Closed
Bug 1188590
Opened 9 years ago
Closed 9 years ago
jsjni_GetGlobalClassRef goes reentrant on main
Categories
(Core :: WebRTC: Audio/Video, defect, P1)
Core
WebRTC: Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla42
Tracking | Status | |
---|---|---|
firefox39 | --- | wontfix |
firefox40 | + | fixed |
firefox41 | + | fixed |
firefox42 | + | fixed |
firefox-esr38 | --- | wontfix |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
b2g-v2.2r | --- | unaffected |
b2g-master | --- | unaffected |
backlog | webrtc/webaudio+ |
People
(Reporter: bwc, Assigned: bwc)
References
Details
(Keywords: sec-critical, Whiteboard: [adv-main40+][post-critsmash-triage])
Attachments
(2 files)
1.16 KB,
patch
|
snorp
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
3.14 KB,
patch
|
RyanVM
:
review+
|
Details | Diff | Splinter Review |
This has only been observed on android 4.0. (And only on mozilla-beta, since the android 4.0 tests are disabled on aurora and central) The patch from bug 1182289 detected this problem.
Assignee | ||
Updated•9 years ago
|
Keywords: sec-critical
Assignee | ||
Comment 1•9 years ago
|
||
Ok, diagnostics are in: http://ftp.mozilla.org/pub/mozilla.org/mobile/try-builds/bcampen@mozilla.com-9a9bdd9b7c40/try-android-api-11-debug/try_panda_android-debug_test-mochitest-5-bm89-tests1-panda-build1491.txt.gz We are going reentrant in jsjni_GetGlobalClassRef, which is definitely android specific. https://dxr.mozilla.org/mozilla-central/source/widget/android/AndroidJNIWrapper.cpp#65
Assignee | ||
Updated•9 years ago
|
Summary: Unknown reentrancy on main somewhere below CreateOrUpdateMediaPipeline → jsjni_GetGlobalClassRef goes reentrant on main
Assignee | ||
Comment 2•9 years ago
|
||
This might work: https://treeherder.mozilla.org/#/jobs?repo=try&revision=fb6def2e8aaf
Assignee: nobody → docfaraday
Updated•9 years ago
|
status-firefox40:
--- → affected
status-firefox41:
--- → affected
Assignee | ||
Comment 3•9 years ago
|
||
Ok, fixed the compile bug, looks good (there's a known perma-orange on android, but that's about it). https://treeherder.mozilla.org/#/jobs?repo=try&revision=6b584fd6ab3f
Assignee | ||
Comment 4•9 years ago
|
||
Assignee | ||
Updated•9 years ago
|
Attachment #8640498 -
Attachment filename: . → remove_gratuitous_dispatch.patch
Attachment #8640498 -
Flags: review?(snorp)
Assignee | ||
Comment 5•9 years ago
|
||
Attachment #8640498 -
Flags: review?(snorp) → review+
Assignee | ||
Comment 6•9 years ago
|
||
Comment on attachment 8640503 [details] [diff] [review] (Beta only) Reenable mochitests for bug 1013809 Approval Request Comment Just re-enabling some tests that were disabled to allow bug 1182289 to land, now that we've found the cause of the mystery reentrancy.
Attachment #8640503 -
Flags: review?(rjesup)
Attachment #8640503 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 7•9 years ago
|
||
Comment on attachment 8640498 [details] [diff] [review] Don't sync dispatch if we're already on main Approval Request Comment for aurora, beta, and esr38 [Feature/regressing bug #]: Bug 839836 [User impact if declined]: Content will probably be able to cause UAFs in webrtc code (and probably other code too) on android. [Describe test coverage new/current, TreeHerder]: The patches from bug 1182289 uncovered this bug, because there are assertions that are tripped when main goes reentrant if CreateOrUpdateMediaPipeline is on the stack. These asserts do not cover all of the API in PeerConnection, nor do they cover other code that cannot tolerate main going reentrant. [Risks and why]: This patch alters timing (GetGlobalClassRef will finish earlier than stuff in main's event queue), so it is possible it could uncover other problems. However, I'm not seeing evidence of this on try. [String/UUID change made/needed]: None. [Security approval request comment] How easily could an exploit be constructed based on the patch? Since our mochitests for bug 1013809 hit this every time on android 4.0, it would seem pretty easy to hit this reliably. There are probably other ways to cause this bug too. It is hard to say how easy it would be to actually exploit. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The patch for re-enabling the tests for bug 1013809 on beta would provide a pretty good hint at how to trigger this bug, but the fix itself does not paint this kind of bullseye. We may wish to open a separate bug for the test patch, so the two are harder to link together. Which older supported branches are affected by this flaw? All. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? I'm pretty sure the patch will apply cleanly. If not, it will be a trivial backport. How likely is this patch to cause regressions; how much testing does it need? This patch alters timing (GetGlobalClassRef will finish earlier than stuff in main's event queue), so it is possible it could uncover other problems. However, I'm not seeing evidence of this on try.
Attachment #8640498 -
Flags: sec-approval?
Attachment #8640498 -
Flags: approval-mozilla-esr38?
Attachment #8640498 -
Flags: approval-mozilla-beta?
Attachment #8640498 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•9 years ago
|
status-firefox39:
--- → affected
status-firefox-esr38:
--- → affected
Updated•9 years ago
|
Comment 8•9 years ago
|
||
Comment on attachment 8640498 [details] [diff] [review] Don't sync dispatch if we're already on main Android isn't supported on esr38
Attachment #8640498 -
Flags: approval-mozilla-esr38?
Updated•9 years ago
|
Comment 9•9 years ago
|
||
Comment on attachment 8640498 [details] [diff] [review] Don't sync dispatch if we're already on main Approvals given!
Attachment #8640498 -
Flags: sec-approval?
Attachment #8640498 -
Flags: sec-approval+
Attachment #8640498 -
Flags: approval-mozilla-beta?
Attachment #8640498 -
Flags: approval-mozilla-beta+
Attachment #8640498 -
Flags: approval-mozilla-aurora?
Attachment #8640498 -
Flags: approval-mozilla-aurora+
Comment 10•9 years ago
|
||
Comment on attachment 8640503 [details] [diff] [review] (Beta only) Reenable mochitests for bug 1013809 Test-only changes can land w/o approval.
Attachment #8640503 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 11•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=67ee052e79c9
Comment 12•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/0104fc2803cb https://hg.mozilla.org/releases/mozilla-beta/rev/d87f96fc45b1 https://hg.mozilla.org/releases/mozilla-beta/rev/6b716448c59d Calling this in-testsuite+ since we in fact have tests that caught the issue, albeit on beta and on a platform we're soon to not be testing on anymore.
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-v2.2r:
--- → unaffected
status-b2g-master:
--- → unaffected
Flags: in-testsuite+
Updated•9 years ago
|
Attachment #8640503 -
Flags: review?(rjesup) → review+
Updated•9 years ago
|
backlog: --- → webRTC+
Rank: 5
Priority: -- → P1
Updated•9 years ago
|
Whiteboard: [adv-main40+]
https://hg.mozilla.org/mozilla-central/rev/67ee052e79c9
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Comment 14•9 years ago
|
||
See bug 1189058. The issue there was detected on the media thread. This bug will fix it for the main thread (and is a good idea) but it doesn't fix the underlying cause.
Updated•9 years ago
|
Whiteboard: [adv-main40+] → [adv-main40+][post-critsmash-triage]
Comment 15•9 years ago
|
||
I'm very worried about the fact that this was only caught by chance on an uplift to beta on a platform that's soon to be decommissioned. Looking at the test manifest, we disable all WebRTC tests on Android 2.3/4.3 - http://hg.mozilla.org/mozilla-central/file/e9389ca320ff/dom/media/tests/mochitest/mochitest.ini#l4. Looks like this goes back to when 2.3/4.3 were enabled to begin with. Maire, any idea what needs to be done to get these running again on 41+? We obviously got lucky this time.
Flags: needinfo?(mreavy)
Comment 16•9 years ago
|
||
I've opened a new bug and made it a P1: Bug 1189784. I gave Catlee a heads up that we'd likely need someone from releng to assist, and kmoir has already pinged me to ask how she can help.
Flags: needinfo?(mreavy)
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•