Bug 1178148 (CVE-2015-4486): Out of bounds read in decrease_ref_count
Status: Closed, RESOLVED FIXED. Opened 10 years ago; closed 10 years ago.
Categories: Core :: Audio/Video, defect. Target milestone: mozilla42.
Release | Tracking | Status |
---|---|---|
firefox39 | --- | wontfix |
firefox40 | + | verified |
firefox41 | + | verified |
firefox42 | + | verified |
firefox-esr38 | - | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
b2g-v2.2r | --- | unaffected |
b2g-master | --- | fixed |
People: Reporter: inferno, Assigned: rillian
Keywords: csectype-bounds, reporter-external, sec-high; Whiteboard: [adv-main40+]
Attachments (1 file): 2.49 MB, application/x-zip-compressed
Description (Reporter):
>=================================================================
>==18435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00008dab0 at pc 0x7fcb35a73832 bp 0x7fcaf976e030 sp 0x7fcaf976e028
>READ of size 8 at 0x61f00008dab0 thread T101 (MediaPl~back #1)
> #0 0x7fcb35a73831 in decrease_ref_count /build/firefox/src/media/libvpx/vp9/decoder/vp9_decoder.h:126
> #1 0x7fcb35c0044b in frame_worker_hook /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:322
> #2 0x7fcb35a0ed76 in execute /build/firefox/src/media/libvpx/vp9/common/vp9_thread.c:134
> #3 0x7fcb35bffadd in decode_one /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:493
> #4 0x7fcb35bf9507 in decoder_decode /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:686
> #5 0x7fcb35c013c7 in vpx_codec_decode /build/firefox/src/media/libvpx/vpx/src/vpx_decoder.c:122
> #6 0x7fcb32ad4f6e in DecodeVideoFrame /build/firefox/src/dom/media/webm/SoftwareWebMVideoDecoder.cpp:149
> #7 0x7fcb3269a919 in RequestVideoData /build/firefox/src/dom/media/MediaDecoderReader.cpp:277
> #8 0x7fcb3278e93d in Invoke /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:902
> #9 0x7fcb3278ec53 in Run /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:919
> #10 0x7fcb32649dbc in Run /build/firefox/src/dom/media/TaskDispatcher.h:181
> #11 0x7fcb327d6489 in Run /build/firefox/src/dom/media/MediaTaskQueue.cpp:256
> #12 0x7fcb2dd6648e in Run /build/firefox/src/xpcom/threads/nsThreadPool.cpp:221
> #13 0x7fcb2dd66a6c in _ZThn8_N12nsThreadPool3RunEv /build/firefox/src/xpcom/threads/nsThreadPool.cpp:151
> #14 0x7fcb2dd60106 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:848
> #15 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
> #16 0x7fcb2e687ed6 in Run /build/firefox/src/ipc/glue/MessagePump.cpp:326
> #17 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
> #18 0x7fcb2dd5cba1 in ThreadFunc /build/firefox/src/xpcom/threads/nsThread.cpp:360
> #19 0x7fcb3b5c5ffa in _pt_root /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:212
> #20 0x7fcb3bc0a181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 (discriminator 2)
> #21 0x7fcb2b24047c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>
>0x61f00008dab0 is located 17 bytes to the right of 3103-byte region [0x61f00008ce80,0x61f00008da9f)
>allocated by thread T102 (MediaPl~back #2) here:
> #0 0x4b6338 in __interceptor_malloc _asan_rtl_ (discriminator 14)
> #1 0x7fcb35c03256 in vpx_memalign /build/firefox/src/media/libvpx/vpx_mem/vpx_mem.c:126
> #2 0x7fcb35bf853a in init_decoder /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:372
> #3 0x7fcb35c013c7 in vpx_codec_decode /build/firefox/src/media/libvpx/vpx/src/vpx_decoder.c:122
> #4 0x7fcb32ad4f6e in DecodeVideoFrame /build/firefox/src/dom/media/webm/SoftwareWebMVideoDecoder.cpp:149
> #5 0x7fcb3269a919 in RequestVideoData /build/firefox/src/dom/media/MediaDecoderReader.cpp:277
> #6 0x7fcb3278e93d in Invoke /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:902
> #7 0x7fcb3278ec53 in Run /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:919
> #8 0x7fcb32649dbc in Run /build/firefox/src/dom/media/TaskDispatcher.h:181
> #9 0x7fcb327d6489 in Run /build/firefox/src/dom/media/MediaTaskQueue.cpp:256
> #10 0x7fcb2dd6648e in Run /build/firefox/src/xpcom/threads/nsThreadPool.cpp:221
> #11 0x7fcb2dd66a6c in _ZThn8_N12nsThreadPool3RunEv /build/firefox/src/xpcom/threads/nsThreadPool.cpp:151
> #12 0x7fcb2dd60106 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:848
> #13 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
> #14 0x7fcb2e687ed6 in Run /build/firefox/src/ipc/glue/MessagePump.cpp:326
> #15 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
> #16 0x7fcb2dd5cba1 in ThreadFunc /build/firefox/src/xpcom/threads/nsThread.cpp:360
> #17 0x7fcb3b5c5ffa in _pt_root /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:212
> #18 0x7fcb3bc0a181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 (discriminator 2)
>
>Thread T101 (MediaPl~back #1) created by T0 (Web Content) here:
> #0 0x430269 in __interceptor_pthread_create _asan_rtl_ (discriminator 7)
> #1 0x7fcb3b5c2dbf in _PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:453
> #2 0x7fcb3b5c29ea in PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:544
> #3 0x7fcb2dd5df66 in Init /build/firefox/src/xpcom/threads/nsThread.cpp:470
> #4 0x7fcb2dd63c6f in NewThread /build/firefox/src/xpcom/threads/nsThreadManager.cpp:253
> #5 0x7fcb2dd653dd in PutEvent /build/firefox/src/xpcom/threads/nsThreadPool.cpp:102
> #6 0x7fcb2dd66eda in Dispatch /build/firefox/src/xpcom/threads/nsThreadPool.cpp:262
> #7 0x7fcb327d4c9e in DispatchLocked /build/firefox/src/dom/media/MediaTaskQueue.cpp:65
> #8 0x7fcb327383cf in Dispatch /build/firefox/src/objdir-ff-asan/dom/media/fmp4/../../../dist/include/MediaTaskQueue.h:52
> #9 0x7fcb32648958 in DispatchTaskGroup /build/firefox/src/dom/media/TaskDispatcher.h:233
> #10 0x7fcb32648567 in reset /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/mozilla/Maybe.h:373
> #11 0x7fcb3264abb0 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/nsThreadUtils.h:618 (discriminator 4)
> #12 0x7fcb337195e1 in RunSyncSectionsInternal /build/firefox/src/widget/nsBaseAppShell.cpp:376
> #13 0x7fcb3371a8be in AfterProcessNextEvent /build/firefox/src/widget/nsBaseAppShell.h:95
> #14 0x7fcb2dd60563 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:862
> #15 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
> #16 0x7fcb2e6870fe in Run /build/firefox/src/ipc/glue/MessagePump.cpp:95
> #17 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
> #18 0x7fcb33717e6f in _ZN14nsBaseAppShell3RunEv /build/firefox/src/widget/nsBaseAppShell.cpp:165
> #19 0x7fcb356592c3 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:778
> #20 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
> #21 0x7fcb356587e7 in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:614
> #22 0x4dbbf2 in content_process_main /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:236
> #23 0x7fcb2b167ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
>
>Thread T102 (MediaPl~back #2) created by T0 (Web Content) here:
> #0 0x430269 in __interceptor_pthread_create _asan_rtl_ (discriminator 7)
> #1 0x7fcb3b5c2dbf in _PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:453
> #2 0x7fcb3b5c29ea in PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:544
> #3 0x7fcb2dd5df66 in Init /build/firefox/src/xpcom/threads/nsThread.cpp:470
> #4 0x7fcb2dd63c6f in NewThread /build/firefox/src/xpcom/threads/nsThreadManager.cpp:253
> #5 0x7fcb2dd653dd in PutEvent /build/firefox/src/xpcom/threads/nsThreadPool.cpp:102
> #6 0x7fcb2dd66eda in Dispatch /build/firefox/src/xpcom/threads/nsThreadPool.cpp:262
> #7 0x7fcb327d4c9e in DispatchLocked /build/firefox/src/dom/media/MediaTaskQueue.cpp:65
> #8 0x7fcb327383cf in Dispatch /build/firefox/src/objdir-ff-asan/dom/media/fmp4/../../../dist/include/MediaTaskQueue.h:52
> #9 0x7fcb32648958 in DispatchTaskGroup /build/firefox/src/dom/media/TaskDispatcher.h:233
> #10 0x7fcb32648567 in reset /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/mozilla/Maybe.h:373
> #11 0x7fcb3264abb0 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/nsThreadUtils.h:618 (discriminator 4)
> #12 0x7fcb337195e1 in RunSyncSectionsInternal /build/firefox/src/widget/nsBaseAppShell.cpp:376
> #13 0x7fcb3371a8be in AfterProcessNextEvent /build/firefox/src/widget/nsBaseAppShell.h:95
> #14 0x7fcb2dd60563 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:862
> #15 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
> #16 0x7fcb2e6870fe in Run /build/firefox/src/ipc/glue/MessagePump.cpp:95
> #17 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
> #18 0x7fcb33717e6f in _ZN14nsBaseAppShell3RunEv /build/firefox/src/widget/nsBaseAppShell.cpp:165
> #19 0x7fcb356592c3 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:778
> #20 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
> #21 0x7fcb356587e7 in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:614
> #22 0x4dbbf2 in content_process_main /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:236
> #23 0x7fcb2b167ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
>
>Shadow bytes around the buggy address:
> 0x0c3e80009b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c3e80009b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c3e80009b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c3e80009b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c3e80009b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>=>0x0c3e80009b50: 00 00 00 07 fa fa[fa]fa fa fa fa fa fa fa fa fa
> 0x0c3e80009b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c3e80009b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c3e80009b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c3e80009b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c3e80009ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
>==18435==ABORTING
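As an added triage aid (not part of the bug report, and not Mozilla or libvpx code), the following Python parser pulls out of an ASan heap-buffer-overflow report like the one above the facts a defender needs to classify it: error class, access kind and size, faulting frame, allocation site, allocating versus accessing thread, and how far outside the allocated region the access lands. It also recomputes the offset from the region bounds ASan prints and flags any disagreement, which catches copy-paste damage in reports pasted into tickets. The sample text is a constructed excerpt of the report above; the function and field names are this example's own.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports.

Added example for this bug page, not Mozilla or libvpx code. Extracts the
facts needed to classify a report (error class, access kind/size, faulting
frame, allocation site, distance from the allocated region) and verifies
that the offset ASan prints agrees with the region bounds it prints.
"""
import re

# Constructed excerpt of the report quoted in the bug; only the lines the
# parser needs are kept, addresses and frames are as in the original.
SAMPLE_REPORT = """\
==18435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00008dab0 at pc 0x7fcb35a73832 bp 0x7fcaf976e030 sp 0x7fcaf976e028
READ of size 8 at 0x61f00008dab0 thread T101 (MediaPl~back #1)
    #0 0x7fcb35a73831 in decrease_ref_count /build/firefox/src/media/libvpx/vp9/decoder/vp9_decoder.h:126
    #1 0x7fcb35c0044b in frame_worker_hook /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:322
    #2 0x7fcb35a0ed76 in execute /build/firefox/src/media/libvpx/vp9/common/vp9_thread.c:134
0x61f00008dab0 is located 17 bytes to the right of 3103-byte region [0x61f00008ce80,0x61f00008da9f)
allocated by thread T102 (MediaPl~back #2) here:
    #0 0x4b6338 in __interceptor_malloc _asan_rtl_ (discriminator 14)
    #1 0x7fcb35c03256 in vpx_memalign /build/firefox/src/media/libvpx/vpx_mem/vpx_mem.c:126
    #2 0x7fcb35bf853a in init_decoder /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:372
"""

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
ALLOC_RE = re.compile(r"allocated by thread (T\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)


def parse_asan_report(text):
    """Return a dict of triage facts, or raise ValueError if the text is not
    a heap report carrying the fields this parser relies on."""
    header, access, region = HEADER_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a recognised ASan heap-overflow report")
    addr = int(access.group(3), 16)
    lo, hi = int(region.group(4), 16), int(region.group(5), 16)
    # The access stack sits between the READ/WRITE line and the "is located"
    # line; the allocation stack follows that line.
    access_frames = FRAME_RE.findall(text[access.end():region.start()])
    alloc_frames = FRAME_RE.findall(text[region.end():])
    alloc_thread = ALLOC_RE.search(text)
    # Recompute the distance from the region edge ([lo, hi) is half-open) and
    # compare it with the offset and region size ASan printed.
    offset = addr - hi if region.group(2) == "right" else lo - addr
    consistent = offset == int(region.group(1)) and hi - lo == int(region.group(3))
    # Skip the sanitizer's interceptor frame so the allocator reported is the
    # program's own call (vpx_memalign here), which is what a fix needs to find.
    allocator = next((fn for fn, _ in alloc_frames if not fn.startswith("__interceptor_")), None)
    return {
        "pid": int(header.group(1)),
        "kind": header.group(2),
        "op": access.group(1),
        "size": int(access.group(2)),
        "address": addr,
        "thread": access.group(4),
        "region_size": hi - lo,
        "offset": offset,
        "offset_consistent": consistent,
        "faulting_function": access_frames[0][0] if access_frames else None,
        "faulting_location": access_frames[0][1] if access_frames else None,
        "allocator": allocator,
        "alloc_thread": alloc_thread.group(1) if alloc_thread else None,
    }


def summarize(facts):
    """One-line summary of the kind a triager would put in a ticket title."""
    where = f"{facts['faulting_function']} ({facts['faulting_location']})"
    cross = "" if facts["alloc_thread"] == facts["thread"] else f", allocated on {facts['alloc_thread']}"
    return (f"{facts['kind']}: {facts['op']} of {facts['size']} bytes, {facts['offset']} bytes past a "
            f"{facts['region_size']}-byte region, in {where} on {facts['thread']}{cross}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Run on the excerpt, the parser confirms the report is internally consistent (the access address is exactly 17 bytes beyond the end of a 3103-byte region, matching both figures ASan printed) and surfaces that the buffer was allocated on a different media playback thread than the one that read past it, a detail worth carrying into triage of any multi-threaded decoder report.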
Updated•10 years ago
Keywords: csectype-bounds, sec-high
Summary: Heap-buffer-overflow in decrease_ref_count → Out of bounds read in decrease_ref_count
Comment 1•10 years ago (Reporter)
Latest snapshot update (from Bug 1178215) has fixed this. It no longer reproduces.
Comment 3•10 years ago (Assignee)
Looks like. David, do you think we should uplift the libvpx update from Bug 1178215 to aurora/beta?
Flags: needinfo?(giles) → needinfo?(dveditz)
Comment 4•10 years ago
Yes, we should upgrade that on Aurora for sure, and Beta unless there are concerns it was a large, unstable version jump. I assume ESR-38 is likely affected too? If so we should land the library there as well.
status-firefox39: --- → affected
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox-esr38: --- → ?
tracking-firefox40: --- → +
tracking-firefox41: --- → +
tracking-firefox42: --- → +
tracking-firefox-esr38: --- → ?
Depends on: 1178215
Flags: needinfo?(dveditz) → needinfo?(giles)
Comment 5•10 years ago (Assignee)
Bug 1178215 is now on aurora and beta. I need help verifying whether ESR38 is vulnerable.
Flags: needinfo?(giles)
Comment 6•10 years ago (Assignee)
I am unable to reproduce with an asan build of esr 38 from try.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=d3a81aeeaa17
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 7•10 years ago
Given comment 6 above, I am untracking. Please feel free to re-request tracking if esr 38 affected status changes.
Updated•10 years ago
Flags: needinfo?(kjozwiak)
QA Contact: kjozwiak
Comment 8•10 years ago
Reproduced the original issue using the following m-c asan build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1435355074/
Went through verification using the following build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1438092824/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1438081364/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1438048425/
Test Cases Used:
- opened test.html in several new windows in both e10s and non-e10s
- opened test.html in several new tabs in both e10s and non-e10s
- opened test.html in several Private Browsing windows/tabs in both e10s and non-e10s
Flags: needinfo?(kjozwiak)
Updated•10 years ago
Whiteboard: [adv-main40+]
Updated•10 years ago
Alias: CVE-2015-4486
Updated•10 years ago
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-v2.2r: --- → unaffected
status-b2g-master: --- → fixed
Target Milestone: --- → mozilla42
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Flags: sec-bounty?
Comment 9•9 years ago
Bounty for this bug combined with bug 1177948 which triggered the library update that fixed both bugs.
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
Group: core-security-release
Updated•5 years ago
Flags: sec-bounty-hof-
Updated•9 months ago
Keywords: reporter-external