Closed
Bug 1258079
Opened 9 years ago
Closed 8 years ago
Intermittent test_mediaDecoding.html | application crashed [@ mozilla::OffTheBooksMutex::Lock]
Categories
(Core :: Audio/Video: MediaStreamGraph, defect, P1)
Core
Audio/Video: MediaStreamGraph
Tracking
()
People
(Reporter: philor, Assigned: jesup)
Details
(Keywords: csectype-uaf, intermittent-failure, sec-high, Whiteboard: [post-critsmash-triage][adv-main48+][adv-esr45.3+])
Attachments
(2 files)
|
7.05 KB,
text/plain
|
Details | |
|
960 bytes,
patch
|
padenot
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
Sylvestre
:
approval-mozilla-esr45+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
||
Comment 1•9 years ago
|
||
Possibly a dup
Rank: 10
Component: Web Audio → Audio/Video: MediaStreamGraph
Flags: needinfo?(rjesup)
Priority: -- → P1
|
||
Comment 2•9 years ago
|
||
Fwiw, I got this while running crashtests on Try.
|
Assignee | |
Comment 3•8 years ago
|
||
Matt - that's a totally different bug; it's deadlocking in ObservedDocShell::ClearMarkers(), locking mOffTheMainThreadTimelineMarkers. Please file a bug in that component
Flags: needinfo?(rjesup) → needinfo?(mats)
|
|
Assignee | |
Comment 5•8 years ago
|
||
Closing since this has an e5e5 signature (UAF)
|
|
Assignee | |
Comment 6•8 years ago
|
||
Attachment #8760912 -
Flags: review?(padenot)
|
||
Updated•8 years ago
|
Attachment #8760912 -
Flags: review?(padenot) → review+
|
|
Assignee | |
Comment 7•8 years ago
|
||
Comment on attachment 8760912 [details] [diff] [review]
hold a ref to the GraphDriver during initialization
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Tough. Very timing-related; seen once in automation. Perhaps not impossible though.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Not beyond typical "made something a refptr on a sec bug"
Which older supported branches are affected by this flaw? all
If not all supported branches, which bug introduced the flaw? 34
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Trivial, safe
How likely is this patch to cause regressions; how much testing does it need? most likely regression would be a leak (and not very likely). Green try.
Attachment #8760912 -
Flags: sec-approval?
Attachment #8760912 -
Flags: approval-mozilla-esr45?
Attachment #8760912 -
Flags: approval-mozilla-beta?
Attachment #8760912 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Updated•8 years ago
|
status-firefox47:
--- → affected
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox-esr38:
--- → affected
status-firefox-esr45:
--- → affected
|
||
Comment 8•8 years ago
|
||
This has sec-approval+ for checkin into trunk on June 21. After that we will want branch patches made and nominated for affected branches.
tracking-firefox50:
--- → +
Whiteboard: [checkin on 6/11]
|
|
||
Updated•8 years ago
|
Attachment #8760912 -
Flags: sec-approval? → sec-approval+
|
||
Comment 9•8 years ago
|
||
Tracking, sec-high.
Hi Al, should I consider including this as a ride-along in a 47 dot release? So far there are no dot release drivers but we might end up doing a dot release the week of 6/20 for the Selenium WebDriver issue.
Flags: needinfo?(abillings)
|
|
||
Comment 11•8 years ago
|
||
Ritu, this is a one line change so it would probably be ok for ride along.
Flags: needinfo?(abillings)
Whiteboard: [checkin on 6/11] → [checkin on 6/21]
(In reply to Al Billings [:abillings] from comment #11)
> Ritu, this is a one line change so it would probably be ok for ride along.
Ok. Thanks Al! Let me include it in my list of 47 ride-alongs.
|
|
||
Comment 13•8 years ago
|
||
If we are going to include this in a 47 dot release, do we also need to do an esr dot release? Or can this wait until 47.4.0esr?
Hi Paul, both Jesup and Maire are on PTO until July 5th. Is this something that is safe enough to be included in a 47 dot release? I am considering taking this one as a ride-along. Please let me know.
Flags: needinfo?(padenot)
|
||
Updated•8 years ago
|
|
|
||
Updated•8 years ago
|
Keywords: checkin-needed
Whiteboard: [checkin on 6/21]
|
|
||
Comment 16•8 years ago
|
||
Comment on attachment 8760912 [details] [diff] [review]
hold a ref to the GraphDriver during initialization
Let's take it on all branches!
Should be in 48 beta 3 and 45.3.0!
Attachment #8760912 -
Flags: approval-mozilla-esr45?
Attachment #8760912 -
Flags: approval-mozilla-esr45+
Attachment #8760912 -
Flags: approval-mozilla-beta?
Attachment #8760912 -
Flags: approval-mozilla-beta+
Attachment #8760912 -
Flags: approval-mozilla-aurora?
Attachment #8760912 -
Flags: approval-mozilla-aurora+
|
||
Comment 17•8 years ago
|
||
Keywords: checkin-needed
|
|
||
Comment 18•8 years ago
|
||
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
|
||
Comment 19•8 years ago
|
||
|
|
||
Comment 20•8 years ago
|
||
|
||
Updated•8 years ago
|
Group: media-core-security → core-security-release
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main48+][adv-esr45.3+]
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•