
Issue 600977


Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Use-of-uninitialized-value in webrtc::RTCPReceiver::HandleRPSI

Project Member Reported by ClusterFuzz, Apr 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5982209189609472

Fuzzer: libfuzzer_rtcp_receiver_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  webrtc::RTCPReceiver::HandleRPSI
  webrtc::RTCPReceiver::IncomingRTCPPacket
  webrtc::FuzzOneInput
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=377571:377581

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97xHIgo3LT0Ow3fFWozsE0mLX_TkfJ_x8qRkbCM7iR5yQzb-uyy6oCJjR_JdkPGFwvaaR3bqph3nkGvrFQiy5bzjc1Zhtz1xMu0DggvRliHoZuWTvS7wl8sMeBwKz32kQTbWRLp7KBDqOcpAEvrJV-PN7uZew

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: niklase@chromium.org kcc@chromium.org mmoroz@chromium.org aizatsky@chromium.org
Components: Blink>WebRTC
Owner: pbos@chromium.org
Maybe the following CL introduced that: https://chromium.googlesource.com/external/webrtc/+/470e71d3649f6cac4688e83819640b012b5d38bb


Comment 2 by pbos@chromium.org, Apr 6 2016

Cc: pbos@chromium.org
Owner: danilchap@chromium.org
Status: Assigned (was: Available)
Danil can you take a look at this one? Let me know if you want help reproducing.
Comment 3 by ClusterFuzz (Project Member), Apr 14 2016

ClusterFuzz has detected this issue as fixed in range 386789:386895.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5982209189609472

Fuzzer: libfuzzer_rtcp_receiver_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  webrtc::RTCPReceiver::HandleRPSI
  webrtc::RTCPReceiver::IncomingRTCPPacket
  webrtc::FuzzOneInput
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=377571:377581
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=386789:386895

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97xHIgo3LT0Ow3fFWozsE0mLX_TkfJ_x8qRkbCM7iR5yQzb-uyy6oCJjR_JdkPGFwvaaR3bqph3nkGvrFQiy5bzjc1Zhtz1xMu0DggvRliHoZuWTvS7wl8sMeBwKz32kQTbWRLp7KBDqOcpAEvrJV-PN7uZew

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Fixed in webrtc with https://codereview.webrtc.org/1880443002
Rolled into chromium with https://codereview.chromium.org/1881223003
Comment 5 by ClusterFuzz (Project Member), Apr 14 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 6 by mmoroz@chromium.org, Apr 27 2016

Labels: -Security_Severity-Low Security_Severity-Medium
Comment 7 by ClusterFuzz (Project Member), Apr 27 2016

Labels: Merge-Triage M-51
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: Merge-Request-51
Requesting a merge of https://codereview.webrtc.org/1880443002 into M51

Justification:
a) ClusterFuzz confirms the issue is fixed (comment #3).
b) Has been in canary for two weeks.
c) The fix includes new unit tests.

Comment 9 by tin...@google.com, Apr 29 2016

Labels: -Merge-Request-51 Merge-Approved-51 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M51 (branch: 2704)
Please merge your change to M51 branch 2704 before 5:00 PM PST, Monday (05/02/16), so we can take it in for next week M51 beta release. Thank you.
Comment 11 by bugdroid1@chromium.org (Project Member), May 2 2016

Labels: merge-merged-51
The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d

commit c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d
Author: Danil Chapovalov <danilchap@webrtc.org>
Date: Mon May 02 10:28:52 2016

Fixed rtcp rpsi parsing of invalid packets.
Added packet type RpsiItem to distinguish parsed rpsi header and Rpsi body
  preventing handling two half-valid (header-only) rpsi packets as one valid,
  making test parser calculate rpsi packet once instead of twice.
Added check that padding bits don't exceed native bit string length.
Marking rpsi received moved after it is validated.

BUG= chromium:600977 
R=asapersson@webrtc.org, pbos@webrtc.org

Review URL: https://codereview.webrtc.org/1936443002 .

Cr-Commit-Position: refs/branch-heads/51@{#8}
Cr-Branched-From: 5045337133d1da4a657b99e0590eb401515163bd-refs/heads/master@{#12279}

[modify] https://crrev.com/c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d/webrtc/modules/rtp_rtcp/source/rtcp_receiver.cc
[modify] https://crrev.com/c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d/webrtc/modules/rtp_rtcp/source/rtcp_receiver_unittest.cc
[modify] https://crrev.com/c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d/webrtc/modules/rtp_rtcp/source/rtcp_sender_unittest.cc
[modify] https://crrev.com/c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d/webrtc/modules/rtp_rtcp/source/rtcp_utility.cc
[modify] https://crrev.com/c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d/webrtc/modules/rtp_rtcp/source/rtcp_utility.h
[modify] https://crrev.com/c7bb9e52402c1eeeadee0264c5c6b4a2e6fdb31d/webrtc/test/rtcp_packet_parser.cc

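The padding check and the header-only rejection that the commit message describes, as an added example that is not WebRTC's own code: a bounds-checked parser for the RPSI feedback control information (FCI) laid out in RFC 4585 section 6.3.3.2. It assumes the caller has already consumed the RTCP common header and the two SSRCs, and the 7-bits-per-byte picture id encoding in DecodePictureId is this example's assumption about the codec-specific bit string, not something the page states. The sample inputs are constructed, not captured traffic.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// One parsed RPSI item. Every field has a definite value even when parsing
// fails, so a caller that ignores the status never reads uninitialised memory.
struct RpsiItem {
  uint8_t payload_type = 0;
  size_t native_bit_count = 0;       // valid bits at the front of native_bits
  std::vector<uint8_t> native_bits;  // packed MSB-first; padding bits zeroed
};

enum class RpsiStatus { kOk, kTooShort, kBadLength, kReservedBitSet, kPaddingTooLarge };

struct RpsiParse {
  RpsiStatus status;
  RpsiItem item;
};

// Parse the FCI of a PSFB/RPSI packet (RFC 4585 section 6.3.3.2):
//   byte 0:   PB, number of padding bits at the end of the FCI
//   byte 1:   one reserved zero bit, then the 7-bit payload type
//   byte 2..: native RPSI bit string, padded to a 32-bit boundary
// The caller has already removed the RTCP common header and the two SSRCs
// (assumption of this example).
RpsiParse ParseRpsiFci(const std::vector<uint8_t>& fci) {
  RpsiParse r{RpsiStatus::kOk, RpsiItem{}};
  const size_t len = fci.size();
  // A complete item is at least one 32-bit word; a header-only (PB, PT)
  // fragment is rejected instead of being treated as a valid RPSI.
  if (len < 4) { r.status = RpsiStatus::kTooShort; return r; }
  if (len % 4 != 0) { r.status = RpsiStatus::kBadLength; return r; }
  const uint8_t padding_bits = fci[0];
  if (fci[1] & 0x80) { r.status = RpsiStatus::kReservedBitSet; return r; }
  const size_t payload_bits = (len - 2) * 8;
  // The check the fix adds: PB may not exceed the bits actually present.
  // Without it, payload_bits - padding_bits wraps to a huge length and the
  // consumer walks past the real data into whatever lies beyond the packet.
  if (padding_bits > payload_bits) { r.status = RpsiStatus::kPaddingTooLarge; return r; }
  r.item.payload_type = fci[1] & 0x7f;
  r.item.native_bit_count = payload_bits - padding_bits;
  r.item.native_bits.assign(fci.begin() + 2, fci.end());
  // Zero the padding bits so a consumer can never observe bytes the sender
  // was free to fill with anything (the RFC requires them to be zero).
  for (size_t bit = r.item.native_bit_count; bit < payload_bits; ++bit)
    r.item.native_bits[bit / 8] &= static_cast<uint8_t>(~(0x80u >> (bit % 8)));
  return r;
}

// Decode a picture id from the native bit string, assuming 7 payload bits per
// byte with the top bit reserved as a continuation flag (this example's
// assumption about the codec-specific encoding; check it against the sender
// in rtcp_sender.cc). Returns -1 for bit strings that are empty, not
// byte-aligned, or too long to fit in 63 bits.
int64_t DecodePictureId(const RpsiItem& item) {
  if (item.native_bit_count == 0 || item.native_bit_count % 8 != 0) return -1;
  const size_t bytes = item.native_bit_count / 8;
  if (bytes > 9) return -1;  // 9 * 7 = 63 bits
  uint64_t id = 0;
  for (size_t i = 0; i < bytes; ++i) id = (id << 7) | (item.native_bits[i] & 0x7f);
  return static_cast<int64_t>(id);
}

int main() {
  // Constructed inputs, not captured traffic.
  const std::vector<std::vector<uint8_t>> samples = {
      {0x08, 0x60, 0x05, 0x00},  // PB=8, PT=96, one-byte picture id 5
      {0x00, 0x60, 0x82, 0x2c},  // PB=0, two-byte picture id 300
      {0x20, 0x60, 0x00, 0x00},  // PB=32 but only 16 payload bits present
      {0x00, 0x60},              // header-only fragment
  };
  for (const auto& s : samples) {
    RpsiParse r = ParseRpsiFci(s);
    std::printf("status=%d bits=%zu picture_id=%lld\n", static_cast<int>(r.status),
                r.item.native_bit_count, static_cast<long long>(DecodePictureId(r.item)));
  }
  return 0;
}
```

The two properties worth keeping from the fix are visible in the status codes: a PB larger than the payload is refused before any length arithmetic is done on it, and a bare (PB, PT) header is never promoted to a valid item, so two such fragments cannot be stitched together into one.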
Comment 12 by sheriffbot@chromium.org (Project Member), May 2 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-51
Labels: -Merge-Triage
Comment 15 by sheriffbot@chromium.org (Project Member), Jul 21 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 16 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 17 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Comment 19 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: Pri-1
