Security: use-of-uninitialized-value in getType (SkMatrix.h:128) in filter_fuzz_stub
Issue description
This was found by AFL and MSAN using a seed corpus built by skia_image_filter_proto_fuzzer (filter_proto_fuzzer).
REPRODUCTION CASE
1. Build filter_fuzz_stub using the following options:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_msan = true
pdf_enable_xfa = true
proprietary_codecs = true
use_libfuzzer = true
use_goma = true
is_debug = false
optimize_for_fuzzing = true
2. Run it on the attached testcase (ffs-getType):
[0109/095758.691104:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-getType
==66711==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0xa82798 in getType third_party/skia/include/core/SkMatrix.h:128:13
#1 0xa82798 in SkLocalMatrixImageFilter::Make(SkMatrix const&, sk_sp<SkImageFilter>) third_party/skia/src/core/SkLocalMatrixImageFilter.cpp:20
#2 0xa82bc2 in SkLocalMatrixImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/core/SkLocalMatrixImageFilter.cpp:39:12
#3 0xb741f9 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#4 0xa665d0 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:145:40
#5 0xa6679a in Deserialize third_party/skia/include/core/SkImageFilter.h:241:5
#6 0xa6679a in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22
#7 0x49599e in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
#8 0x49599e in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
#9 0x49599e in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
#10 0x7f1ec62a6f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
#11 0x4243c9 in _start (/usr/local/google/home/metzman/chromium1/src/out/skmsan/filter_fuzz_stub+0x4243c9)
Uninitialized value was created by an allocation of 'lm' in the stack frame of function '_ZN24SkLocalMatrixImageFilter10CreateProcER12SkReadBuffer'
#0 0xa82880 in SkLocalMatrixImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/core/SkLocalMatrixImageFilter.cpp:35
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/skia/include/core/SkMatrix.h:128:13 in getType
Exiting
,
Jan 9 2018
,
Jan 9 2018
Detailed report: https://clusterfuzz.com/testcase?key=5218576222126080
Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkLocalMatrixImageFilter::Make
  SkLocalMatrixImageFilter::CreateProc
  SkReadBuffer::readFlattenable
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=385519:385614
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5218576222126080
See https://github.com/google/clusterfuzz-tools for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
,
Jan 9 2018
+Skia folks, can you please follow up. Thanks!
,
Jan 10 2018
,
Jan 10 2018
,
Jan 12 2018
,
Jan 20 2018
ClusterFuzz has detected this issue as fixed in range 530569:530573.
Detailed report: https://clusterfuzz.com/testcase?key=5218576222126080
Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkLocalMatrixImageFilter::Make
  SkLocalMatrixImageFilter::CreateProc
  SkReadBuffer::readFlattenable
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=385519:385614
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=530569:530573
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5218576222126080
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 20 2018
ClusterFuzz testcase 5218576222126080 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 21 2018
I don't think this is actually fixed. I believe the testcase no longer causes a crash because the image filter contains a PaintImageFilter that no longer deserializes correctly so the entire image filter is invalid, even though the PaintImageFilter isn't actually important for the crash.
,
Jan 21 2018
Looks like I was correct about this.
Attached is a currently crashing poc.
Below is the stacktrace from the current poc:
$./out/skmsan/filter_fuzz_stub ffs-localmatrix
[0121/141100.673691:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-localmatrix
==179679==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0xa84568 in getType third_party/skia/include/core/SkMatrix.h:128:13
#1 0xa84568 in SkLocalMatrixImageFilter::Make(SkMatrix const&, sk_sp<SkImageFilter>) third_party/skia/src/core/SkLocalMatrixImageFilter.cpp:20
#2 0xa84992 in SkLocalMatrixImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/core/SkLocalMatrixImageFilter.cpp:39:12
#3 0xb75f09 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#4 0xa657d0 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:163:40
#5 0xa686ea in Deserialize third_party/skia/include/core/SkImageFilter.h:241:5
#6 0xa686ea in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22
#7 0x49659a in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
#8 0x49659a in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
#9 0x49659a in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
#10 0x7fd965df12b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#11 0x424fd9 in _start (/usr/local/google/home/metzman/chromium1/src/out/skmsan/filter_fuzz_stub+0x424fd9)
Uninitialized value was created by an allocation of 'lm' in the stack frame of function '_ZN24SkLocalMatrixImageFilter10CreateProcER12SkReadBuffer'
#0 0xa84650 in SkLocalMatrixImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/core/SkLocalMatrixImageFilter.cpp:35
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/skia/include/core/SkMatrix.h:128:13 in getType
Exiting
,
Jan 21 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4801373601529856.
,
Jan 21 2018
Detailed report: https://clusterfuzz.com/testcase?key=4801373601529856
Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkLocalMatrixImageFilter::Make
  SkLocalMatrixImageFilter::CreateProc
  SkReadBuffer::readFlattenable
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=385519:385614
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4801373601529856
See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 22 2018
,
Jan 24 2018
ClusterFuzz has detected this issue as fixed in range 531432:531434.
Detailed report: https://clusterfuzz.com/testcase?key=4801373601529856
Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkLocalMatrixImageFilter::Make
  SkLocalMatrixImageFilter::CreateProc
  SkReadBuffer::readFlattenable
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=385519:385614
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=531432:531434
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4801373601529856
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 24 2018
Most likely this was: https://skia-review.googlesource.com/c/skia/+/98663 (init out-param on buffer failure)
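The defect pattern behind this report and the fix named above (an out-parameter left untouched when a validating read fails, then consumed by getType()) is shown in the added, self-contained C++ model below. This is illustration code written for this page, not Skia's implementation: Matrix, ReadBuffer, readMatrixUnfixed, readMatrix and createProc are simplified hypothetical stand-ins for SkMatrix, SkReadBuffer::readMatrix and SkLocalMatrixImageFilter::CreateProc, and the byte buffers are constructed inputs. The "unfixed" path is exercised on a sentinel-filled frame rather than on genuinely uninitialized memory so the demonstration itself stays free of undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Stand-in for SkMatrix (illustration only, not Skia's implementation):
// nine floats plus the type-mask query that MSan flagged in getType().
struct Matrix {
    enum TypeMask : uint32_t {
        kIdentity = 0, kTranslate = 1, kScale = 2, kAffine = 4, kPerspective = 8
    };
    float m[9];

    void setIdentity() {
        static const float kId[9] = {1, 0, 0, 0, 1, 0, 0, 0, 1};
        memcpy(m, kId, sizeof m);
    }
    // Classifies the matrix from its entries. Every entry is read, so calling
    // this on a Matrix that was never written is exactly the reported defect.
    uint32_t getType() const {
        uint32_t mask = kIdentity;
        if (m[2] != 0 || m[5] != 0) mask |= kTranslate;
        if (m[0] != 1 || m[4] != 1) mask |= kScale;
        if (m[1] != 0 || m[3] != 0) mask |= kAffine;
        if (m[6] != 0 || m[7] != 0 || m[8] != 1) mask |= kPerspective;
        return mask;
    }
};

// Minimal validating reader with "sticky invalid" semantics: once a read
// fails, every later read fails too and isValid() reports it.
class ReadBuffer {
public:
    ReadBuffer(const uint8_t* data, size_t len) : fData(data), fLen(len) {}
    bool isValid() const { return fValid; }

    // Pre-fix shape (hypothetical): a short buffer marks the reader invalid
    // and returns early, leaving *out exactly as the caller's frame had it.
    void readMatrixUnfixed(Matrix* out) {
        if (!this->validate(sizeof out->m)) return;
        memcpy(out->m, fData + fPos, sizeof out->m);
        fPos += sizeof out->m;
    }

    // Fixed shape: the out-parameter holds a defined value on every path.
    void readMatrix(Matrix* out) {
        if (!this->validate(sizeof out->m)) {
            out->setIdentity();
            return;
        }
        memcpy(out->m, fData + fPos, sizeof out->m);
        fPos += sizeof out->m;
    }

private:
    bool validate(size_t n) {
        if (fValid && fLen - fPos < n) fValid = false;
        return fValid;
    }
    const uint8_t* fData;
    size_t fLen;
    size_t fPos = 0;
    bool fValid = true;
};

// CreateProc-style caller (hypothetical) that refuses to hand the matrix on
// to Make() unless the buffer is still valid. Returns false on rejection.
bool createProc(ReadBuffer& buffer, uint32_t* typeOut) {
    Matrix lm;
    buffer.readMatrix(&lm);
    if (!buffer.isValid()) return false;
    *typeOut = lm.getType();   // stands in for Make(lm, input)
    return true;
}

// Shows what the unfixed reader does on a short buffer: the frame slot is
// filled with a sentinel first, so the "stale contents" are deterministic.
uint32_t unfixedTypeOnShortBuffer() {
    const uint8_t tooShort[4] = {0, 0, 0, 0};   // constructed: 4 bytes, 36 needed
    ReadBuffer buffer(tooShort, sizeof tooShort);
    Matrix lm;
    for (float& f : lm.m) f = 7.0f;             // sentinel for leftover frame data
    buffer.readMatrixUnfixed(&lm);
    return lm.getType();                        // classifies the sentinel, not the input
}

// Well-formed input: 36 bytes encoding a translate-by-(5,-3) matrix.
int parseTranslateBuffer() {
    const float vals[9] = {1, 0, 5, 0, 1, -3, 0, 0, 1};   // constructed input
    uint8_t bytes[sizeof vals];
    memcpy(bytes, vals, sizeof vals);
    ReadBuffer buffer(bytes, sizeof bytes);
    uint32_t type = 0;
    return createProc(buffer, &type) ? static_cast<int>(type) : -1;
}

// Truncated input through the fixed path: rejected before getType() runs.
int parseShortBuffer() {
    const uint8_t tooShort[4] = {0, 0, 0, 0};   // constructed input
    ReadBuffer buffer(tooShort, sizeof tooShort);
    uint32_t type = 0;
    return createProc(buffer, &type) ? static_cast<int>(type) : -1;
}
```

The two defences are independent: initializing the out-parameter on the failure path (the change the linked Skia CL describes) makes the value defined even if a caller forgets to check, and checking isValid() before Make() keeps a truncated or malformed buffer from producing a filter at all. A read of this kind does not crash in a normal build, which is why it only surfaced under MSan; keeping an MSan job in the fuzzing rotation is what catches the class.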
,
Jan 24 2018
,
Feb 8 2018
,
Mar 6 2018
,
Apr 17 2018
,
May 2 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot