
Issue 648062 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Crash in default_terminate_handler

Project Member Reported by ClusterFuzz, Sep 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4523351634870272

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000618c
Crash State:
  default_terminate_handler
  std::__terminate
  failed_throw
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=419157:419245

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96oaftPYPtr09SznHuIrXp3qLFbn_6n3ZJk232c8qc90Qul9KjFhmlmq4PPZ7GN6JRcxi-e-VrE-bHeLGg5uKL7_cSgfTrxaMu2YIYxPRscu2Xo73ReXbvutpTxcjh1oBgPBEeMUQytzhFx-Gd1RnJovP6ybA?testcase_id=4523351634870272
v=0
o=moa...THIS_IS_SDPARTA-46.0.1 5115930144083302970 0 IN IPfingerprint4 0.0.0.0
s=-
t=0 0
m=videoapplication 9 DTLS/SCTP v
a=sctp-portrtcpfb:126 nack
m=application 9 DTLS/SCTP 5000


Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by mmoroz@chromium.org, Sep 18 2016

Cc: mmoroz@chromium.org kcc@chromium.org pbos@chromium.org aizatsky@chromium.org
Components: Blink>WebRTC
Owner: phoglund@chromium.org
phoglund@, would you mind taking a look as a person who had reviewed the fuzzer previously and enabled it then?

Comment 2 by pbos@chromium.org, Sep 18 2016

Cc: phoglund@chromium.org
Owner: deadbeef@chromium.org
Status: Assigned (was: Untriaged)
deadbeef@ feel free to reassign if I'm assigning too many bugs to you. I think libfuzzer_sdp_parser_fuzzer is a new fuzzer binary, ping me if you have any questions on how to repro, I'll gladly help you get set up.
Yep, definitely seems to be a new fuzzer (and a quite effective one). Who knew there could be so many bugs in code that's entirely built around static_cast'ing pointers? :)
Yeah, I enabled those a couple weeks ago. I'm glad to hear they work ;)

Comment 5 by bugdroid1@chromium.org, Sep 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/7e146cb97e27644691a8017fe252dfc184c03808

commit 7e146cb97e27644691a8017fe252dfc184c03808
Author: deadbeef <deadbeef@webrtc.org>
Date: Wed Sep 28 17:04:34 2016

Fixing heap read overflow when "sctp-port" is in a video description.

This added an SCTP codec, which is later re-interpreted as a video
codec. We shouldn't be adding codecs that don't match the type of the
media description.

BUG= chromium:648062 

Review-Url: https://codereview.webrtc.org/2354723002
Cr-Commit-Position: refs/heads/master@{#14421}

[modify] https://crrev.com/7e146cb97e27644691a8017fe252dfc184c03808/webrtc/api/webrtcsdp.cc
[modify] https://crrev.com/7e146cb97e27644691a8017fe252dfc184c03808/webrtc/api/webrtcsdp_unittest.cc

Status: Started (was: Assigned)
This will be fixed by the above CL on the next WebRTC roll.
 Issue 648372  has been merged into this issue.
 Issue 648198  has been merged into this issue.
 Issue 647915  has been merged into this issue.
 Issue 647904  has been merged into this issue.
 Issue 647905  has been merged into this issue.
 Issue 647948  has been merged into this issue.
 Issue 647916  has been merged into this issue.
Labels: ReleaseBlock-Beta
Labels: Restrict-View-SecurityTeam

Comment 16 by aarya@google.com, Sep 29 2016

Labels: -Type-Bug Security_Severity-High Type-Bug-Security

Comment 17 by kenrb@chromium.org, Sep 29 2016

Labels: Security_Impact-Head

Comment 18 by sheriffbot@chromium.org, Sep 30 2016

Labels: M-55
FYI: For anyone triaging a fuzzer bug and wondering "is it a duplicate of this?", the way to tell is if "a=sctp-port" appears under "m=audio" or "m=video", rather than under "m=application".
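Added example (not code from WebRTC, Chromium or any commenter on this issue): a small C++ model of the rule the fix in comment 5 enforces, that an sctp-port attribute is only accepted when its enclosing m= section is an application description, together with the triage check from comment 19 (an "a=sctp-port" line sitting under m=audio or m=video). Matching the m= media type and the attribute name by prefix is an assumption made here so that the minimized testcase (m=videoapplication, a=sctp-portrtcpfb) is classified as "sctp-port under m=video"; it is not a statement about how webrtcsdp.cc tokenizes. MediaType, ParseMediaSections, HasSctpPortOutsideApplication and CountAcceptedSctpPorts are names chosen for this example.

```cpp
// Example for chromium:648062; not WebRTC or Chromium code.
// Models two things from the thread above:
//  1. the fix's invariant: an SCTP (data) entry is only ever attached to an
//     application media description, never to audio or video;
//  2. the triage heuristic from comment 19: "a=sctp-port" under m=audio or
//     m=video marks a likely duplicate of this bug.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// The minimized ClusterFuzz testcase from this issue, embedded as sample input.
const char kTestcase[] =
    "v=0\n"
    "o=moa...THIS_IS_SDPARTA-46.0.1 5115930144083302970 0 IN IPfingerprint4 0.0.0.0\n"
    "s=-\n"
    "t=0 0\n"
    "m=videoapplication 9 DTLS/SCTP v\n"
    "a=sctp-portrtcpfb:126 nack\n"
    "m=application 9 DTLS/SCTP 5000\n";

enum class MediaType { kAudio, kVideo, kApplication, kUnknown };

struct MediaSection {
  MediaType type = MediaType::kUnknown;
  std::vector<std::string> attributes;  // every "a=" line of the section, prefix stripped
  std::vector<std::string> sctp_ports;  // sctp-port attributes that passed the type check
};

bool HasPrefix(const std::string& s, const std::string& prefix) {
  return s.compare(0, prefix.size(), prefix) == 0;
}

// Assumption (not taken from the WebRTC source): the media type is matched by
// prefix, so "m=videoapplication" classifies as video. That is what puts the
// fuzzer's mangled testcase in the "sctp-port under m=video" bucket.
MediaType ClassifyMediaType(const std::string& m_line) {
  const std::string type_field = m_line.substr(2, m_line.find(' ', 2) - 2);
  if (HasPrefix(type_field, "audio")) return MediaType::kAudio;
  if (HasPrefix(type_field, "video")) return MediaType::kVideo;
  if (HasPrefix(type_field, "application")) return MediaType::kApplication;
  return MediaType::kUnknown;
}

// Splits the SDP into m= sections. Session-level lines are skipped. An
// sctp-port attribute is recorded in sctp_ports only when the enclosing
// section is an application section; elsewhere it stays a plain attribute and
// never becomes an SCTP entry that later code could treat as an audio or video
// codec. Attribute names are matched by prefix (same assumption as above), so
// "a=sctp-portrtcpfb:126 nack" counts as an sctp-port attribute.
std::vector<MediaSection> ParseMediaSections(const std::string& sdp) {
  std::vector<MediaSection> sections;
  std::istringstream in(sdp);
  std::string line;
  while (std::getline(in, line)) {
    if (!line.empty() && line.back() == '\r') line.pop_back();  // accept CRLF
    if (HasPrefix(line, "m=")) {
      MediaSection section;
      section.type = ClassifyMediaType(line);
      sections.push_back(section);
    } else if (HasPrefix(line, "a=") && !sections.empty()) {
      const std::string attr = line.substr(2);
      MediaSection& cur = sections.back();
      cur.attributes.push_back(attr);
      if (HasPrefix(attr, "sctp-port") && cur.type == MediaType::kApplication) {
        cur.sctp_ports.push_back(attr);
      }
    }
  }
  return sections;
}

// Triage check from comment 19: true when an sctp-port attribute appears under
// an audio or video description, i.e. the input matches this bug's pattern.
bool HasSctpPortOutsideApplication(const std::string& sdp) {
  for (const MediaSection& s : ParseMediaSections(sdp)) {
    if (s.type != MediaType::kAudio && s.type != MediaType::kVideo) continue;
    for (const std::string& attr : s.attributes) {
      if (HasPrefix(attr, "sctp-port")) return true;
    }
  }
  return false;
}

// Number of sctp-port attributes that survive the media-type check.
size_t CountAcceptedSctpPorts(const std::string& sdp) {
  size_t n = 0;
  for (const MediaSection& s : ParseMediaSections(sdp)) n += s.sctp_ports.size();
  return n;
}

int main() {
  std::cout << "sctp-port under audio/video: "
            << (HasSctpPortOutsideApplication(kTestcase) ? "yes" : "no") << "\n";
  std::cout << "sctp-port entries kept after type check: "
            << CountAcceptedSctpPorts(kTestcase) << "\n";
  return 0;
}
```

Run stand-alone, the program reports that the minimized testcase trips the triage check and that zero sctp-port entries survive the type check, which is the behaviour the fix describes: the attribute in the video section is no longer turned into a codec of the wrong kind.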
 Issue 652002  has been merged into this issue.
Comment 19 is very helpful, thanks!
A friendly reminder that M55 Beta launch is coming soon! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Status: Fixed (was: Started)
WebRTC was rolled into Chromium this morning, which included the above fix.

Comment 24 by sheriffbot@chromium.org, Oct 5 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 25 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422769:422805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4523351634870272

Fuzzer: libfuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000618c
Crash State:
  default_terminate_handler
  std::__terminate
  failed_throw
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=419157:419245
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=422769:422805


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
 Issue 648842  has been merged into this issue.
Labels: -ReleaseBlock-Beta

Comment 28 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Jan 11 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by ClusterFuzz, Nov 27 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6212187469381632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
