Closed
Bug 1480088
(CVE-2018-6156)
Opened 7 years ago
Closed 6 years ago
WebRTC: Overflow in FEC Processing (project zero)
Categories
(Core :: WebRTC: Audio/Video, defect, P2)
Tracking
RESOLVED
FIXED
mozilla70
People
(Reporter: posidron, Assigned: drno)
References
Details
(Keywords: csectype-bounds, sec-audit, sec-high, Whiteboard: [adv-main70+])
Attachments
(2 files)
WebRTC: Overflow in FEC Processing
Reporter
Comment 1•7 years ago
Reporter
Updated•7 years ago
Group: core-security
Component: WebRTC → WebRTC: Signaling
Reporter
Comment 2•7 years ago
The pref 'media.navigator.video.red_ulpfec_enabled' is disabled by default in Firefox. I did enable it now for Domino fuzzing runs.
Assignee
Comment 4•7 years ago
From bug 1480173 comment #1:
Project Zero found a problem in processing RED packets: https://bugs.chromium.org/p/project-zero/issues/detail?id=1573
By default RED support is preffed off in Firefox.
As the Chrome bug is again not public yet, going from the stack trace in the Project Zero report, it looks like Firefox is affected:
https://searchfox.org/mozilla-central/rev/196560b95f191b48ff7cba7c2ba9237bba6b5b6a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc#173
Because the buffer size is fixed to 1500 bytes:
https://searchfox.org/mozilla-central/rev/196560b95f191b48ff7cba7c2ba9237bba6b5b6a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/forward_error_correction.h#42
https://searchfox.org/mozilla-central/rev/196560b95f191b48ff7cba7c2ba9237bba6b5b6a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/include/rtp_rtcp_defines.h#24
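The kind of length check this bug calls for, as an added example that is not the WebRTC or Firefox code: a receiver unwraps a RED packet into a fixed 1500-byte buffer and rejects oversized input before any copy. The names `UnwrapRed`, `Packet`, `Result` and `MakeRedPacket` are hypothetical, and the sketch assumes a 12-byte RTP header and a single-block RED header (RFC 2198).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

constexpr size_t kIpPacketSize = 1500;  // fixed buffer size named in the comment above
constexpr size_t kRtpHeaderSize = 12;   // assumption: no CSRCs or header extensions
constexpr size_t kRedHeaderSize = 1;    // RFC 2198 final-block header (F bit = 0)

struct Packet {
  size_t length = 0;
  uint8_t data[kIpPacketSize];
};

enum class Result { kOk, kTooShort, kTooLong, kMultiBlock };

// Hypothetical helper: strips the RED header and rebuilds the media packet
// in a fixed-size buffer. Every length is validated before the first copy.
Result UnwrapRed(const uint8_t* in, size_t in_len, Packet* out) {
  if (in_len < kRtpHeaderSize + kRedHeaderSize) return Result::kTooShort;
  // The length check: an input larger than the buffer is dropped, not copied.
  if (in_len > kIpPacketSize) return Result::kTooLong;
  const uint8_t red = in[kRtpHeaderSize];
  if (red & 0x80) return Result::kMultiBlock;  // multi-block RED not handled here
  const size_t payload_len = in_len - kRtpHeaderSize - kRedHeaderSize;
  std::memcpy(out->data, in, kRtpHeaderSize);
  // Keep the marker bit, restore the inner payload type from the RED header.
  out->data[1] = static_cast<uint8_t>((in[1] & 0x80) | (red & 0x7f));
  std::memcpy(out->data + kRtpHeaderSize,
              in + kRtpHeaderSize + kRedHeaderSize, payload_len);
  out->length = kRtpHeaderSize + payload_len;
  return Result::kOk;
}

// Constructed sample input: total_len bytes (>= 12), RED payload type 116 (made up).
std::vector<uint8_t> MakeRedPacket(size_t total_len, uint8_t red_header) {
  std::vector<uint8_t> p(total_len, 0xAB);
  p[0] = 0x80;        // RTP version 2
  p[1] = 0x80 | 116;  // marker bit + outer (RED) payload type
  if (total_len > kRtpHeaderSize) p[kRtpHeaderSize] = red_header;
  return p;
}

int main() {
  Packet out;
  const std::vector<uint8_t> big = MakeRedPacket(kIpPacketSize + 1, 96);
  return UnwrapRed(big.data(), big.size(), &out) == Result::kTooLong ? 0 : 1;
}
```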
Assignee
Updated•7 years ago
Component: WebRTC: Signaling → WebRTC: Audio/Video
Assignee
Updated•7 years ago
Rank: 15
Priority: -- → P2
Comment 5•7 years ago
This is Chrome bug https://bugs.chromium.org/p/chromium/issues/detail?id=841962
The patch appears to be https://webrtc.googlesource.com/src.git/+/7a84fcf47a492d17ca20947e65b21a06b28e77cd
Group: core-security → media-core-security
Rank: 15
status-firefox63:
--- → disabled
status-firefox-esr60:
--- → disabled
Component: WebRTC: Audio/Video → WebRTC: Signaling
Keywords: sec-other
Priority: P2 → --
See Also: → https://bugs.chromium.org/p/project-zero/issues/detail?id=1573,
https://bugs.chromium.org/p/chromium/issues/detail?id=841962
Summary: WebRTC: Overflow in FEC Processing → WebRTC: Overflow in FEC Processing (project zero)
Comment 6•7 years ago
If this is disabled in Firefox can we unhide the bug? Or were we planning on enabling some time soon?
Component: WebRTC: Signaling → WebRTC: Audio/Video
Flags: needinfo?(drno)
Assignee
Comment 7•7 years ago
No, we are not planning on enabling it soon. So if it's okay to disclose preffed off issues, then we should be able to disclose this one.
Flags: needinfo?(drno)
Updated•7 years ago
Rank: 15
Priority: -- → P2
Assignee
Comment 9•6 years ago
Updated•6 years ago
Assignee: nobody → drno
Status: NEW → ASSIGNED
Assignee
Updated•6 years ago
Group: media-core-security
Comment 10•6 years ago
Pushed by nohlmeier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cc5e3d514f28
Added length check for uplfec. r=dminor
Comment 11•6 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox70:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Updated•5 years ago
Whiteboard: [adv-main70+]
Updated•5 years ago
Alias: CVE-2018-6156
Comment 12•5 years ago