Heap-buffer-overflow in webrtc::internal::CopyColumn |
||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5137307192262656 Fuzzer: libFuzzer_ulpfec_generator_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x6170000021e7 Crash State: webrtc::internal::CopyColumn webrtc::ForwardErrorCorrection::InsertZerosInPacketMasks webrtc::ForwardErrorCorrection::EncodeFec Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=428777:428862 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5137307192262656 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Jun 7 2018
Automatically adding ccs based on suspected regression changelists: Rename ProducerFec to UlpfecGenerator. by brandtr@webrtc.org - https://chromium.googlesource.com/external/webrtc/trunk/webrtc/+/0c6d8cf89a80e54bdac59af7d72552efc5f1787c If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
,
Jun 7 2018
I don't seem to have the right to edit this bug. Somebody with access, please cc yinwa@chromium.org.
,
Jun 7 2018
,
Jun 7 2018
,
Jun 7 2018
,
Jun 7 2018
,
Jun 8 2018
I don't think the CL in #2 is the culprit as that change is a simple rename that landed in 2016. Rather, these changes to forward_error_correction_internal.cc look suspect: https://webrtc-review.googlesource.com/c/src/+/65920 https://webrtc-review.googlesource.com/c/src/+/69680 https://webrtc-review.googlesource.com/c/src/+/71200 Ying, can you take a look?
,
Jun 8 2018
,
Jun 12 2018
In rare test input the packets number may loop around and in the same FEC-protected group the packet sequence number became out of order. e.g.: In one test input, packets 0, 1, ..., 68 are with FEC protection, 69, 70, ..., 65535, 0, 1, 2, ..., 65 are without FEC protection. Packet with sequence number 66 has FEC protection. Now the group of FEC protected media packets became x, x, x, 68, 66, x, x, x. The sequence number is out of order and result in CopyColumn(), new_byte_index equals to 65535 thus out of array boundary. https://webrtc.googlesource.com/src/+/a46bd4b9c745e057b7a8d502bb9a914958642f4d/modules/rtp_rtcp/source/forward_error_correction_internal.cc#506
,
Jun 15 2018
The following revision refers to this bug: https://webrtc.googlesource.com/src.git/+/6a9bd744811c183764ef4a590aacbf96f18eb57e commit 6a9bd744811c183764ef4a590aacbf96f18eb57e Author: Ying Wang <yinwa@webrtc.org> Date: Fri Jun 15 13:30:26 2018 Fix a downstream test failure. In rare case the packets number may loop around and in the same FEC-protected group the packet sequence number became out of order. Bug: chromium:850493 Change-Id: Ice82aafd537e0edc1dbdb8b934e11e7c42a4cf60 Reviewed-on: https://webrtc-review.googlesource.com/82802 Commit-Queue: Ying Wang <yinwa@webrtc.org> Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org> Reviewed-by: Rasmus Brandt <brandtr@webrtc.org> Cr-Commit-Position: refs/heads/master@{#23633} [modify] https://crrev.com/6a9bd744811c183764ef4a590aacbf96f18eb57e/modules/rtp_rtcp/source/forward_error_correction_internal.cc [modify] https://crrev.com/6a9bd744811c183764ef4a590aacbf96f18eb57e/test/fuzzers/ulpfec_generator_fuzzer.cc
,
Jun 15 2018
,
Jun 15 2018
,
Jun 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/501f0a11a0dfbf4253d519ccaa2a33ceaa7c1ebd commit 501f0a11a0dfbf4253d519ccaa2a33ceaa7c1ebd Author: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Date: Mon Jun 18 07:57:53 2018 Roll src/third_party/webrtc e61d72b37c64..00c71836144b (11 commits) https://webrtc.googlesource.com/src.git/+log/e61d72b37c64..00c71836144b git log e61d72b37c64..00c71836144b --date=short --no-merges --format='%ad %ae %s' 2018-06-16 danilchap@webrtc.org Replace rtc::Optional with absl::optional in media, ortc, p2p 2018-06-15 titovartem@webrtc.org Add base64 webrtc owned third_party dep 2018-06-15 phoglund@webrtc.org Make instructions for checkin_chrome_dep a bit clearer. 2018-06-15 srte@webrtc.org Adds trial to ignore video pacing for audio packets. 2018-06-15 jonasolsson@webrtc.org Refactor checks to use a copy of the new logging backend. 2018-06-15 yinwa@webrtc.org Fix a downstream test failure. 2018-06-15 srte@webrtc.org Adds trial to always send padding packets when not sending video. 2018-06-15 jonasolsson@webrtc.org Remove stringstreams from modules/video_coding/ 2018-06-15 srte@webrtc.org Makes BBR congestion window more similar to QUIC. 2018-06-15 srte@webrtc.org Improves buffer time calculation in network control tester. 2018-06-15 danilchap@webrtc.org Replace rtc::Optional with absl::optional in audio, call and video Created with: gclient setdep -r src/third_party/webrtc@00c71836144b The AutoRoll server is located here: https://webrtc-chromium-roll.skia.org Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary. CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_archive_rel_ng;master.tryserver.chromium.mac:mac_chromium_archive_rel_ng BUG=chromium:None,chromium:850493 TBR=webrtc-chromium-sheriffs-robots@google.com Change-Id: I6ffa1cac7dd2e705ed84e9dee4649f7b3f9d6c54 Reviewed-on: https://chromium-review.googlesource.com/1103737 Reviewed-by: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#567944} [modify] https://crrev.com/501f0a11a0dfbf4253d519ccaa2a33ceaa7c1ebd/DEPS
,
Jun 19 2018
ClusterFuzz has detected this issue as fixed in range 567943:567948. Detailed report: https://clusterfuzz.com/testcase?key=5137307192262656 Fuzzer: libFuzzer_ulpfec_generator_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x6170000021e7 Crash State: webrtc::internal::CopyColumn webrtc::ForwardErrorCorrection::InsertZerosInPacketMasks webrtc::ForwardErrorCorrection::EncodeFec Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=428777:428862 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=567943:567948 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5137307192262656 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 19 2018
ClusterFuzz testcase 5137307192262656 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jul 23
,
Aug 16
,
Sep 21
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||
►
Sign in to add a comment |
||||||||||||||
Comment 1 by ClusterFuzz
, Jun 7 2018Labels: ClusterFuzz-Auto-CC