Security: global-buffer-overflow in MakeComposeFilter (filter_fuzz_stub)
Issue description
This bug was found by skia_image_filter_proto_fuzzer (filter_proto_fuzzer).
REPRODUCTION CASE
1. Build filter_fuzz_stub using the following options:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_asan = true
pdf_enable_xfa = true
proprietary_codecs = true
use_libfuzzer = true
use_goma = true
is_debug = false
optimize_for_fuzzing = true
2. Run it on the attached input (ffs-buffer-overflow):
$ ./out/skia/filter_fuzz_stub real-crashes/ffs-buffer-overflow
[1209/192657.469606:INFO:filter_fuzz_stub.cc(61)] Test case: real-crashes/ffs-buffer-overflow
=================================================================
==193536==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001b594e0 at pc 0x00000097039b bp 0x7ffea08de610 sp 0x7ffea08de608
READ of size 8 at 0x000001b594e0 thread T0
#0 0x97039a in SkColorFilter::MakeComposeFilter(sk_sp<SkColorFilter>, sk_sp<SkColorFilter>) third_party/skia/src/core/SkColorFilter.cpp:192:31
#1 0x96fa45 in SkComposeColorFilter::CreateProc(SkReadBuffer&) third_party/skia/src/core/SkColorFilter.cpp:179:12
#2 0xb0d414 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
#3 0xa80435 in readFlattenable<SkColorFilter> third_party/skia/src/core/SkReadBuffer.h:149:35
#4 0xa80435 in readColorFilter third_party/skia/src/core/SkReadBuffer.h:151
#5 0xa80435 in SkPaint::unflatten(SkReadBuffer&) third_party/skia/src/core/SkPaint.cpp:1945
#6 0xdc528f in SkPaintImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkPaintImageFilter.cpp:30:12
#7 0xb0d414 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
#8 0xa07110 in readFlattenable<SkImageFilter> third_party/skia/src/core/SkReadBuffer.h:149:35
#9 0xa07110 in readImageFilter third_party/skia/src/core/SkReadBuffer.h:153
#10 0xa07110 in SkImageFilter::Common::unflatten(SkReadBuffer&, int) third_party/skia/src/core/SkImageFilter.cpp:130
#11 0xe32490 in SkDisplacementMapEffect::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkDisplacementMapEffect.cpp:149:5
#12 0xb0d414 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
#13 0xa07110 in readFlattenable<SkImageFilter> third_party/skia/src/core/SkReadBuffer.h:149:35
#14 0xa07110 in readImageFilter third_party/skia/src/core/SkReadBuffer.h:153
#15 0xa07110 in SkImageFilter::Common::unflatten(SkReadBuffer&, int) third_party/skia/src/core/SkImageFilter.cpp:130
#16 0xe32490 in SkDisplacementMapEffect::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkDisplacementMapEffect.cpp:149:5
#17 0xb0d414 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
#18 0xa07110 in readFlattenable<SkImageFilter> third_party/skia/src/core/SkReadBuffer.h:149:35
#19 0xa07110 in readImageFilter third_party/skia/src/core/SkReadBuffer.h:153
#20 0xa07110 in SkImageFilter::Common::unflatten(SkReadBuffer&, int) third_party/skia/src/core/SkImageFilter.cpp:130
#21 0xde46fd in SkComposeImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkComposeImageFilter.cpp:85:5
#22 0xb0d414 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:448:15
#23 0xa013e1 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:145:40
#24 0xa016a9 in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22:17
#25 0x5d03c0 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
#26 0x5d03c0 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
#27 0x5d03c0 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
#28 0x7fb4280a3f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
0x000001b594e0 is located 32 bytes to the left of global variable 'vtable for SkLumaColorFilter' defined in '../../third_party/skia/src/effects/SkLumaColorFilter.cpp' (0x1b59500) of size 144
0x000001b594e0 is located 24 bytes to the right of global variable 'vtable for SkLayerRasterizer' defined in '../../third_party/skia/src/effects/SkLayerRasterizer.cpp' (0x1b59480) of size 72
SUMMARY: AddressSanitizer: global-buffer-overflow third_party/skia/src/core/SkColorFilter.cpp:192:31 in SkColorFilter::MakeComposeFilter(sk_sp<SkColorFilter>, sk_sp<SkColorFilter>)
Shadow bytes around the buggy address:
0x000080363240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080363250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080363260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080363270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080363280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080363290: 00 00 00 00 00 00 00 00 00 f9 f9 f9[f9]f9 f9 f9
0x0000803632a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000803632b0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000803632c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
0x0000803632d0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000803632e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==193536==ABORTING
Comment 1 by ClusterFuzz, Dec 10 2017
Detailed report: https://clusterfuzz.com/testcase?key=4961136972922880
Job Type: linux_asan_filter_fuzz_stub
Crash Type: Global-buffer-overflow READ 8
Crash Address: 0x000001b594e0
Crash State:
SkColorFilter::MakeComposeFilter
SkComposeColorFilter::CreateProc
SkReadBuffer::readFlattenable
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4961136972922880
See https://github.com/google/clusterfuzz-tools for more information.
Dec 10 2017
Automatically assigning owner based on suspected regression changelist https://skia.googlesource.com/skia/+/fadbfcd4aba676d44dfb08de1a83143a1c63b95c (upgrade SkReadBuffer to always validate). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Dec 11 2017
The following revision refers to this bug:
https://skia.googlesource.com/skia/+/58a3fcd4b3a2f7210586f4ec74dde8ac2b231e0f

commit 58a3fcd4b3a2f7210586f4ec74dde8ac2b231e0f
Author: Mike Reed <reed@google.com>
Date: Mon Dec 11 18:50:00 2017

add virtual to confirm flattenable type

meant to replace https://skia-review.googlesource.com/c/skia/+/83381

Bug:793639
Change-Id: I972dc80725bf5ce5be24769aafa23269735e089c
Reviewed-on: https://skia-review.googlesource.com/83444
Reviewed-by: Florin Malita <fmalita@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Mike Klein <mtklein@chromium.org>

[modify] https://crrev.com/58a3fcd4b3a2f7210586f4ec74dde8ac2b231e0f/include/core/SkFlattenable.h
[modify] https://crrev.com/58a3fcd4b3a2f7210586f4ec74dde8ac2b231e0f/tests/FlattenableCustomFactory.cpp
[modify] https://crrev.com/58a3fcd4b3a2f7210586f4ec74dde8ac2b231e0f/src/core/SkReadBuffer.cpp
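The fix commit above is titled "add virtual to confirm flattenable type", and the stack trace shows readFlattenable<SkColorFilter> handing SkComposeColorFilter::CreateProc an object whose first vtable read lands in a global redzone between two unrelated vtables. The C++ below is an added illustration of that hardening pattern, written for this page; it is not Skia's code, and every class, function and factory name in it is invented. It models a name-keyed factory registry shared by several flattenable kinds, shows as a predicate why accepting any registered name is unsafe when the caller expects a specific subtype, and then reads objects through a check on a per-class virtual type tag so that a mismatch is rejected instead of being used through the wrong vtable.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Illustrative model of a type-checked flattenable registry. Added example code,
// not Skia's implementation; all names here are invented for the demonstration.

// Type tag a reader requests and a concrete class confirms.
enum class FlatType : uint8_t { kColorFilter = 1, kRasterizer = 2 };

struct Flattenable {
    virtual ~Flattenable() = default;
    // The per-class virtual that lets the reader confirm what it actually got.
    virtual FlatType getFlattenableType() const = 0;
};

struct ColorFilter : Flattenable {
    FlatType getFlattenableType() const override { return FlatType::kColorFilter; }
    virtual uint32_t getFlags() const { return 0; }
};

struct LumaColorFilter final : ColorFilter {
    uint32_t getFlags() const override { return 1; }
};

// A flattenable that is not a color filter but lives in the same registry.
struct LayerRasterizer final : Flattenable {
    FlatType getFlattenableType() const override { return FlatType::kRasterizer; }
};

using Factory = std::function<std::shared_ptr<Flattenable>()>;

// Factory names as they would appear in a serialized stream (constructed sample).
static const std::map<std::string, Factory>& registry() {
    static const std::map<std::string, Factory> r = {
        {"SkLumaColorFilter", [] { return std::make_shared<LumaColorFilter>(); }},
        {"SkLayerRasterizer", [] { return std::make_shared<LayerRasterizer>(); }},
    };
    return r;
}

// Shape of the problem before the fix: any registered factory name is accepted,
// so a caller asking for a ColorFilter can be handed a LayerRasterizer and then
// call ColorFilter virtuals through the wrong vtable. Modelled here only as a
// predicate; the unsafe cast itself is never performed.
bool acceptedWithoutTypeCheck(const std::string& name) {
    return registry().count(name) != 0;
}

// Checked reader: construct, confirm the runtime type, then downcast.
template <typename T>
std::shared_ptr<T> readFlattenable(const std::string& name, FlatType expected) {
    auto it = registry().find(name);
    if (it == registry().end()) return nullptr;          // unknown factory name
    std::shared_ptr<Flattenable> obj = it->second();
    if (!obj || obj->getFlattenableType() != expected) {
        return nullptr;                                   // type mismatch: reject
    }
    return std::static_pointer_cast<T>(obj);              // safe: type confirmed
}

std::shared_ptr<ColorFilter> readColorFilter(const std::string& name) {
    return readFlattenable<ColorFilter>(name, FlatType::kColorFilter);
}

// Compose two deserialized color filters. A nullptr from either read propagates
// to the caller instead of being dereferenced.
struct ComposeColorFilter final : ColorFilter {
    std::shared_ptr<ColorFilter> outer, inner;
    ComposeColorFilter(std::shared_ptr<ColorFilter> o, std::shared_ptr<ColorFilter> i)
        : outer(std::move(o)), inner(std::move(i)) {}
    uint32_t getFlags() const override { return outer->getFlags() & inner->getFlags(); }
};

std::shared_ptr<ColorFilter> makeComposeFilter(std::shared_ptr<ColorFilter> outer,
                                               std::shared_ptr<ColorFilter> inner) {
    if (!outer || !inner) return nullptr;
    return std::make_shared<ComposeColorFilter>(std::move(outer), std::move(inner));
}

// Read a compose filter from a "stream" of two factory names (constructed input).
std::shared_ptr<ColorFilter> composeFromStream(const std::vector<std::string>& names) {
    if (names.size() != 2) return nullptr;
    return makeComposeFilter(readColorFilter(names[0]), readColorFilter(names[1]));
}
```

The check is deliberately placed in the reader rather than in each CreateProc: every deserialization site that asks for a subtype gets the confirmation for free, and a stream that names a registered but wrong-kind factory yields a null result that the caller already has to handle.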
Dec 12 2017
ClusterFuzz testcase 4961136972922880 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 21 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot