Closed
Bug 1133051
Opened 10 years ago
Closed 10 years ago
MediaPipeline releases SrtpFlows on the wrong thread
Categories
(Core :: WebRTC: Networking, defect)
Core
WebRTC: Networking
Tracking
()
RESOLVED
FIXED
mozilla39
| Tracking | Status | |
|---|---|---|
| firefox39 | --- | fixed |
People
(Reporter: bwc, Assigned: bwc)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
|
1.77 KB,
patch
|
Details | Diff | Splinter Review |
While playing with TSAN, I noticed that we're getting data races when MediaPipelines are destroyed, because the SrtpFlow members are being destroyed on main instead of STS. This seems to have been a problem for a long time (the bundle work moved these into another member, but they weren't being deleted correctly before either). We probably need to release the references in MediaPipeline::ShutdownTransport_s, in the same place where we release the TransportFlows.
|
Assignee | |
Comment 1•10 years ago
|
||
I should note that the specific race I observed was here, which looks pretty alarming at first glance, but AFAICT we don't actually do anything with the value:
https://dxr.mozilla.org/mozilla-central/source/netwerk/srtp/src/crypto/cipher/aes_icm.c?from=aes_icm.c&case=true#149
|
|
Assignee | |
Comment 2•10 years ago
|
||
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → docfaraday
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•10 years ago
|
||
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8564352 -
Flags: review?(martin.thomson)
|
||
Comment 4•10 years ago
|
||
I note that this bug seems to be about SRTP but the patch is titled SCTP. I believe that
the bug title is what is correct.
This does appear to be a problem. Are we sure that there is never any time when the
flows are also manipulated on main, e.g., when they are created?
|
|
Assignee | |
Comment 5•10 years ago
|
||
Yes, I seem to have made a typo in the patch description.
I have not carried out any analysis of whether there are other racy accesses on these. I'll try to make some time for this.
|
|
Assignee | |
Comment 6•10 years ago
|
||
It does not look like these are touched anywhere other than STS to me.
|
||
Comment 7•10 years ago
|
||
Comment on attachment 8564352 [details] [diff] [review]
Clean up SctpFlows on STS
Review of attachment 8564352 [details] [diff] [review]:
-----------------------------------------------------------------
::: media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp
@@ +105,5 @@
> disconnect_all();
> transport_->Detach();
> rtp_.transport_ = nullptr;
> + rtp_.send_srtp_ = nullptr;
> + rtp_.recv_srtp_ = nullptr;
Might be better to move this to a TransportInfo::Detach(). or ::Destroy().
Attachment #8564352 -
Flags: review?(martin.thomson) → review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
Incorporate feedback.
|
|
Assignee | |
Comment 9•10 years ago
|
||
Flags: needinfo?(docfaraday)
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8564352 -
Attachment is obsolete: true
Flags: needinfo?(docfaraday)
|
|
Assignee | |
Comment 10•10 years ago
|
||
I was unable to spot any other races than the one in comment 1, and that one looked harmless since the value was never used apart from logging (https://dxr.mozilla.org/mozilla-central/search?q=%2Bvar-ref%3Acipher_type_t%3A%3Aref_count). This is probably not worth keeping as security sensitive.
Keywords: sec-audit
|
||
Updated•10 years ago
|
Group: core-security
|
||
Comment 11•10 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox39:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
You need to log in
before you can comment on or make changes to this bug.
Description
•