
Issue 617124 link


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security




Use-of-uninitialized-value in WebRtcSpl_CountLeadingZeros32

Reported by ClusterFuzz, Jun 3 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6503936764936192

Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  WebRtcSpl_CountLeadingZeros32
  WebRtcSpl_GetSizeInBits
  WebRtcIlbcfix_EnhancerInterface
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97S1CG6u00qVaGUMt1GsRGwEmiIwv7zAhWPo0Vx_3L8l5xzI7V0eakzHhx6wDxkRVXJVhxv6O8S-tYlRjBy5ymS-mgqlrIUkzArWBT_8lB17ig7XURkCbiICYC_ivN-UT-dMmYX3PtQEpsS2K-eyrnkK7UOrQ

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Blink>WebRTC>Audio
Labels: Pri-2
Owner: pbos@chromium.org

Comment 2 by sheriffbot@chromium.org, Jun 3 2016

Labels: -Pri-2 Pri-1

Comment 3 by pbos@chromium.org, Jun 3 2016

Cc: pbos@chromium.org hlundin@chromium.org
Owner: kwiberg@chromium.org
Status: Assigned (was: Available)

Comment 4 by f...@chromium.org, Jun 3 2016

Labels: M-51

Comment 5 by sheriffbot@chromium.org, Jun 17 2016

kwiberg: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by ClusterFuzz, Jun 28 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5286601148334080

Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  WebRtcSpl_CountLeadingZeros32
  WebRtcSpl_GetSizeInBits
  WebRtcIlbcfix_EnhancerInterface
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96LHHQUvc976QhJ817CTxfGf6I6niR8NbxvOEY7lLO76XQCJReescGk9VsScj7OQ6qByyfNaxpr1Wl57XzCqVZKP07IEaPCwih0x461ovZ7QTvH-ZBQV2gPFRx66aOQODpM86m87WCGwYOFjPr3jzG-45lDaw?testcase_id=5286601148334080

Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Labels: -Pri-1 -Security_Impact-Stable -Security_Severity-Medium Security_Impact-None Security_Severity-Low Pri-2
Lowering the priority on this, since iLBC is not included in the Chromium build (only in the fuzzer binary).

Comment 8 by ClusterFuzz, Jul 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5000365674332160

Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  WebRtcSpl_CountLeadingZeros32
  WebRtcSpl_GetSizeInBits
  WebRtcIlbcfix_EnhancerInterface
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=397381:397497

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96GBAba7gmRpCRgYfRpY_EW5nRjhQtXabLID_zdwRsrbVj8nE6Q-O9iC43SRQ4JxzwOWkSQpUAUy-djPLDCwnDzoCJ0rGCKUvoGufcJ-1JJr8g5mHJLDtVUuydvjI1a_6OG9QOUX8iLVMNUTud4bkWxvCMn1w?testcase_id=5000365674332160

Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Status: Started (was: Assigned)
I've found the bug, or at least tracked it closer to its lair. In WebRtcIlbcfix_GetCbVec, near the end (https://cs.chromium.org/chromium/src/third_party/webrtc/modules/audio_coding/codecs/ilbc/get_cd_vec.c?rcl=1471447605&l=96), there's first a call to WebRtcSpl_FilterMAFastQ12 which writes to the first cbveclen + 5 elements of the previously uninitialized stack array tempbuff2, followed by a call to WebRtcIlbcfix_CreateAugmentedVec which reads all SUBL + 5 elements of tempbuff2.

In our unit tests, cbveclen is always equal to SUBL when we execute this code, but in this fuzzer run, cbveclen is 18 and SUBL is 40. So we read uninitialized memory from tempbuff2, and crash a while later when the outcome of a branch depends on the contents of that memory.

I haven't tracked down why cbveclen == SUBL in the unit tests but not in this fuzzer run, so I don't yet know what the actual problem is.
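The write-short / read-long pattern this comment describes, as an added C model that is not WebRTC's code: a filter stage writes `cbveclen + 5` elements of a stack buffer sized `SUBL + 5`, and the next stage reads all `SUBL + 5`. SUBL = 40, cbveclen = 18 and the "+ 5" overhang are the figures quoted above; every `model_*` and `demo_*` name, the `model_decoder` struct, the sentinel used in place of genuinely uninitialised memory, and the `cbveclen == SUBL` acceptance condition are assumptions made for illustration, not the project's actual fix.

```c
/* Added example, not WebRTC code. Models the tail of GetCbVec as described
 * in the bug comment; all model_* / demo_* names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUBL 40             /* sub-block length quoted in the bug comment */
#define OVERHANG 5          /* the "+ 5" in cbveclen + 5 and SUBL + 5 */
#define UNWRITTEN 0x7FFF    /* sentinel standing in for "never initialised" */

/* Stand-in for WebRtcSpl_FilterMAFastQ12: a 5-tap moving average that
 * writes exactly out_len outputs and nothing beyond them. */
static void model_filter_ma(const int16_t *in, size_t in_len,
                            int16_t *out, size_t out_len) {
    for (size_t i = 0; i < out_len; i++) {
        int32_t acc = 0;
        for (size_t k = 0; k < OVERHANG; k++)
            if (i >= k && i - k < in_len) acc += in[i - k];
        out[i] = (int16_t)(acc / OVERHANG);
    }
}

/* Stand-in for WebRtcIlbcfix_CreateAugmentedVec: unconditionally consumes
 * SUBL + OVERHANG elements. Returns how many still hold the sentinel,
 * i.e. were never written by the filter stage. */
static size_t model_create_augmented(const int16_t *tempbuff2, int16_t *out) {
    size_t unwritten = 0;
    for (size_t i = 0; i < SUBL + OVERHANG; i++) {
        if (tempbuff2[i] == UNWRITTEN) unwritten++;
        out[i] = tempbuff2[i];
    }
    return unwritten;
}

/* Original shape: filter writes cbveclen + 5, augmented step reads SUBL + 5.
 * In the real code tempbuff2 is uninitialised stack memory; here it is
 * pre-filled with the sentinel so the example stays defined behaviour and
 * we can count what MSan would flag. Caller keeps cbveclen <= SUBL. */
size_t model_get_cb_vec_unchecked(const int16_t *cbvec, size_t cbveclen) {
    int16_t tempbuff2[SUBL + OVERHANG];
    int16_t augmented[SUBL + OVERHANG];
    for (size_t i = 0; i < SUBL + OVERHANG; i++) tempbuff2[i] = UNWRITTEN;
    model_filter_ma(cbvec, cbveclen, tempbuff2, cbveclen + OVERHANG);
    return model_create_augmented(tempbuff2, augmented);
}

/* Minimal decoder state so "detect an unreasonable state and reset the
 * decoder" (the fix commit's description) can be modelled. */
typedef struct {
    int16_t cbvec[SUBL];    /* codebook vector for the current sub-block */
    size_t cbveclen;        /* length derived from the decoded stream */
    unsigned resets;        /* how often decoding bailed out and reset */
} model_decoder;

static void model_decoder_reset(model_decoder *d) {
    memset(d->cbvec, 0, sizeof d->cbvec);
    d->cbveclen = 0;
}

/* Hardened shape: refuse the augmented-vector step unless the filter stage
 * will have written every element it reads (assumed condition). */
bool model_get_cb_vec_checked(const model_decoder *d, size_t *unwritten) {
    if (d->cbveclen != SUBL) return false;          /* unreasonable state */
    *unwritten = model_get_cb_vec_unchecked(d->cbvec, d->cbveclen);
    return true;
}

/* Caller: on a bad stream, reset the decoder instead of continuing. */
bool model_decode_subblock(model_decoder *d) {
    size_t unwritten;
    if (!model_get_cb_vec_checked(d, &unwritten)) {
        model_decoder_reset(d);
        d->resets++;
        return false;
    }
    return unwritten == 0;
}

/* Demo helpers over constructed input: a ramp of small samples. */
static void fill_sample(int16_t *cbvec) {
    for (size_t i = 0; i < SUBL; i++) cbvec[i] = (int16_t)(i * 100);
}

size_t demo_unwritten(size_t cbveclen) {
    int16_t cbvec[SUBL];
    fill_sample(cbvec);
    return model_get_cb_vec_unchecked(cbvec, cbveclen);
}

bool demo_decode_ok(size_t cbveclen) {
    model_decoder d = {0};
    fill_sample(d.cbvec);
    d.cbveclen = cbveclen;
    return model_decode_subblock(&d);
}

int main(void) {
    printf("cbveclen=%d: %zu of %d elements read unwritten\n",
           SUBL, demo_unwritten(SUBL), SUBL + OVERHANG);
    printf("cbveclen=18: %zu of %d elements read unwritten\n",
           demo_unwritten(18), SUBL + OVERHANG);
    printf("checked decode with cbveclen=18: %s\n",
           demo_decode_ok(18) ? "ok" : "rejected, decoder reset");
    return 0;
}
```

With cbveclen = 18 the unchecked path consumes 22 elements the filter never touched, which is exactly the condition MSan reports once a later branch depends on them. The checked path returns an error to the caller, which resets the decoder state rather than carrying garbage into the enhancer; build the real thing with `-fsanitize=memory` and the uninitialised read, not the sentinel count, is what you will see.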

Comment 10 by bugdroid1@chromium.org, Aug 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/2e486462e0f79a1ba436fa23495a9ac992fa4d53

commit 2e486462e0f79a1ba436fa23495a9ac992fa4d53
Author: kwiberg <kwiberg@webrtc.org>
Date: Tue Aug 23 12:54:25 2016

RTC_CHECK and RTC_DCHECK macros for C

So that we don't have to use assert(). Includes one sample call site.

NOTRY=true
BUG= chromium:617124 

Review-Url: https://codereview.webrtc.org/2262173002
Cr-Commit-Position: refs/heads/master@{#13862}

[modify] https://crrev.com/2e486462e0f79a1ba436fa23495a9ac992fa4d53/webrtc/base/checks.cc
[modify] https://crrev.com/2e486462e0f79a1ba436fa23495a9ac992fa4d53/webrtc/base/checks.h
[modify] https://crrev.com/2e486462e0f79a1ba436fa23495a9ac992fa4d53/webrtc/modules/audio_coding/codecs/opus/opus_interface.c


Comment 11 by bugdroid1@chromium.org, Aug 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/619a211562eeb43fdbed4085465a0ec36a08f221

commit 619a211562eeb43fdbed4085465a0ec36a08f221
Author: kwiberg <kwiberg@webrtc.org>
Date: Wed Aug 24 09:46:44 2016

iLBC: Handle a case of bad input data

We detect an unreasonable state (caused by a bad encoded stream)
before it can lead to problems, and handle it by resetting the
decoder.

NOPRESUBMIT=true
BUG= chromium:617124 

Review-Url: https://codereview.webrtc.org/2255203002
Cr-Commit-Position: refs/heads/master@{#13888}

[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/BUILD.gn
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/BUILD.gn
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/cb_construct.c
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/cb_construct.h
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/decode.c
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/decode.h
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/decode_residual.c
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/decode_residual.h
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/encode.c
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/get_cd_vec.c
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/get_cd_vec.h
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/ilbc.c
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/ilbc.gypi
[add] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/ilbc_unittest.cc
[add] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/audio_coding/codecs/ilbc/test/empty.cc
[modify] https://crrev.com/619a211562eeb43fdbed4085465a0ec36a08f221/webrtc/modules/modules.gyp

Status: Fixed (was: Started)
The CL referenced in comment 11 should fix the bug.

Comment 13 by sheriffbot@chromium.org, Aug 24 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by ClusterFuzz, Sep 1 2016

ClusterFuzz has detected this issue as fixed in range 415222:415266.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6503936764936192

Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  WebRtcSpl_CountLeadingZeros32
  WebRtcSpl_GetSizeInBits
  WebRtcIlbcfix_EnhancerInterface
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=397381:397497
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=415222:415266

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96otWjD-I6z6ux-djVpeW6G4X-ejDAbiRjC2hiGX9JGY26n7_m-i80zMc3ZcGzclmCd1n2TXoEoX3IyuwN4EgkG2oJT1Q_1mWOtiABHfwuqQjZtM10N96xGvG5acMstNZ9pd4nUv1q8n5mxhN0Y8y87iCb2Ag?testcase_id=6503936764936192

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 16 by ClusterFuzz, Sep 1 2016

ClusterFuzz has detected this issue as fixed in range 415222:415266.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5286601148334080

Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  WebRtcSpl_CountLeadingZeros32
  WebRtcSpl_GetSizeInBits
  WebRtcIlbcfix_EnhancerInterface
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=397381:397497
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=415222:415266

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96LHHQUvc976QhJ817CTxfGf6I6niR8NbxvOEY7lLO76XQCJReescGk9VsScj7OQ6qByyfNaxpr1Wl57XzCqVZKP07IEaPCwih0x461ovZ7QTvH-ZBQV2gPFRx66aOQODpM86m87WCGwYOFjPr3jzG-45lDaw?testcase_id=5286601148334080

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 17 by ClusterFuzz, Sep 1 2016

ClusterFuzz has detected this issue as fixed in range 415222:415266.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5000365674332160

Fuzzer: libfuzzer_audio_decoder_ilbc_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  WebRtcSpl_CountLeadingZeros32
  WebRtcSpl_GetSizeInBits
  WebRtcIlbcfix_EnhancerInterface
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=397381:397497
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=415222:415266

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96GBAba7gmRpCRgYfRpY_EW5nRjhQtXabLID_zdwRsrbVj8nE6Q-O9iC43SRQ4JxzwOWkSQpUAUy-djPLDCwnDzoCJ0rGCKUvoGufcJ-1JJr8g5mHJLDtVUuydvjI1a_6OG9QOUX8iLVMNUTud4bkWxvCMn1w?testcase_id=5000365674332160

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 20 by sheriffbot@chromium.org, Nov 30 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
