Security: use-of-uninitialized-value in getType (filter_fuzz_stub)
Issue description

This bug looks similar to issue 800389 but I think they are different problems (as in they will be fixed separately) with the same underlying cause (the matrix type is not set when the matrix is too small). I suspect they can't actually be exploited but I'm not sure. It was found using libFuzzer and MSAN with kjlubick@'s fuzzing patches for skia on a seed corpus built by skia_image_filter_proto_fuzzer.

1. Build filter_fuzz_stub using the following options:

    enable_nacl = false
    ffmpeg_branding = "ChromeOS"
    is_msan = true
    pdf_enable_xfa = true
    proprietary_codecs = true
    use_libfuzzer = true
    use_goma = true
    is_debug = false
    optimize_for_fuzzing = true

2. Run it on the attached testcase (ffs-getType-isIdentity):

    [0122/194021.261817:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-getType-isIdentity
    ==215796==WARNING: MemorySanitizer: use-of-uninitialized-value
        #0 0x1366cb7 in getType third_party/skia/include/core/SkMatrix.h:128:13
        #1 0x1366cb7 in isIdentity third_party/skia/include/core/SkMatrix.h:144
        #2 0x1366cb7 in invert third_party/skia/include/core/SkMatrix.h:1166
        #3 0x1366cb7 in Sk2DPathEffect third_party/skia/src/effects/Sk2DPathEffect.cpp:18
        #4 0x1366cb7 in SkPath2DPathEffect third_party/skia/src/effects/Sk2DPathEffect.cpp:135
        #5 0x1366cb7 in Make third_party/skia/include/effects/Sk2DPathEffect.h:88
        #6 0x1366cb7 in SkPath2DPathEffect::CreateProc(SkReadBuffer&) third_party/skia/src/effects/Sk2DPathEffect.cpp:143
        #7 0xb75249 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
        #8 0xa653a0 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:163:40
        #9 0xa682ba in Deserialize third_party/skia/include/core/SkImageFilter.h:241:5
        #10 0xa682ba in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22
        #11 0x49659a in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
        #12 0x49659a in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
        #13 0x49659a in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
        #14 0x7fe24bddc2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
        #15 0x424fd9 in _start (/usr/local/google/home/metzman/chromium1/src/out/skmsan/filter_fuzz_stub+0x424fd9)

      Uninitialized value was stored to memory at
        #0 0x4444cb in __msan_memcpy /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:1520:3
        #1 0x1366a50 in Sk2DPathEffect third_party/skia/src/effects/Sk2DPathEffect.cpp:16:55
        #2 0x1366a50 in SkPath2DPathEffect third_party/skia/src/effects/Sk2DPathEffect.cpp:135
        #3 0x1366a50 in Make third_party/skia/include/effects/Sk2DPathEffect.h:88
        #4 0x1366a50 in SkPath2DPathEffect::CreateProc(SkReadBuffer&) third_party/skia/src/effects/Sk2DPathEffect.cpp:143
        #5 0xb75249 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
        #6 0xa653a0 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:163:40
        #7 0xa682ba in Deserialize third_party/skia/include/core/SkImageFilter.h:241:5
        #8 0xa682ba in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22
        #9 0x49659a in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
        #10 0x49659a in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
        #11 0x49659a in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
        #12 0x7fe24bddc2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

      Uninitialized value was created by an allocation of 'matrix' in the stack frame of function '_ZN18SkPath2DPathEffect10CreateProcER12SkReadBuffer'
        #0 0x13668a0 in SkPath2DPathEffect::CreateProc(SkReadBuffer&) third_party/skia/src/effects/Sk2DPathEffect.cpp:138

    SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/skia/include/core/SkMatrix.h:128:13 in getType
    Exiting
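The defect the trace describes, as an added C++ model (constructed for this issue, not Skia's code): a local matrix in CreateProc is left uninitialized when the buffer is too short, and isIdentity()/invert() consume it before anyone checks the buffer's validity. The "fixed" reader assumes the fix commit on this issue does what its title says, initializing the out-param on buffer failure; the Matrix, ReadBuffer and Outcome types are stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Stand-ins constructed for this example (not Skia's classes) for the
// SkMatrix / SkReadBuffer interaction in the MSAN report above.
static const float kIdentity[9] = {1, 0, 0, 0, 1, 0, 0, 0, 1};
struct Matrix {
    float fMat[9];
    void reset() { memcpy(fMat, kIdentity, sizeof(fMat)); }
    bool isIdentity() const {  // the getType()-style read that MSAN flagged
        for (int i = 0; i < 9; ++i) if (fMat[i] != kIdentity[i]) return false;
        return true;
    }
};

struct ReadBuffer {
    const uint8_t* fData;
    size_t fAvail;
    bool fValid;  // sticky validity flag, checked by callers after reading
    ReadBuffer(const uint8_t* d, size_t n) : fData(d), fAvail(n), fValid(true) {}

    // Pre-fix behaviour: a short buffer invalidates the reader but leaves the
    // out-param untouched, so the caller's uninitialized stack matrix survives.
    void readMatrixUnfixed(Matrix* m) {
        if (fAvail < sizeof(m->fMat)) { fValid = false; return; }
        memcpy(m->fMat, fData, sizeof(m->fMat));
        fData += sizeof(m->fMat); fAvail -= sizeof(m->fMat);
    }
    // Post-fix behaviour ("init out-param on buffer failure"): every failure
    // path defines the out-param, so later reads see a well-formed matrix.
    void readMatrixFixed(Matrix* m) {
        readMatrixUnfixed(m);
        if (!fValid) m->reset();
    }
};

struct Outcome { bool bufferValid; bool matrixIsIdentity; };

// Models CreateProc as the trace shows it: the matrix is consumed (isIdentity /
// invert) before anyone checks whether the buffer was valid.
Outcome createProc(const uint8_t* data, size_t len, bool fixed) {
    Matrix matrix;
    memset(&matrix, 0xAA, sizeof(matrix));  // stand-in for stale stack bytes
    ReadBuffer buffer(data, len);
    if (fixed) buffer.readMatrixFixed(&matrix);
    else       buffer.readMatrixUnfixed(&matrix);
    bool identity = matrix.isIdentity();    // unfixed + short input: reads garbage
    return {buffer.fValid, identity};
}
```

With the unfixed reader a truncated input leaves the caller operating on whatever was on the stack; with the fixed reader the buffer is still marked invalid, but every later read sees a defined matrix.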
Jan 23 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6373636977197056.
Jan 23 2018
Detailed report: https://clusterfuzz.com/testcase?key=6373636977197056

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkPath2DPathEffect::CreateProc
  SkReadBuffer::readFlattenable
  SkFlattenable::Deserialize
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=522280:522310
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6373636977197056

See https://github.com/google/clusterfuzz-tools for more information.

The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.
Jan 23 2018
Automatically assigning owner based on suspected regression changelist https://skia.googlesource.com/skia/+/fadbfcd4aba676d44dfb08de1a83143a1c63b95c (upgrade SkReadBuffer to always validate). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jan 23 2018
The following revision refers to this bug: https://skia.googlesource.com/skia/+/574b06f7038f32680919b72ca7a3ef95584184db

commit 574b06f7038f32680919b72ca7a3ef95584184db
Author: Mike Reed <reed@google.com>
Date: Tue Jan 23 20:19:10 2018

init out-param on buffer failure

Bug:804651
Change-Id: Ia3c71e2fbe35b55bf27075e6a11ec8c5bd3fb40f
Reviewed-on: https://skia-review.googlesource.com/98663
Reviewed-by: Robert Phillips <robertphillips@google.com>
Commit-Queue: Mike Reed <reed@google.com>

[modify] https://crrev.com/574b06f7038f32680919b72ca7a3ef95584184db/src/core/SkReadBuffer.cpp
Jan 24 2018
ClusterFuzz has detected this issue as fixed in range 531432:531434.

Detailed report: https://clusterfuzz.com/testcase?key=6373636977197056

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkPath2DPathEffect::CreateProc
  SkReadBuffer::readFlattenable
  SkFlattenable::Deserialize
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=522280:522310
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=531432:531434
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6373636977197056

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 24 2018
ClusterFuzz testcase 6373636977197056 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 2 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by metzman@chromium.org, Jan 23 2018