Security: crash (SEGV_MAPERR) in Chrome third-party Skia module.
Reported by cdsrc2...@gmail.com, Mar 16 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
Chrome version: 67.0.3369.0 (Developer Build) (64-bit)
Ubuntu version: 16.04
1. Configure the args.gn file as below:
   treat_warnings_as_errors = false
2. Build chrome: ninja -j16 -C out/chrome_asan chrome
3. Reproduce with the chrome browser:
   1) Open the chrome browser: ./chrome
   2) Drag in crash.html.

What is the expected behavior?

What went wrong?
The testcase is inspired by an old one (CVE-2012-2900: https://bugs.chromium.org/p/chromium/issues/detail?id=138208). I don't understand what is really going on...

ASan symbolized crash log:

Received signal 11 SEGV_MAPERR 000000000000
#0 0x557c329a4b21 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3957:13
#1 0x557c3aa7945e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x557c3aa7828f in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7fb110ae4390 in __funlockfile ??:?
#4 0x7fb110ae4390 in ?? ??:0
#5 0x557c32e73309 in GrSimpleTextureEffect::GrSimpleTextureEffect(sk_sp<GrTextureProxy>, SkMatrix44, GrSamplerState) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/effects/GrSimpleTextureEffect.h:53:63
#6 0x557c32fc1cac in GrSimpleTextureEffect::Make(sk_sp<GrTextureProxy>, SkMatrix const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/effects/GrSimpleTextureEffect.h:24:21
#7 0x557c3afcf677 in draw_mask(GrRenderTargetContext*, GrClip const&, SkMatrix const&, SkIRect const&, GrPaint&&, sk_sp<GrTextureProxy>) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/GrBlurUtils.cpp:48:40
#8 0x557c3afcbce3 in sw_draw_with_mask_filter /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/GrBlurUtils.cpp:102:12
#9 0x557c3afcbce3 in draw_path_with_mask_filter(GrContext*, GrRenderTargetContext*, GrClip const&, GrPaint&&, GrAA, SkMatrix const&, SkMaskFilterBase const*, GrStyle const&, SkPath const*, bool) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/GrBlurUtils.cpp:243:0
#10 0x557c3afcea3c in GrBlurUtils::drawPathWithMaskFilter(GrContext*, GrRenderTargetContext*, GrClip const&, SkPath const&, SkPaint const&, SkMatrix const&, SkMatrix const*, SkIRect const&, bool) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/GrBlurUtils.cpp:310:9
#11 0x557c3afc67e9 in GrRenderTargetContext::TextTarget::drawPath(GrClip const&, SkPath const&, SkPaint const&, SkMatrix const&, SkMatrix const*, SkIRect const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/GrRenderTargetContext.cpp:68:9
#12 0x557c3b2408dd in GrAtlasTextBlob::flush(GrTextUtils::Target*, SkSurfaceProps const&, GrDistanceFieldAdjustTable const*, GrTextUtils::Paint const&, GrClip const&, SkMatrix const&, SkIRect const&, float, float) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/text/GrAtlasTextBlob.cpp:336:25
#13 0x557c3b221d34 in GrAtlasTextContext::drawTextBlob(GrContext*, GrTextUtils::Target*, GrClip const&, SkPaint const&, SkMatrix const&, SkSurfaceProps const&, SkTextBlob const*, float, float, SkDrawFilter*, SkIRect const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/text/GrAtlasTextContext.cpp:184:16
#14 0x557c3afa01b6 in GrRenderTargetContext::drawTextBlob(GrClip const&, SkPaint const&, SkMatrix const&, SkTextBlob const*, float, float, SkDrawFilter*, SkIRect const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/GrRenderTargetContext.cpp:260:23
#15 0x557c3b347ed2 in SkGpuDevice::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&, SkDrawFilter*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/gpu/SkGpuDevice.cpp:1675:27
#16 0x557c32ac40a2 in SkCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/core/SkCanvas.cpp:2542:23
#17 0x557c32ac6388 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/core/SkCanvas.cpp:2600:11
#18 0x557c32b141b2 in SkColorSpaceXformCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/core/SkColorSpaceXformCanvas.cpp:137:18
#19 0x557c32ac6388 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/skia/src/core/SkCanvas.cpp:2600:11
#20 0x557c3c1eb5d0 in RasterWithFlags /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/paint_op_buffer.cc:1259:11
#21 0x557c3c1eb5d0 in RasterWithFlags /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/paint_op_buffer.cc:105:0
#22 0x557c3c1eb5d0 in operator() /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/paint_op_buffer.cc:140:0
#23 0x557c3c1eb5d0 in cc::$_44::__invoke(cc::PaintOp const*, cc::PaintFlags const*, SkCanvas*, cc::PlaybackParams const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/paint_op_buffer.cc:140:0
#24 0x557c3c1e4c8d in RasterWithFlags /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/paint_op_buffer.cc:1942:3
#25 0x557c3c1e4c8d in cc::PaintOpBuffer::Playback(SkCanvas*, cc::PlaybackParams const&, std::__1::vector<unsigned long, std::__1::allocator<unsigned long> > const*) const /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/paint_op_buffer.cc:2274:0
#26 0x557c3c234838 in cc::SkiaPaintCanvas::drawPicture(sk_sp<cc::PaintOpBuffer const>, base::RepeatingCallback<void (SkCanvas*, unsigned int)>) /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/skia_paint_canvas.cc:390:11
#27 0x557c3c2343f4 in cc::SkiaPaintCanvas::drawPicture(sk_sp<cc::PaintOpBuffer const>) /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/paint/skia_paint_canvas.cc:347:3
#28 0x557c46c69a35 in blink::Canvas2DLayerBridge::FlushRecording() /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/WebKit/Source/platform/graphics/Canvas2DLayerBridge.cpp:524:15
#29 0x557c46c6e1bb in blink::Canvas2DLayerBridge::PrepareTransferableResource(viz::TransferableResource*, std::__1::unique_ptr<viz::SingleReleaseCallback, std::__1::default_delete<viz::SingleReleaseCallback> >*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/WebKit/Source/platform/graphics/Canvas2DLayerBridge.cpp:640:3
#30 0x557c3f2f7e87 in cc::TextureLayer::Update() /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/layers/texture_layer.cc:169:18
#31 0x557c3decc27b in PaintContent /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/trees/layer_tree_host.cc:1229:33
#32 0x557c3decc27b in cc::LayerTreeHost::DoUpdateLayers(cc::Layer*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/trees/layer_tree_host.cc:808:0
#33 0x557c3decb345 in cc::LayerTreeHost::UpdateLayers() /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/trees/layer_tree_host.cc:669:17
#34 0x557c3e10791e in cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) /home/cowboy/chrom/src/out/chrome_asan_shared/../../cc/trees/proxy_main.cc:268:60
#35 0x557c3e11f499 in Invoke<base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/bind_internal.h:447:12
#36 0x557c3e11f499 in MakeItSo<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/bind_internal.h:550:0
#37 0x557c3e11f499 in void base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunImpl<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, 0ul, 1ul>(void (cc::ProxyMain::*&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
#38 0x557c3aa7d5b8 in Run /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/callback.h:95:12
#39 0x557c3aa7d5b8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:61:0
#40 0x557c399a7136 in blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType) /home/cowboy/chrom/src/out/chrome_asan_shared/../../third_party/WebKit/Source/platform/scheduler/base/thread_controller_impl.cc:162:21
#41 0x557c3aa7d5b8 in Run /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/callback.h:95:12
#42 0x557c3aa7d5b8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:61:0
#43 0x557c3aaf2fbf in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:395:25
#44 0x557c3aaf44e0 in DeferOrRunPendingTask /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:407:5
#45 0x557c3aaf44e0 in base::MessageLoop::DoWork() /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:451:0
#46 0x557c3aafd0c0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#47 0x557c3ab8fb1c in base::RunLoop::Run() /home/cowboy/chrom/src/out/chrome_asan_shared/../../base/run_loop.cc:133:14
#48 0x557c4a7bacbe in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:227:23
#49 0x557c39ed8748 in content::ContentMainRunnerImpl::Run() /home/cowboy/chrom/src/out/chrome_asan_shared/../../content/app/content_main_runner.cc:703:12
#50 0x557c39f02e20 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:453:29
#51 0x557c39ed44a3 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chrom/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
#52 0x557c32a2ac3e in ChromeMain /home/cowboy/chrom/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
#53 0x7fb109d45830 in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
#54 0x557c3295902a in _start ??:0:0
  r8: 00007fb0ff700000  r9: 00007fb0ff6fe4e8 r10: 00000000000000f0 r11: 0000000000004301
 r12: 00007fb0ff94e720 r13: 00007fb0ff94e820 r14: 00000ff61ff29ce4 r15: 0000621000517d40
  di: 0000000000000000  si: ffffffffffffffff  bp: 00007ffdf68a1170  bx: 00007ffdf68a10e0
  dx: 00007fb0ff94e800  ax: 0000000000000000  cx: 0000000000000002  sp: 00007ffdf68a10e0
  ip: 0000557c32e73309 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

Non-ASan debug version log:

Received signal 11 SEGV_MAPERR 000000000000
#0 0x55b8a87e516c base::debug::StackTrace::StackTrace()
#1 0x55b8a87e4cd1 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f1f2ddf7390 <unknown>
#3 0x55b8a6cc54c8 GrSimpleTextureEffect::GrSimpleTextureEffect()
#4 0x55b8a6d189f3 GrSimpleTextureEffect::Make()
#5 0x55b8a892808c draw_mask()
#6 0x55b8a8927a15 draw_path_with_mask_filter()
#7 0x55b8a8927fb1 GrBlurUtils::drawPathWithMaskFilter()
#8 0x55b8a892601e GrRenderTargetContext::TextTarget::drawPath()
#9 0x55b8a89add32 GrAtlasTextBlob::flush()
#10 0x55b8a89a6806 GrAtlasTextContext::drawTextBlob()
#11 0x55b8a891cd66 GrRenderTargetContext::drawTextBlob()
#12 0x55b8a89e8d9a SkGpuDevice::drawTextBlob()
#13 0x55b8a6bef4e4 SkCanvas::onDrawTextBlob()
#14 0x55b8a6befc87 SkCanvas::drawTextBlob()
#15 0x55b8a6c0062c SkColorSpaceXformCanvas::onDrawTextBlob()
#16 0x55b8a6befc87 SkCanvas::drawTextBlob()
#17 0x55b8a8d4164c cc::$_44::__invoke()
#18 0x55b8a8d403c3 cc::PaintOpBuffer::Playback()
#19 0x55b8a8d4e942 cc::SkiaPaintCanvas::drawPicture()
#20 0x55b8a8d4e80e cc::SkiaPaintCanvas::drawPicture()
#21 0x55b8ab33a284 blink::Canvas2DLayerBridge::FlushRecording()
#22 0x55b8ab33b1cf blink::Canvas2DLayerBridge::PrepareTransferableResource()
#23 0x55b8a991d09a cc::TextureLayer::Update()
#24 0x55b8a9492559 cc::LayerTreeHost::DoUpdateLayers()
#25 0x55b8a9492044 cc::LayerTreeHost::UpdateLayers()
#26 0x55b8a950ddac cc::ProxyMain::BeginMainFrame()
#27 0x55b8a9513b57 _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvNSt3__110unique_ptrINS3_28BeginMainFrameAndCommitStateENS5_14default_deleteIS7_EEEEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperISA_EEEEEFvvEE7RunImplISC_NS5_5tupleIJSE_SG_EEEJLm0ELm1EEEEvOT_OT0_NS5_16integer_sequenceImJXspT1_EEEE
#28 0x55b8a87e64fd base::debug::TaskAnnotator::RunTask()
#29 0x55b8a8430472 blink::scheduler::internal::ThreadControllerImpl::DoWork()
#30 0x55b8a87e64fd base::debug::TaskAnnotator::RunTask()
#31 0x55b8a8800347 base::MessageLoop::RunTask()
#32 0x55b8a8800817 base::MessageLoop::DoWork()
#33 0x55b8a88028ea base::MessagePumpDefault::Run()
#34 0x55b8a8822db5 base::RunLoop::Run()
#35 0x55b8abfac441 content::RendererMain()
#36 0x55b8a852cb39 content::RunZygote()
#37 0x55b8a852dca8 content::ContentMainRunnerImpl::Run()
#38 0x55b8a8537695 service_manager::Main()
#39 0x55b8a852c894 content::ContentMain()
#40 0x55b8a6b901b3 ChromeMain
#41 0x7f1f27eae830 __libc_start_main
#42 0x55b8a6b9002a _start
  r8: 0000000000000001  r9: 0000000000000000 r10: 0000000000000001 r11: fffffffffffffe18
 r12: 00007fff62194138 r13: 00007fff621944d0 r14: 00007fff621940f0 r15: 00007fff62194178
  di: 000035e8fc318040  si: 00007fff62194138  bp: 00007fff621940e0  bx: 000035e8fc318040
  dx: 00007fff621940f0  ax: 0000000000000000  cx: 0000000000000000  sp: 00007fff62194070
  ip: 000055b8a6cc54c8 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

Did this work before? N/A
Chrome version: 67.0.3369.0
Channel: dev
OS Version: Ubuntu 1604
Flash Version:
Mar 16 2018

Mar 16 2018
ClusterFuzz can't repro, but can someone from Skia please take a look?
Mar 19 2018
No obvious code changes lately in the Skia space, or cc from a quick glance... this one will be hard to find without a repro to give us more info on the corrupted pointer or whatever is at hand here.
Mar 20 2018
To the reporter, is there any additional information you can share about how to repro? Are you able to repro with one of the recent builds from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=linux-debug/?
Mar 20 2018
FWIW, opening crash.html on Mac OS X 10.13.3 results in an "Aw Snap" page with a crash in GrSimpleTextureEffect::GrSimpleTextureEffect. crash/dc9d0d709c04a8eb
Mar 20 2018

Mar 20 2018
Assigning back to hcm@. I wasn't able to repro on Linux, but can you investigate given a repro on Mac? (c#6)
Mar 20 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5346177705574400.
Mar 20 2018

Mar 20 2018
Hi. FWIW, it can repro with the recent builds: [DIR] asan-linux-release-544249.zip 2018-03-20 01:49:41 3093.46MB 544249 12c3eb1846dc7ed0460ba5a6fd10ac537b19a461. Tested in: 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Mar 20 2018
Detailed report: https://clusterfuzz.com/testcase?key=5346177705574400 Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: GrSimpleTextureEffect::GrSimpleTextureEffect GrSimpleTextureEffect::Make draw_mask Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=541822:541836 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5346177705574400 See https://github.com/google/clusterfuzz-tools for more information.
Mar 20 2018

Mar 20 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 22 2018
Related to DDL changes??
Mar 22 2018

Mar 22 2018
The following revision refers to this bug:
https://skia.googlesource.com/skia/+/0a4b13cdea208946a59c612e0743f28533124166

commit 0a4b13cdea208946a59c612e0743f28533124166
Author: Robert Phillips <robertphillips@google.com>
Date: Thu Mar 22 19:55:05 2018

Remove std::move from GrSimpleTextureEffect

Bug:822680
Change-Id: I4780ce12a6ce244a2165bfb7b293adb06ae577c5
Reviewed-on: https://skia-review.googlesource.com/115900
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/0a4b13cdea208946a59c612e0743f28533124166/src/sksl/SkSLHCodeGenerator.cpp
[modify] https://crrev.com/0a4b13cdea208946a59c612e0743f28533124166/src/gpu/effects/GrSimpleTextureEffect.h
[modify] https://crrev.com/0a4b13cdea208946a59c612e0743f28533124166/src/gpu/effects/GrSimpleTextureEffect.fp
Mar 22 2018
From what I can tell (from looking at the code) this appears to be a compiler bug where the std::move is moving the pointer before a user earlier in the initializer list can access (resulting in the null pointer reference).
Mar 22 2018
Talking with some folks who know way more about C++ stuff than I do, it's not clear why the std::move would have an impact here, insofar as std::move doesn't actually "move" anything. A proposed explanation is that in this scenario https://cs.chromium.org/chromium/src/third_party/skia/src/gpu/GrBlurUtils.cpp?type=cs&sq=package:chromium&l=97 is returning nullptr, which is more consistent with the regression range reported by Clusterfuzz (https://skia.googlesource.com/skia/+/c7c2baf0cf264b9d0d9c0f67cfb827a7e4a5e32c%5E%21/#F4 added that line) If this is consistently a null pointer dereference (which it seems to be) the security severity should be lowered.
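The two explanations traded above (an initializer-list ordering problem caused by std::move, versus the mask creation in GrBlurUtils.cpp handing a null proxy to GrSimpleTextureEffect::Make) can be told apart with a small model. The following is an added example, not Skia or Chromium code: TextureProxy, SimpleTextureEffect, createMaskProxy and the drawWithMaskFilter* functions are hypothetical stand-ins for GrTextureProxy, GrSimpleTextureEffect, the software mask creation and its sw_draw_with_mask_filter caller, and std::shared_ptr stands in for sk_sp. It shows that std::move in a member initializer is only a cast (the earlier initializer still reads a live proxy, so removing it changes nothing), that a null proxy reaching the constructor is exactly the read at address 0 in the report, and the caller-side early return that the later "Add error return, upon mask creation failure" change takes.

```cpp
// Added illustration, not Skia code. All names are hypothetical stand-ins.
#include <memory>
#include <utility>

// Stand-in for GrTextureProxy.
struct TextureProxy {
    int config;   // stand-in for GrTextureProxy::config()
    int width;
};

// Stand-in for GrSimpleTextureEffect: the constructor reads through the proxy
// in its member-initializer list and then moves the proxy into a member.
class SimpleTextureEffect {
public:
    static std::unique_ptr<SimpleTextureEffect> Make(std::shared_ptr<TextureProxy> proxy) {
        return std::unique_ptr<SimpleTextureEffect>(new SimpleTextureEffect(std::move(proxy)));
    }
    int config() const { return fConfig; }
    const TextureProxy* proxy() const { return fProxy.get(); }

private:
    explicit SimpleTextureEffect(std::shared_ptr<TextureProxy> proxy)
        // Members are initialised in declaration order: fConfig first, then
        // fProxy. std::move(proxy) is only a cast to rvalue; the parameter is
        // not emptied until fProxy's constructor runs, so fConfig sees a live
        // handle. If 'proxy' is null, this dereference is the SEGV_MAPERR at
        // address 0 in the crash log above.
        : fConfig(proxy->config)
        , fProxy(std::move(proxy)) {}

    int fConfig;
    std::shared_ptr<TextureProxy> fProxy;
};

// Stand-in for the software mask creation that can fail. A degenerate mask
// (constructed failure case: non-positive dimensions) yields a null proxy.
std::shared_ptr<TextureProxy> createMaskProxy(int width, int height) {
    if (width <= 0 || height <= 0) {
        return nullptr;
    }
    return std::make_shared<TextureProxy>(TextureProxy{/*config=*/1, width});
}

// Before the fix: the possibly-null result goes straight into Make(), which
// dereferences it in the constructor. Calling this with a failing mask
// (e.g. width 0) crashes with a null read.
bool drawWithMaskFilterUnchecked(int width, int height) {
    std::unique_ptr<SimpleTextureEffect> effect =
        SimpleTextureEffect::Make(createMaskProxy(width, height));
    return effect->config() == 1;
}

// After the fix: check the mask before building the effect and report
// failure to the caller instead of drawing.
bool drawWithMaskFilterChecked(int width, int height) {
    std::shared_ptr<TextureProxy> mask = createMaskProxy(width, height);
    if (!mask) {
        return false;   // nothing to draw; no effect is constructed
    }
    std::unique_ptr<SimpleTextureEffect> effect = SimpleTextureEffect::Make(std::move(mask));
    return effect->config() == 1;
}

// Shows that the std::move in the initializer list is harmless: the effect
// read the right config, and it shares ownership of the same proxy object
// (use_count 2: this local plus the effect's member).
bool moveInInitializerIsSafe() {
    std::shared_ptr<TextureProxy> proxy = std::make_shared<TextureProxy>(TextureProxy{7, 8});
    std::unique_ptr<SimpleTextureEffect> effect = SimpleTextureEffect::Make(proxy);
    return effect->config() == 7 && effect->proxy() == proxy.get() && proxy.use_count() == 2;
}
```

Run drawWithMaskFilterUnchecked(0, 16) under ASan to reproduce the shape of the report (a null-dereference READ at address 0 inside the constructor); drawWithMaskFilterChecked(0, 16) simply returns false. Removing std::move from the initializer makes no difference to either path, which is why the first Skia change was reverted.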
Mar 23 2018
You're right - that is more plausible. I guess I got caught up in the non-asan debug version log which elides the sw_draw_with_mask_filter call.
Mar 23 2018
The following revision refers to this bug:
https://skia.googlesource.com/skia/+/a98183a820bc859600541cb12fb575cde5850dff

commit a98183a820bc859600541cb12fb575cde5850dff
Author: Robert Phillips <robertphillips@google.com>
Date: Fri Mar 23 11:44:31 2018

Revert "Remove std::move from GrSimpleTextureEffect"

This reverts commit 0a4b13cdea208946a59c612e0743f28533124166.

Reason for revert: incorrect change

Original change's description:
> Remove std::move from GrSimpleTextureEffect
>
> Bug:822680
> Change-Id: I4780ce12a6ce244a2165bfb7b293adb06ae577c5
> Reviewed-on: https://skia-review.googlesource.com/115900
> Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
> Reviewed-by: Brian Salomon <bsalomon@google.com>
> Commit-Queue: Robert Phillips <robertphillips@google.com>

TBR=bsalomon@google.com,robertphillips@google.com,ethannicholas@google.com

Change-Id: Ib4123d50b02eeac3f5112bf2702b12fc080f0d1c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 822680
Reviewed-on: https://skia-review.googlesource.com/116140
Reviewed-by: Robert Phillips <robertphillips@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/a98183a820bc859600541cb12fb575cde5850dff/src/sksl/SkSLHCodeGenerator.cpp
[modify] https://crrev.com/a98183a820bc859600541cb12fb575cde5850dff/src/gpu/effects/GrSimpleTextureEffect.h
[modify] https://crrev.com/a98183a820bc859600541cb12fb575cde5850dff/src/gpu/effects/GrSimpleTextureEffect.fp
Mar 23 2018
The following revision refers to this bug:
https://skia.googlesource.com/skia/+/48ce22b374c987e91584efb3665e7a835fdd14da

commit 48ce22b374c987e91584efb3665e7a835fdd14da
Author: Robert Phillips <robertphillips@google.com>
Date: Fri Mar 23 15:56:10 2018

Add error return, upon mask creation failure, in sw_draw_with_mask_filter

Bug: 822680
Change-Id: I7296c5be4faf1f706ad1cc05198559771e324841
Reviewed-on: https://skia-review.googlesource.com/116180
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/48ce22b374c987e91584efb3665e7a835fdd14da/src/gpu/GrBlurUtils.cpp
Mar 23 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/27bca7c86cc2ead98da273eb23447115d13e911e

commit 27bca7c86cc2ead98da273eb23447115d13e911e
Author: skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Fri Mar 23 01:23:11 2018

Roll src/third_party/skia/ 1b6930f55..7956b59ba (9 commits)

https://skia.googlesource.com/skia.git/+log/1b6930f55c7c..7956b59ba50b

$ git log 1b6930f55..7956b59ba --date=short --no-merges --format='%ad %ae %s'
2018-03-22 herb Remove SkAutoGlyphCache decls that happen to work
2018-02-15 bungeman Add color fonts.
2018-03-22 halcanary BUILD: build when !skia_use_expat
2018-03-22 joe Upload cipd package for Node.
2018-03-22 robertphillips Remove std::move from GrSimpleTextureEffect
2018-03-22 halcanary tests/ImageTest: fail gracefully
2018-03-21 halcanary CreatePlatformGLTestContext_egl: Try GLES 3, then GLES 2.
2018-03-19 bsalomon Always validate GrBackendTextures passed to YUV image factories
2018-03-22 halcanary GrGLES Interface: GL_OES_vertex_array_object ext

Created with: roll-dep src/third_party/skia

BUG= chromium:822680

The AutoRoll server is located here: https://autoroll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=jvanverth@chromium.org

Change-Id: Ic4783cd2b71ca17450f73b6fb76c5e29d1de987c
Reviewed-on: https://chromium-review.googlesource.com/977001
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#545325}

[modify] https://crrev.com/27bca7c86cc2ead98da273eb23447115d13e911e/DEPS
Mar 24 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/94fa0583b7ece8ac08fb451fd548d7cb6a5ea153

commit 94fa0583b7ece8ac08fb451fd548d7cb6a5ea153
Author: skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Sat Mar 24 17:05:05 2018

Roll src/third_party/skia/ b2ec726e3..33477889c (24 commits)

https://skia.googlesource.com/skia.git/+log/b2ec726e3776..33477889c58b

$ git log b2ec726e3..33477889c --date=short --no-merges --format='%ad %ae %s'
2018-03-24 skcms-skia-autoroll Roll skia/third_party/externals/skcms/ d9500cbd4..a50fa23a3 (1 commit)
2018-03-24 update-docs Update markdown files
2018-03-24 angle-skia-autoroll Roll skia/third_party/externals/angle2/ e6a40d07d..26ed93d7d (2 commits)
2018-03-23 bsalomon Hide GrBackendTexture/RenderTarget constructors that take a GrPixelConfig
2018-03-23 angle-skia-autoroll Roll skia/third_party/externals/angle2/ d779f6a98..e6a40d07d (3 commits)
2018-03-23 csmartdalton Revert "Implement Sk2f::Store2"
2018-03-23 bsalomon Remove legacy GrContext factories function and supporting code/types.
2018-03-23 bsalomon Move GrPixelConfig to GrTypesPriv
2018-03-23 bsalomon Remove legacy SkSurface::MakeFromBackendRenderTarget that does not take SkColorType
2018-03-23 bsalomon Move a bunch of internal types from GrTypes to GrTypesPriv
2018-03-23 robertphillips Get @constructor feature of SKSL working
2018-03-23 csmartdalton Implement Sk2f::Store2
2018-03-23 skcms-skia-autoroll Roll skia/third_party/externals/skcms/ a6f932c91..d9500cbd4 (1 commit)
2018-03-21 halcanary Reland "CreatePlatformGLTestContext_egl: Try GLES 3, then GLES 2."
2018-03-23 liyuqian Use DAA for small cubics and non-convex paths that fit into a mask
2018-03-23 robertphillips Disable DDL assert to unblock Chrome
2018-03-23 fmalita [skottie] Clean up SkottieProperties
2018-03-23 bsalomon Fix leak of backend texture in GrContext_maxSurfaceSamplesForColorType test
2018-03-23 robertphillips Add error return, upon mask creation failure, in sw_draw_with_mask_filter
2018-03-23 skcms-skia-autoroll Roll skia/third_party/externals/skcms/ 2b5c77024..a6f932c91 (1 commit)
2018-03-23 halcanary Revert "CreatePlatformGLTestContext_egl: Try GLES 3, then GLES 2."
2018-03-23 jvanverth Revert "Add color fonts."
2018-03-23 angle-skia-autoroll Roll skia/third_party/externals/angle2/ 068e70308..d779f6a98 (3 commits)
2018-03-23 robertphillips Revert "Remove std::move from GrSimpleTextureEffect"

Created with: roll-dep src/third_party/skia

BUG= chromium:822680 , chromium:822680

The AutoRoll server is located here: https://autoroll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=jvanverth@chromium.org

Change-Id: I1a33e474238714bfd70b784619457d011bcc9786
Reviewed-on: https://chromium-review.googlesource.com/979402
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#545695}

[modify] https://crrev.com/94fa0583b7ece8ac08fb451fd548d7cb6a5ea153/DEPS
Mar 25 2018
ClusterFuzz has detected this issue as fixed in range 545694:545695. Detailed report: https://clusterfuzz.com/testcase?key=5346177705574400 Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: GrSimpleTextureEffect::GrSimpleTextureEffect GrSimpleTextureEffect::Make draw_mask Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=541822:541836 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=545694:545695 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5346177705574400 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 25 2018
ClusterFuzz testcase 5346177705574400 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 25 2018

Mar 26 2018

Apr 1 2018
I'm afraid that the VRP panel took a look at this and considered it not to be exploitable, so we won't be tracking this as a security bug :-(