Issue 803936 link

Issue metadata

Status: Verified
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 2
Type: Bug-Security

Security: Heap Buffer Overflow (Read) in PlanGauss::Gauss::blur (using filter_fuzz_stub)

Project Member Reported by metzman@chromium.org, Jan 19 2018

Issue description

VULNERABILITY DETAILS

To trigger the overflow you will probably need to wait 5 minutes, though I've seen it take as long as 7 minutes.
(I assume that it will not be reproducible on CF because of this).
I tried to improve the POC to take less time, but it is quite hard to edit serialized skia filters, and the speed of this POC makes it hard to change using tools, so I haven't had any luck with this.

The crash was found by AFL and ASAN using a seed corpus built by skia_image_filter_proto_fuzzer (filter_proto_fuzzer).


REPRODUCTION CASE
1. Build filter_fuzz_stub using the following options
enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_asan = true
pdf_enable_xfa = true
proprietary_codecs = true
use_libfuzzer = true
use_goma = true
is_debug = false
optimize_for_fuzzing = true

2. Run it on the attached testcase (ffs-manual-min2)
$ ./out/skasan/filter_fuzz_stub ffs-manual-min2

[0119/120942.730217:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-manual-min2
[0119/120942.730742:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
=================================================================
==261045==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff4a7d51800 at pc 0x0000014a5a97 bp 0x7ffd90a89110 sp 0x7ffd90a89108
READ of size 1 at 0x7ff4a7d51800 thread T0
    #0 0x14a5a96 in PlanGauss::Gauss::blur(unsigned char const*, int, unsigned char const*, unsigned char*, int, unsigned char*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:408:40
    #1 0x1493693 in SkMaskBlurFilter::blur(SkMask const&, SkMask*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:1282:20
    #2 0x148a7b1 in SkBlurMask::BoxBlur(SkMask*, SkMask const&, float, SkBlurStyle, SkBlurQuality, SkIPoint*, bool) third_party/skia/src/effects/SkBlurMask.cpp:596:25
    #3 0x150f71d in SkEmbossMaskFilter::filterMask(SkMask*, SkMask const&, SkMatrix const&, SkIPoint*) const third_party/skia/src/effects/SkEmbossMaskFilter.cpp:64:10
    #4 0xf4c2e1 in SkDraw::drawDevMask(SkMask const&, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:847:32
    #5 0xf4f5bc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1119:19
    #6 0xf4a42d in drawPath third_party/skia/src/core/SkDraw.h:56:15
    #7 0xf4a42d in draw_rect_as_path third_party/skia/src/core/SkDraw.cpp:733
    #8 0xf4a42d in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:760
    #9 0xecc86c in drawRect third_party/skia/src/core/SkDraw.h:42:15
    #10 0xecc86c in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:198
    #11 0xead4d2 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2021:27
    #12 0xea17dd in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
    #13 0x15269a0 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #14 0xfcffcd in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:212:40
    #15 0xed11c6 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:424:33
    #16 0xe95ee1 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
    #17 0xe8c62a in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
    #18 0xe99275 in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
    #19 0xeb4f69 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
    #20 0xea7196 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
    #21 0x8865e8 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #22 0x8865e8 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #23 0x8865e8 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #24 0x7ff6685fb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

0x7ff4a7d51800 is located 0 bytes to the right of 2650824704-byte region [0x7ff409d4b800,0x7ff4a7d51800)
allocated by thread T0 here:
    #0 0x882ac2 in operator new[](unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:95:3
    #1 0xfb69d3 in SkArenaAlloc::ensureSpace(unsigned int, unsigned int) third_party/skia/src/core/SkArenaAlloc.cpp:141:22
    #2 0x149244f in allocObject third_party/skia/src/core/SkArenaAlloc.h:165:19
    #3 0x149244f in commonArrayAlloc<unsigned char> third_party/skia/src/core/SkArenaAlloc.h:181
    #4 0x149244f in makeArrayDefault<unsigned char> third_party/skia/src/core/SkArenaAlloc.h:118
    #5 0x149244f in SkMaskBlurFilter::blur(SkMask const&, SkMask*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:1243
    #6 0x148a7b1 in SkBlurMask::BoxBlur(SkMask*, SkMask const&, float, SkBlurStyle, SkBlurQuality, SkIPoint*, bool) third_party/skia/src/effects/SkBlurMask.cpp:596:25
    #7 0x150f71d in SkEmbossMaskFilter::filterMask(SkMask*, SkMask const&, SkMatrix const&, SkIPoint*) const third_party/skia/src/effects/SkEmbossMaskFilter.cpp:64:10
    #8 0xf4c2e1 in SkDraw::drawDevMask(SkMask const&, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:847:32
    #9 0xf4f5bc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1119:19
    #10 0xf4a42d in drawPath third_party/skia/src/core/SkDraw.h:56:15
    #11 0xf4a42d in draw_rect_as_path third_party/skia/src/core/SkDraw.cpp:733
    #12 0xf4a42d in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:760
    #13 0xecc86c in drawRect third_party/skia/src/core/SkDraw.h:42:15
    #14 0xecc86c in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:198
    #15 0xead4d2 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2021:27
    #16 0xea17dd in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
    #17 0x15269a0 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #18 0xfcffcd in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:212:40
    #19 0xed11c6 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:424:33
    #20 0xe95ee1 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
    #21 0xe8c62a in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
    #22 0xe99275 in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
    #23 0xeb4f69 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
    #24 0xea7196 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
    #25 0x8865e8 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #26 0x8865e8 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #27 0x8865e8 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #28 0x7ff6685fb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/skia/src/core/SkMaskBlurFilter.cpp:408:40 in PlanGauss::Gauss::blur(unsigned char const*, int, unsigned char const*, unsigned char*, int, unsigned char*) const
Shadow bytes around the buggy address:
  0x0fff14fa22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff14fa22c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff14fa22d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff14fa22e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff14fa22f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff14fa2300:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff14fa2310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff14fa2320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff14fa2330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff14fa2340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff14fa2350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==261045==ABORTING

Attachment: ffs-manual-min2 (408 bytes)
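An added triage helper, not part of this issue or of Skia, that reduces the ASan report above to the fields a triager needs: the access kind and size, the overflow distance recomputed from the raw region bounds rather than taken from ASan's prose, the region size (which explains why the PoC needs minutes to run), and the first Skia frame of both the crash and the allocation, skipping the allocator frame. The embedded report is a constructed excerpt of the one quoted in this issue, with deeper frames dropped.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in this issue;
# only the lines the triage logic needs are kept (deeper frames dropped).
ASAN_REPORT = """\
==261045==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff4a7d51800 at pc 0x0000014a5a97 bp 0x7ffd90a89110 sp 0x7ffd90a89108
READ of size 1 at 0x7ff4a7d51800 thread T0
    #0 0x14a5a96 in PlanGauss::Gauss::blur(unsigned char const*, int, unsigned char const*, unsigned char*, int, unsigned char*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:408:40
    #1 0x1493693 in SkMaskBlurFilter::blur(SkMask const&, SkMask*) const third_party/skia/src/core/SkMaskBlurFilter.cpp:1282:20
0x7ff4a7d51800 is located 0 bytes to the right of 2650824704-byte region [0x7ff409d4b800,0x7ff4a7d51800)
allocated by thread T0 here:
    #0 0x882ac2 in operator new[](unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:95:3
    #1 0xfb69d3 in SkArenaAlloc::ensureSpace(unsigned int, unsigned int) third_party/skia/src/core/SkArenaAlloc.cpp:141:22
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread T\d+", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?$", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")

def first_project_frame(frames, prefix="third_party/skia/"):
    # Allocator/sanitizer frames (operator new[], libc) are not where the bug is; take the first project frame.
    return next((f for f in frames if f["file"].startswith(prefix)), None)

def triage(report):
    # Reduce an ASan heap-buffer-overflow report to the fields a triager needs.
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not an ASan heap-buffer-overflow report")
    access_txt, _, alloc_txt = report.partition("allocated by thread")
    access_frames = [m.groupdict() for m in FRAME_RE.finditer(access_txt)]
    alloc_frames = [m.groupdict() for m in FRAME_RE.finditer(alloc_txt)]
    addr, lo, hi = (int(x, 16) for x in (err["addr"], reg["lo"], reg["hi"]))
    if hi - lo != int(reg["size"]):
        raise ValueError("region bounds disagree with region size")
    # Recompute the overflow distance from the raw addresses instead of trusting the prose.
    past_end = addr - hi if reg["side"] == "right" else lo - addr
    crash, alloc = first_project_frame(access_frames), first_project_frame(alloc_frames)
    return {
        "kind": err["kind"],
        "access": f"{acc['op']} {acc['size']}",
        "region_bytes": hi - lo,
        "region_gib": round((hi - lo) / 2**30, 2),  # ~2.47 GiB here: why the PoC takes minutes
        "bytes_past_end": past_end,
        "crash_site": f"{crash['file']}:{crash['line']}" if crash else None,
        "alloc_site": f"{alloc['file']}:{alloc['line']}" if alloc else None,
    }

if __name__ == "__main__":
    print(triage(ASAN_REPORT))
```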
metzman -- Can you triage this, since we can't leverage CF's tooling?
Cc: herb@google.com
#1 I'll ask herb@ since it looks like he has done fixes for this file before.

I'll also try this on ClusterFuzz, maybe it's only slow on my machine because I'm fuzzing.

herb@ could you please take a look at this?

Please let me know or reassign if someone else should look at this.

Comment 3 by ClusterFuzz, Jan 20 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5427878870384640.

Comment 4 by sheriffbot@chromium.org, Jan 20 2018

Labels: -Pri-3 Pri-2
Cc: kjlubick@chromium.org kjlubick@google.com
I compiled Skia+ASAN at TOT and the testcase finished in .5s with no error.  Does the test case need to be updated?
I guess the crash has been unintentionally fixed. When I run it locally, filter_fuzz_stub considers the testcase valid, so it's not like a deserialization change is hiding the bug. I'll reopen if I find it again.
Status: Verified (was: Available)
Cc: -herb@google.com metzman@chromium.org
I did a git bisect this morning. The crash stopped after https://skia-review.googlesource.com/c/skia/+/96860

Of note, that was for a different heap overflow found by fuzzer.skia.org AND it was fixed the same day this bug was filed.
Ok. Good to hear. Thanks for looking into this.

Comment 11 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by sheriffbot@chromium.org, May 15 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot