Issue metadata
Sign in to add a comment
|
Container-overflow in webrtc::FftData::CopyToPackedArray |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6693276472836096 Fuzzer: libFuzzer_audio_processing_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Container-overflow READ 4 Crash Address: 0x624000029a60 Crash State: webrtc::FftData::CopyToPackedArray webrtc::Aec3Fft::Ifft webrtc::AdaptiveFirFilter::Constrain Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=551646:551651 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6693276472836096 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Apr 20 2018
,
Apr 20 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 20 2018
,
Apr 20 2018
,
Apr 20 2018
https://webrtc-review.googlesource.com/70580 looks like the culprit so assigning owner on the basis of that.
,
Apr 21 2018
,
Apr 23 2018
,
Apr 23 2018
As discovered by aleloi@: The issue is not related to the culprit CL indicated in #6. The issue is rather that a vector resize temporarily causes a pointer to point outside the vector size, but still inside the space of the reserved size of the vector. That means that there is no reading or writing outside of allocated memory, nor of uninitialized data. The fuzzer findings are, however, correct in that the reading is done outside of the set vector size so this is a valid issue that should be addressed. The issue is addressed in the CL: https://webrtc-review.googlesource.com/c/src/+/71820
,
Apr 24 2018
The following revision refers to this bug: https://webrtc.googlesource.com/src.git/+/882477f19da6c48c9d2342e48c9acd045196ecdc commit 882477f19da6c48c9d2342e48c9acd045196ecdc Author: Per Åhgren <peah@webrtc.org> Date: Tue Apr 24 09:02:34 2018 Corrected the counter for the filter constraint when the filter size changes Bug: chromium:834875 Change-Id: I036fe34eef894a8911a4d561fe5b671a8f98b718 Reviewed-on: https://webrtc-review.googlesource.com/71820 Reviewed-by: Alex Loiko <aleloi@webrtc.org> Commit-Queue: Per Åhgren <peah@webrtc.org> Cr-Commit-Position: refs/heads/master@{#22992} [modify] https://crrev.com/882477f19da6c48c9d2342e48c9acd045196ecdc/modules/audio_processing/aec3/adaptive_fir_filter.cc
,
Apr 24 2018
With the CL in #10. This issue should be fixed. Awaiting confirmation on that from the fuzzer bot.
,
Apr 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ce5f1458fb12d06ef4a31cda4dfd9544730effae commit ce5f1458fb12d06ef4a31cda4dfd9544730effae Author: webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Date: Tue Apr 24 14:42:50 2018 Roll src/third_party/webrtc/ b04e5cae0..29e865a5d (8 commits) https://webrtc.googlesource.com/src.git/+log/b04e5cae08b8..29e865a5d8a5 $ git log b04e5cae0..29e865a5d --date=short --no-merges --format='%ad %ae %s' Created with: roll-dep src/third_party/webrtc BUG= chromium:833801 ,chromium:None,chromium:834875,chromium:None The AutoRoll server is located here: https://webrtc-chromium-roll.skia.org Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary. CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_archive_rel_ng;master.tryserver.chromium.mac:mac_chromium_archive_rel_ng TBR=webrtc-chromium-sheriffs-robots@google.com Change-Id: Iab31fc923dd915e26178e425bfda37c9a6dd4f67 Reviewed-on: https://chromium-review.googlesource.com/1025320 Commit-Queue: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Reviewed-by: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#553098} [modify] https://crrev.com/ce5f1458fb12d06ef4a31cda4dfd9544730effae/DEPS
,
Apr 25 2018
M67 Stable promotion is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.
,
Apr 25 2018
ClusterFuzz has detected this issue as fixed in range 553006:553016. Detailed report: https://clusterfuzz.com/testcase?key=6693276472836096 Fuzzer: libFuzzer_audio_processing_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Container-overflow READ 4 Crash Address: 0x624000029a60 Crash State: webrtc::FftData::CopyToPackedArray webrtc::Aec3Fft::Ifft webrtc::AdaptiveFirFilter::Constrain Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=551646:551651 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=553006:553016 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6693276472836096 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 25 2018
Since the issue is now considered fine also by the fuzzer, it can be considered to be fixed.
,
Apr 25 2018
We would like to merge the fixing CL for this issue into M67.
,
Apr 25 2018
ClusterFuzz testcase 6693276472836096 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 25 2018
,
Apr 25 2018
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
+awhalley@ (Security TPM) for M67 merge review.
,
Apr 25 2018
,
May 4 2018
I wonder what the status is for the merge request? This is a CL that I think it would make sense to consider merging to M67.
,
May 4 2018
awhalley@, could you ptal comment #22?
,
May 4 2018
govind@ - good for 67
,
May 4 2018
Approving merge to M67 branch 3396 based on comment #24. Please merge ASAP. Thank you.
,
May 7 2018
This fixing CL for this issue is now merged into M67. The merging CL is: https://webrtc-review.googlesource.com/c/src/+/74842
,
May 7 2018
,
May 7 2018
This is already merged to M67 at #26.
,
Aug 1
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Apr 19 2018Labels: Test-Predator-Auto-CC