Sept 20 Roll WebRTC: https://chromium.googlesource.com/chromium/src/+/86cc5ff4d533256008521baaac593e9c55077798

Feb 17 Implemented the Module interface for CongestionController
https://chromium.googlesource.com/external/webrtc/trunk/webrtc.git/+/1262b9d0f85ee9db45f135171a19ab9984a8784c 

Sanitizer complains about Bad-cast to webrtc::Module from webrtc::BitrateControllerImpl, but BitrateControllerImpl derives from BitrateController which derives from Module. This seems like it should be okay.

kcc: this seems a bit strange, would you mind taking a look?

Ivan has been dealing with these lately

This regressed tonight and 'UBSanVptr Linux' bot became red because of that:
https://build.chromium.org/p/chromium.fyi/builders/UBSanVptr%20Linux/builds/1187

The problematic change arrived as a part of the WebRTC roll:
https://chromium.googlesource.com/chromium/src/+/86cc5ff4d533256008521baaac593e9c55077798

I will take a closer look to see what shall be fixed.

Reproduced locally, I know what happens. In this change:
https://codereview.webrtc.org/2334613002,

webrtc::DtxController declared in webrtc/modules/audio_coding/audio_network_adaptor/bitrate_controller.h was renamed to webrtc::BitrateController:
https://codereview.webrtc.org/2334613002/diff/140001/webrtc/modules/audio_coding/audio_network_adaptor/bitrate_controller.h?context=10&column_width=80&tab_spaces=8

So, now, there're two webrtc::BitrateController classes, and webrtc::BitrateControllerImpl is derived from the wrong one, which is not a webrtc::Module, so UBSan complains.

I urge you to revert the CL (and probably the roll on Chrome side as well). Then rename one of the classes to avoid the ODR violation.

Removing restrictions on the bug, as there's no immediate security threat due to this issue.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

it has been reverted.

#13 - Can you reference the revert commit and update status to Fixed? Thanks!

The revert is made in this

https://codereview.webrtc.org/2352223002/

ClusterFuzz has detected this issue as fixed in range 420048:420163.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4766268475572224

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0631f3d3f600
Crash State:
  Bad-cast to webrtc::Module from webrtc::BitrateControllerImpl
  webrtc::CongestionController::TimeUntilNextProcess
  webrtc::ProcessThreadImpl::Process
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=419690:419701
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=420048:420163

Minimized Testcase (1.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_f9WS_cGhC1ZbxbEDwLWqFhxLB76JO1-iYM8e_-Rhe-aSWAeNi3_s7pSZx1gqjtO7g6U576-kHrJQCp9VQ0U5NWnwjCpqoN3MWmplit_-SMXcJxoewhZmhXvSdZJzgZ_GmwFr36T6w5s1ddsRLdq-9D-k8g?testcase_id=4766268475572224

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot