Closed Bug 1258079 Opened 8 years ago Closed 8 years ago

Intermittent test_mediaDecoding.html | application crashed [@ mozilla::OffTheBooksMutex::Lock]


(Core :: Audio/Video: MediaStreamGraph, defect, P1)




Tracking Status
firefox47 + wontfix
firefox48 + fixed
firefox49 + fixed
firefox-esr38 --- wontfix
firefox-esr45 48+ fixed
firefox50 + fixed


(Reporter: philor, Assigned: jesup)


(Keywords: csectype-uaf, intermittent-failure, sec-high, Whiteboard: [post-critsmash-triage][adv-main48+][adv-esr45.3+])


(2 files)

Possibly a dup
Rank: 10
Component: Web Audio → Audio/Video: MediaStreamGraph
Flags: needinfo?(rjesup)
Priority: -- → P1
Fwiw, I got this while running crashtests on Try.
Matt - that's a totally different bug; it's deadlocking in ObservedDocShell::ClearMarkers(), locking mOffTheMainThreadTimelineMarkers.  Please file a bug in that component.
Flags: needinfo?(rjesup) → needinfo?(mats)
Filed bug 1278588.
Flags: needinfo?(mats)
Closing since this has an e5e5 signature (UAF)
Assignee: nobody → rjesup
Group: media-core-security
Attachment #8760912 - Flags: review?(padenot) → review+
Comment on attachment 8760912
hold a ref to the GraphDriver during initialization

[Security approval request comment]
How easily could an exploit be constructed based on the patch?  Tough.  Very timing-related; seen once in automation.  Perhaps not impossible though.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?  Not beyond typical "made something a refptr on a sec bug"

Which older supported branches are affected by this flaw? all

If not all supported branches, which bug introduced the flaw? 34

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?  Trivial, safe

How likely is this patch to cause regressions; how much testing does it need?  most likely regression would be a leak (and not very likely).  Green try.
Attachment #8760912 - Flags: sec-approval?
Attachment #8760912 - Flags: approval-mozilla-esr45?
Attachment #8760912 - Flags: approval-mozilla-beta?
Attachment #8760912 - Flags: approval-mozilla-aurora?
This has sec-approval+ for checkin into trunk on June 21. After that we will want branch patches made and nominated for affected branches.
Whiteboard: [checkin on 6/11]
Attachment #8760912 - Flags: sec-approval? → sec-approval+
Tracking, sec-high.
Hi Al, should I consider including this as a ride-along in a 47 dot release? So far there are no dot release drivers but we might end up doing a dot release the week of 6/20 for the Selenium WebDriver issue.
Flags: needinfo?(abillings)
Ritu, this is a one line change so it would probably be ok for ride along.
Flags: needinfo?(abillings)
Whiteboard: [checkin on 6/11] → [checkin on 6/21]
(In reply to Al Billings [:abillings] from comment #11)
> Ritu, this is a one line change so it would probably be ok for ride along.

Ok. Thanks Al! Let me include it in my list of 47 ride-alongs.
If we are going to include this in a 47 dot release, do we also need to do an esr dot release? Or can this wait until 47.4.0esr?
Hi Paul, both Jesup and Maire are on PTO until July 5th. Is this something that is safe enough to be included in a 47 dot release? I am considering taking this one as a ride-along. Please let me know.
Flags: needinfo?(padenot)
For sure, yes.
Flags: needinfo?(padenot)
Keywords: checkin-needed
Whiteboard: [checkin on 6/21]
Comment on attachment 8760912
hold a ref to the GraphDriver during initialization

Let's take it on all branches!
Should be in 48 beta 3 and 45.3.0!
Attachment #8760912 - Flags: approval-mozilla-esr45?
Attachment #8760912 - Flags: approval-mozilla-esr45+
Attachment #8760912 - Flags: approval-mozilla-beta?
Attachment #8760912 - Flags: approval-mozilla-beta+
Attachment #8760912 - Flags: approval-mozilla-aurora?
Attachment #8760912 - Flags: approval-mozilla-aurora+
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Group: media-core-security → core-security-release
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main48+][adv-esr45.3+]
Group: core-security-release