SkArenaAlloc aligned under-allocation
Categories: Core :: Graphics, defect
People: Reporter: dveditz, Assigned: lsalzman
Keywords: csectype-bounds, sec-high
Google recently fixed an under-allocation problem in Skia due to alignment on 32-bit builds, found by fuzzing. The fix appears to apply to our version:
https://skia.googlesource.com/skia/+/26c24eda3ef2f853b8435f95402b3a91e3432c8c
They only ran into this problem after they changed the Footer in their arena structure so we may not be vulnerable, or as vulnerable, if we haven't picked up those recent changes. I don't know if we ever specify alignment when we call Skia APIs or if this is an internal detail.
The apparently regressing change was:
https://skia-review.googlesource.com/c/skia/+/313066
Going with the Chrome security rating to start, but maybe this is a between-snapshot regression that doesn't affect us.
Comment 1•4 years ago
Hey Jim & Lee, can you review Dan's description and comment on whether we're vulnerable to this bug, and if so, take action? (And if not, close this out.) It's a sec-high. I'm assigning to Lee for the evaluation (which I'd really appreciate if we could do early this coming week). Thanks!
Comment 2•4 years ago
We never incorporated the regressing change, which had made the size of an allocation footer an odd number of bytes, where it was previously a nicely aligned 8-byte structure. As such, our version of Skia still uses the 8-aligned footer.
I don't believe we are vulnerable to this issue, and a cherry-pick shouldn't be necessary.
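The bug class described in the report and in comment 2 can be reproduced in a toy bump arena: once a footer of odd size follows an allocation, the arena cursor is no longer aligned, and a reservation that forgets the padding needed to realign the next object reserves fewer bytes than the placement actually consumes. This is a constructed model added here to illustrate the mechanism, not SkArenaAlloc's code; the concrete Skia padding arithmetic is not on this page and the footer sizes and reservation functions below are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed footer sizes: an 8-byte footer keeps the cursor 8-aligned,
   an odd-sized footer leaves it misaligned after every allocation. */
#define FOOTER_ALIGNED 8
#define FOOTER_ODD 5

/* Bytes actually consumed when `size` bytes are placed at alignment
   `align` starting from `cursor`, followed by `footer` bytes. */
size_t bytes_needed(uintptr_t cursor, size_t size, size_t align, size_t footer) {
    uintptr_t aligned = (cursor + align - 1) & ~(uintptr_t)(align - 1);
    return (size_t)(aligned - cursor) + size + footer;
}

typedef size_t (*reserve_fn)(size_t size, size_t align, size_t footer);

/* Buggy reservation: accounts for object and footer but not for the
   padding required to reach `align` from a misaligned cursor. */
size_t reserve_buggy(size_t size, size_t align, size_t footer) {
    (void)align;
    return size + footer;
}

/* Fixed reservation: budgets the worst-case padding of align-1 bytes. */
size_t reserve_fixed(size_t size, size_t align, size_t footer) {
    return size + footer + (align - 1);
}

/* Simulate `n` back-to-back allocations; return 1 if `reserve` ever
   reserves fewer bytes than the placement consumes (under-allocation). */
int under_allocates(reserve_fn reserve, size_t size, size_t align,
                    size_t footer, int n) {
    uintptr_t cursor = 0;
    for (int i = 0; i < n; i++) {
        size_t consumed = bytes_needed(cursor, size, align, footer);
        if (reserve(size, align, footer) < consumed) return 1;
        cursor += consumed;  /* next object starts after this footer */
    }
    return 0;
}
```

With the 8-byte footer the buggy reservation is never short, which matches the analysis that the pre-regression footer layout is not affected; with the odd footer it is short by the realignment padding on the second allocation.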
Comment 3•4 years ago
Thanks for flagging this, Dan, and thanks, Lee, for your analysis. Based on Lee's analysis (see comment 2), I'm marking this bug as INVALID (since we never incorporated the regressing change into our code).