Issue 887843


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: ----
Type: Bug-Security




Security: Skia: Invalid processing of SkPipeReader object

Reported by quangn...@gmail.com, Sep 21

Issue description

VULNERABILITY DETAILS
I have found a vulnerability in do_playback. The attached PoC can crash Skia.

At the following line, `do_playback` doesn't check `reader.eof()`, and this function returns true before processing the data stream.
https://cs.chromium.org/chromium/src/third_party/skia/src/pipe/SkPipeReader.cpp?g=0&l=835

VERSION
Operating System: Linux

REPRODUCTION CASE

Build Skia with asserts disabled
```
bin/gn gen out/Release --args='is_debug=false'
ninja -C out/Release
```

Run testcase:
```
./out/Release/fuzz -t pipe -b SkPipeReader_do_playback2_eof
```

Crash state:
```
#0  0x0000000000e5fce6 in sk_sp<SkPicture>::reset (this=0xfffffffffffffff0, ptr=0x25f0cc0) at ../../include/core/SkRefCnt.h:307
#1  0x0000000000e5f7ca in sk_sp<SkPicture>::operator=(sk_sp<SkPicture>&&) (this=0xfffffffffffffff0,
    that=<unknown type in /mnt/data2/fuzz/skia_org/out/Release-noopt/fuzz, CU 0x1263ff2, DIE 0x128b72f>) at ../../include/core/SkRefCnt.h:279
#2  0x0000000000e5ef75 in SkRefSet<SkPicture>::set (this=0x25f1fd8, index=0xfffffffe, value=...) at ../../src/pipe/SkRefSet.h:23
#3  0x0000000000e5b29b in SkPipeInflator::setPicture (this=0x7fffffffcbc0, index=0xffffffff, pic=...) at ../../src/pipe/SkPipeReader.cpp:70
#4  0x0000000000e5e2ca in definePicture_handler (reader=..., packedVerb=0x23000000, canvas=0x0) at ../../src/pipe/SkPipeReader.cpp:705
#5  0x0000000000e5e947 in SkPipeDeserializer::readPicture (this=0x7fffffffcd70, data=0x7ffff7ff6000, size=0x10)
    at ../../src/pipe/SkPipeReader.cpp:832
#6  0x0000000000c350a9 in SkPipeDeserializer::readPicture (this=0x7fffffffcd70, data=0x25f1a10) at ../../src/core/SkPipe.h:63
#7  0x0000000000c38d8d in fuzz_skpipe (bytes=...) at ../../fuzz/FuzzMain.cpp:614
#8  0x0000000000c362c6 in fuzz_file (path=..., type=...) at ../../fuzz/FuzzMain.cpp:189
#9  0x0000000000c35bc4 in main (argc=0x5, argv=0x7fffffffe1a8) at ../../fuzz/FuzzMain.cpp:109
#10 0x00007ffff6061830 in __libc_start_main (main=0xc35a93 <main(int, char**)>, argc=0x5, argv=0x7fffffffe1a8, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:291
#11 0x0000000000c1a5b9 in _start ()
gdb-peda$
```

PATCH

patch for this issue:
```
diff --git a/src/pipe/SkPipeReader.cpp b/src/pipe/SkPipeReader.cpp
--- a/src/pipe/SkPipeReader.cpp
+++ b/src/pipe/SkPipeReader.cpp
@@ -832,6 +843,8 @@ static bool do_playback(SkPipeReader& reader, SkCanvas* canvas, int* endPictureI

     const bool showEachVerb = false;
     int counter = 0;
+    if (reader.eof())
+        return false;
     while (!reader.eof()) {
         uint32_t prevOffset = reader.offset();
         uint32_t packedVerb = reader.read32();
```
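Review bot: the early return only changes what an empty stream reports, because `while (!reader.eof())` already skips the loop body in that case, so this is only a fix if every caller of `do_playback` acts on its return value; frame #4 of the trace above (`definePicture_handler` calling `setPicture` with `index=0xffffffff`, consistent with an index out-parameter that was never written) suggests the nested playback result is not checked at that call site, so it needs an `if (!do_playback(...))` bail-out or a validation of `*endPictureIndex` before `setPicture` as well. Two smaller points: braces around the one-line `if` body would match the surrounding loop, and the hunk header `@@ -832,6 +843,8 @@` carries an 11-line offset that two added lines do not explain, so the diff looks to have been taken against an already-modified file; regenerate it against a clean checkout so it applies.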
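As an added C++ model of the failure mode (constructed for this write-up, not Skia's code; the verb ids, the big-endian packing and the `Playback`/`slot_for` names are assumptions), the block below shows an empty stream returning success with the index out-parameter untouched, the eof check from the report closing that case, and the call-site validation a caller still needs, since a stream that merely lacks an end-picture verb reaches eof the same way.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for SkPipeReader (added example, not Skia's code): a stream
// of big-endian 32-bit packed verbs, verb id in the high byte, extra in the low 24.
struct PipeReader {
    const uint8_t* data;
    size_t size;
    size_t off = 0;
    bool eof() const { return off >= size; }
    bool read32(uint32_t* v) {  // false when the trailing verb is truncated
        if (size - off < 4) return false;
        *v = (uint32_t(data[off]) << 24) | (uint32_t(data[off + 1]) << 16) |
             (uint32_t(data[off + 2]) << 8) | uint32_t(data[off + 3]);
        off += 4;
        return true;
    }
};

enum Verb : uint8_t { kNoop = 1, kEndPicture = 2 };  // hypothetical verb ids
struct Playback { bool ok; int endPictureIndex; };

// What a do_playback-style loop hands back to its caller. With rejectEmpty == false
// it behaves like the unpatched code: an empty stream never enters the loop, yet the
// function still returns true and leaves the index out-parameter at its -1 sentinel.
static Playback playback(const std::vector<uint8_t>& bytes, bool rejectEmpty) {
    PipeReader r{bytes.data(), bytes.size()};
    Playback out{true, -1};
    if (rejectEmpty && r.eof()) { out.ok = false; return out; }  // the proposed eof check
    while (!r.eof()) {
        uint32_t packed;
        if (!r.read32(&packed)) { out.ok = false; return out; }
        switch (packed >> 24) {
            case kNoop: break;
            case kEndPicture: out.endPictureIndex = int(packed & 0xFFFFFF); return out;
            default: out.ok = false; return out;
        }
    }
    return out;  // eof reached without an end-picture verb
}

// The check a definePicture-style caller needs before storing into the picture set:
// playback must have succeeded and the 1-based index must actually have been set.
// Returns the 0-based slot, or -1 when the store has to be skipped.
static int slot_for(const Playback& p) {
    return (p.ok && p.endPictureIndex >= 1) ? p.endPictureIndex - 1 : -1;
}
```

Note that `playback({0x01, 0, 0, 0}, true)` (one no-op verb, then eof) still reports success with the index unset, which is why `slot_for` guards on the index and not only on the return value.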
 
Cc: kjlubick@chromium.org hcm@google.com
Components: Internals>Skia
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Cc: mtklein@chromium.org reed@google.com
Labels: Security_Impact-None
Status: Available (was: Unconfirmed)
Bulk edit of recently filed skia pipe bugs.
Status: WontFix (was: Available)
See https://bugs.chromium.org/p/chromium/issues/detail?id=886713#c8

Comment 4 by sheriffbot@chromium.org, Dec 29

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot