Heap-use-after-free in media::PipelineIntegrationTestBase::CheckFirstAudioPacketTimestamp
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5468674814377984
Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6140000005e0
Crash State:
  media::PipelineIntegrationTestBase::CheckFirstAudioPacketTimestamp
  testing::Action<void testing::internal::ActionResultHolder<void>*
  testing::internal::ActionResultHold
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=494126:494240
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5468674814377984
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Aug 15 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 15 2017
[Fixing incorrect bug reference in my previous comment 5]: This is probably just a race - the affected code is probably part of the fuzzer TIMEOUT mitigation test-only path (added recently in https://chromium-review.googlesource.com/c/614318). I'll still look into deduping/fixing this along with bug 755501.
Aug 15 2017
Confirmed duplicate of bug 755501 (both files trigger same UAF of the raw AudioRendererImpl* in PipelineIntegrationTestBase added in https://chromium-review.googlesource.com/c/614318). This is a test-only issue, specific to media_pipeline_integration_fuzzer; removing RBS.
Aug 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b40b2ee2aae490a7c9daff046e130901dafc8fa6

commit b40b2ee2aae490a7c9daff046e130901dafc8fa6
Author: Matt Wolenetz <wolenetz@chromium.org>
Date: Fri Aug 18 01:38:18 2017

Fix test-only UAF/uninitialized value/bad-cast from invalid vptr in fuzzer timeout mitigation

Fixes PipelineIntegrationTestBase's UAF and bad-cast from invalid vptr of |audio_renderer_| and similar use of uninitialized audio_renderer_->first_packet_timestamp_ value in the media_pipeline_integration_fuzzer timeout mitigation code from 219c7500.

Instead of waiting for (thread-trampolined) buffering state change notifications to inspect the audio renderer's |first_packet_timestamp_| (risking race of its destruction), this change adds a test-only callback for directly telling the test about any positive |play_delay| in AudioRendererImpl::Render(). (Using play_delay instead of |first_packet_timestamp_| will also help a future MSE pipeline fuzzer abort early after seeking hits a large audio play delay.)

This new test-only callback also must trampoline from audio thread to the fuzzer's main thread, but it precludes the need to then ask the (potentially already destructed) AudioRendererImpl for info.

BUG=755501,755499,755619,754500,756412
Change-Id: I9ab2987aa120c21a30463951c75e51838614d62f
Reviewed-on: https://chromium-review.googlesource.com/616064
Commit-Queue: Matthew Wolenetz <wolenetz@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495414}

[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/renderers/audio_renderer_impl.h
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_fuzzertest.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.cc
[modify] https://crrev.com/b40b2ee2aae490a7c9daff046e130901dafc8fa6/media/test/pipeline_integration_test_base.h
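The commit's core idea, as an added single-threaded model that is not Chromium's code: the test-only callback that hops from the audio thread to the main thread carries the play_delay value itself, so the main-thread side never has to dereference a renderer that may already have been destroyed. MainThreadQueue, FakeAudioRenderer and ObserveDelayAfterDestruction are hypothetical stand-ins for the task runner, AudioRendererImpl and the fuzzer's check.

```cpp
// Added illustration, not Chromium code: a deterministic model of the
// "post the value, not a pointer to the owner" pattern from the commit.
#include <cstdint>
#include <deque>
#include <functional>
#include <memory>
#include <optional>
#include <utility>

// Stand-in for the main thread's task runner: tasks posted from the
// "audio thread" run later, possibly after the poster was destroyed.
struct MainThreadQueue {
  std::deque<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push_back(std::move(t)); }
  void RunAll() {
    while (!tasks.empty()) {
      auto t = std::move(tasks.front());
      tasks.pop_front();
      t();
    }
  }
};

// Minimal renderer: Render() notices a positive play delay and reports it
// by value through a test-only callback (hypothetical stand-in).
class FakeAudioRenderer {
 public:
  using PlayDelayCb = std::function<void(int64_t)>;
  FakeAudioRenderer(MainThreadQueue* q, PlayDelayCb cb)
      : main_(q), cb_(std::move(cb)) {}
  void Render(int64_t play_delay_us) {
    if (play_delay_us > 0 && cb_) {
      // Capture copies, never |this|: the task stays valid after the
      // renderer is gone, which is what removes the use-after-free.
      PlayDelayCb cb = cb_;
      main_->Post([cb, play_delay_us] { cb(play_delay_us); });
    }
  }
 private:
  MainThreadQueue* main_;
  PlayDelayCb cb_;
};

// Simulates the race: render, destroy the renderer, and only then drain
// the main-thread queue. Returns the delay the test observed, if any.
std::optional<int64_t> ObserveDelayAfterDestruction(int64_t delay_us) {
  MainThreadQueue main;
  std::optional<int64_t> seen;
  auto r = std::make_unique<FakeAudioRenderer>(
      &main, [&seen](int64_t d) { seen = d; });
  r->Render(delay_us);
  r.reset();      // renderer destroyed before the trampolined task runs
  main.RunAll();  // safe: the task owns its own copy of the value
  return seen;
}
```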
Aug 18 2017
ClusterFuzz has detected this issue as fixed in range 495373:495424.
Detailed report: https://clusterfuzz.com/testcase?key=5468674814377984
Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6140000005e0
Crash State:
  media::PipelineIntegrationTestBase::CheckFirstAudioPacketTimestamp
  testing::Action<void testing::internal::ActionResultHolder<void>*
  testing::internal::ActionResultHold
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=494126:494240
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=495373:495424
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5468674814377984
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 24 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot