Closed
Bug 1298107
Opened 8 years ago
Closed 8 years ago
Invalid array access in MediaEngineCameraVideoSource::GetCapability()
Categories
(Core :: WebRTC: Audio/Video, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla52
People
(Reporter: mccr8, Assigned: jib)
References
Details
(Keywords: crash, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main50+])
Crash Data
Attachments
(1 file, 1 obsolete file)
3.45 KB,
patch
|
jesup
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-be7e0580-8f63-4352-9b20-0f72c2160823. ============================================================= There's an assert against this, but it looks like we at least sometimes pass an invalid index. In this report: ElementAt(aIndex = 1, aLength = 1)
Assignee | ||
Updated•8 years ago
|
Rank: 15
Priority: -- → P1
Updated•8 years ago
|
Keywords: sec-moderate
Comment 1•8 years ago
|
||
In addition to finding the root cause, we could also MOZ_RELEASE_ASSERT, or simply "if (index >= array.Length()) { ... }"
Comment 2•8 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #1) > In addition to finding the root cause, we could also MOZ_RELEASE_ASSERT, or > simply "if (index >= array.Length()) { ... }" This issue was discovered and reported because nsTArray's ElementAt now does MOZ_RELEASE_ASSERT. Because of this this bug isn't exploitable in Aurora or Nightly (where the nsTArray release assert patch has landed), but is still potentially exploitable in Release, ESR, and Beta.
Updated•8 years ago
|
Assignee: nobody → jib
Comment 4•8 years ago
|
||
Any ideas? It seems extremely odd... I can't yet see how it's even possible.
Flags: needinfo?(jib)
Updated•8 years ago
|
Crash Signature: [@ InvalidArrayIndex_CRASH] → [@ InvalidArrayIndex_CRASH]
[@ InvalidArrayIndex_CRASH | mozilla::MediaEngineCameraVideoSource::GetCapability]
Comment 5•8 years ago
|
||
https://crash-stats.mozilla.com/report/index/aa05aecf-2e70-48db-9b16-d24ff2161006 is especially confusing. the invalid index and the number of entries in the array are 8 (most of the crashes are 1 or sometimes 2) .... we have the call to ::GetCapability() in an "if (!mHardcodedCapabilities.IsEmpty())", so we must have entries in the array. That can only happen if mozilla::camera::GetChildAndCall(&CamerasChild:NumberOfCapabilities) returns no entries - and then normally only on Mac. Screensharing will append a single item to the mHardCodedCapabilities,and so in theory could be involved.
Assignee | ||
Comment 6•8 years ago
|
||
I don't have a clear case where it can happen, though it may involve adding or removing a camera. The main issue I think is that GetCapabilities considers mHardcodedCapabilities as the first thing, whereas NumCapabilities considers mHardcodedCapabilities as a last thing. They should agree. The other thing is that a default hardcoded capability should be added based on type, not on coming up empty, and finally I should remove the hardcoded capabilities on OSX where they're no longer needed. I'll add a minimal patch to clamp the value to the last entry in the array, for uplift, and a second patch to fix up the logic.
Flags: needinfo?(jib)
Assignee | ||
Comment 7•8 years ago
|
||
Attachment #8798933 -
Flags: review?(rjesup)
Assignee | ||
Comment 8•8 years ago
|
||
Attachment #8798933 -
Attachment is obsolete: true
Attachment #8798933 -
Flags: review?(rjesup)
Attachment #8798944 -
Flags: review?(rjesup)
Assignee | ||
Comment 9•8 years ago
|
||
The NumCapabilities code before this patch is susceptible to GetChildAndCall(&CamerasChild::NumberOfCapabilities, ...) failing (returning -1, e.g. from [1] in theory), or returning 0 capabilities, and - having no way to fail itself, and by design - invents one mHardcodedCapabilities entry (sometimes several) when that happens. The way GetCapabilities is written, if future calls to GetChildAndCall(&CamerasChild::NumberOfCapabilities, ...) were to subsequently succeed with a real number > 0 (I don't know what situation would make it do that, gcp?), it would try to access mHardcodedCapabilities with that number, the problem. This patch closes that vulnerability now that mHardcodedCapabilities isn't used for anything else in this class (OSX has capabilities through AVFoundation now since bug 1180725). [1] https://dxr.mozilla.org/mozilla-central/rev/4b9944879c9a60a9aba4a744a7401bc38e0f39c4/dom/media/systemservices/CamerasChild.h#135
Flags: needinfo?(gpascutto)
Comment 10•8 years ago
|
||
>I don't know what situation would make it do that, gcp?
No idea. The comment suggest it may fail at shutdown, which would preclude the second part of your failure scenario.
Flags: needinfo?(gpascutto)
Comment 11•8 years ago
|
||
Comment on attachment 8798944 [details] [diff] [review] Remove hardcoded capabilities on OSX that are no longer used. (2) Review of attachment 8798944 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/media/webrtc/MediaEngineCameraVideoSource.cpp @@ +48,5 @@ > MediaEngineCameraVideoSource::GetCapability(size_t aIndex, > webrtc::CaptureCapability& aOut) const > { > MOZ_ASSERT(aIndex < mHardcodedCapabilities.Length()); > + aOut = mHardcodedCapabilities.SafeElementAt(aIndex, webrtc::CaptureCapability()); This should make it safe; it doesn't really avoid the cause of the bad index however. I presume this is the "uplift" version of the patch?
Attachment #8798944 -
Flags: review?(rjesup) → review+
Assignee | ||
Comment 12•8 years ago
|
||
This patch fixes the "cause" inasmuch as it corrects it so an index from CamerasParent is never applied to the mHardCodedCapabilities array, which is the direct cause of the overflow. We could uplift a smaller version, basically just the SafeElementAt change if we want, which would be the minimum patch, but I recommend uplifting the patch as-is. Without understanding the situations in which this could happen better, I don't have any additional patch planned atm.
Assignee | ||
Comment 13•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=d62eaef0b188&selectedJob=28808827
Keywords: checkin-needed
Comment 15•8 years ago
|
||
Oh, this apparently landed under bug 1304597. https://hg.mozilla.org/mozilla-central/rev/29c1b972c04d
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment 16•8 years ago
|
||
Comment on attachment 8798944 [details] [diff] [review] Remove hardcoded capabilities on OSX that are no longer used. (2) Approval Request Comment [Feature/regressing bug #]: Capability code (some time ago) [User impact if declined]: Crashes (RELEASE_ASSERTs) in 50 and newer, moderate sec issue in 49 and ESR45 (read access pass end of array) - not requesting uplift to those as this is a moderate. [Describe test coverage new/current, TreeHerder]: None since this requires plugging and unplugging devices during a run. [Risks and why]: virtually no risk - removes some no-longer-needed code for mac, and makes the array access safe. [String/UUID change made/needed]: none
Attachment #8798944 -
Flags: approval-mozilla-beta?
Attachment #8798944 -
Flags: approval-mozilla-aurora?
status-firefox50:
--- → affected
Comment on attachment 8798944 [details] [diff] [review] Remove hardcoded capabilities on OSX that are no longer used. (2) Sec-mod, Aurora51+, Beta50+
Attachment #8798944 -
Flags: approval-mozilla-beta?
Attachment #8798944 -
Flags: approval-mozilla-beta+
Attachment #8798944 -
Flags: approval-mozilla-aurora?
Attachment #8798944 -
Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/3f69ada08e16 https://hg.mozilla.org/releases/mozilla-beta/rev/3a88afcbfdc4
Updated•8 years ago
|
Group: media-core-security → core-security-release
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50+]
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•