heap-use-after-free in mozilla::OggDemuxer::RangeEndTime

VERIFIED FIXED in Firefox 53

Status: VERIFIED FIXED
Priority: P1
Severity: normal
Rank: 10

People

(Reporter: inferno, Assigned: gerald)

Tracking

Keywords: csectype-uaf, regression, sec-high
Version: unspecified
Target Milestone: mozilla54
Points: ---
Bug Flags: sec-bounty +

Firefox Tracking Flags

(firefox-esr45 unaffected, firefox52 unaffected, firefox-esr52 unaffected, firefox53+ verified, firefox54 verified)

Details

(Whiteboard: [fixed in 54 by bug 1319987])

Attachments

(4 attachments, 5 obsolete attachments)

(Reporter)

Description

2 years ago
==145946==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e0000f8828 at pc 0x7f449caf1f65 bp 0x7f44531e5cc0 sp 0x7f44531e5cb8
READ of size 8 at 0x61e0000f8828 thread T108 (MediaPD~oder #1)
    #0 0x7f449caf1f64 in Lock objdir-ff-asan/dist/include/mozilla/Mutex.h:69:25
    #1 0x7f449caf1f64 in BaseAutoLock objdir-ff-asan/dist/include/mozilla/Mutex.h:164
    #2 0x7f449caf1f64 in mozilla::EnableIf<((mozilla::DispatchPolicy)1)==((mozilla::DispatchPolicy)1), void>::Type mozilla::MediaEventSourceImpl<(mozilla::DispatchPolicy)1, (mozilla::ListenerPolicy)1, void>::NotifyInternal<(mozilla::DispatchPolicy)1, bool>(mozilla::IntegralConstant<mozilla::DispatchPolicy, (mozilla::DispatchPolicy)1>, bool&&) dom/media/MediaEventSource.h:502
    #3 0x7f449ceac622 in Notify<bool> objdir-ff-asan/dist/include/MediaEventSource.h:540:5
    #4 0x7f449ceac622 in Notify objdir-ff-asan/dist/include/MediaEventSource.h:577
    #5 0x7f449ceac622 in SetChained dom/media/ogg/OggDemuxer.cpp:599
    #6 0x7f449ceac622 in mozilla::OggDemuxer::RangeEndTime(mozilla::TrackInfo::TrackType, long, long, bool) dom/media/ogg/OggDemuxer.cpp:1587
    #7 0x7f449cea29e7 in RangeEndTime dom/media/ogg/OggDemuxer.cpp:1467:21
    #8 0x7f449cea29e7 in mozilla::OggDemuxer::ReadMetadata() dom/media/ogg/OggDemuxer.cpp:564
    #9 0x7f449cea1497 in mozilla::OggDemuxer::Init() dom/media/ogg/OggDemuxer.cpp:197:7
    #10 0x7f449cc4132c in operator() dom/media/MediaFormatReader.cpp:702:47
    #11 0x7f449cc4132c in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_5, mozilla::MozPromise<nsresult, mozilla::MediaResult, true> >::Run() objdir-ff-asan/dist/include/mozilla/MozPromise.h:1147
    #12 0x7f44980527a1 in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:232:12
    #13 0x7f449807fd42 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:226:14
    #14 0x7f44980805cc in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:153:15
    #15 0x7f4498065295 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1213:14
    #16 0x7f44980e6cea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:381:10
    #17 0x7f4498df8850 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:338:20
    #18 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #19 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #20 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #21 0x7f449805ea6c in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:467:11
    #22 0x7f44aebd82f5 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:216:5
    #23 0x7f44b2498183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #24 0x7f44b159937c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)

0x61e0000f8828 is located 936 bytes inside of 2584-byte region [0x61e0000f8480,0x61e0000f8e98)
freed by thread T0 (Web Content) here:
    #0 0x4dc330 in __interceptor_free /build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47
    #1 0x7f449cadc5f7 in Release dom/media/MediaDecoderReader.h:94:3
    #2 0x7f449cadc5f7 in Release objdir-ff-asan/dist/include/mozilla/RefPtr.h:40
    #3 0x7f449cadc5f7 in Release objdir-ff-asan/dist/include/mozilla/RefPtr.h:399
    #4 0x7f449cadc5f7 in ~RefPtr objdir-ff-asan/dist/include/mozilla/RefPtr.h:78
    #5 0x7f449cadc5f7 in ~MediaDecoderReaderWrapper dom/media/MediaDecoderReaderWrapper.cpp:19
    #6 0x7f449cadc5f7 in Release dom/media/MediaDecoderReaderWrapper.h:32
    #7 0x7f449cadc5f7 in Release objdir-ff-asan/dist/include/mozilla/RefPtr.h:40
    #8 0x7f449cadc5f7 in Release objdir-ff-asan/dist/include/mozilla/RefPtr.h:399
    #9 0x7f449cadc5f7 in ~RefPtr objdir-ff-asan/dist/include/mozilla/RefPtr.h:78
    #10 0x7f449cadc5f7 in mozilla::MediaDecoderStateMachine::~MediaDecoderStateMachine() dom/media/MediaDecoderStateMachine.cpp:2354
    #11 0x7f449caddbad in mozilla::MediaDecoderStateMachine::~MediaDecoderStateMachine() dom/media/MediaDecoderStateMachine.cpp:2347:1
    #12 0x7f449caafd3b in Release dom/media/MediaDecoderStateMachine.h:139:3
    #13 0x7f449caafd3b in Release objdir-ff-asan/dist/include/mozilla/RefPtr.h:40
    #14 0x7f449caafd3b in Release objdir-ff-asan/dist/include/mozilla/RefPtr.h:399
    #15 0x7f449caafd3b in assign_assuming_AddRef objdir-ff-asan/dist/include/mozilla/RefPtr.h:65
    #16 0x7f449caafd3b in assign_with_AddRef objdir-ff-asan/dist/include/mozilla/RefPtr.h:56
    #17 0x7f449caafd3b in operator= objdir-ff-asan/dist/include/mozilla/RefPtr.h:191
    #18 0x7f449caafd3b in mozilla::MediaDecoder::SetStateMachine(mozilla::MediaDecoderStateMachine*) dom/media/MediaDecoder.cpp:1431
    #19 0x7f449caad906 in mozilla::MediaDecoder::FinishShutdown() dom/media/MediaDecoder.cpp:578:3
    #20 0x7f449cb16587 in InvokeCallbackMethod<mozilla::MediaDecoder, void (mozilla::MediaDecoder::*)(), const bool &> objdir-ff-asan/dist/include/mozilla/MozPromise.h:473:5
    #21 0x7f449cb16587 in mozilla::MozPromise<bool, bool, false>::MethodThenValue<mozilla::MediaDecoder, void (mozilla::MediaDecoder::*)(), void (mozilla::MediaDecoder::*)()>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, bool, false>::ResolveOrRejectValue const&) objdir-ff-asan/dist/include/mozilla/MozPromise.h:506
    #22 0x7f449806fa10 in mozilla::MozPromise<bool, bool, false>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<bool, bool, false>::ResolveOrRejectValue const&) objdir-ff-asan/dist/include/mozilla/MozPromise.h:404:30
    #23 0x7f449806f219 in mozilla::MozPromise<bool, bool, false>::ThenValueBase::ResolveOrRejectRunnable::Run() objdir-ff-asan/dist/include/mozilla/MozPromise.h:328:21
    #24 0x7f4498065295 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1213:14
    #25 0x7f44980e6cea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:381:10
    #26 0x7f4498df7341 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #27 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #28 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #29 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #30 0x7f449dd5567a in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #31 0x7f449fdeebf2 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:924:22
    #32 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #33 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #34 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #35 0x7f449fdedfc3 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:756:34
    #36 0x518fda in content_process_main browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #37 0x518fda in main browser/app/nsBrowserApp.cpp:429
    #38 0x7f44b14c0f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

previously allocated by thread T0 (Web Content) here:
    #0 0x4dc688 in malloc /build/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x51a59d in moz_xmalloc memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f449ce9dd68 in operator new objdir-ff-asan/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f449ce9dd68 in mozilla::OggDecoder::CreateStateMachine() dom/media/ogg/OggDecoder.cpp:20
    #4 0x7f449caaff7a in mozilla::MediaDecoder::Load(nsIStreamListener**) dom/media/MediaDecoder.cpp:608:19
    #5 0x7f449c85bd05 in mozilla::dom::HTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**) dom/html/HTMLMediaElement.cpp:4584:27
    #6 0x7f449c8435c5 in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) dom/html/HTMLMediaElement.cpp:4553:10
    #7 0x7f449c842264 in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) dom/html/HTMLMediaElement.cpp:531:7
    #8 0x7f44981e80e4 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) netwerk/base/nsBaseChannel.cpp:810:25
    #9 0x7f4498230659 in nsInputStreamPump::OnStateStart() netwerk/base/nsInputStreamPump.cpp:524:25
    #10 0x7f449822fc12 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/nsInputStreamPump.cpp:426:25
    #11 0x7f449801ed2d in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:95:20
    #12 0x7f4498065295 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1213:14
    #13 0x7f44980e6cea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:381:10
    #14 0x7f44980635d9 in nsThread::Shutdown() xpcom/threads/nsThread.cpp:983:5
    #15 0x7f449808132e in nsThreadPool::Shutdown() xpcom/threads/nsThreadPool.cpp:328:17
    #16 0x7f449807a322 in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:791:12
    #17 0x7f449807a322 in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:797
    #18 0x7f449807a322 in mozilla::detail::RunnableMethodImpl<nsresult (nsIThreadPool::*)(), true, false>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:826
    #19 0x7f4498065295 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1213:14
    #20 0x7f44980e6cea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:381:10
    #21 0x7f4498df7341 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #22 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #23 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #24 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #25 0x7f449dd5567a in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #26 0x7f449fdeebf2 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:924:22
    #27 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #28 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #29 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #30 0x7f449fdedfc3 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:756:34
    #31 0x518fda in content_process_main browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #32 0x518fda in main browser/app/nsBrowserApp.cpp:429
    #33 0x7f44b14c0f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

