New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 677029 link

Starred by 3 users

Issue metadata

Status: Assigned
Owner:
Last visit > 30 days ago
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Crash in webrtc::WebRtcSession::UpdateSessionState

Project Member Reported by ClusterFuzz, Dec 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5090300541534208

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  webrtc::WebRtcSession::UpdateSessionState
  webrtc::WebRtcSession::SetLocalDescription
  webrtc::PeerConnection::SetLocalDescription
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=364390:364453

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94hGMmskozSByoW1IqnWqXHh8fB2qt4yRPUks9hP2laJwlAcRpy-Q-E9cjN5LOWFjsflqp9QE5dc_2-6iS41rUg35pfKxpF1wow8LE_PUboXXW9j0pgbN_fiFb5VHFUFoavEb5GXu2CUtriQTIipIKkLvBK5fB5W3sormLC2dqbznL8QZY?testcase_id=5090300541534208


Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>WebRTC
Labels: Test-Predator-Wrong M-56
Components: -Blink>WebRTC Blink>WebRTC>PeerConnection
Owner: guidou@chromium.org
Status: Assigned (was: Untriaged)
Owner: deadbeef@chromium.org
Oops, that CL referenced the wrong bug number. Was meant to reference https://bugs.chromium.org/p/chromium/issues/detail?id=686405. This bug hasn't been fixed yet.
Project Member

Comment 7 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455389.

Detailed report: https://clusterfuzz.com/testcase?key=5090300541534208

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  webrtc::WebRtcSession::UpdateSessionState
  webrtc::WebRtcSession::SetLocalDescription
  webrtc::PeerConnection::SetLocalDescription
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=364390:364453
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=455091:455389

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94hGMmskozSByoW1IqnWqXHh8fB2qt4yRPUks9hP2laJwlAcRpy-Q-E9cjN5LOWFjsflqp9QE5dc_2-6iS41rUg35pfKxpF1wow8LE_PUboXXW9j0pgbN_fiFb5VHFUFoavEb5GXu2CUtriQTIipIKkLvBK5fB5W3sormLC2dqbznL8QZY?testcase_id=5090300541534208


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5090300541534208 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
I don't know how this got fixed, but I'll take it. 
Labels: -M-56 M-58
Labels: -Pri-1 Pri-2
Status: Available (was: Verified)
Reopening because I found a way to reproduce the crash. Some simple steps to repro:

1. Create a normal offer with an audio "m=" section, apply to some PeerConnection as a remote description.
2. Create an answer. But before applying it as a local description, replace "BUNDLE audio" with just "BUNDLE" in the SDP.
3. Try to apply it. It fails.
4. Try to apply it again. Crash.

The issue, in short, is that when applying a description fails, sometimes the PeerConnection is left in a broken state where future operations result in undefined behavior.

Specifically, what happens here is that at step 3, the state is:

Signaling state: Have remote offer
pendingRemoteDescription: non-null
currentRemoteDescription: null
pendingLocalDescription: null
currentLocalDescription: null

Then in step 4, the weird "undefined behavior" state is:

Signaling state: Have remote offer
pendingRemoteDescription: null
currentRemoteDescription: non-null
pendingLocalDescription: null
currentLocalDescription: non-null

Then, when applying the local answer, currentRemoteDescription is replaced with pendingRemoteDescription (which is null), and then the null remote description is dereferenced. This is happening in WebRtcSession. To fix this, it needs to change the "pending/current" description variables at the same time as it changes the signaling state. Which means that things like UpdateSessionState will need to take the description currently being applied as an argument, instead of relying on the member variables.
Labels: -Stability-Memory-AddressSanitizer -Clusterfuzz -M-58 -ClusterFuzz-Verified -Test-Predator-Wrong
Project Member

Comment 13 by sheriffbot@chromium.org, Jun 25 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Recharge-Cold
Status: Available (was: Untriaged)
Status: Assigned (was: Available)

Sign in to add a comment