
Issue 647904

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 648062
Owner:
Last visit > 30 days ago
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Bad-cast to cricket::DataContentDescription from cricket::AudioContentDescription;webrtc::ParseContent;ParseContentDescription<cricket::AudioContentDescription>

Project Member Reported by ClusterFuzz, Sep 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5017647475589120

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x29700a8ffea0
Crash State:
  Bad-cast to cricket::DataContentDescription from cricket::AudioContentDescription
  webrtc::ParseContent
  ParseContentDescription<cricket::AudioContentDescription>
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419163:419248

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94I0CkiwWwrqrP26wnnn9WwZcqdRmD3du4JrzoCokxwlqwIS9jF7hXJsAomEp5pC_AGXeyALC6W4GryZIyEGnZ5xy8UXiKKA08jZ4qq9KNgFyj54GPiBm2YaJLnvEr53kbo8JhS0-bXqh6ssp3rQiVR2bfNTw?testcase_id=5017647475589120
v=0
o=moa...THIS_IS_SDPARTA-46.0.1 5115930144083302970 0 IN IPfingerprint4 0.0.0.0
s=-
t=0 0
m=audio=application 9 DTLS/SCTP v
a=sctp-portrtcpfb:126 nack
a=rtcp-fb:126 nack pli


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 17 2016

Labels: M-55
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 17 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 17 2016

Labels: Pri-1
Cc: kjellander@chromium.org pthatcher@chromium.org
Components: Blink>WebRTC
Owner: deadbeef@chromium.org
Status: Assigned (was: Untriaged)
Hello,

Could you please help find an appropriate owner for this security bug?!


Running: /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-2-sdp_parser_fuzzer
../../third_party/webrtc/api/webrtcsdp.cc:2658:29: runtime error: downcast of address 0x06c2ecd07ea0 which does not point to an object of type cricket::DataContentDescription
0x06c2ecd07ea0: note: object is of type cricket::AudioContentDescription
 00 00 00 00  20 9d 54 00 00 00 00 00  00 00 ff ff ff ff ff ff  00 00 00 00 00 00 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for cricket::AudioContentDescription


https://cs.chromium.org/chromium/src/third_party/webrtc/api/webrtcsdp.cc?q=cricket::AudioContentDescription&sq=package:chromium&dr=C&l=2658


Thanks!
Taylor is the right owner.
Mergedinto: 648062
Status: Duplicate (was: Assigned)
Same root cause as another issue: parsing "sctp-port" in a non-data description.
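Added illustration of the root cause named above, written for this page and not taken from WebRTC or from the fix in issue 648062: a handler that trusts the attribute name (`a=sctp-port`) and downcasts to a data description even when the enclosing `m=` section is audio, beside a version that checks the section's media type first. All class and function names are simplified stand-ins for the `cricket::*` types in the UBSan trace.

```cpp
// Simplified stand-in for this report's bug: the a=sctp-port handler downcasts
// the current media description on the strength of the attribute name alone.
// Class names echo cricket::*, but these are mock-ups, not WebRTC's code.
#include <cstdlib>
#include <memory>
#include <string>
#include <vector>

enum class MediaType { kAudio, kData };
struct MediaContentDescription {
  virtual ~MediaContentDescription() = default;
  virtual MediaType type() const = 0;
};
struct AudioContentDescription : MediaContentDescription {
  MediaType type() const override { return MediaType::kAudio; }
};
struct DataContentDescription : MediaContentDescription {
  MediaType type() const override { return MediaType::kData; }
  int sctp_port = 0;
};

// Vulnerable pattern (never called here): under m=audio, desc is really an
// AudioContentDescription, so this store goes through a bogus
// DataContentDescription* -- the bad-cast UBSan flagged in the report.
void ParseSctpPortUnchecked(MediaContentDescription* desc, int port) {
  static_cast<DataContentDescription*>(desc)->sctp_port = port;
}

// Hardened pattern: check the enclosing section's media type before the cast
// and fail the parse (false) rather than trust the attribute name.
bool ParseSctpPortChecked(MediaContentDescription* desc, int port) {
  if (desc->type() != MediaType::kData) return false;
  static_cast<DataContentDescription*>(desc)->sctp_port = port;
  return true;
}

// Parses one media section as the minimized test case exercises it: the m=
// media type selects the description object, then each a= line is dispatched.
// Returns the SCTP port (0 if none was given), or -1 when the section is rejected.
int ParseMediaSection(const std::string& media, const std::vector<std::string>& attrs) {
  std::unique_ptr<MediaContentDescription> desc;
  if (media == "audio") desc.reset(new AudioContentDescription());
  else if (media == "application") desc.reset(new DataContentDescription());
  else return -1;  // unsupported media type
  int port = 0;
  for (const std::string& a : attrs) {
    static const std::string kSctpPort = "sctp-port:";
    if (a.compare(0, kSctpPort.size(), kSctpPort) != 0) continue;  // other a= lines
    port = std::atoi(a.c_str() + kSctpPort.size());
    if (!ParseSctpPortChecked(desc.get(), port)) return -1;
  }
  return port;
}
```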
Project Member

Comment 7 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422762:422804.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5017647475589120

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x29700a8ffea0
Crash State:
  Bad-cast to cricket::DataContentDescription from cricket::AudioContentDescription
  webrtc::ParseContent
  ParseContentDescription<cricket::AudioContentDescription>
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419163:419248
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=422762:422804

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94I0CkiwWwrqrP26wnnn9WwZcqdRmD3du4JrzoCokxwlqwIS9jF7hXJsAomEp5pC_AGXeyALC6W4GryZIyEGnZ5xy8UXiKKA08jZ4qq9KNgFyj54GPiBm2YaJLnvEr53kbo8JhS0-bXqh6ssp3rQiVR2bfNTw?testcase_id=5017647475589120
v=0
o=moa...THIS_IS_SDPARTA-46.0.1 5115930144083302970 0 IN IPfingerprint4 0.0.0.0
s=-
t=0 0
m=audio=application 9 DTLS/SCTP v
a=sctp-portrtcpfb:126 nack
a=rtcp-fb:126 nack pli


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Jan 11 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
