
Issue metadata

Status: Fixed
Closed: Mar 20
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security




Security: Heap-buffer-overflow in AAHairlineOp::onPrepareDraws

Reported by zhanjias...@gmail.com, Mar 12

Issue description

Heap-buffer-overflow in AAHairlineOp::onPrepareDraws

VULNERABILITY DETAILS
https://cs.chromium.org/chromium/src/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp?type=cs&l=1003

1000	        sk_sp<const GrBuffer> quadsIndexBuffer = get_quads_index_buffer(target->resourceProvider());
1001	
1002	        size_t vertexStride = sizeof(BezierVertex);
1003	        int vertexCount = kQuadNumVertices * quadCount + kQuadNumVertices * conicCount;
1004	        void *vertices = target->makeVertexSpace(vertexStride, vertexCount,
1005	                                                 &vertexBuffer, &firstVertex);
1006	
1007	        if (!vertices || !quadsIndexBuffer) {
1008	            SkDebugf("Could not allocate vertices\n");
1009	            return;
1010	        }
1011	
1012	        // Setup vertices
1013	        BezierVertex* bezVerts = reinterpret_cast<BezierVertex*>(vertices);
1014	
1015	        int unsubdivQuadCnt = quads.count() / 3;
1016	        for (int i = 0; i < unsubdivQuadCnt; ++i) {
1017	            SkASSERT(qSubdivs[i] >= 0);
1018	            add_quads(&quads[3*i], qSubdivs[i], toDevice, toSrc, &bezVerts);
1019	        }

In line 1003, an integer overflow will happen when quadCount is larger than 0xffffffff/5.

VERSION
Chrome Version: 
Version 65.0.3325.146 (Official Build) (64-bit)
Version 65.0.3325.146 (Developer Build) (64-bit)
Operating System:
Ubuntu 16.04.4 LTS

REPRODUCTION CASE
Run Chrome with poc.html and wait 30 seconds.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
~/Downloads/asan-linux-stable-65.0.3325.146$ ./chrome http://localhost/chromium/skia/poc.html
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[5998:5998:0312/123056.437285:ERROR:sandbox_linux.cc(375)] InitializeSandbox() called with multiple threads in process gpu-process.
=================================================================
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1ce4203828 at pc 0x556112e07b65 bp 0x7ffe52c8fff0 sp 0x7ffe52c8ffe8
WRITE of size 4 at 0x7f1ce4203828 thread T0 (chrome)
    #0 0x556112e07b64  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe213b64)
    #1 0x556112e06a10  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe212a10)
    #2 0x556112e069ac  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe2129ac)
    #3 0x556112e069ac  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe2129ac)
    #4 0x556112e069ac  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe2129ac)
    #5 0x556112e04324  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe210324)
    #6 0x556112d929d5  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe19e9d5)
    #7 0x556112d48d09  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe154d09)
    #8 0x556112d251c0  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1311c0)
    #9 0x556112d246f4  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1306f4)
    #10 0x556112d259e7  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1319e7)
    #11 0x556112d11e12  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe11de12)
    #12 0x5561131b7981  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe5c3981)
    #13 0x55611abe04e3  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15fec4e3)
    #14 0x55611abd066a  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15fdc66a)
    #15 0x55611ab81c86  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15f8dc86)
    #16 0x55611ab7c2ae  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15f882ae)
    #17 0x55611ab7b233  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15f87233)
    #18 0x55611cbf9857  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x18005857)
    #19 0x55611668e7b9  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x11a9a7b9)
    #20 0x5561155a28f9  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x109ae8f9)
    #21 0x5561155a1920  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x109ad920)
    #22 0x55611578bf66  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x10b97f66)
    #23 0x5561157a07f1  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x10bac7f1)
    #24 0x556112465ccb  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd871ccb)
    #25 0x5561115ce47f  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xc9da47f)
    #26 0x5561115ccc8e  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xc9d8c8e)
    #27 0x556112465ccb  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd871ccb)
    #28 0x5561115dbfdd  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xc9e7fdd)
    #29 0x556112465ccb  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd871ccb)
    #30 0x5561124c5c85  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd8d1c85)
    #31 0x5561124c761c  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd8d361c)
    #32 0x5561124ce6b3  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd8da6b3)
    #33 0x556112546be1  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd952be1)
    #34 0x55611fca9bee  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x1b0b5bee)
    #35 0x556111a5c586  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xce68586)
    #36 0x556111a5f888  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xce6b888)
    #37 0x556111a83669  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xce8f669)
    #38 0x556111a5bda4  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xce67da4)
    #39 0x55610bf26985  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x7332985)
    #40 0x7f1d1674182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x7f1ce4203828 is located 40 bytes to the right of 536870912-byte region [0x7f1cc4203800,0x7f1ce4203800)
allocated by thread T0 (chrome) here:
    #0 0x55610bef94ca  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x73054ca)
    #1 0x5561127c458d  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xdbd058d)
    #2 0x556112d2b3c0  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1373c0)
    #3 0x556112d2a7e0  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1367e0)
    #4 0x556112d2c855  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe138855)
    #5 0x556112e04216  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe210216)
    #6 0x556112d929d5  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe19e9d5)
    #7 0x556112d48d09  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe154d09)
    #8 0x556112d251c0  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1311c0)
    #9 0x556112d246f4  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1306f4)
    #10 0x556112d259e7  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe1319e7)
    #11 0x556112d11e12  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe11de12)
    #12 0x5561131b7981  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe5c3981)
    #13 0x55611abe04e3  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15fec4e3)
    #14 0x55611abd066a  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15fdc66a)
    #15 0x55611ab81c86  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15f8dc86)
    #16 0x55611ab7c2ae  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15f882ae)
    #17 0x55611ab7b233  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x15f87233)
    #18 0x55611cbf9857  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x18005857)
    #19 0x55611668e7b9  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x11a9a7b9)
    #20 0x5561155a28f9  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x109ae8f9)
    #21 0x5561155a1920  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x109ad920)
    #22 0x55611578bf66  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x10b97f66)
    #23 0x5561157a07f1  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0x10bac7f1)
    #24 0x556112465ccb  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd871ccb)
    #25 0x5561115ce47f  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xc9da47f)
    #26 0x5561115ccc8e  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xc9d8c8e)
    #27 0x556112465ccb  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd871ccb)
    #28 0x5561115dbfdd  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xc9e7fdd)
    #29 0x556112465ccb  (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xd871ccb)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/szj/Downloads/asan-linux-stable-65.0.3325.146/chrome+0xe213b64) 
Shadow bytes around the buggy address:
  0x0fe41c8386b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe41c8386c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe41c8386d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe41c8386e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe41c8386f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe41c838700: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0fe41c838710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe41c838720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe41c838730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe41c838740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe41c838750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING

Attachment: poc.html (419 bytes)
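The arithmetic behind the report, worked through as an added example (my own C, not Skia's code and not the fix landed in comment 5). With a 32-bit int, 5 * quadCount wraps once quadCount exceeds INT_MAX / 5, so makeVertexSpace can be asked for a tiny buffer while the add_quads loop still writes five vertices per quad; that mismatch is what produces the write past the allocated region in the ASan output above. The 20-byte BezierVertex layout and the __builtin_*_overflow checks in the hardened variant are assumptions for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Skia draws each hairline quad/conic segment with five vertices. */
#define kQuadNumVertices 5

/* Assumed vertex layout, used only for sizing (20 bytes, no padding);
 * Skia's real BezierVertex is not reproduced here. */
typedef struct { float x, y; float klm[3]; } BezierVertex;

/* The arithmetic from line 1003, done in uint32_t and cast back so the
 * wrap is deterministic (in the real code it is signed-int overflow). */
static int vertex_count_unchecked(int quadCount, int conicCount) {
    uint32_t v = (uint32_t)kQuadNumVertices * (uint32_t)quadCount
               + (uint32_t)kQuadNumVertices * (uint32_t)conicCount;
    return (int)v;
}

/* Overflow-checked variant (added here, not Skia's fix): rejects negative
 * inputs and any product or sum that does not fit in int. */
static bool vertex_count_checked(int quadCount, int conicCount, int *out) {
    int q, c, total;
    if (quadCount < 0 || conicCount < 0) return false;
    if (__builtin_mul_overflow(kQuadNumVertices, quadCount, &q)) return false;
    if (__builtin_mul_overflow(kQuadNumVertices, conicCount, &c)) return false;
    if (__builtin_add_overflow(q, c, &total)) return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked count, or -1 when it was rejected. */
static int checked_or_minus1(int quadCount, int conicCount) {
    int n;
    return vertex_count_checked(quadCount, conicCount, &n) ? n : -1;
}

/* Bytes the fill loop (add_quads per quad, then per conic) actually writes. */
static uint64_t bytes_written(int quadCount, int conicCount, size_t stride) {
    return ((uint64_t)quadCount + (uint64_t)conicCount)
           * (uint64_t)kQuadNumVertices * (uint64_t)stride;
}

/* Bytes makeVertexSpace would be asked for with the unchecked count, or -1
 * when the wrapped count is negative. */
static int64_t bytes_requested_unchecked(int quadCount, int conicCount,
                                         size_t stride) {
    int n = vertex_count_unchecked(quadCount, conicCount);
    return n < 0 ? -1 : (int64_t)n * (int64_t)stride;
}

int main(void) {
    /* Constructed inputs: a sane count, and one where 5 * quadCount is
     * 2^32 + 4, so the unchecked count wraps to just 4 vertices. */
    const int cases[][2] = { {100, 3}, {858993460, 0} };
    for (size_t i = 0; i < 2; ++i) {
        int q = cases[i][0], c = cases[i][1];
        printf("quads=%d conics=%d unchecked=%d checked=%d "
               "requested=%lld written=%llu\n",
               q, c, vertex_count_unchecked(q, c), checked_or_minus1(q, c),
               (long long)bytes_requested_unchecked(q, c, sizeof(BezierVertex)),
               (unsigned long long)bytes_written(q, c, sizeof(BezierVertex)));
    }
    return 0;
}
```

For the second constructed input the unchecked path requests 80 bytes while the loop would write about 86 GB; the checked path returns -1 (rejected) before any allocation, which is the behaviour a caller should treat as "could not allocate vertices" rather than proceeding.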
Project Member

Comment 1 by ClusterFuzz, Mar 12

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4753998218002432.
Components: Internals>Skia
Labels: Security_Severity-High Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: bsalomon@chromium.org
Status: Assigned (was: Unconfirmed)
bsalomon: Would you mind taking a look at this or helping us find another owner?
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 13

Labels: M-65
Project Member

Comment 4 by sheriffbot@chromium.org, Mar 13

Labels: Pri-1
Project Member

Comment 5 by bugdroid1@chromium.org, Mar 13

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/296de50b4c2e31f94b8c3fafae8fcd7bcfb00e0b

commit 296de50b4c2e31f94b8c3fafae8fcd7bcfb00e0b
Author: Brian Salomon <bsalomon@google.com>
Date: Tue Mar 13 17:42:32 2018

Fix possible overflows in hair line path renderer vertex counts

Bug:  chromium:820913 
Change-Id: I77f9b40cf6173369a4a1b943d71734c305893e09
Reviewed-on: https://skia-review.googlesource.com/114140
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>

[modify] https://crrev.com/296de50b4c2e31f94b8c3fafae8fcd7bcfb00e0b/src/gpu/ops/GrAAHairLinePathRenderer.cpp

bsalomon: Does the CL from #5 fix this, or is there remaining work to be done?
Status: Fixed (was: Assigned)
Do we need to cherry pick this?
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 21

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
We should probably merge this into M66 at least.
Labels: Merge-Request-66
Project Member

Comment 12 by sheriffbot@chromium.org, Mar 21

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Has this been verified in canary?
Project Member

Comment 14 by ClusterFuzz, Mar 21

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4604834700066816.
I manually verified the crash in asan-linux-release-541902 (from before the CL in #5), and the crash did not occur in asan-linux-release-544583 (from after the CL).

I've re-uploaded the test case to clusterfuzz with a greatly increased timeout to let clusterfuzz try to verify it as well.
Labels: -Hotlist-Merge-Review -Merge-Review-66 Merge-Approved-66
Labels: -Merge-Approved-66 Merge-Merged
Cherry-picked back to M66 here: https://skia-review.googlesource.com/c/skia/+/116184

Do we want to go back to M65 as well?
Labels: Merge-Request-65
Hmm yeah, probably, since this is Severity-High. The fix is small and seems safe. It wouldn't hurt to merge into M65 in case it can get picked up in a respin. Adding merge request label.
Project Member

Comment 19 by bugdroid1@chromium.org, Mar 23

Labels: merge-merged-m66
The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/884c480d8aa569dbe21b44719ee5ff355f2518b1

commit 884c480d8aa569dbe21b44719ee5ff355f2518b1
Author: Brian Salomon <bsalomon@google.com>
Date: Fri Mar 23 16:57:51 2018

[M65 Cherry Pick] Fix possible overflows in hair line path renderer vertex counts

No-Tree-Checks: true
No-Try: true
No-Presubmit: true
Bug:  chromium:820913 
Change-Id: I77f9b40cf6173369a4a1b943d71734c305893e09
Reviewed-On: https://skia-review.googlesource.com/114140
Reviewed-By: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>
Reviewed-on: https://skia-review.googlesource.com/116184
Reviewed-by: Brian Salomon <bsalomon@google.com>

[modify] https://crrev.com/884c480d8aa569dbe21b44719ee5ff355f2518b1/src/gpu/ops/GrAAHairLinePathRenderer.cpp

Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M65 merge review. Please note the merge listed at #17 hasn't gone out to M66 Beta yet. Thank you.
I will be on vacation for a week. I've prepared a cherry pick CL and locally verified it. Assigning brianosman@ to click the submit button if the merge is approved:

https://skia-review.googlesource.com/c/skia/+/116220
Labels: reward-topanel
Cc: metzman@chromium.org kjlubick@chromium.org
+cc Jonathan, Kevin since it was not found in our fuzzing? Or did we find it too with some different stack? I think we found some crashes in AAHairlineOp?
The skia-side afl fuzzing had some flaky results from the debug GPU fuzzer that went away around the time bsalomon landed the fix. I didn't look too much into it at the time, but now I strongly believe this was the underlying bug.

It would be nice to get the native GPU fuzzer into oss-fuzz so we can have more consistent and less noisy results.
Cc: infe...@chromium.org
Does that require a real GPU?
I think so, which may make it difficult for oss-fuzz. metzman was looking into afl-persistent mode which was looking promising for using a native GL fuzzer Skia-side
We might think about https://cloud.google.com/gpu/.
Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Hello! The VRP panel decided to award $3,000 for this report!  (And also kindly ask that you symbolize the stack next time :)

Also, how would you like to be credited in release notes?
Labels: -reward-unpaid reward-inprocess
Please credit me as "ZhanJia Song". Thanks!
Labels: -Merge-Request-65 Merge-Rejected-65
Rejecting merge to M65 as we're not planning any further M65 releases. 
awhalley@, Please let me know if there is any concern here. Thank you.
Labels: -M-65 Release-0-M66 M-66
Labels: CVE-2018-6090
Labels: CVE_description-missing
Project Member

Comment 36 by sheriffbot@chromium.org, Jun 27

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot