
Issue 648064

Issue metadata

Status: Fixed
Owner: honghaiz@chromium.org
Closed: Sep 2016
Cc: mmoroz@chromium.org phoglund@chromium.org kcc@chromium.org pbos@chromium.org aizatsky@chromium.org henrika@chromium.org deadbeef@chromium.org pthatcher@chromium.org anatolid@chromium.org
Components: Blink>WebRTC
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Direct-leak in cricket::StunAttribute::Create

Reported by ClusterFuzz, Sep 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5067713573814272

Fuzzer: libfuzzer_stun_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  cricket::StunAttribute::Create
  cricket::StunMessage::CreateAttribute
  cricket::StunMessage::Read
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=419151:419211

Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv976oKbefdSapinsJ95dTYgdUh_WtwGDWl7c704_B-k1XhhIaoyDYrHeXPIqb0HPo7wZhQGozm2-6L5ZxQqD4cYEERNgGmmliRvvDDaboVUvN3jbvkk7BO09YsM3AUX3m3gh_ufKh_vkVsVYv8_7ppfAflFIOA?testcase_id=5067713573814272

Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by mmoroz@chromium.org, Sep 18 2016

Cc: mmoroz@chromium.org phoglund@chromium.org kcc@chromium.org pbos@chromium.org aizatsky@chromium.org
Components: Blink>WebRTC
Owner: henrika@chromium.org
henrika@, git blame shows that you've touched stack frames #1 and #3 some time ago. Would you mind taking a look or suggesting another owner?

Comment 2 by pbos@chromium.org, Sep 18 2016

Cc: henrika@chromium.org deadbeef@chromium.org
Owner: pthatcher@chromium.org
Status: Assigned (was: Untriaged)
henrike != henrika, and those commits were just code moving (as was mine in frame #2)

pthatcher@, is your team owning stun? As far as I can tell the fuzzing setup looks correct and everything parsed should go out of scope and be deleted. Leak happens in here:

https://chromium.googlesource.com/external/webrtc/+/1d4fefbbaf056492096e9e8a689550c6b7c49fe9/webrtc/test/fuzzers/stun_parser_fuzzer.cc#26

Comment 3 by mmoroz@chromium.org, Sep 19 2016

Thanks a lot Peter for helping to triage WebRTC crashes!
The memory leak happened here. https://cs.chromium.org/chromium/src/third_party/webrtc/p2p/base/stun.cc?rcl=1474384719&l=352
If the read returns true, the attr is added to the vector and will be released when the vector is released.
But if the read returns false, the created attr will not be released.

Comment 5 by bugdroid1@chromium.org, Sep 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/external/webrtc.git/+/3e02430587370ba7e02cd6eec4970fdd6e1ea2c2

commit 3e02430587370ba7e02cd6eec4970fdd6e1ea2c2
Author: Honghai Zhang <honghaiz@webrtc.org>
Date: Thu Sep 22 16:52:16 2016

Fix a stun attribute leak.

In https://cs.chromium.org/chromium/src/third_party/webrtc/p2p/base/stun.cc?rcl=1474384719&l=352,
if read returned false, the created attr would not be released.

BUG= chromium:648064 
R=skvlad@webrtc.org

Review URL: https://codereview.webrtc.org/2357733002 .

Cr-Commit-Position: refs/heads/master@{#14357}

[modify] https://crrev.com/3e02430587370ba7e02cd6eec4970fdd6e1ea2c2/webrtc/p2p/base/stun.cc
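
The error-path leak that Comment 3 describes and that the commit above closes, reduced to a stand-alone C++ example. This is added here and is not the WebRTC code or the diff of revision 3e02430 (the page does not show the patch itself); ByteBuffer, Attribute, ReadAttributesLeaky, ReadAttributesFixed, Run and the two byte strings are constructed for the illustration, and the std::unique_ptr form of the fix is one way to close the leak, assumed rather than taken from the commit. A live-object counter stands in for LeakSanitizer, so the leak is visible without an ASan build.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

namespace stun_leak_demo {
// Minimal read cursor; both reads fail instead of overrunning the input.
struct ByteBuffer {
  const uint8_t* data;
  size_t len;
  size_t pos;
  bool ReadUInt16(uint16_t* out) {
    if (len - pos < 2) return false;
    *out = static_cast<uint16_t>((data[pos] << 8) | data[pos + 1]);
    pos += 2;
    return true;
  }
  bool ReadBytes(std::vector<uint8_t>* out, size_t n) {
    if (len - pos < n) return false;
    out->assign(data + pos, data + pos + n);
    pos += n;
    return true;
  }
};

// Live-object counter: the condition LeakSanitizer reports as a Direct-leak.
static int g_live_attributes = 0;

// Stand-in for cricket::StunAttribute (simplified, hypothetical).
struct Attribute {
  explicit Attribute(uint16_t n) : length(n) { ++g_live_attributes; }
  ~Attribute() { --g_live_attributes; }
  // Fails when the declared length runs past the end of the message.
  bool Read(ByteBuffer* buf) { return buf->ReadBytes(&value, length); }
  uint16_t length;
  std::vector<uint8_t> value;
};

// Wire layout used here: 2-byte type, 2-byte length, `length` value bytes
// (the 20-byte STUN header and 4-byte value padding are left out).
// The bug as described in Comment 3: a raw `new`, stored only on success.
// On the failure path `attr` goes out of scope without being deleted.
bool ReadAttributesLeaky(ByteBuffer* buf, std::vector<Attribute*>* out) {
  uint16_t type = 0, length = 0;
  while (buf->ReadUInt16(&type) && buf->ReadUInt16(&length)) {
    Attribute* attr = new Attribute(length);
    if (attr->Read(buf)) {
      out->push_back(attr);
    } else {
      return false;  // BUG: attr is never deleted
    }
  }
  return true;
}

// One way to close it: std::unique_ptr owns the attribute until it is
// handed to the vector, so every early return frees it.
bool ReadAttributesFixed(ByteBuffer* buf,
                         std::vector<std::unique_ptr<Attribute>>* out) {
  uint16_t type = 0, length = 0;
  while (buf->ReadUInt16(&type) && buf->ReadUInt16(&length)) {
    std::unique_ptr<Attribute> attr(new Attribute(length));
    if (!attr->Read(buf)) return false;  // attr destroyed here
    out->push_back(std::move(attr));
  }
  return true;
}

// Constructed inputs: one attribute claiming 8 value bytes with only 3
// present, and two complete attributes (lengths 3 and 1).
const uint8_t kTruncated[] = {0x00, 0x06, 0x00, 0x08, 0x41, 0x42, 0x43};
const uint8_t kWellFormed[] = {0x00, 0x06, 0x00, 0x03, 0x41, 0x42, 0x43,
                               0x00, 0x08, 0x00, 0x01, 0x00};

// ok: parser result; parsed: attrs handed back; leaked: attrs still alive.
struct Outcome { bool ok; int parsed; int leaked; };

// Runs either parser, frees what it handed back, reports what is still alive.
Outcome Run(const uint8_t* data, size_t len, bool use_fix) {
  int before = g_live_attributes;
  ByteBuffer buf{data, len, 0};
  Outcome o{false, 0, 0};
  if (use_fix) {
    std::vector<std::unique_ptr<Attribute>> attrs;
    o.ok = ReadAttributesFixed(&buf, &attrs);
    o.parsed = static_cast<int>(attrs.size());
  } else {
    std::vector<Attribute*> attrs;
    o.ok = ReadAttributesLeaky(&buf, &attrs);
    o.parsed = static_cast<int>(attrs.size());
    for (Attribute* a : attrs) delete a;
  }
  o.leaked = g_live_attributes - before;  // vector from either branch is gone
  return o;
}
}  // namespace stun_leak_demo
```

Feeding kTruncated to the leaky parser leaves one Attribute alive after the caller has deleted everything it was handed back, which is what LeakSanitizer reports above with StunAttribute::Create at the top of the allocation stack; the unique_ptr version returns false with nothing alive, and both parsers still return two attributes for kWellFormed. Note how little input the failure path needs: any attribute header whose declared length exceeds the bytes left in the message triggers it, which is why the minimized testcase is 0.08 Kb.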

Comment 6 by pbos@chromium.org, Sep 22 2016

Cc: pthatcher@chromium.org
Owner: honghaiz@chromium.org
Status: Fixed (was: Assigned)

Comment 8 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422768:422805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5067713573814272

Fuzzer: libfuzzer_stun_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  cricket::StunAttribute::Create
  cricket::StunMessage::CreateAttribute
  cricket::StunMessage::Read
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=419151:419211
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=422768:422805

Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv976oKbefdSapinsJ95dTYgdUh_WtwGDWl7c704_B-k1XhhIaoyDYrHeXPIqb0HPo7wZhQGozm2-6L5ZxQqD4cYEERNgGmmliRvvDDaboVUvN3jbvkk7BO09YsM3AUX3m3gh_ufKh_vkVsVYv8_7ppfAflFIOA?testcase_id=5067713573814272

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: anatolid@chromium.org
Can the owner please set a milestone label to this issue?

FYI, the last CL associated with this issue has been added after the M54 branch was created and before the M55 branch was created, so perhaps it should be labelled as M55?

Labels: M-55

Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
