Crash in webrtc::WebRtcSession::UpdateSessionState |
|||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5090300541534208 Fuzzer: phoglund_webrtc_peerconnection Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000000 Crash State: webrtc::WebRtcSession::UpdateSessionState webrtc::WebRtcSession::SetLocalDescription webrtc::PeerConnection::SetLocalDescription Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=364390:364453 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94hGMmskozSByoW1IqnWqXHh8fB2qt4yRPUks9hP2laJwlAcRpy-Q-E9cjN5LOWFjsflqp9QE5dc_2-6iS41rUg35pfKxpF1wow8LE_PUboXXW9j0pgbN_fiFb5VHFUFoavEb5GXu2CUtriQTIipIKkLvBK5fB5W3sormLC2dqbznL8QZY?testcase_id=5090300541534208 Additional requirements: Requires HTTP Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jan 3 2017
,
Jan 3 2017
,
Jan 3 2017
,
Feb 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/external/webrtc.git/+/90f1e1e0d7f7b88eb5bd849bbe6a75c6778c3bc8 commit 90f1e1e0d7f7b88eb5bd849bbe6a75c6778c3bc8 Author: deadbeef <deadbeef@webrtc.org> Date: Fri Feb 10 20:35:05 2017 Fixing SDP parsing crash due to invalid port numbers. BUG=chromium:677029 Review-Url: https://codereview.webrtc.org/2675273003 Cr-Commit-Position: refs/heads/master@{#16541} [modify] https://crrev.com/90f1e1e0d7f7b88eb5bd849bbe6a75c6778c3bc8/webrtc/base/socketaddress.h [modify] https://crrev.com/90f1e1e0d7f7b88eb5bd849bbe6a75c6778c3bc8/webrtc/pc/webrtcsdp.cc [modify] https://crrev.com/90f1e1e0d7f7b88eb5bd849bbe6a75c6778c3bc8/webrtc/pc/webrtcsdp_unittest.cc
,
Feb 10 2017
Oops, that CL referenced the wrong bug number. Was meant to reference https://bugs.chromium.org/p/chromium/issues/detail?id=686405. This bug hasn't been fixed yet.
,
Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455389. Detailed report: https://clusterfuzz.com/testcase?key=5090300541534208 Fuzzer: phoglund_webrtc_peerconnection Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000000 Crash State: webrtc::WebRtcSession::UpdateSessionState webrtc::WebRtcSession::SetLocalDescription webrtc::PeerConnection::SetLocalDescription Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=364390:364453 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=455091:455389 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94hGMmskozSByoW1IqnWqXHh8fB2qt4yRPUks9hP2laJwlAcRpy-Q-E9cjN5LOWFjsflqp9QE5dc_2-6iS41rUg35pfKxpF1wow8LE_PUboXXW9j0pgbN_fiFb5VHFUFoavEb5GXu2CUtriQTIipIKkLvBK5fB5W3sormLC2dqbznL8QZY?testcase_id=5090300541534208 Additional requirements: Requires HTTP See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 9 2017
ClusterFuzz testcase 5090300541534208 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 9 2017
I don't know how this got fixed, but I'll take it.
,
Mar 21 2017
,
Jun 23 2017
Reopening because I found a way to reproduce the crash. Some simple steps to repro: 1. Create a normal offer with an audio "m=" section, apply to some PeerConnection as a remote description. 2. Create an answer. But before applying it as a local description, replace "BUNDLE audio" with just "BUNDLE" in the SDP. 3. Try to apply it. It fails. 4. Try to apply it again. Crash. The issue, in short, is that when applying a description fails, sometimes the PeerConnection is left in a broken state where future operations result in undefined behavior. Specifically, what happens here is that at step 3, the state is: Signaling state: Have remote offer pendingRemoteDescription: non-null currentRemoteDescription: null pendingLocalDescription: null currentLocalDescription: null Then in step 4, the weird "undefined behavior" state is: Signaling state: Have remote offer pendingRemoteDescription: null currentRemoteDescription: non-null pendingLocalDescription: null currentLocalDescription: non-null Then, when applying the local answer, currentRemoteDescription is replaced with pendingRemoteDescription (which is null), and then the null remote description is dereferenced. This is happening in WebRtcSession. To fix this, it needs to change the "pending/current" description variables at the same time as it changes the signaling state. Which means that things like UpdateSessionState will need to take the description currently being applied as an argument, instead of relying on the member variables.
,
Jun 23 2017
,
Jun 25 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 25 2018
,
Aug 2
|
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by mummare...@chromium.org
, Dec 27 2016Labels: Test-Predator-Wrong M-56