Security: use-of-uninitialized-value in sse2::blit_row_s32a_opaque (filter_fuzz_stub)
Issue description

This was found by skia_image_filter_proto_fuzzer (filter_proto_fuzzer). I don't think this is the same bug as https://bugs.chromium.org/p/chromium/issues/detail?id=793285 but I'm not 100% sure as I am relatively unfamiliar with skia internals. I tested with a HEAD build of chrome that the other bug is fixed, but I am still able to reproduce this bug in a HEAD build of filter_fuzz_stub. I apologize if I am incorrect and this bug is a duplicate.

REPRODUCTION CASE

1. Build filter_fuzz_stub using the following options:

    enable_nacl = false
    ffmpeg_branding = "ChromeOS"
    is_msan = true
    pdf_enable_xfa = true
    proprietary_codecs = true
    use_libfuzzer = true
    use_goma = true
    is_debug = false
    optimize_for_fuzzing = true

2. Run it on the attached input (ffs-sse2-blit32-msan):

    $ ./out/msan/filter_fuzz_stub ffs-sse2-blit32-msan
    [1212/182003.595372:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-sse2-blit32-msan
    [1212/182003.650835:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
    Uninitialized bytes in __msan_check_mem_is_initialized at offset 0 inside [0x70d000000000, 96)
    ==90902==WARNING: MemorySanitizer: use-of-uninitialized-value
        #0 0x9e9450 in sse2::blit_row_s32a_opaque(unsigned int*, unsigned int const*, int, unsigned int) third_party/skia/src/opts/SkBlitRow_opts.h:83:5
        #1 0x116f9c7 in Sprite_D32_S32::blitRect(int, int, int, int) third_party/skia/src/core/SkSpriteBlitter_ARGB32.cpp:46:13
        #2 0xb1b06c in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan.cpp
        #3 0x9679e5 in SkDraw::drawSprite(SkBitmap const&, int, int, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:1325:13
        #4 0x10103c9 in SkBitmapDevice::drawSprite(SkBitmap const&, int, int, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:353:18
        #5 0x1011dae in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:435:19
        #6 0x8c64e0 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
        #7 0x8bdc42 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
        #8 0x8c9392 in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
        #9 0x8e16a9 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
        #10 0x8d5469 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
        #11 0x495fcf in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
        #12 0x493b1c in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
        #13 0x493386 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10
        #14 0x7fd2b0d2cf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
        #15 0x423f69 in _start (/usr/local/google/home/metzman/chromium1/src/out/msan/filter_fuzz_stub+0x423f69)

      Uninitialized value was created by a heap allocation
        #0 0x44962d in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:879:3
        #1 0x166e0f6 in base::UncheckedMalloc(unsigned long, void**) base/process/memory_linux.cc:104:13
        #2 0x89a390 in sk_malloc_nothrow(unsigned long) skia/ext/SkMemory_new_handler.cpp:75:19
        #3 0x9b07a7 in SkMallocPixelRef::MakeUsing(void* (*)(unsigned long), SkImageInfo const&, unsigned long) third_party/skia/src/core/SkMallocPixelRef.cpp:57:18
        #4 0x9b0b01 in SkMallocPixelRef::MakeAllocate(SkImageInfo const&, unsigned long) third_party/skia/src/core/SkMallocPixelRef.cpp:69:12
        #5 0x89e70c in SkBitmap::tryAllocPixels(SkImageInfo const&, unsigned long) third_party/skia/src/core/SkBitmap.cpp:254:28
        #6 0x124acf0 in SkMatrixConvolutionImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkMatrixConvolutionImageFilter.cpp:359:14
        #7 0x99a3ed in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
        #8 0x101195f in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
        #9 0x8c64e0 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
        #10 0x8bdc42 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
        #11 0x8c9392 in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
        #12 0x8e16a9 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
        #13 0x8d5469 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
        #14 0x495fcf in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
        #15 0x493b1c in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
        #16 0x493386 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10
        #17 0x7fd2b0d2cf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

    SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/skia/src/opts/SkBlitRow_opts.h:83:5 in sse2::blit_row_s32a_opaque(unsigned int*, unsigned int const*, int, unsigned int)
    Exiting
Dec 13 2017

Detailed report: https://clusterfuzz.com/testcase?key=4674089410363392

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse2::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=386914:386987

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4674089410363392

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Dec 14 2017
This stack does not directly indicate my previous bug, but it could be if a prior filter in the image filter pipeline was for blurring. That being said, my previous bug is now fixed. Can this test be re-run to see if this bug is fixed? If it is not fixed, then this is probably something different.
Dec 14 2017

I redid the task "Fixed". The bug is still marked as "Fixed: No", so the bug is not a duplicate, as it still appears.
Dec 14 2017

Automatically adding ccs based on suspected regression changelists:

Remove SK_VERY_LEGACY_CREATE_TYPEFACE. by bungeman@google.com - https://chromium.googlesource.com/skia/+/ed2edabd07086bbf60df17ca0bf52d8ba49f2273

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Dec 15 2017

Detailed report: https://clusterfuzz.com/testcase?key=4674089410363392

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse2::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=386914:386987

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4674089410363392

See https://github.com/google/clusterfuzz-tools for more information.
Dec 27 2017
bungeman: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 5 2018
More likely to be https://chromium.googlesource.com/skia/+/dada4dd9cf03e42369ca5b38086dba77f01a68e6 if the regression range from comment #11 is correct. Looks like SkMatrixConvolutionImageFilter doesn't always fully initialize something?
Jan 23 2018
robertphillips: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 23 2018
Issue oss-fuzz:5625 has been merged into this issue.
Jan 24 2018

The following revision refers to this bug:
https://skia.googlesource.com/skia/+/dc3d7fcbb816c8b06c0ab7e6a0aa333c96c8aeef

commit dc3d7fcbb816c8b06c0ab7e6a0aa333c96c8aeef
Author: Robert Phillips <robertphillips@google.com>
Date: Wed Jan 24 20:13:49 2018

Add check for bad enum in SkMatrixConvolutionImageFilter's CreateProc

Bug: chromium:794402, chromium:799775
Change-Id: Ifbc9714b0095c8f4ca44d444bc48514dc90d7f4d
Reviewed-on: https://skia-review.googlesource.com/99203
Commit-Queue: Robert Phillips <robertphillips@google.com>
Reviewed-by: Mike Reed <reed@google.com>

[modify] https://crrev.com/dc3d7fcbb816c8b06c0ab7e6a0aa333c96c8aeef/src/effects/SkMatrixConvolutionImageFilter.cpp
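The fix above rejects an out-of-range enum during deserialization, before the filter ever allocates a destination it may not fill. As an added example (not Skia's code; every name here is hypothetical, and a sentinel value stands in for the uninitialized heap that MSan flagged), a reduced C++ model of that failure mode beside the check:

```cpp
// Added example, not Skia's code (names hypothetical). Models this thread's defect: a CreateProc-
// style deserializer takes a tile-mode enum from untrusted bytes; the filter's switch fills the
// new destination only for known modes, so an out-of-range value leaves pixels unwritten.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>
enum class TileMode : uint32_t { kClamp = 0, kRepeat = 1, kClampToBlack = 2 };
constexpr uint32_t kLastTileMode = 2;      // highest valid wire value
constexpr uint32_t kUninit = 0xCDCDCDCDu;  // constructed stand-in for never-written heap

struct ConvolutionFilter {
  TileMode mode;
  // Known modes write every destination pixel; anything else writes none.
  std::vector<uint32_t> filter(std::size_t n) const {
    std::vector<uint32_t> dst(n, kUninit);   // stands in for sk_malloc_nothrow'd pixels
    switch (mode) {
      case TileMode::kClamp:        for (auto& p : dst) p = 0xFF808080u; break;
      case TileMode::kRepeat:       for (auto& p : dst) p = 0xFF404040u; break;
      case TileMode::kClampToBlack: for (auto& p : dst) p = 0xFF000000u; break;
      // no default: an unknown mode silently leaves dst untouched
    }
    return dst;
  }
};

static uint32_t readU32LE(const uint8_t* b) {
  return b[0] | (uint32_t{b[1]} << 8) | (uint32_t{b[2]} << 16) | (uint32_t{b[3]} << 24);
}
// Pre-fix shape: casts whatever the stream says straight into the enum.
std::optional<ConvolutionFilter> createProcUnchecked(const uint8_t* buf, std::size_t len) {
  if (len < 4) return std::nullopt;
  return ConvolutionFilter{static_cast<TileMode>(readU32LE(buf))};
}
// Post-fix shape: range-check the wire value and fail deserialization on a bad enum.
std::optional<ConvolutionFilter> createProcChecked(const uint8_t* buf, std::size_t len) {
  if (len < 4) return std::nullopt;
  uint32_t raw = readU32LE(buf);
  if (raw > kLastTileMode) return std::nullopt;
  return ConvolutionFilter{static_cast<TileMode>(raw)};
}
// What a blitter implicitly assumes: every destination pixel was written.
bool fullyInitialized(const std::vector<uint32_t>& px) {
  for (uint32_t p : px) if (p == kUninit) return false;
  return true;
}
// Constructed sample streams: mode 7 does not exist; mode 1 is kRepeat.
constexpr uint8_t kBadStream[4]  = {7, 0, 0, 0};
constexpr uint8_t kGoodStream[4] = {1, 0, 0, 0};
```

With the unchecked reader the bad stream deserializes "successfully" and the resulting buffer is returned untouched, which is exactly the state MSan reported when the blitter consumed it; the checked reader refuses the stream instead.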
Jan 25 2018

ClusterFuzz has detected this issue as fixed in range 531767:531771.

Detailed report: https://clusterfuzz.com/testcase?key=4674089410363392

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse2::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=386914:386987
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=531767:531771

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4674089410363392

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 25 2018
ClusterFuzz testcase 4674089410363392 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 3 2018

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot