Closed Bug 1258942 Opened 4 years ago Closed 4 years ago

Intermittent test_getUserMedia_constraints.html | application terminated with exit code 1 / heap-use-after-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:509 __interceptor_strlen

Categories: Core :: WebRTC, defect, P1
Status: RESOLVED FIXED
Target Milestone: mozilla48
Tracking Status:
firefox46 --- disabled
firefox47 + disabled
firefox48 + fixed
firefox-esr38 --- unaffected
firefox-esr45 --- unaffected
People: Reporter: philor, Assigned: jesup
Keywords: csectype-uaf, intermittent-failure, sec-high
Attachments: 2 files

https://treeherder.mozilla.org/logviewer.html#?job_id=24375407&repo=mozilla-inbound

 17:52:06     INFO -  ==17914==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000269bf0 at pc 0x4609ce bp 0x7f0e93d0af50 sp 0x7f0e93d0af30
 17:52:06     INFO -  READ of size 2 at 0x602000269bf0 thread T262 (CubebOp~ion #14)
 17:52:06     INFO -      #0 0x4609cd in __interceptor_strlen /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:509
 17:52:06     INFO -      #1 0x7f0eccf8b55a (/usr/lib/x86_64-linux-gnu/libpulsecommon-1.1.so+0x3955a)
 17:52:06     INFO -      #2 0x7f0eccf8d52d (/usr/lib/x86_64-linux-gnu/libpulsecommon-1.1.so+0x3b52d)
 17:52:06     INFO -      #3 0x7f0ecd3e12f2 (/usr/lib/x86_64-linux-gnu/libpulse.so.0+0x292f2)
 17:52:06     INFO -      #4 0x7f0ecd3e1e62 (/usr/lib/x86_64-linux-gnu/libpulse.so.0+0x29e62)
 17:52:08     INFO -      #5 0x7f0ee6ec76a9 in pulse_stream_init /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libcubeb/src/cubeb_pulse.c:761
 17:52:08     INFO -      #6 0x7f0ee37d2d00 in mozilla::AudioCallbackDriver::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/GraphDriver.cpp:636
 17:52:08     INFO -      #7 0x7f0ee37d261b in mozilla::AsyncCubebTask::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/GraphDriver.cpp:521
 17:52:08     INFO -      #8 0x7f0edeaf1d43 in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
 17:52:08     INFO -      #9 0x7f0edeaf237c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
 17:52:08     INFO -      #10 0x7f0edeaeb300 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:994
 17:52:08     INFO -      #11 0x7f0edeb64aaa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
 17:52:08     INFO -      #12 0x7f0edf50f86f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:332
 17:52:08     INFO -      #13 0x7f0edf474aec in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
 17:52:08     INFO -      #14 0x7f0edf474aec in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
 17:52:08     INFO -      #15 0x7f0edf474aec in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
 17:52:08     INFO -      #16 0x7f0edeae6d4b in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:396
 17:52:08     INFO -      #17 0x7f0efa77e3cf in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
 17:52:08     INFO -      #18 0x7f0efdc93e99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
 17:52:08     INFO -      #19 0x7f0efcda338c (/lib/x86_64-linux-gnu/libc.so.6+0xf338c)
 17:52:08     INFO -  0x602000269bf0 is located 0 bytes inside of 11-byte region [0x602000269bf0,0x602000269bfb)
 17:52:08     INFO -  freed by thread T56 (MediaManager) here:
 17:52:08     INFO -      #0 0x471fe1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
 17:52:08     INFO -      #1 0x7f0ee6ebf62f in cubeb_device_info_destroy /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libcubeb/src/cubeb.c:428
 17:52:08     INFO -      #2 0x7f0ee6ebf62f in cubeb_device_collection_destroy /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libcubeb/src/cubeb.c:420
 17:52:08     INFO -      #3 0x7f0ee3cb982b in mozilla::AudioInputCubeb::UpdateDeviceList() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/webrtc/MediaEngineWebRTC.cpp:96
 17:52:08     INFO -      #4 0x7f0ee3cbee4d in mozilla::AudioInputCubeb::GetNumOfRecordingDevices(int&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/webrtc/MediaEngineWebRTC.h:181
 17:52:08     INFO -      #5 0x7f0ee3cbbbbc in mozilla::MediaEngineWebRTC::EnumerateAudioDevices(mozilla::dom::MediaSourceEnum, nsTArray<RefPtr<mozilla::MediaEngineAudioSource> >*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/webrtc/MediaEngineWebRTC.cpp:348
 17:52:08     INFO -  previously allocated by thread T62 (threaded-ml) here:
 17:52:08     INFO -      #0 0x4721e1 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
 17:52:08     INFO -      #1 0x7f0efcd37da1 (/lib/x86_64-linux-gnu/libc.so.6+0x87da1)
 17:52:08     INFO -  Thread T262 (CubebOp~ion #14) created by T62 (threaded-ml) here:
 17:52:08     INFO -      #0 0x45ea55 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
 17:52:08     INFO -      #1 0x7f0efa77ab20 in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457
 17:52:08     INFO -      #2 0x7f0efa77a68a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548
 17:52:08     INFO -      #3 0x7f0edeae84dd in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:526
 17:52:08     INFO -      #4 0x7f0edeaeedde in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:253
 17:52:08     INFO -      #5 0x7f0edeaf07ee in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:106
 17:52:08     INFO -      #6 0x7f0edeaf2886 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:277
 17:52:08     INFO -      #7 0x7f0ee37d559e in operator-> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsIEventTarget.h:37
 17:52:08     INFO -      #8 0x7f0ee37d559e in Dispatch /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/GraphDriver.h:561
 17:52:08     INFO -      #9 0x7f0ee37d559e in mozilla::AudioCallbackDriver::Start() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/GraphDriver.cpp:690
 17:52:08     INFO -      #10 0x7f0ee37d7820 in mozilla::AudioCallbackDriver::DataCallback(float const*, float*, long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/GraphDriver.cpp:977
 17:52:08     INFO -      #11 0x7f0ee6ec955d in trigger_user_callback /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libcubeb/src/cubeb_pulse.c:219
 17:52:08     INFO -      #12 0x7f0ee6ec91dd in stream_read_callback /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libcubeb/src/cubeb_pulse.c:323
 17:52:08     INFO -      #13 0x7f0ecd3c5b72 (/usr/lib/x86_64-linux-gnu/libpulse.so.0+0xdb72)
 17:52:08     INFO -  Thread T62 (threaded-ml) created by T56 (MediaManager) here:
 17:52:08     INFO -      #0 0x45ea55 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
 17:52:08     INFO -      #1 0x7f0eccf914fa (/usr/lib/x86_64-linux-gnu/libpulsecommon-1.1.so+0x3f4fa)
 17:52:08     INFO -  Thread T56 (MediaManager) created by T0 here:
 17:52:08     INFO -      #0 0x45ea55 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
 17:52:08     INFO -      #1 0x7f0edf48c6e4 in CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135
 17:52:08     INFO -      #2 0x7f0edf48c6e4 in Create /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
 17:52:08     INFO -      #3 0x7f0edf48c6e4 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/thread.cc:94
 17:52:08     INFO -      #4 0x7f0ee384f6a9 in mozilla::MediaManager::Get() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaManager.cpp:1527
 17:52:08     INFO -      #5 0x7f0ee384f073 in mozilla::dom::MediaDevices::GetUserMedia(mozilla::dom::MediaStreamConstraints const&, mozilla::ErrorResult&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDevices.cpp:156
 17:52:08     INFO -      #6 0x7f0ee19eb795 in getUserMedia /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:110
 17:52:08     INFO -      #7 0x7f0ee19eb795 in mozilla::dom::MediaDevicesBinding::getUserMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:128
 17:52:08     INFO -      #8 0x7f0ee2fbecad in mozilla::dom::GenericPromiseReturningBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/bindings/BindingUtils.cpp:2784
 17:52:08     INFO -      #9 0x7f0ee8c8b93c in CallJSNative /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/jscntxtinlines.h:235
 17:52:08     INFO -      #10 0x7f0ee8c8b93c in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:476
 17:52:08     INFO -      #11 0x7f0ee8ccd090 in Interpret(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:2807
 17:52:08     INFO -      #12 0x7f0ee8cadbee in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:426
 17:52:08     INFO -      #13 0x7f0ee8c8bf24 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:494
 17:52:08     INFO -      #14 0x7f0ee8ccd090 in Interpret(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:2807
 17:52:08     INFO -      #15 0x7f0ee8cadbee in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:426
 17:52:08     INFO -      #16 0x7f0ee8c8bf24 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:494
 17:52:08     INFO -      #17 0x7f0ee8ccd090 in Interpret(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:2807
 17:52:08     INFO -      #18 0x7f0ee8cadbee in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:426
 17:52:08     INFO -      #19 0x7f0ee8c8bf24 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:494
 17:52:08     INFO -      #20 0x7f0ee8cde0c4 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:528
 17:52:08     INFO -      #21 0x7f0ee80c6928 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/jit/BaselineIC.cpp:6140
 17:52:08     INFO -      #22 0x7f0ee80f1795 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/jit/BaselineJIT.cpp:149
 17:52:08     INFO -      #23 0x7f0ee80f0f6d in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/jit/BaselineJIT.cpp:188
 17:52:08     INFO -      #24 0x7f0ee8cada0d in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:416
 17:52:08     INFO -      #25 0x7f0ee8c8bf24 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:494
 17:52:08     INFO -      #26 0x7f0ee8cde0c4 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/vm/Interpreter.cpp:528
 17:52:08     INFO -      #27 0x7f0ee884e85f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/src/jsapi.cpp:2900
 17:52:08     INFO -      #28 0x7f0ee1dddb2a in mozilla::dom::AnyCallback::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:93
 17:52:08     INFO -      #29 0x7f0ee45fce5c in operator-> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:242
 17:52:08     INFO -      #30 0x7f0ee45fce5c in mozilla::dom::WrapperPromiseCallback::Call(JSContext*, JS::Handle<JS::Value>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/promise/PromiseCallback.cpp:336
 17:52:08     INFO -      #31 0x7f0ee4604475 in mozilla::dom::PromiseReactionJob::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/promise/Promise.cpp:106
 17:52:08     INFO -      #32 0x7f0ee45dd632 in mozilla::dom::Promise::PerformMicroTaskCheckpoint() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/promise/Promise.cpp:937
 17:52:08     INFO -      #33 0x7f0ee101f027 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/base/nsGlobalWindow.cpp:11995
 17:52:08     INFO -      #34 0x7f0ee0ffd9df in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/base/nsGlobalWindow.cpp:12213
 17:52:08     INFO -      #35 0x7f0ee0f9d541 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/base/nsGlobalWindow.cpp:12459
 17:52:08     INFO -      #36 0x7f0edeb04dd5 in nsTimerImpl::Fire() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsTimerImpl.cpp:524
 17:52:08     INFO -      #37 0x7f0edeadeee5 in nsTimerEvent::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TimerThread.cpp:286
 17:52:08     INFO -      #38 0x7f0edeaeb300 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:994
 17:52:08     INFO -      #39 0x7f0edeb64aaa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
 17:52:08     INFO -      #40 0x7f0edf50e8e9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:97
 17:52:08     INFO -      #41 0x7f0edf474aec in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
 17:52:08     INFO -      #42 0x7f0edf474aec in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
 17:52:08     INFO -      #43 0x7f0edf474aec in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
 17:52:08     INFO -      #44 0x7f0ee4a146c7 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:156
 17:52:08     INFO -      #45 0x7f0ee68aff58 in nsAppStartup::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
 17:52:08     INFO -      #46 0x7f0ee69ae40a in XREMain::XRE_mainRun() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4318
 17:52:08     INFO -      #47 0x7f0ee69af676 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4415
 17:52:08     INFO -      #48 0x7f0ee69b04be in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4521
 17:52:08     INFO -      #49 0x48a793 in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:220
 17:52:08     INFO -      #50 0x48a793 in main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:360
 17:52:08     INFO -      #51 0x7f0efccd176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
 17:52:08     INFO -  SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:509 __interceptor_strlen
 17:52:08     INFO -  Shadow bytes around the buggy address:
 17:52:08     INFO -    0x0c0480045320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 17:52:08     INFO -    0x0c0480045330: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fd fd
 17:52:08     INFO -    0x0c0480045340: fa fa fa fa fa fa fd fd fa fa fd fa fa fa fd fd
 17:52:08     INFO -    0x0c0480045350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
 17:52:08     INFO -    0x0c0480045360: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
 17:52:08     INFO -  =>0x0c0480045370: fa fa fd fd fa fa fa fa fa fa fd fd fa fa[fd]fd
 17:52:08     INFO -    0x0c0480045380: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
 17:52:08     INFO -    0x0c0480045390: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
 17:52:08     INFO -    0x0c04800453a0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
 17:52:08     INFO -    0x0c04800453b0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
 17:52:08     INFO -    0x0c04800453c0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
 17:52:08     INFO -  Shadow byte legend (one shadow byte represents 8 application bytes):
 17:52:08     INFO -    Addressable:           00
 17:52:08     INFO -    Partially addressable: 01 02 03 04 05 06 07
 17:52:08     INFO -    Heap left redzone:       fa
 17:52:08     INFO -    Heap right redzone:      fb
 17:52:08     INFO -    Freed heap region:       fd
 17:52:08     INFO -    Stack left redzone:      f1
 17:52:08     INFO -    Stack mid redzone:       f2
 17:52:08     INFO -    Stack right redzone:     f3
 17:52:08     INFO -    Stack partial redzone:   f4
 17:52:08     INFO -    Stack after return:      f5
 17:52:08     INFO -    Stack use after scope:   f8
 17:52:08     INFO -    Global redzone:          f9
 17:52:08     INFO -    Global init order:       f6
 17:52:08     INFO -    Poisoned by user:        f7
 17:52:08     INFO -    Contiguous container OOB:fc
 17:52:08     INFO -    ASan internal:           fe
 17:52:08     INFO -  ==17914==ABORTING
Group: core-security → media-core-security
Looks like a regression from the full duplex changes.
Rank: 10
Priority: -- → P1
It is from full-duplex.  The issue is that when you do a new enumeration, we free the old one, and suddenly all the opaque devid values we're using become UAFs (because they're pointers behind the curtain) - and we can't copy them.  

kinetik (and padenot and achronop) and I have discussed this before; I lean towards making a copy operator for the opaque devids, such that it *can't* disappear out from under us.  We've already jumped through hoops to try to hide the devid behind a stable index.  I can lock around the use of the translated devid value (via AudioInputCubeb::GetDeviceID()) until cubeb_stream_init() is done - that might be the simplest solution (and lock around replacing/deleting the enumeration).
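The two fixes discussed in that comment, locking across the devid translation and copying the opaque devid out, as an added C model that is not Gecko or cubeb code. The collection, lock, `update_device_list()`, `stream_init()` and the function names are constructed for illustration; the only thing taken from the report is the shape of the bug (an enumeration refresh frees the strings that an in-flight stream init is about to `strlen()`):

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not cubeb): an enumeration owns the opaque devid strings;
 * consumers translate a stable index into a devid and pass it to stream init. */
struct device_collection {
    char **devids;
    size_t count;
};

static struct device_collection *g_devices;               /* current enumeration */
static pthread_mutex_t g_devices_lock = PTHREAD_MUTEX_INITIALIZER;

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static struct device_collection *collection_create(const char *const *names, size_t n) {
    struct device_collection *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->devids = calloc(n ? n : 1, sizeof *c->devids);
    if (!c->devids) { free(c); return NULL; }
    for (size_t i = 0; i < n; i++) c->devids[i] = dup_string(names[i]);
    c->count = n;
    return c;
}

/* Plays the role of cubeb_device_collection_destroy(): frees every devid. */
static void collection_destroy(struct device_collection *c) {
    if (!c) return;
    for (size_t i = 0; i < c->count; i++) free(c->devids[i]);
    free(c->devids);
    free(c);
}

/* Stand-in for cubeb_stream_init(): the PulseAudio backend ends up calling
 * strlen() on the devid, which is the read ASan reported. */
static int stream_init(const char *devid, char *out, size_t outlen) {
    if (!devid || strlen(devid) == 0) return -1;
    snprintf(out, outlen, "stream:%s", devid);
    return 0;
}

/* UpdateDeviceList(): replace the enumeration and free the old one. It takes
 * the same lock the consumers hold, so it cannot free ids that are mid-use.
 * With try_only set it returns EBUSY instead of waiting. */
int update_device_list(const char *const *names, size_t n, int try_only) {
    if (try_only) {
        int rc = pthread_mutex_trylock(&g_devices_lock);
        if (rc != 0) return rc;
    } else {
        pthread_mutex_lock(&g_devices_lock);
    }
    struct device_collection *old = g_devices;
    g_devices = collection_create(names, n);
    collection_destroy(old);
    pthread_mutex_unlock(&g_devices_lock);
    return 0;
}

/* The buggy shape: translate index -> devid, drop the lock, hand out the raw
 * pointer. Any update_device_list() that runs before the caller is done leaves
 * it dangling into freed memory, as in the report above. For contrast only;
 * never dereference its result after a refresh. */
const char *get_device_id_unsafe(size_t index) {
    pthread_mutex_lock(&g_devices_lock);
    const char *devid = (g_devices && index < g_devices->count) ? g_devices->devids[index] : NULL;
    pthread_mutex_unlock(&g_devices_lock);
    return devid;
}

/* Fix 1 (what the patch does): hold the lock from the index->devid translation
 * until stream init has finished consuming the devid. */
int open_input_stream_locked(size_t index, char *out, size_t outlen) {
    pthread_mutex_lock(&g_devices_lock);
    int rc = -1;
    if (g_devices && index < g_devices->count)
        rc = stream_init(g_devices->devids[index], out, outlen);
    pthread_mutex_unlock(&g_devices_lock);
    return rc;
}

/* Fix 2 (the "copy operator" idea): copy the devid out under the lock, so the
 * caller owns a string that no later enumeration can free. Caller free()s it. */
char *get_device_id_copy(size_t index) {
    pthread_mutex_lock(&g_devices_lock);
    char *copy = (g_devices && index < g_devices->count) ? dup_string(g_devices->devids[index]) : NULL;
    pthread_mutex_unlock(&g_devices_lock);
    return copy;
}

/* The guarantee fix 1 relies on: while a consumer holds the lock (i.e. is
 * inside stream init), a refresh cannot proceed. Returns 1 if it was blocked. */
int refresh_blocked_while_in_use(void) {
    const char *names[] = { "replacement-device" };
    pthread_mutex_lock(&g_devices_lock);           /* consumer mid stream init */
    int rc = update_device_list(names, 1, 1);      /* enumeration races in */
    pthread_mutex_unlock(&g_devices_lock);
    return rc == EBUSY;
}

int main(void) {
    const char *first[] = { "alsa_input.pci-0000_00_1b.0.analog-stereo", "usb-mic" };
    const char *second[] = { "usb-mic-2" };
    char buf[128];

    update_device_list(first, 2, 0);
    char *id = get_device_id_copy(1);              /* our own copy of "usb-mic" */
    update_device_list(second, 1, 0);              /* frees the old enumeration */
    printf("copied id still valid after refresh: %s\n", id);
    free(id);

    printf("locked open: rc=%d %s\n", open_input_stream_locked(0, buf, sizeof buf), buf);
    printf("refresh blocked while in use: %d\n", refresh_blocked_while_in_use());
    update_device_list(NULL, 0, 0);                /* drop the last enumeration */
    return 0;
}
```

Either fix closes the window ASan hit: with the lock held across `stream_init()` the refresh simply waits, and with a copy the refresh can free whatever it likes. The copy approach also removes the deadlock question raised in the approval request, at the cost of an allocation per lookup and of callers having to own the string.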
Assignee: nobody → rjesup
Keywords: sec-high
MozReview-Commit-ID: DQ5FBW4H8mX
Attachment #8736407 - Flags: review?(padenot)
padenot: this is the same patch using hg diff -w so the whitespace diffs don't confuse things
Flags: needinfo?(padenot)
Attachment #8736407 - Flags: review?(padenot) → review+
Comment on attachment 8736407 [details] [diff] [review]
Lock around DeviceID access for audio inputs

Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]:
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: 
[String/UUID change made/needed]:

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Hard.  Hitting the timing hole would be the hardest part.  Also, the UAF would be interpreted as a string of an audio device to open, so the limit of an exploit might be to open the wrong audio device, unless there's a second vulnerability inside cubeb when you pass an evil string in.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?  They make it pretty clear this needs to be locked to avoid a UAF; hard to avoid disclosing that to anyone viewing the patch.

Which older supported branches are affected by this flaw?  47 and 48, but in 47 this is preffed-off.  I'm asking for Aurora, but it's ok if we decide not to.

If not all supported branches, which bug introduced the flaw? 47 introduced; 48 has the pref-on to enable this code.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?  simple

How likely is this patch to cause regressions; how much testing does it need?   Regressions are unlikely, as there's little deadlock risk here.  Basic smoke testing is pretty much all that is needed.
Flags: needinfo?(padenot)
Attachment #8736407 - Flags: sec-approval?
Attachment #8736407 - Flags: approval-mozilla-aurora?
Comment on attachment 8736407 [details] [diff] [review]
Lock around DeviceID access for audio inputs

approvals given.
Attachment #8736407 - Flags: sec-approval?
Attachment #8736407 - Flags: sec-approval+
Attachment #8736407 - Flags: approval-mozilla-aurora?
Attachment #8736407 - Flags: approval-mozilla-aurora+
Attachment #8736407 - Flags: approval-mozilla-aurora+
Turns out Aurora is not a simple uplift because we don't have bug 1250934, which is a considerably bigger changeset, and is only needed if someone prefs-on full-duplex in 47.  In light of this, let's not land this on 47.
https://hg.mozilla.org/mozilla-central/rev/ca5142203259
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Group: media-core-security → core-security-release
Group: core-security-release