
Issue metadata

Status: Fixed
Closed: Oct 2014
OS: All
Pri: 1
Type: Bug-Security
Labels: Nag




Heap-buffer-overflow in WebRtcIsacfix_Decode

Reported by ClusterFuzz (Project Member), Oct 16 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5702886720798720

Fuzzer: Phoglund_webrtc_peerconnection
Job Type: Android_asan_chrome

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x42ea3376
Crash State:
  WebRtcIsacfix_Decode
  webrtc::acm2::ACMISAC::Decode
  webrtc::NetEqImpl::DecodeLoop
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=android_asan_chrome&range=215316:215323

Minimized Testcase (25.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94nIXAyxtZDF34wPiR--20NXFesyTMDLeFYupQb3Eugijp44dL77stDe6CpEsto5_HiXbAV5kpT8LoYEanHzHuAcq_eHpjsX-TROx9xYBWQM4D2ndBeC3-lHbZLSwa7YnHL7d5nFb-Xs33yW1NxxSjOJLLgz5aJLhif99Ys_ugYoFM7Pu8

Additional requirements: Requires HTTP

Filer: inferno
 
Cc: phoglund@chromium.org
Owner: turajs@chromium.org
Status: Assigned (was: NULL)
This bug came back again? Did your fix get reverted?

Comment 2 by turajs@chromium.org, Oct 16 2014

This is not the same as the previous one. I added Karl as he recently worked on this part of the code. I could not find a problem at first glance. The line that it points to is a simple assignment within the range, unless I'm looking at a revision different from what the test executed. Patrik, how can I know which revision the test is running on?
It gives the revision info for the build where it crashed in the report.

Chromium: 299633
Clank: 6b520358bf4001cf0322f4d75472d80f2877cbc4
Comment 4 by ClusterFuzz (Project Member), Oct 16 2014

Labels: Pri-1
Comment 5 by ClusterFuzz (Project Member), Oct 19 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6077870064533504

Fuzzer: Phoglund_webrtc_peerconnection
Job Type: Android_asan_chrome

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x42eaba30
Crash State:
  WebRtcIsacfix_Decode
  webrtc::acm2::ACMISAC::Decode
  webrtc::NetEqImpl::DecodeLoop
  

Minimized Testcase (28.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94udZwqW_4LX6PtHht5VjiZ7wYsURXtwC9FbA1S_a3izQK6pkIcjOLOgXzMpxo-mm4CuRNHtzsJMlH3DIK_Q6ALfN0vx4G9LEJiKK09rOWf7kN4QDJqU1CCKCSgjZgSjhgJkcTzIEVc4DSENUXUvSK6B0tjxbsU64AvApdSahMT-Izuwqk

Additional requirements: Requires HTTP

Filer: inferno
Labels: M-39

Comment 7 by turajs@chromium.org, Oct 21 2014

Cc: kwiberg@chromium.org
I suppose this should be resolved when Karl commits this: https://webrtc-codereview.appspot.com/28569004/

Karl, would you please take a look? I suppose the problem is that an odd number of bytes is cast to uint16_t and we access the last word. Although we do not read the last two bytes (last in network order), we are accessing a word with its MSB byte (in little-endian architecture) outside the allocated memory. If my interpretation is correct, the above CL should resolve it. Please let me know what you think.
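The odd-length cast described in this comment, as an added illustration in C that is not code from the WebRTC project: a word-at-a-time view of a 5-byte buffer spans 3 words, so the last 16-bit load reaches one byte past the allocation, and two defensive alternatives avoid that (reading bytes individually with zero padding, or copying into a word-sized buffer before calling an API that takes uint16_t*). The function names and the payload bytes are constructed for this example, not taken from the decoder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Words a word-at-a-time reader touches; an odd tail byte still costs a full load. */
size_t words_spanned(size_t len) { return (len + 1) / 2; }

/* True when a uint16_t view of a len-byte heap buffer loads one byte past it (comment 7). */
int word_view_overreads(size_t len) { return (len % 2) == 1; }

/* Mitigation 1: fetch word i big-endian from the bytes, zero-padding an odd tail.
 * Returns -1 when word i lies entirely outside the payload. */
int read_word_be(const uint8_t *buf, size_t len, size_t i, uint16_t *out) {
    size_t pos = i * 2;
    if (buf == NULL || out == NULL || pos >= len) return -1;
    uint16_t hi = buf[pos];
    uint16_t lo = (pos + 1 < len) ? buf[pos + 1] : 0;  /* odd tail: pad low byte */
    *out = (uint16_t)((hi << 8) | lo);
    return 0;
}

/* Mitigation 2: a legacy uint16_t* API gets a copy sized to whole words, so the
 * final word load stays in bounds. Caller frees; *nwords gets the word count. */
uint16_t *copy_to_word_buffer(const uint8_t *buf, size_t len, size_t *nwords) {
    size_t n = words_spanned(len);
    uint16_t *words = calloc(n ? n : 1, sizeof *words);  /* pad byte reads as 0 */
    if (words == NULL) return NULL;
    memcpy(words, buf, len);
    *nwords = n;
    return words;
}

/* Constructed 5-byte payload (not a real iSAC frame): odd length, like the
 * minimized testcases attached to this issue. demo() returns 1 when both paths behave. */
static const uint8_t kOddPayload[5] = {0xAB, 0xCD, 0x12, 0x34, 0x56};

int demo(void) {
    uint16_t w; size_t n;
    if (read_word_be(kOddPayload, 5, 2, &w) != 0 || w != 0x5600) return 0;
    if (read_word_be(kOddPayload, 5, 3, &w) == 0) return 0;   /* past the end */
    uint16_t *copy = copy_to_word_buffer(kOddPayload, 5, &n);
    if (copy == NULL) return 0;
    const uint8_t *bytes = (const uint8_t *)copy;
    int ok = (n == 3) && bytes[4] == 0x56 && bytes[5] == 0x00;
    free(copy);
    return ok;
}
```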

Comment 8 by ClusterFuzz (Project Member), Oct 24 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4593262223425536

Fuzzer: Phoglund_webrtc_peerconnection
Job Type: Android_asan_chrome

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x4315bbc6
Crash State:
  WebRtcIsacfix_Decode
  webrtc::acm2::ACMISAC::Decode
  webrtc::NetEqImpl::DecodeLoop
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=android_asan_chrome&range=216490:216583

Minimized Testcase (28.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv968JVPA1flAUn-EsX5eyHXqRdxUUTF6CNE8mhFovf4EiroPxDWCBKjD1HozUP_Is5htW6Hl0oJYbSxoivhC3F3JOhJlRsMawcp-g6458PbpphHXuxIRhKfsvw-bBAgNyASaCTRAcUKVruu3NHWqxCC3MxeQkJ8aI65Ni0vfcalnJA3Gn_s

Additional requirements: Requires HTTP

Filer: inferno
I think you may be right---that CL fixes a problem that's probably the same as this one. I'm getting ready to commit it now, so we'll see...
Comment 10 by ClusterFuzz (Project Member), Oct 29 2014

Labels: Nag
turajs@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Comment 11 by ClusterFuzz (Project Member), Oct 29 2014

ClusterFuzz has detected this issue as fixed in range 239982:240018.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4593262223425536

Fuzzer: Phoglund_webrtc_peerconnection
Job Type: Android_asan_chrome

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x4315bbc6
Crash State:
  WebRtcIsacfix_Decode
  webrtc::acm2::ACMISAC::Decode
  webrtc::NetEqImpl::DecodeLoop
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=android_asan_chrome&range=216490:216583
Fixed: https://cluster-fuzz.appspot.com/revisions?job=android_asan_chrome&range=239982:240018

Minimized Testcase (28.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv968JVPA1flAUn-EsX5eyHXqRdxUUTF6CNE8mhFovf4EiroPxDWCBKjD1HozUP_Is5htW6Hl0oJYbSxoivhC3F3JOhJlRsMawcp-g6458PbpphHXuxIRhKfsvw-bBAgNyASaCTRAcUKVruu3NHWqxCC3MxeQkJ8aI65Ni0vfcalnJA3Gn_s

Additional requirements: Requires HTTP

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Status: Fixed (was: NULL)
Fixed by the c#7 CL and WebRTC 4415bacc16e429ee132e9759ba6880043b61cbdd:4f2aa0829e4e69972202efb7de2f53cc8858e2c9
Comment 13 by ClusterFuzz (Project Member), Oct 29 2014

Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: Release-0-M39
Labels: -Merge-Triage
Comment 16 by ClusterFuzz (Project Member), Feb 4 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Comment 17 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 18 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
