Closed Bug 1664904 Opened 4 years ago Closed 4 years ago

SkArenaAlloc aligned under-allocation

(Core :: Graphics, defect)

(Reporter: dveditz, Assigned: lsalzman)

(Keywords: csectype-bounds, sec-high)

Google recently fixed an under-allocation problem in Skia due to alignment on 32-bit builds, found by fuzzing. The fix appears to apply to our version:

They only ran into this problem after they changed the Footer in their arena structure so we may not be vulnerable, or as vulnerable, if we haven't picked up those recent changes. I don't know if we ever specify alignment when we call Skia APIs or if this is an internal detail.

The apparently regressing change was:

Going with the Chrome security rating to start, but maybe this is a between-snapshot regression that doesn't affect us.

Flags: needinfo?(lsalzman)

Hey Jim & Lee, can you review Dan's description and comment on whether we're vulnerable to this bug, and if so, take action? (And if not, close this out.) It's a sec-high. I'm assigning to Lee for the evaluation (which I'd really appreciate if we could do early this coming week). Thanks!

Assignee: nobody → lsalzman
Flags: needinfo?(jmathies)
Blocks: gfx-triage
Flags: needinfo?(jmathies)

We never incorporated the regressing change, which had made the size of an allocation footer an odd number of bytes, where it was previously a nicely aligned 8-byte structure. As such, our version of Skia still uses the 8-aligned footer.

I don't believe we are vulnerable to this issue, and a cherry-pick shouldn't be necessary.

Flags: needinfo?(lsalzman)
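The bug class behind this report is easier to see on a toy model than on Skia itself. The C below is an added illustration written for this page, not Skia's SkArenaAlloc code or the upstream fix; the 64-byte block, the choice to reserve the footer immediately ahead of each object, and both allocation routines are constructed assumptions. It shows why an odd footer size matters: a bounds check done on the unaligned cursor misses the padding that aligning the object start adds afterwards, while an 8-byte footer on an 8-aligned cursor needs no padding and so never trips the defect, which is the reasoning in comment 2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy bump allocator loosely modelled on an arena with per-allocation
 * footers. Everything here is constructed for the example: the 64-byte
 * block, placing the footer immediately before the object, and the two
 * allocation routines are not Skia's code or layout. */
#define ARENA_BYTES 64u
#define ALLOC_FAIL  SIZE_MAX

typedef struct {
    size_t cursor;   /* bytes of the block consumed so far */
    size_t footer;   /* bookkeeping bytes reserved ahead of each object */
} toy_arena;

/* Round x up to a multiple of align (a power of two); SIZE_MAX on overflow. */
static size_t round_up(size_t x, size_t align) {
    size_t mask = align - 1;
    if (x > SIZE_MAX - mask) return SIZE_MAX;
    return (x + mask) & ~mask;
}

/* Defective allocation: the bounds check uses the unaligned position and the
 * alignment padding is added afterwards, so up to align-1 bytes are never
 * checked. Returns the object offset, which may lie past the block end. */
static size_t naive_alloc(toy_arena *a, size_t size, size_t align) {
    if (size > ARENA_BYTES || a->cursor + a->footer > ARENA_BYTES - size)
        return ALLOC_FAIL;                  /* checked before padding: BUG */
    size_t obj = round_up(a->cursor + a->footer, align);
    a->cursor = obj + size;                 /* may now exceed ARENA_BYTES */
    return obj;
}

/* Corrected allocation: compute the aligned object start first, then check
 * that the requested size fits after that start. */
static size_t safe_alloc(toy_arena *a, size_t size, size_t align) {
    size_t obj = round_up(a->cursor + a->footer, align);
    if (obj == SIZE_MAX || obj > ARENA_BYTES || size > ARENA_BYTES - obj)
        return ALLOC_FAIL;
    a->cursor = obj + size;
    return obj;
}

/* Bytes by which the defective routine runs past the block for a single
 * request on a fresh arena; 0 if it stays in bounds or refuses. */
static size_t naive_overrun(size_t footer, size_t size, size_t align) {
    toy_arena a = {0, footer};
    if (naive_alloc(&a, size, align) == ALLOC_FAIL) return 0;
    return a.cursor > ARENA_BYTES ? a.cursor - ARENA_BYTES : 0;
}

/* Offset granted by the corrected routine for the same request, or ALLOC_FAIL. */
static size_t safe_offset(size_t footer, size_t size, size_t align) {
    toy_arena a = {0, footer};
    return safe_alloc(&a, size, align);
}

int main(void) {
    /* Odd 7-byte footer: the unaligned check passes, alignment adds 1 byte. */
    printf("footer 7, 57 bytes @8: naive overruns by %zu, safe returns %s\n",
           naive_overrun(7, 57, 8),
           safe_offset(7, 57, 8) == ALLOC_FAIL ? "ALLOC_FAIL" : "an offset");
    /* 8-byte footer on an 8-aligned cursor: no padding, no overrun. */
    printf("footer 8, 56 bytes @8: naive overruns by %zu, safe returns %zu\n",
           naive_overrun(8, 56, 8), safe_offset(8, 56, 8));
    return 0;
}
```

The defensive rule the corrected routine follows is the general one for any bump or arena allocator: derive the aligned start (and any trailer) first, then compare the full span against what remains, with the rounding itself checked for wraparound.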

Thanks for flagging this, Dan, and thanks, Lee, for your analysis. Based on Lee's analysis (see comment 2), I'm marking this bug as INVALID (since we never incorporated the regressing change into our code).

Closed: 4 years ago
Resolution: --- → INVALID
No longer blocks: gfx-triage
Group: gfx-core-security