
Issue 707173

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr;content::ResolutionSet::SelectClosestPointToIdealAspectRatio;content::ResolutionSet::SelectClosestPointToIdeal

Project Member Reported by ClusterFuzz, Mar 31 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5338096586719232

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f668a12f0b0
Crash State:
  Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr
  content::ResolutionSet::SelectClosestPointToIdealAspectRatio
  content::ResolutionSet::SelectClosestPointToIdeal
  
Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=460787:460815

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94dZ5MdK57iICq6q6STRkxhKViDjXnrxmevKr4qfE70COyKeJNeZGa7pi_gBUhMNciYv2ylubjIm4rQOzv1bjvNbqRwdbeWn7Xk2EbpptmnCmcjxb3tJw6GYXkJQ2vkY_i6ApGxb6hx8_QSWjcwVFuDQyR8rA36-VvihEfinbdBhYuRn3UF5Us17pDnZHdnikU_eDRDeAP37bhzK7q805nsSPXBjYdevdoSgTHhWsUlsP30Z4eVDU7Ip-Zw4m6kfn0rHzr7xVRD4TgWSXFzXiHulVtfy9iG2DeYVVVD5cP0uMEKNQxglv9e175v3Pt_e-2oQ5S0kPrcGAprthZPpd4ldQdWo7i0g5PZEg8GnHkmyrvZVKeHk44PMVn_Pi-lIDh93Hieql8oUbCJSgLcJT5MzdfHRA?testcase_id=5338096586719232


Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
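An added illustration, not part of this report and not Chromium code: a stand-alone C++ model of the property that a CFI "Bad-cast ... from invalid vptr" report enforces, namely that before a downcast result is used, the object's vtable pointer must be one of the vtables valid for the cast's target type. The hierarchy (Expr, ReturnExpr, LoadExpr), every function name and the garbage buffer are hypothetical; nothing here models ResolutionSet, and the page does not record the root cause of the crash above.

```cpp
// Added example (hypothetical types; not Chromium code, not the bug in ResolutionSet).
// Clang CFI (-fsanitize=cfi-derived-cast, needs -flto and -fvisibility=hidden) instruments
// each static_cast to a derived type with a check that the object's vptr is one of the
// vtables valid for that type. A vptr matching no vtable in the program at all is what
// the sanitizer calls an "invalid vptr": typically a freed, uninitialised or
// out-of-bounds object. This file reimplements that check by hand so the rejected cases
// can be exercised without the sanitizer.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

struct Expr {  // hypothetical polymorphic base
  virtual ~Expr() = default;
  virtual std::string Describe() const = 0;
};

struct ReturnExpr : Expr {
  explicit ReturnExpr(int v) : value(v) {}
  std::string Describe() const override { return "return " + std::to_string(value); }
  int value;
};

struct LoadExpr : Expr {
  explicit LoadExpr(int s) : slot(s) {}
  std::string Describe() const override { return "load " + std::to_string(slot); }
  int slot;
};

// Read the vptr that the Itanium and MSVC ABIs store at offset 0 of a polymorphic object
// with a single primary base (assumption stated in the lead-in). This is a plain memory
// read, so it is safe even when the "object" is garbage.
static std::uintptr_t ReadVptr(const void* object) {
  std::uintptr_t vptr = 0;
  std::memcpy(&vptr, object, sizeof(vptr));
  return vptr;
}

// The vtable address every instance of a concrete type carries, taken from a scratch object.
template <typename T>
static std::uintptr_t VtableOf() {
  T scratch(0);
  return ReadVptr(&scratch);
}

// What CFI checks for static_cast<ReturnExpr*>(e): is e's vptr in the set of vtables a
// ReturnExpr (or a class derived from it) may have? With no subclasses the set has one entry.
static bool CfiAllowsCastToReturnExpr(const void* object) {
  return ReadVptr(object) == VtableOf<ReturnExpr>();
}

// Unchecked downcast as production code often writes it: the invariant "e is a ReturnExpr"
// is the caller's promise, and only the sanitizer verifies it.
int UncheckedReturnValue(Expr* e) {
  return static_cast<ReturnExpr*>(e)->value;
}

// Hardened form: verify the invariant in software instead of relying on CFI. Returns false
// when the object is not a ReturnExpr, so ->value is never read through a bad cast.
bool CheckedReturnValue(Expr* e, int* out) {
  if (!CfiAllowsCastToReturnExpr(e)) return false;
  *out = static_cast<ReturnExpr*>(e)->value;
  return true;
}

// Memory the size of a ReturnExpr that was never constructed: a constructed stand-in for
// the "invalid vptr" case. Its first word is 0x4141414141414141, which is no vtable.
struct GarbageObject {
  alignas(ReturnExpr) unsigned char bytes[sizeof(ReturnExpr)];
  GarbageObject() { std::memset(bytes, 0x41, sizeof(bytes)); }
};

// The bug class itself: a LoadExpr handed to code that assumes ReturnExpr. Without CFI this
// silently reads LoadExpr::slot through the wrong type (undefined behaviour); with
// -fsanitize=cfi-derived-cast the cast is reported before the read happens.
int TypeConfusionWithoutCfi() {
  LoadExpr load(3);
  return UncheckedReturnValue(&load);
}

// Self-contained checks that need no objects from the caller.
bool CastAcceptsRealReturnExpr() {
  ReturnExpr ret(7);
  int v = 0;
  return CheckedReturnValue(&ret, &v) && v == 7;
}
bool CastRejectsOtherDerivedType() {
  LoadExpr load(3);
  int v = 0;
  return !CheckedReturnValue(&load, &v);
}
bool CastRejectsGarbageVptr() {
  GarbageObject garbage;
  return !CfiAllowsCastToReturnExpr(garbage.bytes);
}
int ReturnValueOf(int v) {
  ReturnExpr ret(v);
  return UncheckedReturnValue(&ret);  // the one use of the unchecked cast that is actually safe
}
```

Built normally, the checked path rejects the wrong-typed and the garbage object and only the real ReturnExpr is read. Built with `clang++ -std=c++17 -O1 -flto -fvisibility=hidden -fsanitize=cfi-derived-cast -fno-sanitize-trap=cfi`, the cast inside TypeConfusionWithoutCfi() is the kind of downcast the sanitizer reports as a control flow integrity check failing during a base-to-derived cast, which is the diagnostic ClusterFuzz normalises into a Bad-cast crash state; Chromium turns on the same instrumentation through its is_cfi and use_cfi_cast GN arguments.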
 
Project Member

Comment 1 by sheriffbot@chromium.org, Mar 31 2017

Labels: M-59
Project Member

Comment 2 by sheriffbot@chromium.org, Mar 31 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 31 2017

Labels: Pri-1

Comment 4 by ta...@google.com, Apr 1 2017

It seems clusterfuzz found this crash and resolved it (705158).
Cc: hbos@chromium.org
Components: Blink>WebRTC
Owner: guidou@chromium.org
Status: Assigned (was: Untriaged)
Clusterfuzz doesn't seem to think this is resolved. I think https://crbug.com/705158 is a different trigger.

+guidou@: you landed crrev.com/2777703002 last week, which made changes to the method at the call site that ClusterFuzz trips up on here. Can you please take a look and investigate?

Found the issue. Working on a fix.

Comment 7 Deleted

revision 2798843005 should have fixed it.
Project Member

Comment 9 by ClusterFuzz, Apr 6 2017

ClusterFuzz has detected this issue as fixed in range 462131:462197.

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=460787:460815
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=462131:462197

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by sheriffbot@chromium.org, Apr 6 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Project Member

Comment 12 by sheriffbot@chromium.org, Jul 13 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
