anansi2safe/CVE-2026-3909-PoC

GitHub: anansi2safe/CVE-2026-3909-PoC

This is proof-of-concept code for CVE-2026-3909 in the Chromium browser; it provides specific patches and a test page that trigger an out-of-bounds access crash in a real environment.

Stars: 1 | Forks: 0

# CVE-2026-3909 Chromium Browser PoC

This repository contains a proof of concept for **CVE-2026-3909** that can be triggered reliably in the Chromium browser.

## Background

The official Skia fix for this vulnerability includes only a simplified demonstration test case:

- **Official demo**: [AtlasOobTest.cpp](https://skia-review.googlesource.com/c/skia/+/1184076/6/tests/AtlasOobTest.cpp)

It cannot run in a real Chromium environment. The official demo is deliberately restricted and omits the key triggering conditions.

This PoC builds on the official demo and has been modified so that the vulnerability triggers reliably in a real Chromium browser environment.

## Included patches

This PoC includes modifications to the following files:

### 1. `raster_implementation.cc.patch`

**Path:** /src/gpu/command_buffer/client/raster_implementation.cc

### 2. `SkChromeRemoteGlyphCache.cpp.patch`

**Path:** /src/third_party/skia/src/text/gpu/SkChromeRemoteGlyphCache.cpp

### 3. Other

In addition to these two existing patch files, you can also add debug code inside the `DrawAtlas::hasID()` function. This lets you analyze and observe why the abort is triggered.

```
bool hasID(const skgpu::PlotLocator& plotLocator) {
    if (!plotLocator.isValid()) {
        return false;
    }
    uint32_t plot = plotLocator.plotIndex();
    uint32_t page = plotLocator.pageIndex();

    // patch code: print the plot index next to the atlas plot count
    printf("[*] POC plot idx: %x fNumPlots: %x\n", plot, fNumPlots);

    // origin code: fPlotArray[plot] is indexed before plot/page are range-checked
    uint64_t plotGeneration = fPages[page].fPlotArray[plot]->genID();
    uint64_t locatorGeneration = plotLocator.genID();
    return plot < fNumPlots && page < fNumActivePages &&
           plotGeneration == locatorGeneration;
}
```

Output:

```
[*] POC plot idx: 1f fNumPlots: 10
```

## Git log

```
commit e00a64ead1abef9447943efede7bc26362ac3797 (HEAD -> 146.0.7680.71, tag: 146.0.7680.71)
Author: Roger McFarlane
Date:   Mon Mar 9 12:52:01 2026 -0700

    [M146-desktop-respin] Make LimitedLayerEntropyCostTracker time-aware.

    This change modifies the LimitedLayerEntropyCostTracker to account for the
    entropy cost of studies that are active at a specific evaluation time. The
    evaluation time is passed to the tracker's constructor and is used to check
    against the study's filter dates and Google web visibility dates. The
    current time for entropy evaluation is sourced from VariationsIdsProvider.

    (cherry picked from commit 2ec2c50b47686def251947a2675a207863803cac)

    Bug: 490248046, 490432663
    Change-Id: I3174730f35b037d533bf10b2b1d0531e3781acfe
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7639358
    Reviewed-by: Alexei Svitkine
    Commit-Queue: Alexei Svitkine
    Cr-Original-Commit-Position: refs/heads/main@{#1595543}
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7637760
    Bot-Commit: Rubber Stamper
    Cr-Commit-Position: refs/branch-heads/7680_65@{#23}
    Cr-Branched-From: efe36a9d42443b4091a5be1be21e93ceff9b7a5e-refs/branch-heads/7680@{#1898}
    Cr-Branched-From: 76b7d80e5cda23fe6537eed26d68c92e995c7f39-refs/heads/main@{#1582197}
```

## Build arguments

```
# Set build arguments here. See `gn help buildargs`.
is_official_build = false
is_debug = true
symbol_level = 2
v8_symbol_level = 2
blink_symbol_level = 2
is_component_build = false
proprietary_codecs = true
ffmpeg_branding = "Chrome"
v8_enable_sandbox = true
dcheck_always_on = true
optimize_webui = true
target_os = "linux"
target_cpu = "x64"
```

## Usage

1. Apply the two patch files to a vulnerable Chromium version.
2. Open the browser: `chrome /trigger.html`

## Abort

```
gen/third_party/libc++/src/include/__memory/unique_ptr.h:578: libc++ Hardening assertion __checker_.__in_bounds(std::__to_address(__ptr_), __i) failed: unique_ptr::operator[](index): index out of range
Received signal 6
#0 0x5ee6abc4b669 base::debug::CollectStackTrace() [../../base/debug/stack_trace_posix.cc:1048:7]
#1 0x5ee6abc1674a base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:280:20]
#2 0x5ee6abc166b5 base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:275:28]
#3 0x5ee6abc4aed9 base::debug::(anonymous namespace)::StackDumpSignalHandler() [../../base/debug/stack_trace_posix.cc:483:3]
#4 0x79f1d4a45330 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x4532f)
#5 0x79f1d4a9eb2c pthread_kill
#6 0x79f1d4a4527e gsignal
#7 0x79f1d4a288ff abort
#8 0x5ee6c330842e std::__Cr::__libcpp_verbose_abort()
#9 0x5ee69655008d std::__Cr::unique_ptr<>::operator[]() [gen/third_party/libc++/src/include/__memory/unique_ptr.h:577:5]
#10 0x5ee6ad4ed963 GrDrawOpAtlas::hasID() [../../third_party/skia/src/gpu/ganesh/GrDrawOpAtlas.h:130:35]
#11 0x5ee6ad577e0b GrAtlasManager::hasGlyph() [../../third_party/skia/src/gpu/ganesh/text/GrAtlasManager.cpp:54:36] // Abort in here
#12 0x5ee6ad5790b7 sktext::gpu::GlyphVector::regenerateAtlasForGanesh() [../../third_party/skia/src/gpu/ganesh/text/GrAtlasManager.cpp:320:32]
#13 0x5ee6ad48060e skgpu::ganesh::AtlasTextOp::onPrepareDraws()::$_0::operator()() [../../third_party/skia/src/gpu/ganesh/ops/AtlasTextOp.cpp:532:28]
#14 0x5ee6ad4805ba std::__Cr::__invoke<>() [gen/third_party/libc++/src/include/__type_traits/invoke.h:90:27]
#15 0x5ee6ad48055d std::__Cr::__invoke_void_return_wrapper<>::__call<>() [gen/third_party/libc++/src/include/__type_traits/invoke.h:342:12]
#16 0x5ee6ad48050d std::__Cr::__invoke_r<>() [gen/third_party/libc++/src/include/__type_traits/invoke.h:356:10]
#17 0x5ee6ad4804a3 std::__Cr::__function::__policy_func<>::__call_func<>() [gen/third_party/libc++/src/include/__functional/function.h:443:12]
#18 0x5ee6ad5ddc1b std::__Cr::__function::__policy_func<>::operator()() [gen/third_party/libc++/src/include/__functional/function.h:502:12]
#19 0x5ee6ad5ddbbb std::__Cr::function<>::operator()() [gen/third_party/libc++/src/include/__functional/function.h:754:10]
#20 0x5ee6ad5d6c08 (anonymous namespace)::DirectMaskSubRun::regenerateAtlas() [../../third_party/skia/src/text/gpu/SubRunContainer.cpp:672:16]
#21 0x5ee6ad47f60d skgpu::ganesh::AtlasTextOp::onPrepareDraws() [../../third_party/skia/src/gpu/ganesh/ops/AtlasTextOp.cpp:538:50]
#22 0x5ee6ad4b6129 GrMeshDrawOp::onPrepare() [../../third_party/skia/src/gpu/ganesh/ops/GrMeshDrawOp.cpp:27:61]
#23 0x5ee6ad4b7234 GrOp::prepare() [../../third_party/skia/src/gpu/ganesh/ops/GrOp.cpp:59:11]
#24 0x5ee6ad4d43a3 skgpu::ganesh::OpsTask::onPrepare() [../../third_party/skia/src/gpu/ganesh/ops/OpsTask.cpp:548:27]
#25 0x5ee6ad37e5dd GrRenderTask::prepare() [../../third_party/skia/src/gpu/ganesh/GrRenderTask.cpp:111:11]
#26 0x5ee6ad320e43 GrDrawingManager::executeRenderTasks() [../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:266:21]
#27 0x5ee6ad31fca0 GrDrawingManager::flush() [../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:209:34]
#28 0x5ee6ad3217f7 GrDrawingManager::flushSurfaces() [../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:540:27]
#29 0x5ee6ad31c252 GrDirectContextPriv::flushSurfaces() [../../third_party/skia/src/gpu/ganesh/GrDirectContextPriv.cpp:92:47]
#30 0x5ee6ad2da828 GrDirectContextPriv::flushSurface() [../../third_party/skia/src/gpu/ganesh/GrDirectContextPriv.h:106:22]
#31 0x5ee6ad2d5d2b GrDirectContext::flush() [../../third_party/skia/src/gpu/ganesh/GrDirectContext.cpp:520:25]
#32 0x5ee6ad52d6be skgpu::ganesh::Flush() [../../third_party/skia/src/gpu/ganesh/surface/SkSurface_Ganesh.cpp:759:45]
#33 0x5ee6b2de1d86 gpu::SharedContextState::FlushWriteAccess() [../../gpu/command_buffer/service/shared_context_state.cc:899:9]
#34 0x5ee6b2fc974d gpu::raster::RasterDecoderImpl::DoEndRasterCHROMIUM() [../../gpu/command_buffer/service/raster_decoder.cc:3108:30]
#35 0x5ee6b2fc720c gpu::raster::RasterDecoderImpl::HandleEndRasterCHROMIUM() [../../gpu/command_buffer/service/raster_decoder_autogen.h:151:3]
#36 0x5ee6b2fdbda0 gpu::raster::RasterDecoderImpl::DoCommandsImpl<>() [../../gpu/command_buffer/service/raster_decoder.cc:1535:18]
#37 0x5ee6b2fcb03e gpu::raster::RasterDecoderImpl::DoCommands() [../../gpu/command_buffer/service/raster_decoder.cc:1597:12]
#38 0x5ee69ff67c00 gpu::CommandBufferService::Flush() [../../gpu/command_buffer/service/command_buffer_service.cc:267:35]
#39 0x5ee6b294071f gpu::CommandBufferStub::OnAsyncFlush() [../../gpu/ipc/service/command_buffer_stub.cc:504:22]
#40 0x5ee6b29401ed gpu::CommandBufferStub::ExecuteDeferredRequest() [../../gpu/ipc/service/command_buffer_stub.cc:173:7]
#41 0x5ee6b295fe51 gpu::GpuChannel::ExecuteDeferredRequest() [../../gpu/ipc/service/gpu_channel.cc:833:13]
#42 0x5ee6b296c5a0 base::internal::DecayedFunctorTraits<>::Invoke<>() [../../base/functional/bind_internal.h:740:12]
#43 0x5ee6b296c4cf base::internal::InvokeHelper<>::MakeItSo<>() [../../base/functional/bind_internal.h:956:5]
#44 0x5ee6b296c425 base::internal::Invoker<>::RunImpl<>() [../../base/functional/bind_internal.h:1069:14]
#45 0x5ee6b296c361 base::internal::Invoker<>::RunOnce() [../../base/functional/bind_internal.h:982:12]
#46 0x5ee69ffa4e24 base::OnceCallback<>::Run() [../../base/functional/callback.h:155:12]
#47 0x5ee69ffa4cb5 base::internal::DecayedFunctorTraits<>::Invoke<>() [../../base/functional/bind_internal.h:815:49]
#48 0x5ee69ffa4c4f base::internal::InvokeHelper<>::MakeItSo<>() [../../base/functional/bind_internal.h:932:12]
#49 0x5ee69ffa4bfd base::internal::Invoker<>::RunImpl<>() [../../base/functional/bind_internal.h:1069:14]
#50 0x5ee69ffa4b99 base::internal::Invoker<>::RunOnce() [../../base/functional/bind_internal.h:982:12]
#51 0x5ee695d021ec base::OnceCallback<>::Run() [../../base/functional/callback.h:155:12]
#52 0x5ee69ff767e0 gpu::Scheduler::ExecuteSequence() [../../gpu/command_buffer/service/scheduler.cc:707:29]
#53 0x5ee69ff7540b gpu::Scheduler::RunNextTask() [../../gpu/command_buffer/service/scheduler.cc:625:3]
#54 0x5ee69ff7b253 base::internal::DecayedFunctorTraits<>::Invoke<>() [../../base/functional/bind_internal.h:740:12]
#55 0x5ee69ff7b1d1 base::internal::InvokeHelper<>::MakeItSo<>() [../../base/functional/bind_internal.h:932:12]
#56 0x5ee69ff7b15d base::internal::Invoker<>::RunImpl<>() [../../base/functional/bind_internal.h:1069:14]
#57 0x5ee69ff7b0e9 base::internal::Invoker<>::RunOnce() [../../base/functional/bind_internal.h:982:12]
#58 0x5ee695d021ec base::OnceCallback<>::Run() [../../base/functional/callback.h:155:12]
#59 0x5ee6abab2eee base::TaskAnnotator::RunTaskImpl() [../../base/task/common/task_annotator.cc:229:34]
#60 0x5ee6abb214c8 base::TaskAnnotator::RunTask<>() [../../base/task/common/task_annotator.h:112:5]
#61 0x5ee6abb20f5e base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl() [../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:472:23]
#62 0x5ee6abb205ca base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() [../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:346:40]
#63 0x5ee6abb21193 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork()
#64 0x5ee6ab98e268 base::MessagePumpDefault::Run() [../../base/message_loop/message_pump_default.cc:42:55]
#65 0x5ee6abb21b67 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run() [../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:647:12]
#66 0x5ee6aba4a7bb base::RunLoop::Run() [../../base/run_loop.cc:135:14]
#67 0x5ee6b4863046 content::GpuMain() [../../content/gpu/gpu_main.cc:479:14]
#68 0x5ee6a828dff7 content::RunZygote() [../../content/app/content_main_runner_impl.cc:664:14]
#69 0x5ee6a828e879 content::RunOtherNamedProcessTypeMain() [../../content/app/content_main_runner_impl.cc:771:12]
#70 0x5ee6a828fe8b content::ContentMainRunnerImpl::Run() [../../content/app/content_main_runner_impl.cc:1147:10]
#71 0x5ee6a828c1d7 content::RunContentProcess() [../../content/app/content_main.cc:358:36]
#72 0x5ee6a828c6e6 content::ContentMain() [../../content/app/content_main.cc:371:10]
#73 0x5ee69540c460 ChromeMain [../../chrome/app/chrome_main.cc:191:12]
#74 0x5ee69540c112 main
#75 0x79f1d4a2a1ca (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#76 0x79f1d4a2a28b __libc_start_main
#77 0x5ee69540c02a _start
  r8: 000000000000005d  r9: 0000000000000000 r10: 0000000000000008 r11: 0000000000000246
 r12: 0000000000000006 r13: 0000000000000000 r14: 0000000000000016 r15: 000079f1d5aa2000
  di: 0000000000177a3a  si: 0000000000177a3a  bp: 00007ffc58951cb0  bx: 0000000000177a3a
  dx: 0000000000000006  ax: 0000000000000000  cx: 000079f1d4a9eb2c  sp: 00007ffc58951c70
  ip: 000079f1d4a9eb2c efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
```

## Approach for stable builds

On stable Chromium builds, applying the patches directly may not be feasible or desirable. Instead, you can rewrite the patch logic as hook functions that intercept and modify the relevant handler functions at runtime.
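The abort above is the libc++ hardening check firing because `hasID()` indexes `fPlotArray[plot]` (plot index 0x1f) before comparing against `fNumPlots` (0x10). As an added illustration that is not code from this repository or from Skia's fix, the following constructed stand-in for the atlas types shows the defensive ordering: validate `page` and `plot` against the atlas limits first, and only then touch the plot array. The type and field names mirror the snippet but are simplified assumptions, not Skia's implementation.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Constructed stand-ins for the Skia types used by hasID(); names mirror the
// snippet above but this is a simplified model, not Skia's implementation.
struct PlotLocator {
    bool valid; uint32_t plot; uint32_t page; uint64_t gen;
    bool isValid() const { return valid; }
    uint32_t plotIndex() const { return plot; }
    uint32_t pageIndex() const { return page; }
    uint64_t genID() const { return gen; }
};
struct Plot { uint64_t fGenID; uint64_t genID() const { return fGenID; } };
struct Page { std::unique_ptr<Plot[]> fPlotArray; };

class DrawAtlas {
public:
    // Every active page gets fNumPlots plots, all stamped with generation `gen`.
    DrawAtlas(uint32_t numPlots, uint32_t numActivePages, uint64_t gen)
        : fNumPlots(numPlots), fNumActivePages(numActivePages) {
        for (uint32_t p = 0; p < numActivePages; ++p) {
            Page page;
            page.fPlotArray = std::make_unique<Plot[]>(numPlots);
            for (uint32_t i = 0; i < numPlots; ++i) page.fPlotArray[i].fGenID = gen;
            fPages.push_back(std::move(page));
        }
    }

    // Hardened ordering: reject out-of-range page/plot indices BEFORE touching
    // fPages[page].fPlotArray[plot]. The snippet above dereferences first and
    // only afterwards evaluates plot < fNumPlots, which is exactly what the
    // libc++ "unique_ptr::operator[](index): index out of range" abort reports.
    bool hasID(const PlotLocator& loc) const {
        if (!loc.isValid()) return false;
        uint32_t plot = loc.plotIndex();
        uint32_t page = loc.pageIndex();
        if (page >= fNumActivePages || plot >= fNumPlots) return false;
        return fPages[page].fPlotArray[plot].genID() == loc.genID();
    }

private:
    uint32_t fNumPlots;
    uint32_t fNumActivePages;
    std::vector<Page> fPages;
};
```

With `fNumPlots = 0x10`, a locator carrying plot index 0x1f (the values printed by the debug patch) is rejected without any array access.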
Tags: Chromium, CVE-2026-3909, Exploit, GPU, Out of Bounds, PoC, RCE, Skia, backend development, graphics rendering, brute force, browser vulnerability, source code analysis, vulnerability reproduction, programming tools, patch analysis, out-of-bounds read, remote code execution