
Issue 793637 link


Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security




Security: MSAN detects use of uninitialized value in makeWithLocalMatrix (using filter_fuzz_stub)

Project Member Reported by metzman@chromium.org, Dec 10 2017

Issue description

This bug was found by skia_image_filter_proto_fuzzer (filter_proto_fuzzer).


REPRODUCTION CASE
1. Build filter_fuzz_stub using the following options:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_msan = true
pdf_enable_xfa = true
proprietary_codecs = true
use_libfuzzer = true
use_goma = true
is_debug = false
optimize_for_fuzzing = true

2. Run it on the attached input (ffs-local-matrix):

metzman@metzman:~/chromium1/src$ ./out/msan/filter_fuzz_stub real-crashes/ffs-local-matrix
[1209/191707.681410:INFO:filter_fuzz_stub.cc(61)] Test case: real-crashes/ffs-local-matrix
==191471==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xbbe489 in SkShader::makeWithLocalMatrix(SkMatrix const&) const third_party/skia/src/shaders/SkLocalMatrixShader.cpp:99:9
    #1 0xbbdf92 in SkLocalMatrixShader::CreateProc(SkReadBuffer&) third_party/skia/src/shaders/SkLocalMatrixShader.cpp:34:24
    #2 0xa8bc84 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
    #3 0xa304b0 in sk_sp<SkShaderBase> SkReadBuffer::readFlattenable<SkShaderBase>() third_party/skia/src/core/SkReadBuffer.h:149:35
    #4 0xa295dc in SkReadBuffer::readShader() third_party/skia/src/core/SkReadBuffer.h:157:49
    #5 0xba241e in SkColorFilterShader::CreateProc(SkReadBuffer&) third_party/skia/src/shaders/SkColorFilterShader.cpp:29:26
    #6 0xa8bc84 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
    #7 0xa304b0 in sk_sp<SkShaderBase> SkReadBuffer::readFlattenable<SkShaderBase>() third_party/skia/src/core/SkReadBuffer.h:149:35
    #8 0xa295dc in SkReadBuffer::readShader() third_party/skia/src/core/SkReadBuffer.h:157:49
    #9 0xba241e in SkColorFilterShader::CreateProc(SkReadBuffer&) third_party/skia/src/shaders/SkColorFilterShader.cpp:29:26
    #10 0xa8bc84 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
    #11 0xa304b0 in sk_sp<SkShaderBase> SkReadBuffer::readFlattenable<SkShaderBase>() third_party/skia/src/core/SkReadBuffer.h:149:35
    #12 0xa295dc in SkReadBuffer::readShader() third_party/skia/src/core/SkReadBuffer.h:157:49
    #13 0xba241e in SkColorFilterShader::CreateProc(SkReadBuffer&) third_party/skia/src/shaders/SkColorFilterShader.cpp:29:26
    #14 0xa8bc84 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
    #15 0xa304b0 in sk_sp<SkShaderBase> SkReadBuffer::readFlattenable<SkShaderBase>() third_party/skia/src/core/SkReadBuffer.h:149:35
    #16 0xa295dc in SkReadBuffer::readShader() third_party/skia/src/core/SkReadBuffer.h:157:49
    #17 0xa29056 in SkPaint::unflatten(SkReadBuffer&) third_party/skia/src/core/SkPaint.cpp:1943:32
    #18 0x1296337 in SkPaintImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkPaintImageFilter.cpp:30:12
    #19 0xa8bc84 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
    #20 0x983407 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:145:40
    #21 0x9837d0 in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22:17
    #22 0x495b55 in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
    #23 0x493b1c in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
    #24 0x493386 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10
    #25 0x7ff6bdb9af44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #26 0x423f69 in _start (/usr/local/google/home/metzman/chromium1/src/out/msan/filter_fuzz_stub+0x423f69)

  Uninitialized value was created by an allocation of 'proxy' in the stack frame of function '_ZNK8SkShader19makeWithLocalMatrixERK8SkMatrix'
    #0 0xbbe010 in SkShader::makeWithLocalMatrix(SkMatrix const&) const third_party/skia/src/shaders/SkLocalMatrixShader.cpp:89

SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/skia/src/shaders/SkLocalMatrixShader.cpp:99:9 in SkShader::makeWithLocalMatrix(SkMatrix const&) const
Exiting

Attachment: ffs-local-matrix (620 bytes)
Comment 1 by ClusterFuzz (Project Member), Dec 10 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6145500779905024.
Comment 2 by ClusterFuzz (Project Member), Dec 10 2017

Labels: Security_Severity-Medium Security_Impact-Head
Detailed report: https://clusterfuzz.com/testcase?key=6145500779905024

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkShader::makeWithLocalMatrix
  SkLocalMatrixShader::CreateProc
  SkReadBuffer::readFlattenable

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=522280:522310

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6145500779905024

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Comment 3 by ClusterFuzz (Project Member), Dec 10 2017

Labels: Test-Predator-Auto-Owner
Owner: reed@google.com
Status: Assigned (was: Unconfirmed)
Automatically assigning owner based on suspected regression changelist https://skia.googlesource.com/skia/+/fadbfcd4aba676d44dfb08de1a83143a1c63b95c (upgrade SkReadBuffer to always validate).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Comment 4 by sheriffbot@chromium.org (Project Member), Dec 10 2017

Labels: M-64
Comment 5 by sheriffbot@chromium.org (Project Member), Dec 10 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by sheriffbot@chromium.org (Project Member), Dec 10 2017

Labels: Pri-1
Comment 7 by sheriffbot@chromium.org (Project Member), Dec 11 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Please add affected OSs.
Comment 9 by ClusterFuzz (Project Member), Dec 12 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6145500779905024 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 10 by sheriffbot@chromium.org (Project Member), Dec 13 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
I found this bug on Linux, but I think all platforms but iOS are affected.
Cc: kjlubick@chromium.org kjlubick@google.com
Comment 13 by sheriffbot@chromium.org (Project Member), Mar 21 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 14 by sheriffbot@chromium.org (Project Member), Mar 27 2018

Labels: -Security_Impact-Beta -M-64 M-65 Security_Impact-Stable
Labels: -ReleaseBlock-Stable
