I believe this first came in as  Issue 789812 , and the regressing CL was reverted. Now that it has relanded, the bug is back.

Comment 6 by herb@google.com, Dec 8 2017

This seems to be a wholly different bug. I will reproduce it locally. 

The CL https://skia-review.googlesource.com/79401 fixed the original bug.
Project Member

Comment 7 by sheriffbot@chromium.org, Dec 9 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 8 by sheriffbot@chromium.org, Dec 9 2017

Status: Assigned (was: Untriaged)
Project Member

Comment 9 by bugdroid1@chromium.org, Dec 12 2017

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/72b4e07e44353892b5972379d6e98c7334e8fe14

commit 72b4e07e44353892b5972379d6e98c7334e8fe14
Author: Herb Derby <herb@google.com>
Date: Tue Dec 12 22:03:39 2017

Handle small sigma in one direction

Because GPU/CPU must interoperate, the border calculation
code adds transparent black border pixels for sigmas
that produce a window of 1. This is a very rare case
and seems to only happen in fuzzers. In this case
cleare everything to black before bluring.

BUG= chromium:793285 

Change-Id: I2b56f9ad88304abaa2669c9c9ef69b5443ba4333
Reviewed-on: https://skia-review.googlesource.com/83562
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Herb Derby <herb@google.com>

[modify] https://crrev.com/72b4e07e44353892b5972379d6e98c7334e8fe14/src/core/SkBlurImageFilter.cpp

Project Member

Comment 10 by bugdroid1@chromium.org, Dec 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/142124b87c6b43005c38d9789e2aa668825b4a9c

commit 142124b87c6b43005c38d9789e2aa668825b4a9c
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Wed Dec 13 00:56:47 2017

Roll src/third_party/skia/ aeff9eaa1..106e17aa3 (3 commits)

https://skia.googlesource.com/skia.git/+log/aeff9eaa1903..106e17aa38c9

$ git log aeff9eaa1..106e17aa3 --date=short --no-merges --format='%ad %ae %s'
2017-12-12 mtklein JUMPER_IS_AVX2 -> JUMPER_IS_HSW
2017-12-12 rmistry Store skiaserve binary in GS from Release Android compile bots
2017-12-11 herb Handle small sigma in one direction

Created with:
  roll-dep src/third_party/skia
BUG= 793285 


The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=liyuqian@chromium.org

Change-Id: I63b183b3cf074966faf9f803ef04b0465bb343af
Reviewed-on: https://chromium-review.googlesource.com/823249
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523633}
[modify] https://crrev.com/142124b87c6b43005c38d9789e2aa668825b4a9c/DEPS

Project Member

Comment 11 by ClusterFuzz, Dec 13 2017

ClusterFuzz has detected this issue as fixed in range 523623:523651.

Detailed report: https://clusterfuzz.com/testcase?key=5000116217053184

Fuzzer: attekett_surku_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=519805:519843
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=523623:523651

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5000116217053184

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by herb@google.com, Dec 13 2017

Status: Fixed (was: Assigned)
Project Member

Comment 13 by ClusterFuzz, Dec 13 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5000116217053184 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 14 by sheriffbot@chromium.org, Dec 14 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 15 by sheriffbot@chromium.org, Dec 16 2017

Labels: Merge-Request-64
Project Member

Comment 16 by sheriffbot@chromium.org, Dec 16 2017

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
 Issue 794523  has been merged into this issue.
Cc: awhalley@chromium.org
Labels: -Merge-Review-64 Merge-Approved-64
+awhalley@ - Approving merge to M64. Branch:3282

Comment 19 by herb@google.com, Jan 2 2018

Owner: awhalley@chromium.org
The flag flip that triggered this bug was on Dec. 5th. This is not a problem in M64, only in M65. And it is already fixed in M65.
Labels: -Hotlist-Merge-Review -Security_Impact-Beta -ReleaseBlock-Stable -M-64 -Merge-Approved-64 Security_Impact-Head M-65
Thanks!
Labels: -reward-topanel reward-0
(found by internal fuzzers within window)
Project Member

Comment 22 by sheriffbot@chromium.org, Mar 22 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 23 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Head Security_Impact-Stable

Sign in to add a comment