Closed
Bug 1317670
Opened 8 years ago
Closed 8 years ago
ref_fuzz5 crashes Nightly in mozilla::MediaManager::OnNavigation
Categories
(Core :: WebRTC, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | + | fixed |
firefox52 | + | fixed |
firefox53 | + | fixed |
People
(Reporter: geeknik, Assigned: mchiang)
References
()
Details
(4 keywords, Whiteboard: [post-critsmash-triage])
Attachments
(2 files, 1 obsolete file)
2.44 KB,
patch
|
jib
:
review+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
1.77 KB,
patch
|
mchiang
:
review+
gchang
:
approval-mozilla-aurora+
gchang
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
While fuzzing Nightly with ref_fuzz5, this crash happened. https://crash-stats.mozilla.com/report/index/378396d7-43d6-4774-b4a2-087ae2161115 windbg + a516c754042c438a5c1499171ca525a980ecb911: (3688.3fc4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. xul!mozilla::MediaManager::OnNavigation+0x1de: 00007ffe`d2707856 4c3998c8000000 cmp qword ptr [rax+0C8h],r11 ds:e5e5e5e5`e5e5e6ad=???????????????? 2:031> ~* kp . 31 Id: 3688.3fc4 Suspend: 1 Teb: 00007ff6`3380d000 Unfrozen Child-SP RetAddr Call Site 0000003c`cefce510 00007ffe`d216dabc xul!mozilla::MediaManager::OnNavigation(unsigned int64 aWindowID = 0x8000006e)+0x1de [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\media\mediamanager.cpp @ 2698] 0000003c`cefce560 00007ffe`d194366a xul!mozilla::dom::Navigator::OnNavigation(void)+0x28 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\navigator.cpp @ 1778] 0000003c`cefce590 00007ffe`d14d8453 xul!nsGlobalWindow::SetNewDocument+0x8bf5be [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 2700] 0000003c`cefce8b0 00007ffe`d14d6b9e xul!nsDocumentViewer::InitInternal(class nsIWidget * aParentWidget = 0x0000003c`d92ed000, class nsISupports * aState = 0x00000000`00000000, struct mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> * aBounds = 0x0000003c`dde40c20, bool aDoCreation = true, bool aNeedMakeCX = true, bool aForceSetNewDocument = true)+0x25b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 900] 0000003c`cefce950 00007ffe`d131cac5 xul!nsDocumentViewer::Init(class nsIWidget * aParentWidget = 0x0000003c`d6042ec0, struct mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> * aBounds = 0x0000003c`cefceaa0)+0x1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 644] 0000003c`cefce9a0 00007ffe`d10789df xul!nsDocShell::SetupNewViewer(class nsIContentViewer * aNewViewer = 0x0000003c`d8f04a60)+0x355 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 9382] 0000003c`cefceb60 00007ffe`d14b69f4 xul!nsDocShell::Embed(class nsIContentViewer * aContentViewer = 0x00000000`80000000, char * aCommand = 0x0000003c`d9043800 "???", class nsISupports * aExtraInfo = 0x00007ffe`d1721562)+0x2f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7241] 0000003c`cefceb90 00007ffe`d14b6658 xul!nsDocShell::CreateContentViewer(class nsACString_internal * aContentType = 0x00000000`00000000, class nsIRequest * aRequest = 0x0000003c`dde05dd0, class nsIStreamListener ** aContentHandler = 0x0000003c`dde05dd0)+0x158 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 9187] 0000003c`cefcec40 00007ffe`d14b641a xul!nsDSURIContentListener::DoContent(class nsACString_internal * aContentType = 0x0000003c`d89478b8, bool aIsContentPreferred = true, class nsIRequest * aRequest = 0x00000000`00000000, class nsIStreamListener ** aContentHandler = 0x0000003c`00790800, bool * aAbortProcess = 0x0000003c`cefced98)+0xe8 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdsuricontentlistener.cpp @ 128] 0000003c`cefcecb0 00007ffe`d14b54d5 xul!nsDocumentOpenInfo::TryContentListener(class nsIURIContentListener * aListener = 0x00000000`00000001, class nsIChannel * aChannel = 0x0000003c`e7000620)+0x2fe [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\uriloader\base\nsuriloader.cpp @ 742] 0000003c`cefced80 00007ffe`d11a847b xul!nsDocumentOpenInfo::DispatchContent(class nsIRequest * request = 0x00000000`00000000, class nsISupports * aCtxt = 0x0000003c`d62f7301)+0x34d [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\uriloader\base\nsuriloader.cpp @ 414] 0000003c`cefcefa0 00007ffe`d11a7b7f xul!nsDocumentOpenInfo::OnStartRequest(class nsIRequest * request = 0x0000003c`d0f49918, class nsISupports * aCtxt = 0x0000003c`cefcf128)+0x353 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\uriloader\base\nsuriloader.cpp @ 277] 0000003c`cefcf0c0 00007ffe`d11cbf83 xul!nsBaseChannel::OnStartRequest(class nsIRequest * request = 0x0000003c`db542d70, class nsISupports * ctxt = 0x0000003c`db542d70)+0x7f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\netwerk\base\nsbasechannel.cpp @ 809] 0000003c`cefcf0f0 00007ffe`d11ccc71 xul!nsInputStreamPump::OnStateStart(void)+0xc3 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\netwerk\base\nsinputstreampump.cpp @ 525] 0000003c`cefcf120 00007ffe`d11ccb64 xul!nsInputStreamPump::OnInputStreamReady(class nsIAsyncInputStream * stream = 0x0000003c`d6047d68)+0xf9 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\netwerk\base\nsinputstreampump.cpp @ 441] 0000003c`cefcf160 00007ffe`d120a83f xul!nsOutputStreamReadyEvent::Run(void)+0x24 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\io\nsstreamutils.cpp @ 97] 0000003c`cefcf190 00007ffe`d12087c5 xul!nsThread::ProcessNextEvent(bool aMayWait = true, bool * aResult = 0x0000003c`cefcf5f0)+0x4b3 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1216] 0000003c`cefcf2a0 00007ffe`d1d3f600 xul!mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate * aDelegate = 0x0000003c`cefcf601)+0x9d [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 96] 0000003c`cefcf320 00007ffe`d15abb8f xul!mozilla::ipc::MessagePumpForChildProcess::Run(class base::MessagePump::Delegate * aDelegate = 0x0000003c`cefcf610)+0x70 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 302] 0000003c`cefcf350 00007ffe`d15abb52 xul!MessageLoop::RunHandler(void)+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226] ^ User interrupted operation error in '~* kp' 2:031> !analyze -v -f ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ole32.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\System32\msmpeg2vdec.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mf.dll - *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Stardock\Start8\Start8_64.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SYSTEM32\nvwgf2umx.dll - FAULTING_IP: xul!mozilla::MediaManager::OnNavigation+1de [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\media\mediamanager.cpp @ 2698] 00007ffe`d2707856 4c3998c8000000 cmp qword ptr [rax+0C8h],r11 EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00007ffed2707856 (xul!mozilla::MediaManager::OnNavigation+0x00000000000001de) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000000 Parameter[1]: ffffffffffffffff Attempt to read from address ffffffffffffffff FAULTING_THREAD: 0000000000003fc4 PROCESS_NAME: firefox.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 0000000000000000 EXCEPTION_PARAMETER2: ffffffffffffffff READ_ADDRESS: ffffffffffffffff FOLLOWUP_IP: xul!mozilla::MediaManager::OnNavigation+1de [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\media\mediamanager.cpp @ 2698] 00007ffe`d2707856 4c3998c8000000 cmp qword ptr [rax+0C8h],r11 NTGLOBALFLAG: 70 APPLICATION_VERIFIER_FLAGS: 0 BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5 PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5 DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5 LAST_CONTROL_TRANSFER: from 00007ffed216dabc to 00007ffed2707856 STACK_TEXT: 0000003c`cefce510 00007ffe`d216dabc : 00000000`00000000 00000000`8000006e 0000003c`d9043800 0000003c`cefce690 : xul!mozilla::MediaManager::OnNavigation+0x1de [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\media\mediamanager.cpp @ 2698] 0000003c`cefce560 00007ffe`d194366a : 0000003c`d9043800 00000000`00000000 0000003c`d9043800 0000003c`d9098000 : xul!mozilla::dom::Navigator::OnNavigation+0x28 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\navigator.cpp @ 1778] 0000003c`cefce590 00007ffe`d14d8453 : 0000003c`d9043830 0000003c`d9043830 0000003c`cefce908 00000000`00000000 : xul!nsGlobalWindow::SetNewDocument+0x8bf5be [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 2700] 0000003c`cefce8b0 00007ffe`d14d6b9e : 00000000`00000001 0000003c`d92ed000 00000000`00000000 0000003c`dde40c20 : xul!nsDocumentViewer::InitInternal+0x25b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 900] 0000003c`cefce950 00007ffe`d131cac5 : 0000003c`d6042ec0 0000003c`d6042ec0 0000003c`cefceaa0 0000003c`d9043800 : xul!nsDocumentViewer::Init+0x1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 644] 0000003c`cefce9a0 00007ffe`d10789df : 0000003c`00000000 0000003c`d8f04a60 0000003c`d90439c8 0000003c`d90439c8 : xul!nsDocShell::SetupNewViewer+0x355 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 9382] 0000003c`cefceb60 00007ffe`d14b69f4 : 0000003c`d0f498e0 00000000`80000000 0000003c`d9043800 00007ffe`d1721562 : xul!nsDocShell::Embed+0x2f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7241] 0000003c`cefceb90 00007ffe`d14b6658 : 00000000`00000000 00000000`00000000 0000003c`dde05dd0 0000003c`dde05dd0 : xul!nsDocShell::CreateContentViewer+0x158 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 9187] 0000003c`cefcec40 00007ffe`d14b641a : 00000000`00790800 0000003c`d89478b8 0000003c`d89478a0 00000000`00000000 : xul!nsDSURIContentListener::DoContent+0xe8 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\docshell\base\nsdsuricontentlistener.cpp @ 128] 0000003c`cefcecb0 00007ffe`d14b54d5 : 0000003c`d62f7301 00000000`00000001 0000003c`e7000620 0000003c`cf300200 : xul!nsDocumentOpenInfo::TryContentListener+0x2fe [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\uriloader\base\nsuriloader.cpp @ 742] 0000003c`cefced80 00007ffe`d11a847b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : xul!nsDocumentOpenInfo::DispatchContent+0x34d [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\uriloader\base\nsuriloader.cpp @ 414] 0000003c`cefcefa0 00007ffe`d11a7b7f : 00000000`00000000 0000003c`d0f49918 0000003c`cefcf128 00000000`00003682 : xul!nsDocumentOpenInfo::OnStartRequest+0x353 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\uriloader\base\nsuriloader.cpp @ 277] 0000003c`cefcf0c0 00007ffe`d11cbf83 : 0000003c`db542d70 0000003c`db542d70 0000003c`db542d70 0000003c`d8a4bca8 : xul!nsBaseChannel::OnStartRequest+0x7f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\netwerk\base\nsbasechannel.cpp @ 809] 0000003c`cefcf0f0 00007ffe`d11ccc71 : 0000003c`d0f3f000 00000000`00003682 0000003c`db542d78 0000003c`d8a4bca8 : xul!nsInputStreamPump::OnStateStart+0xc3 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\netwerk\base\nsinputstreampump.cpp @ 525] 0000003c`cefcf120 00007ffe`d11ccb64 : 0000003c`d0f3f000 0000003c`d6047d68 0000003c`cefcf239 0000003c`d0f093d0 : xul!nsInputStreamPump::OnInputStreamReady+0xf9 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\netwerk\base\nsinputstreampump.cpp @ 441] 0000003c`cefcf160 00007ffe`d120a83f : 0000003c`d0f8a800 0000003c`cefcf239 0000003c`cefcf301 00000000`00000001 : xul!nsOutputStreamReadyEvent::Run+0x24 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\io\nsstreamutils.cpp @ 97] 0000003c`cefcf190 00007ffe`d12087c5 : 0000003c`d0f12ce0 0000003c`d0f12ce0 0000003c`cefcf5f0 0000003c`d0f12ce0 : xul!nsThread::ProcessNextEvent+0x4b3 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1216] 0000003c`cefcf2a0 00007ffe`d1d3f600 : 0000003c`d0f12ce0 0000003c`cefcf601 0000003c`cefcf501 0000003c`cefcf7a0 : xul!mozilla::ipc::MessagePump::Run+0x9d [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 96] 0000003c`cefcf320 00007ffe`d15abb8f : 0000003c`cefcf5f0 0000003c`cefcf610 0000003c`d0f02101 00007ffe`dea1854d : xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x70 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 302] 0000003c`cefcf350 00007ffe`d15abb52 : 0000003c`cefcf3d8 0000003c`d0f02098 00007ffe`d3f04af0 00007ffe`d1206e3e : xul!MessageLoop::RunHandler+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226] 0000003c`cefcf380 00007ffe`d14945a4 : 0000003c`d8a4bca0 0000003c`d901dd60 0000003c`cefcf610 0000003c`d0f02101 : xul!MessageLoop::Run+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206] 0000003c`cefcf3d0 00007ffe`d1494264 : 0000003c`d8a4bca0 00007ffe`d1454f8a 0000edeb`f46a4bc1 0000003c`d8a4bca0 : xul!nsBaseAppShell::Run+0x3c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158] 0000003c`cefcf400 00007ffe`d2ead0a6 : 00000000`00000003 0000003c`d0f02101 0000003c`cefcf4a9 00007ffe`d2eac2fd : xul!nsAppShell::Run+0x2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 264] 0000003c`cefcf430 00007ffe`d1d3f5b9 : 0000003c`d8a4bca0 00000000`00000000 00000000`00000002 00007ffe`d35896f8 : xul!XRE_RunAppShell+0x2e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nsembedfunctions.cpp @ 869] 0000003c`cefcf460 00007ffe`d15abb8f : 0000003c`cefcf5f0 0000003c`cefcf610 0000003c`d0f02101 0000003c`cefcf4b0 : xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x29 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 278] 0000003c`cefcf490 00007ffe`d15abb52 : 0000003c`00000fff 0000003c`cefcf7a0 00000000`00000003 00007ffe`d15db476 : xul!MessageLoop::RunHandler+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226] 0000003c`cefcf4c0 00007ffe`d2eacd2d : 0000003c`d8a40400 0000003c`cefcf610 00000000`00000003 0000003c`cefcf7a0 : xul!MessageLoop::Run+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206] 0000003c`cefcf510 00007ff6`3449b116 : 00000000`0000000b 0000003c`d0f020e0 0000003c`d0f02080 00007ff6`344b68a0 : xul!XRE_InitChildProcess+0x639 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nsembedfunctions.cpp @ 705] 0000003c`cefcf780 00007ff6`34498669 : 00000000`0000000c 00000000`0000000c 0000003c`d0f020e0 00000000`00000480 : firefox!content_process_main+0x8e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\contentproc\plugin-container.cpp @ 198] 0000003c`cefcf7d0 00007ff6`34496615 : 00000000`00000000 00007ff6`3380f000 00000000`00000000 00000000`00000000 : firefox!wmain+0x54f9 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 115] 0000003c`cefcfbd0 00007ffe`f47113d2 : 00007ff6`34496670 00007ff6`3380f000 00000000`00000000 00000000`00000000 : firefox!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253] 0000003c`cefcfc10 00007ffe`f68654e4 : 00007ffe`f47113b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22 0000003c`cefcfc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34 FAULTING_SOURCE_CODE: No source found for 'c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\media\mediamanager.cpp' SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: xul!mozilla::MediaManager::OnNavigation+1de FOLLOWUP_NAME: MachineOwner MODULE_NAME: xul IMAGE_NAME: xul.dll DEBUG_FLR_IMAGE_TIMESTAMP: 5829c841 STACK_COMMAND: ~31s ; kb FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5_c0000005_xul.dll!mozilla::MediaManager::OnNavigation BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5_xul!mozilla::MediaManager::OnNavigation+1de WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/firefox_exe/53_0_0_6162/5829c279/xul_dll/53_0_0_6162/5829c841/c0000005/01717856.htm?Retriage=1 Followup: MachineOwner
Updated•8 years ago
|
Flags: sec-bounty?
Updated•8 years ago
|
Group: core-security → media-core-security
Comment 1•8 years ago
|
||
2698 seems to be RemoveMediaDevicesCallback(aWindowID);
Comment 2•8 years ago
|
||
Caused by Bug 1286429
Comment 3•8 years ago
|
||
The Clear()s are unneeded/useless. We could make it an nsTArray<RefPtr<>>, but that would require changing the callback type to a MediaDevices object - which is worth considering as an alternative
Attachment #8812538 -
Flags: review?(jib)
Updated•8 years ago
|
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Comment 4•8 years ago
|
||
Comment on attachment 8812538 [details] [diff] [review] imported patch Review of attachment 8812538 [details] [diff] [review]: ----------------------------------------------------------------- Lifting mCallbackMutex out to walk the list safely is a good idea, but AFAIK this particular list isn't modified off mainthread (only read), which makes me doubt it could have caused this main-thread crash. Instead, I suspect you're on to something with the ref-counting. MediaManager doesn't hold any references to the navigator.mediaDevices objects, which are cycle-collected reference-counted objects, instead it keeps raw pointers, which I think is the problem. We can change that as you suggest, or call RemoveDeviceChangeCallback from ~MediaDevices() (which as I recall, we did in an early patch version of this feature, but I expressed concern that removal in GC wasn't soon enough, so we moved it to OnNavigation, which is probably always sooner in practice, except with fuzzing. In hindsight we should of course have called it from both places). Munro, do you agree? Want to craft a patch?
Attachment #8812538 -
Flags: review?(jib) → review+
Updated•8 years ago
|
Flags: needinfo?(mchiang)
Assignee | ||
Comment 5•8 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #3) > The Clear()s are unneeded/useless. We could make it an nsTArray<RefPtr<>>, > but that would require changing the callback type to a MediaDevices object - > which is worth considering as an alternative (In reply to Jan-Ivar Bruaroey [:jib] from comment #4) > We can change that as you suggest, or call RemoveDeviceChangeCallback from > ~MediaDevices() (which as I recall, we did in an early patch version of this > feature, but I expressed concern that removal in GC wasn't soon enough, so > we moved it to OnNavigation, which is probably always sooner in practice, > except with fuzzing. In hindsight we should of course have called it from > both places). > > Munro, do you agree? Want to craft a patch? It's not easy to make it an nsTArray<RefPtr<>> because there are three classes (MediaDevices / MediaManager / CamerasChild) are derived from DeviceChangeCallback. I can add a snippet in ~MediaDevices() to call RemoveDeviceChangeCallback as jib suggested. If there is no concern, I will file a new extension bug and submit the patch.
Flags: needinfo?(mchiang)
Comment 6•8 years ago
|
||
Agree. Thanks, and you can just add your patch to this bug I think (we should avoid a public bug I think since it's a security issue).
Assignee | ||
Comment 7•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=928af300a2b5
Assignee | ||
Comment 8•8 years ago
|
||
Attachment #8812674 -
Flags: review?(jib)
Comment 9•8 years ago
|
||
Comment on attachment 8812674 [details] [diff] [review] Bug-1317670-call-MediaManager-RemoveDeviceChangeCallback-in-MediaDevices-dtor.patch Review of attachment 8812674 [details] [diff] [review]: ----------------------------------------------------------------- Lgtm provided we remove the assert. ::: dom/media/MediaDevices.cpp @@ +139,5 @@ > > +MediaDevices::~MediaDevices() > +{ > + MediaManager* mediamanager = MediaManager::GetIfExists(); > + MOZ_ASSERT(mediamanager != nullptr); We can't assert here I don't think, as navigator.mediaDevices can exist without MediaManager which is only created as needed.
Attachment #8812674 -
Flags: review?(jib) → review+
Assignee | ||
Comment 10•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=221aa3e6434a
Assignee | ||
Comment 11•8 years ago
|
||
carry r+ from jib
Attachment #8812674 -
Attachment is obsolete: true
Attachment #8812704 -
Flags: review+
Assignee | ||
Comment 12•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=22bf0fe65f482e0365d618334cb1e22090fd80fa
Assignee | ||
Updated•8 years ago
|
Keywords: checkin-needed
Comment 13•8 years ago
|
||
This needs sec approval before it can land (or clarification that only Trunk is affected). https://wiki.mozilla.org/Security/Bug_Approval_Process
Keywords: checkin-needed
Updated•8 years ago
|
Blocks: 1286429
status-firefox50:
--- → unaffected
status-firefox51:
--- → affected
status-firefox52:
--- → affected
status-firefox-esr45:
--- → unaffected
tracking-firefox51:
--- → ?
tracking-firefox52:
--- → ?
tracking-firefox53:
--- → ?
Version: Trunk → 51 Branch
Updated•8 years ago
|
Assignee: rjesup → mchiang
Comment 14•8 years ago
|
||
I think we still want my patch - the Clears are redundant, and without thread assertions there's risk of future changes making this fail, so locking around the entire list access makes sense. Also, this will cause potential issues with static analysis. I presume the off-thread access to this list doesn't change the data pointed to by the list entries in any way visible to the code that reads it without a lock on MainThread. As ryan says, all sec-high and sec-crits that are in any branch other than Nightly need sec-approval before landing.
Flags: needinfo?(jib)
Comment 15•8 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #14) > I presume the off-thread access to this list doesn't change the data pointed > to by the list entries in any way visible to the code that reads it without > a lock on MainThread. So MediaEngineWebRTC::Shutdown() calls RemoveDeviceChangeCallback() for CamerasChild, and does so off-main-thread (via ShutdownTask::Run(), on the media thread). So I think the assertion there doesn't hold. We should take both patches.
Comment 16•8 years ago
|
||
Comment on attachment 8812704 [details] [diff] [review] Bug-1317670-call-MediaManager-RemoveDeviceChangeCallback-in-MediaDevices-dtor.patch Applies to both patches. [Security approval request comment] How easily could an exploit be constructed based on the patch? Even though the timing window is probably quite small here, and can't easily be widened AFAIK (delete navigator.mediaDevices didn't work from content script) this is still a Use-After-Free, so with a timely GC, I imagine it is still subject to the regular UAF exploits. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No more so than the code. Which older supported branches are affected by this flaw? 51 and 52 If not all supported branches, which bug introduced the flaw? Bug 1286429 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should be the same. How likely is this patch to cause regressions; how much testing does it need? This is all proper intuitive cleanup and should need only basic testing.
Flags: needinfo?(jib)
Attachment #8812704 -
Flags: sec-approval?
Comment 17•8 years ago
|
||
Comment on attachment 8812538 [details] [diff] [review] imported patch Same
Attachment #8812538 -
Flags: sec-approval?
Comment 18•8 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #15) > (In reply to Randell Jesup [:jesup] from comment #14) > So MediaEngineWebRTC::Shutdown() calls RemoveDeviceChangeCallback() for > CamerasChild, and does so off-main-thread (via ShutdownTask::Run(), on the > media thread). So I think the assertion there doesn't hold. We should take > both patches. Note that CamerasChild and MediaManager classes each derive from DeviceChangeCallback independently, so changes in MediaManager::RemoveMediaDevicesCallback do not affect CamerasChild. Regardless, it's a safe and correct patch to take I think.
Comment 19•8 years ago
|
||
Though they do form a callback tree, which means OnDeviceChange() [1] may be called off thread () during MediaManager::RemoveMediaDevicesCallback if I understand correctly, so yes both patches please. [1] https://dxr.mozilla.org/mozilla-central/rev/0534254e9a40b4bade2577c631fe4cfa0b5db41d/dom/media/MediaManager.cpp#1957
Comment 20•8 years ago
|
||
Sorry I'm confusing myself with the various instances. There's a dispatch to main thread in that last link, which means the list in MediaManager is not walked in another thread. Either way.
Comment 22•8 years ago
|
||
Comment on attachment 8812704 [details] [diff] [review] Bug-1317670-call-MediaManager-RemoveDeviceChangeCallback-in-MediaDevices-dtor.patch sec-approval+ for trunk. Please nominate Beta and Aurora patches so we can avoid shipping this flaw.
Attachment #8812704 -
Flags: sec-approval? → sec-approval+
Updated•8 years ago
|
Updated•8 years ago
|
Attachment #8812538 -
Flags: sec-approval? → sec-approval+
Updated•8 years ago
|
Keywords: checkin-needed
Comment 23•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/70f538269f501ef0a6269966376a2c441f7e0c1e https://hg.mozilla.org/integration/mozilla-inbound/rev/01b543e78ae836f9d11f249d4324f75f15e4b12d
Keywords: checkin-needed
Comment 24•8 years ago
|
||
Comment on attachment 8812704 [details] [diff] [review] Bug-1317670-call-MediaManager-RemoveDeviceChangeCallback-in-MediaDevices-dtor.patch Approval Request Comment [Feature/regressing bug #]: bug 1286429 [User impact if declined]: Possibly exploitable UAF [Describe test coverage new/current, TreeHerder]: Tight timing hole found with a fuzzer; no direct coverage [Risks and why]: Low risk changes - add a wider lock around a lost access, ensure when a MediaDevices object is destroyed that it has been unregistered. [String/UUID change made/needed]: none
Attachment #8812704 -
Flags: approval-mozilla-beta?
Attachment #8812704 -
Flags: approval-mozilla-aurora?
Comment 25•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/01b543e78ae8 https://hg.mozilla.org/mozilla-central/rev/70f538269f50
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment 26•8 years ago
|
||
Comment on attachment 8812704 [details] [diff] [review] Bug-1317670-call-MediaManager-RemoveDeviceChangeCallback-in-MediaDevices-dtor.patch Fix a sec-high. Beta51+ and Aurora52+. Should be in 51 beta 4.
Attachment #8812704 -
Flags: approval-mozilla-beta?
Attachment #8812704 -
Flags: approval-mozilla-beta+
Attachment #8812704 -
Flags: approval-mozilla-aurora?
Attachment #8812704 -
Flags: approval-mozilla-aurora+
Comment 27•8 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/7fcfc4939f24 https://hg.mozilla.org/releases/mozilla-aurora/rev/2b50647ce630
Comment 28•8 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/fdb0e5daee38 https://hg.mozilla.org/releases/mozilla-beta/rev/814b871c8a17
Updated•8 years ago
|
Group: media-core-security → core-security-release
Updated•8 years ago
|
Flags: sec-bounty? → sec-bounty+
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•