Security: libaom/av1_dec_fuzzer_threaded: ASSERT: 0 <= sum && sum < (1 << (bd + FILTER_BITS + 1))

Issue description

Original bug reported by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9474
Detailed report: https://oss-fuzz.com/testcase?key=6313577471279104

Project: libaom
Fuzzer: libFuzzer_libaom_av1_dec_fuzzer_threaded
Fuzz target binary: av1_dec_fuzzer_threaded
Job Type: libfuzzer_msan_libaom
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  0 <= sum && sum < (1 << (bd + FILTER_BITS + 1))
  av1_highbd_convolve_2d_scale_c
  av1_highbd_convolve_2d_facade

Sanitizer: memory (MSAN)

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=6313577471279104

[There's a 2nd oss-fuzz reported bug too, with the same root cause: https://crbug.com/oss-fuzz/9323 , and the same patch that's coming up fixes that as well].
,
Jul 24
From a quick glance at the report it's not clear to me what the security implications of this would be in a release build, if any. Could you provide a brief summary of what would happen in a build without this assert to help with our security triage?
,
Jul 24
@mbarbella: Good question! In this particular testcase (repro case from oss-fuzz), the decoder would go into an inconsistent state where some buffers that are supposed to have 8-bit data will have 10-bit data instead. These buffers are 16-bit though, so no buffer-overflow read/write happens in this particular case. However, the two patches mentioned above fix the core problem of mismatching sequence header structs in general. (The case above was just one particular field of the sequence header struct mismatching.) So, it's hard to tell what all the different inconsistent states the decoder can go into when other field(s) are mismatching in that struct. And it is possible that some of those mismatching fields may lead to security issues. That's why I feel that these two patches are important.
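An added illustration of the bound in the crash state, not code from libaom or from the commenter: the assertion `0 <= sum && sum < (1 << (bd + FILTER_BITS + 1))` bounds the intermediate filter sum of the high-bitdepth convolve by the bit depth `bd` the decoder believes it is working at. The model below assumes libaom's `FILTER_BITS` of 7, a rounding offset of `1 << (bd + FILTER_BITS - 1)` added before the taps (as in the C convolve), and a constructed 8-tap filter whose taps sum to `1 << FILTER_BITS`; the 16-bit sample buffers and the "claimed vs. actual depth" split are the scenario from the comment above, reproduced here as assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define FILTER_BITS 7   /* assumed: libaom's value */
#define TAPS 8

/* Constructed 8-tap filter; taps sum to 1 << FILTER_BITS (128) like libaom's. */
static const int16_t kFilter[TAPS] = { -1, 3, -10, 122, 18, -6, 2, 0 };

/* The check from the crash state: the intermediate sum must be non-negative
   and fit in bd + FILTER_BITS + 1 bits. */
int sum_in_range(int64_t sum, int bd) {
  return sum >= 0 && sum < ((int64_t)1 << (bd + FILTER_BITS + 1));
}

/* One horizontal 8-tap pass over 16-bit samples, with the rounding offset the
   high-bitdepth convolve adds up front; returns the raw intermediate sum. */
int64_t highbd_filter_sum(const uint16_t *src, int bd) {
  int64_t sum = (int64_t)1 << (bd + FILTER_BITS - 1);
  for (int k = 0; k < TAPS; k++) sum += (int64_t)kFilter[k] * src[k];
  return sum;
}

/* Fill a 16-bit buffer with the largest legal sample for sample_bd-bit video. */
void fill_max(uint16_t *buf, int n, int sample_bd) {
  for (int i = 0; i < n; i++) buf[i] = (uint16_t)((1 << sample_bd) - 1);
}

/* Returns 1 when the intermediate sum stays in range for a buffer holding
   sample_bd-bit data while the convolve believes the depth is claimed_bd.
   Matching depths pass; 10-bit data under a claimed 8-bit depth is the
   mismatch that trips the assertion. The uint16_t buffer itself never
   overflows in either case, which is why MSAN reports an assert, not OOB. */
int convolve_consistent(int sample_bd, int claimed_bd) {
  uint16_t row[TAPS];
  fill_max(row, TAPS, sample_bd);
  return sum_in_range(highbd_filter_sum(row, claimed_bd), claimed_bd);
}

int main(void) {
  const int cases[][2] = { { 8, 8 }, { 10, 10 }, { 8, 10 }, { 10, 8 } };
  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
    int sample_bd = cases[i][0], claimed_bd = cases[i][1];
    printf("data %2d-bit, decoder thinks %2d-bit: %s\n", sample_bd, claimed_bd,
           convolve_consistent(sample_bd, claimed_bd) ? "ok" : "ASSERT would fire");
  }
  return 0;
}
```

With the numbers above, all-255 8-bit samples give a sum of 49024, under the 8-bit limit of 65536, while all-1023 samples under a claimed 8-bit depth give 147328, which is where a release build without the assert would carry an out-of-range value into the later rounding and clipping stages instead of stopping.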
,
Jul 25
,
Jul 25
Makes sense to me. These cases are always a bit messy for security triage but applying labels as though it fixes that type of vulnerability since it seems like worthwhile hardening.
,
Jul 25
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd

commit 4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd
Author: Urvang Joshi <urvang@google.com>
Date: Wed Jul 25 18:17:29 2018

Roll src/third_party/libaom/source/libaom/ 88e4b0a4e..0415f2e50 (22 commits)

https://aomedia.googlesource.com/aom.git/+log/88e4b0a4ee32..0415f2e501a2

$ git log 88e4b0a4e..0415f2e50 --date=short --no-merges --format='%ad %ae %s'
2018-07-23 yaowu Fix a MSVC compiler warning
2018-07-23 wtc Add ATTRIBUTE_PACKED to some enum types.
2018-07-20 jzern decoder.h: rm unused dec_is_ref_frame_buf
2018-07-20 jzern warped_motion.[hc]: rm unused project_points_affine
2018-07-20 jzern txb_common.h: rm unused get_nz_count
2018-07-20 jzern scan.h: rm unused get_coef_context
2018-07-20 jzern quant_common.[hc]: rm unused av1_qindex_from_ac_Q3
2018-07-20 jzern onyxc_int.h: rm unused mi_(rows|cols)_aligned_to_sb
2018-07-20 jzern mv.h: rm unused mv_has_subpel
2018-07-20 jzern blockd.h: rm transpose_*
2018-07-20 jzern av1_txfm.h: rm dead av1_rotate* code
2018-06-29 huisu Add a ML model to prune horz4 and vert4 partitions
2018-07-20 wtc OBU_FRAME type requires show_existing_frame == 0.
2018-07-20 ddvfinite Fix Valgrind error from WRAP_AVX2/ConvolveTest.Copy
2018-07-19 wtc Skip a copy of the frame header in the bit buffer.
2018-07-19 binpengsmail Speedup InterpFilterParams
2018-07-19 wtc Document how to call setjmp() correctly.
2018-07-20 wtc Revert "Save the first frame header in pbi->frame_header."
2018-07-19 urvang Move film_grain_params_present to SequenceHeader.
2018-07-19 urvang Revert "highbd_dc_pred_rect: Assert on valid only"
(...)

Created with:
roll-dep src/third_party/libaom/source/libaom

R=jzern@chromium.org
Bug: 866698
Change-Id: Ie5aeb939055300e70b105edd6de10fc9360af0e8
Reviewed-on: https://chromium-review.googlesource.com/1148699
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Reviewed-by: James Zern <jzern@google.com>
Commit-Queue: Urvang Joshi <urvang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577979}

[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/DEPS
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/README.chromium
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/libaom_srcs.gni
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/config/aom_version.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.c
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm-neon/config/aom_config.c
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm-neon/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm/config/aom_config.c
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm64/config/aom_config.c
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/arm64/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/generic/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/ia32/config/aom_config.c
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/ia32/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/linux/x64/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/win/ia32/config/aom_config.c
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/win/ia32/config/av1_rtcd.h
[modify] https://crrev.com/4c3ad9d6a49eb88d36aeecd7dad7e912c80f04bd/third_party/libaom/source/config/win/x64/config/av1_rtcd.h
,
Jul 26
,
Jul 26
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 26
urvang@ are you looking into this issue?
,
Jul 26
@cmasso: Yes, the only thing needed now is merge approval for M69, so I can do a roll in that branch to bring this into M69.
,
Jul 26
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 26
+awhalley@ for M69 merge review
,
Jul 26
Approving merge to M69 branch 3497 based on internal mail thread "Security Fixes for AV1 in M69". Pls merge. Thank you.
,
Jul 26
Also, does this need a merge to M68? If yes, pls request a merge to M68 as I see "M-68" & "Target-68" labels here.
,
Jul 26
@govind this should be m69 only, removing the 68 label.
,
Jul 26
@govind: Thanks for the approval. I have a roll on chromium m69 in review, that includes this one and the 2 other bugs (which we are waiting to be baked in canary). So, I'll submit that tomorrow morning.
,
Jul 26
Ok, sounds good. Pls update other 2 bugs with canary result tomorrow and wait for approval. Thank you.
,
Jul 27
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 27
Please merge your change to M69 branch 3497 by 4:00 PM PT today, so we can pick it up for next week LAST M69 Dev release before Beta promotion. Thank you.
,
Jul 27
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/12380f9413ad7c04ee77bd5dda3e1df21bc51826

commit 12380f9413ad7c04ee77bd5dda3e1df21bc51826
Author: Urvang Joshi <urvang@google.com>
Date: Fri Jul 27 17:36:12 2018

Roll src/third_party/libaom/source/libaom/ 369ab2088..e56f1db26 (7 commits)

https://aomedia.googlesource.com/aom.git/+log/369ab2088d3f..e56f1db26bd5

$ git log 369ab2088..e56f1db26 --date=short --no-merges --format='%ad %ae %s'
2018-07-25 yunqingwang Add config flag to only enable normal tile mode
2018-07-25 debargha Add config flag to limit decoding profile
2018-07-19 wtc Skip a copy of the frame header in the bit buffer.
2018-07-18 wtc Revert 8f44a1dfacfde9ec4ab1dc5fc3bbc0b0b5bd2fba.
2018-07-18 wtc Check size limit in aom_realloc_frame_buffer.
2018-07-19 urvang Move film_grain_params_present to SequenceHeader.
2018-07-19 urvang Move profile and color config to SequenceHeader.

Created with:
roll-dep src/third_party/libaom/source/libaom

Also, cmake flags updated to restrict two AV1 features.

R=johannkoenig@google.com
Bug: 866698,867619,867620
Change-Id: I4267f056004f7ec44800f12558d371f0864b3e5a
Reviewed-on: https://chromium-review.googlesource.com/1151961
Reviewed-by: Johann Koenig <johannkoenig@google.com>
Cr-Commit-Position: refs/branch-heads/3497@{#164}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}

[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/DEPS
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/README.chromium
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/cmake_update.sh
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/config/aom_version.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm-neon-cpu-detect/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm-neon/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm-neon/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm-neon/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm64/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm64/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/arm64/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/generic/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/generic/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/generic/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/ia32/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/ia32/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/ia32/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/x64/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/x64/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/linux/x64/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/win/ia32/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/win/ia32/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/win/ia32/config/aom_config.h
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/win/x64/config/aom_config.asm
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/win/x64/config/aom_config.c
[modify] https://crrev.com/12380f9413ad7c04ee77bd5dda3e1df21bc51826/third_party/libaom/source/config/win/x64/config/aom_config.h
,
Jul 28
,
Aug 15
,
Nov 3
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by urvang@chromium.org, Jul 23