Issue metadata
Sign in to add a comment
|
Bad-cast to webrtc::MetricsObserverInterface from invalid vptr in cricket::BasicPortAllocator::OnIceRegathering |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5464101802475520 Fuzzer: phoglund_webrtc_peerconnection Job Type: linux_cfi_chrome Platform Id: linux Crash Type: Bad-cast Crash Address: 0x08399ff66600 Crash State: Bad-cast to webrtc::MetricsObserverInterface from invalid vptr cricket::BasicPortAllocator::OnIceRegathering sigslot::signal_with_thread_policy<sigslot::single_threaded, cricket::PortAllocatorSession*, cricket::IceRegatheringReason>::emit Sanitizer: cfi (CFI) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=523197:523221 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5464101802475520 Additional requirements: Requires HTTP Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Dec 16 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 16 2017
,
Dec 16 2017
This was last seen as Issue 792179 , but the investigator was unable to reproduce.
,
Dec 16 2017
(Actually, the stack on the earlier one was slightly different. Perhaps the vptr gets corrupted in multiple ways and it just tends to blow up here.)
,
Dec 18 2017
From the stack-trace it looks like this may be caused by a bad static cast in the UMA metrics at https://cs.chromium.org/chromium/src/third_party/webrtc/p2p/client/basicportallocator.cc?sq=package:chromium&l=172 Based on the CL https://codereview.webrtc.org/2386783002 adding honghaiz and deadbeef. Could you please take a look? Thanks.
,
Dec 18 2017
I couldn't access the fuzzer from any of my accounts. Any idea why? I can't imagine how this could occur though. It may be related to recent changes being made for Unified Plan SDP, but that's all I can think of. There should only be one UMA observer, and it should definitely be destroyed after the PeerConnection; we had this issue before (https://codereview.chromium.org/2638993002).
,
Dec 19 2017
If this is a regression, it is likely caused by some recent changes.
,
Dec 19 2017
,
Dec 30 2017
deadbeef: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 4 2018
Duplicate issue: https://bugs.chromium.org/p/chromium/issues/detail?id=798251
,
Jan 5 2018
ClusterFuzz testcase 5677486364164096 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 5 2018
,
Feb 13 2018
,
Mar 27 2018
,
Apr 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Dec 16 2017