Bug 1178148 (CVE-2015-4486): Out of bounds read in decrease_ref_count

Status: RESOLVED FIXED (Closed). Opened 9 years ago, closed 9 years ago.
Product / Component: Core :: Audio/Video, defect
Target Milestone: mozilla42
Branch | Tracking | Status |
---|---|---|
firefox39 | --- | wontfix |
firefox40 | + | verified |
firefox41 | + | verified |
firefox42 | + | verified |
firefox-esr38 | - | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
b2g-v2.2r | --- | unaffected |
b2g-master | --- | fixed |
People: Reporter: inferno, Assigned: rillian
Keywords: csectype-bounds, sec-high
Whiteboard: [adv-main40+]
Attachments (1 file): 2.49 MB, application/x-zip-compressed
Description • 9 years ago (Reporter)

```
=================================================================
==18435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00008dab0 at pc 0x7fcb35a73832 bp 0x7fcaf976e030 sp 0x7fcaf976e028
READ of size 8 at 0x61f00008dab0 thread T101 (MediaPl~back #1)
    #0 0x7fcb35a73831 in decrease_ref_count /build/firefox/src/media/libvpx/vp9/decoder/vp9_decoder.h:126
    #1 0x7fcb35c0044b in frame_worker_hook /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:322
    #2 0x7fcb35a0ed76 in execute /build/firefox/src/media/libvpx/vp9/common/vp9_thread.c:134
    #3 0x7fcb35bffadd in decode_one /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:493
    #4 0x7fcb35bf9507 in decoder_decode /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:686
    #5 0x7fcb35c013c7 in vpx_codec_decode /build/firefox/src/media/libvpx/vpx/src/vpx_decoder.c:122
    #6 0x7fcb32ad4f6e in DecodeVideoFrame /build/firefox/src/dom/media/webm/SoftwareWebMVideoDecoder.cpp:149
    #7 0x7fcb3269a919 in RequestVideoData /build/firefox/src/dom/media/MediaDecoderReader.cpp:277
    #8 0x7fcb3278e93d in Invoke /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:902
    #9 0x7fcb3278ec53 in Run /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:919
    #10 0x7fcb32649dbc in Run /build/firefox/src/dom/media/TaskDispatcher.h:181
    #11 0x7fcb327d6489 in Run /build/firefox/src/dom/media/MediaTaskQueue.cpp:256
    #12 0x7fcb2dd6648e in Run /build/firefox/src/xpcom/threads/nsThreadPool.cpp:221
    #13 0x7fcb2dd66a6c in _ZThn8_N12nsThreadPool3RunEv /build/firefox/src/xpcom/threads/nsThreadPool.cpp:151
    #14 0x7fcb2dd60106 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:848
    #15 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
    #16 0x7fcb2e687ed6 in Run /build/firefox/src/ipc/glue/MessagePump.cpp:326
    #17 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #18 0x7fcb2dd5cba1 in ThreadFunc /build/firefox/src/xpcom/threads/nsThread.cpp:360
    #19 0x7fcb3b5c5ffa in _pt_root /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #20 0x7fcb3bc0a181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 (discriminator 2)
    #21 0x7fcb2b24047c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x61f00008dab0 is located 17 bytes to the right of 3103-byte region [0x61f00008ce80,0x61f00008da9f)
allocated by thread T102 (MediaPl~back #2) here:
    #0 0x4b6338 in __interceptor_malloc _asan_rtl_ (discriminator 14)
    #1 0x7fcb35c03256 in vpx_memalign /build/firefox/src/media/libvpx/vpx_mem/vpx_mem.c:126
    #2 0x7fcb35bf853a in init_decoder /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:372
    #3 0x7fcb35c013c7 in vpx_codec_decode /build/firefox/src/media/libvpx/vpx/src/vpx_decoder.c:122
    #4 0x7fcb32ad4f6e in DecodeVideoFrame /build/firefox/src/dom/media/webm/SoftwareWebMVideoDecoder.cpp:149
    #5 0x7fcb3269a919 in RequestVideoData /build/firefox/src/dom/media/MediaDecoderReader.cpp:277
    #6 0x7fcb3278e93d in Invoke /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:902
    #7 0x7fcb3278ec53 in Run /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/MediaPromise.h:919
    #8 0x7fcb32649dbc in Run /build/firefox/src/dom/media/TaskDispatcher.h:181
    #9 0x7fcb327d6489 in Run /build/firefox/src/dom/media/MediaTaskQueue.cpp:256
    #10 0x7fcb2dd6648e in Run /build/firefox/src/xpcom/threads/nsThreadPool.cpp:221
    #11 0x7fcb2dd66a6c in _ZThn8_N12nsThreadPool3RunEv /build/firefox/src/xpcom/threads/nsThreadPool.cpp:151
    #12 0x7fcb2dd60106 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:848
    #13 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
    #14 0x7fcb2e687ed6 in Run /build/firefox/src/ipc/glue/MessagePump.cpp:326
    #15 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #16 0x7fcb2dd5cba1 in ThreadFunc /build/firefox/src/xpcom/threads/nsThread.cpp:360
    #17 0x7fcb3b5c5ffa in _pt_root /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #18 0x7fcb3bc0a181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 (discriminator 2)

Thread T101 (MediaPl~back #1) created by T0 (Web Content) here:
    #0 0x430269 in __interceptor_pthread_create _asan_rtl_ (discriminator 7)
    #1 0x7fcb3b5c2dbf in _PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fcb3b5c29ea in PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fcb2dd5df66 in Init /build/firefox/src/xpcom/threads/nsThread.cpp:470
    #4 0x7fcb2dd63c6f in NewThread /build/firefox/src/xpcom/threads/nsThreadManager.cpp:253
    #5 0x7fcb2dd653dd in PutEvent /build/firefox/src/xpcom/threads/nsThreadPool.cpp:102
    #6 0x7fcb2dd66eda in Dispatch /build/firefox/src/xpcom/threads/nsThreadPool.cpp:262
    #7 0x7fcb327d4c9e in DispatchLocked /build/firefox/src/dom/media/MediaTaskQueue.cpp:65
    #8 0x7fcb327383cf in Dispatch /build/firefox/src/objdir-ff-asan/dom/media/fmp4/../../../dist/include/MediaTaskQueue.h:52
    #9 0x7fcb32648958 in DispatchTaskGroup /build/firefox/src/dom/media/TaskDispatcher.h:233
    #10 0x7fcb32648567 in reset /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/mozilla/Maybe.h:373
    #11 0x7fcb3264abb0 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/nsThreadUtils.h:618 (discriminator 4)
    #12 0x7fcb337195e1 in RunSyncSectionsInternal /build/firefox/src/widget/nsBaseAppShell.cpp:376
    #13 0x7fcb3371a8be in AfterProcessNextEvent /build/firefox/src/widget/nsBaseAppShell.h:95
    #14 0x7fcb2dd60563 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:862
    #15 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
    #16 0x7fcb2e6870fe in Run /build/firefox/src/ipc/glue/MessagePump.cpp:95
    #17 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #18 0x7fcb33717e6f in _ZN14nsBaseAppShell3RunEv /build/firefox/src/widget/nsBaseAppShell.cpp:165
    #19 0x7fcb356592c3 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #20 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #21 0x7fcb356587e7 in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #22 0x4dbbf2 in content_process_main /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:236
    #23 0x7fcb2b167ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

Thread T102 (MediaPl~back #2) created by T0 (Web Content) here:
    #0 0x430269 in __interceptor_pthread_create _asan_rtl_ (discriminator 7)
    #1 0x7fcb3b5c2dbf in _PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fcb3b5c29ea in PR_CreateThread /build/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fcb2dd5df66 in Init /build/firefox/src/xpcom/threads/nsThread.cpp:470
    #4 0x7fcb2dd63c6f in NewThread /build/firefox/src/xpcom/threads/nsThreadManager.cpp:253
    #5 0x7fcb2dd653dd in PutEvent /build/firefox/src/xpcom/threads/nsThreadPool.cpp:102
    #6 0x7fcb2dd66eda in Dispatch /build/firefox/src/xpcom/threads/nsThreadPool.cpp:262
    #7 0x7fcb327d4c9e in DispatchLocked /build/firefox/src/dom/media/MediaTaskQueue.cpp:65
    #8 0x7fcb327383cf in Dispatch /build/firefox/src/objdir-ff-asan/dom/media/fmp4/../../../dist/include/MediaTaskQueue.h:52
    #9 0x7fcb32648958 in DispatchTaskGroup /build/firefox/src/dom/media/TaskDispatcher.h:233
    #10 0x7fcb32648567 in reset /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/mozilla/Maybe.h:373
    #11 0x7fcb3264abb0 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /build/firefox/src/objdir-ff-asan/dom/media/../../dist/include/nsThreadUtils.h:618 (discriminator 4)
    #12 0x7fcb337195e1 in RunSyncSectionsInternal /build/firefox/src/widget/nsBaseAppShell.cpp:376
    #13 0x7fcb3371a8be in AfterProcessNextEvent /build/firefox/src/widget/nsBaseAppShell.h:95
    #14 0x7fcb2dd60563 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:862
    #15 0x7fcb2ddd70fc in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
    #16 0x7fcb2e6870fe in Run /build/firefox/src/ipc/glue/MessagePump.cpp:95
    #17 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #18 0x7fcb33717e6f in _ZN14nsBaseAppShell3RunEv /build/firefox/src/widget/nsBaseAppShell.cpp:165
    #19 0x7fcb356592c3 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #20 0x7fcb2e611c61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #21 0x7fcb356587e7 in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #22 0x4dbbf2 in content_process_main /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:236
    #23 0x7fcb2b167ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

Shadow bytes around the buggy address:
  0x0c3e80009b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e80009b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e80009b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e80009b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e80009b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e80009b50: 00 00 00 07 fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x0c3e80009b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80009b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80009b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80009b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80009ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
  Left alloca redzone:   ca
  Right alloca redzone:  cb
==18435==ABORTING
```
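The report above contains everything a triager needs, but the facts are spread across the header, the access line, the region line and two stacks. The Python script below is an added example, not part of this bug report and not ASan's or Mozilla's code: it parses those lines from an AddressSanitizer heap-buffer-overflow report, recomputes the overflow distance from the addresses instead of trusting the text, and emits a one-line triage summary. The embedded sample is cut down from the report in this bug; the regular expressions, the `AsanTriage` class and the runtime-frame prefixes it skips are this example's own assumptions about ASan's output format.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the first lines of the report in this bug, cut down to what the parser needs.
SAMPLE_REPORT = """\
==18435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00008dab0 at pc 0x7fcb35a73832 bp 0x7fcaf976e030 sp 0x7fcaf976e028
READ of size 8 at 0x61f00008dab0 thread T101 (MediaPl~back #1)
    #0 0x7fcb35a73831 in decrease_ref_count /build/firefox/src/media/libvpx/vp9/decoder/vp9_decoder.h:126
    #1 0x7fcb35c0044b in frame_worker_hook /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:322

0x61f00008dab0 is located 17 bytes to the right of 3103-byte region [0x61f00008ce80,0x61f00008da9f)
allocated by thread T102 (MediaPl~back #2) here:
    #0 0x4b6338 in __interceptor_malloc _asan_rtl_ (discriminator 14)
    #1 0x7fcb35c03256 in vpx_memalign /build/firefox/src/media/libvpx/vpx_mem/vpx_mem.c:126
    #2 0x7fcb35bf853a in init_decoder /build/firefox/src/media/libvpx/vp9/vp9_dx_iface.c:372
"""

# Assumed line shapes of ASan's text output (this example's own regexes, not an ASan API).
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)", re.M)
FRAME_RE = re.compile(r"^[ \t]*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)(?: \(discriminator \d+\))?$", re.M)
REGION_RE = re.compile(r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes (?P<side>to the right of|to the left of|inside of) "
                       r"(?P<size>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
ALLOC_RE = re.compile(r"^allocated by thread (?P<thread>T\d+)", re.M)
RUNTIME_PREFIXES = ("__interceptor_", "__asan_")  # sanitizer frames to skip when locating project code


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanTriage:
    kind: str
    operation: str            # READ or WRITE
    size: int                 # bytes accessed
    address: int
    access_thread: str
    access_stack: List[Frame]
    region_start: int
    region_end: int           # exclusive, as in ASan's [start,end)
    region_size: int
    reported_distance: int    # the "N bytes" figure printed by ASan
    side: str
    alloc_thread: Optional[str]
    alloc_stack: List[Frame]

    @property
    def distance_from_region(self) -> int:
        """Signed distance computed from the addresses: > 0 bytes past the exclusive end,
        < 0 bytes before the start, 0 inside the region (a freed region, not an overflow)."""
        if self.address >= self.region_end:
            return self.address - self.region_end
        if self.address < self.region_start:
            return self.address - self.region_start
        return 0

    @property
    def crosses_threads(self) -> bool:
        return self.alloc_thread is not None and self.alloc_thread != self.access_thread


def parse_asan_report(text: str) -> AsanTriage:
    header, access, region = HEADER_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a heap-buffer-overflow report with a region line")
    alloc = ALLOC_RE.search(text, region.end())
    # Frames before the region line belong to the faulting access; frames after
    # "allocated by" belong to the allocation site.
    frames = [(m.start(), Frame(int(m["n"]), m["func"], m["loc"])) for m in FRAME_RE.finditer(text)]
    return AsanTriage(
        kind=header["kind"], operation=access["op"], size=int(access["size"]),
        address=int(access["addr"], 16), access_thread=access["thread"],
        access_stack=[f for pos, f in frames if pos < region.start()],
        region_start=int(region["start"], 16), region_end=int(region["end"], 16),
        region_size=int(region["size"]), reported_distance=int(region["dist"]), side=region["side"],
        alloc_thread=alloc["thread"] if alloc else None,
        alloc_stack=[f for pos, f in frames if alloc and pos > alloc.start()],
    )


def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    """Skip sanitizer runtime frames (e.g. the malloc interceptor) to reach code the project owns."""
    for f in stack:
        if not f.function.startswith(RUNTIME_PREFIXES) and f.location != "_asan_rtl_":
            return f
    return None


def triage_summary(r: AsanTriage) -> str:
    # A write past a heap region corrupts memory; a read crashes or leaks adjacent data.
    impact = "memory corruption" if r.operation == "WRITE" else "crash or information disclosure"
    crash, alloc = r.access_stack[0], first_project_frame(r.alloc_stack)
    alloc_desc = f"{alloc.function} ({alloc.location})" if alloc else "unknown site"
    return (f"out-of-bounds {r.operation.lower()} of {r.size} bytes, {r.distance_from_region} bytes past "
            f"the end of a {r.region_size}-byte heap region; faulting frame {crash.function} ({crash.location}); "
            f"region allocated in {alloc_desc}; {'cross-thread' if r.crosses_threads else 'same-thread'} "
            f"access; likely impact: {impact}")


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    # Sanity check: the distance derived from the addresses must agree with ASan's own figure.
    assert report.distance_from_region == report.reported_distance
    print(triage_summary(report))
```

Run on the sample, the script reproduces the 17-byte distance and the 3103-byte region size from the addresses alone, and reports the access as a READ rather than a WRITE, which is the distinction behind the summary change from "Heap-buffer-overflow" to "Out of bounds read" recorded on this bug.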
Updated • 9 years ago
Keywords: csectype-bounds,
sec-high
Summary: Heap-buffer-overflow in decrease_ref_count → Out of bounds read in decrease_ref_count
Comment 1 • 9 years ago (Reporter)
Latest snapshot update (from Bug 1178215) has fixed this. It no longer reproduces.
Comment 3 • 9 years ago (Assignee)
Looks like. David, do you think we should uplift the libvpx update from Bug 1178215 to aurora/beta?
Flags: needinfo?(giles) → needinfo?(dveditz)
Comment 4 • 9 years ago
Yes, we should upgrade that on Aurora for sure, and Beta unless there are concerns it was a large, unstable version jump. I assume ESR-38 is likely affected too? If so we should land the library there as well.
status-firefox39: --- → affected
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox-esr38: --- → ?
tracking-firefox40: --- → +
tracking-firefox41: --- → +
tracking-firefox42: --- → +
tracking-firefox-esr38: --- → ?
Depends on: 1178215
Flags: needinfo?(dveditz) → needinfo?(giles)
Comment 5 • 9 years ago (Assignee)
Bug 1178215 is now on aurora and beta. I need help verifying whether ESR38 is vulnerable.
Flags: needinfo?(giles)
Comment 6 • 9 years ago (Assignee)
I am unable to reproduce with an asan build of esr 38 from try. https://treeherder.mozilla.org/#/jobs?repo=try&revision=d3a81aeeaa17
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 7 • 9 years ago
Given comment 6 above, I am untracking. Please feel free to re-request tracking if esr 38 affected status changes.
Updated • 9 years ago
Flags: needinfo?(kjozwiak)
QA Contact: kjozwiak
Comment 8 • 9 years ago

Reproduced the original issue using the following m-c asan build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1435355074/

Went through verification using the following builds:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1438092824/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1438081364/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1438048425/

Test Cases Used:
- opened test.html in several new windows in both e10s and non-e10s
- opened test.html in several new tabs in both e10s and non-e10s
- opened test.html in several Private Browsing windows/tabs in both e10s and non-e10s
Flags: needinfo?(kjozwiak)
Updated • 9 years ago
Whiteboard: [adv-main40+]
Updated • 9 years ago
Alias: CVE-2015-4486
Updated • 9 years ago
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-v2.2r: --- → unaffected
status-b2g-master: --- → fixed
Target Milestone: --- → mozilla42
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Flags: sec-bounty?
Comment 9 • 8 years ago
Bounty for this bug combined with bug 1177948 which triggered the library update that fixed both bugs.
Flags: sec-bounty? → sec-bounty-
Updated • 8 years ago
Group: core-security-release
Updated • 4 years ago
Flags: sec-bounty-hof-