Thread T108 (MediaPD~oder #1) created by T105 (MediaPl~back #1) here:
    #0 0x43544d in __interceptor_pthread_create /build/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
    #1 0x7f44aebd50e2 in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f44aebd4cfe in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f44980607a6 in nsThread::Init() xpcom/threads/nsThread.cpp:643:8
    #4 0x7f449807d649 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:260:22
    #5 0x7f449807ef16 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:107:26
    #6 0x7f44980808ca in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:275:5
    #7 0x7f44980685fc in mozilla::SharedThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) objdir-ff-asan/dist/include/mozilla/SharedThreadPool.h:71:68
    #8 0x7f44980514e5 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) xpcom/threads/TaskQueue.cpp:114:26
    #9 0x7f449806946d in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) objdir-ff-asan/dist/include/mozilla/TaskQueue.h:67:21
    #10 0x7f449cc255ca in mozilla::AutoTaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) objdir-ff-asan/dist/include/AutoTaskQueue.h:34:17
    #11 0x7f449cb88278 in InvokeAsync<(lambda at dom/media/MediaFormatReader.cpp:697:22)> objdir-ff-asan/dist/include/mozilla/MozPromise.h:1188:12
    #12 0x7f449cb88278 in InvokeAsync<(lambda at dom/media/MediaFormatReader.cpp:697:22)> objdir-ff-asan/dist/include/mozilla/MozPromise.h:1205
    #13 0x7f449cb88278 in mozilla::MediaFormatReader::DemuxerProxy::Init() dom/media/MediaFormatReader.cpp:696
    #14 0x7f449cb8eb83 in mozilla::MediaFormatReader::AsyncReadMetadata() dom/media/MediaFormatReader.cpp:980:39
    #15 0x7f449cb3ec1d in applyImpl<mozilla::MediaDecoderReader, RefPtr<mozilla::MozPromise<RefPtr<mozilla::MetadataHolder>, mozilla::MediaResult, true> > (mozilla::MediaDecoderReader::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:791:12
    #16 0x7f449cb3ec1d in apply<mozilla::MediaDecoderReader, RefPtr<mozilla::MozPromise<RefPtr<mozilla::MetadataHolder>, mozilla::MediaResult, true> > (mozilla::MediaDecoderReader::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:797
    #17 0x7f449cb3ec1d in Invoke objdir-ff-asan/dist/include/mozilla/MozPromise.h:1019
    #18 0x7f449cb3ec1d in mozilla::detail::ProxyRunnable<mozilla::MozPromise<RefPtr<mozilla::MetadataHolder>, mozilla::MediaResult, true>, RefPtr<mozilla::MozPromise<RefPtr<mozilla::MetadataHolder>, mozilla::MediaResult, true> > (mozilla::MediaDecoderReader::*)(), mozilla::MediaDecoderReader>::Run() objdir-ff-asan/dist/include/mozilla/MozPromise.h:1039
    #19 0x7f449806c4c8 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() objdir-ff-asan/dist/include/mozilla/TaskDispatcher.h:193:37
    #20 0x7f44980527a1 in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:232:12
    #21 0x7f449807fd42 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:226:14
    #22 0x7f44980805cc in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:153:15
    #23 0x7f4498065295 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1213:14
    #24 0x7f44980e6cea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:381:10
    #25 0x7f4498df8850 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:338:20
    #26 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #27 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #28 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #29 0x7f449805ea6c in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:467:11
    #30 0x7f44aebd82f5 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:216:5
    #31 0x7f44b2498183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)

Thread T105 (MediaPl~back #1) created by T0 (Web Content) here:
    #0 0x43544d in __interceptor_pthread_create /build/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
    #1 0x7f44aebd50e2 in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f44aebd4cfe in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f44980607a6 in nsThread::Init() xpcom/threads/nsThread.cpp:643:8
    #4 0x7f449807d649 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:260:22
    #5 0x7f449807ef16 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:107:26
    #6 0x7f44980808ca in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) xpcom/threads/nsThreadPool.cpp:275:5
    #7 0x7f44980685fc in mozilla::SharedThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) objdir-ff-asan/dist/include/mozilla/SharedThreadPool.h:71:68
    #8 0x7f44980514e5 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) xpcom/threads/TaskQueue.cpp:114:26
    #9 0x7f449806946d in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) objdir-ff-asan/dist/include/mozilla/TaskQueue.h:67:21
    #10 0x7f449806ad7a in DispatchTaskGroup objdir-ff-asan/dist/include/mozilla/TaskDispatcher.h:245:13
    #11 0x7f449806ad7a in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() objdir-ff-asan/dist/include/mozilla/TaskDispatcher.h:91
    #12 0x7f449806a95d in reset objdir-ff-asan/dist/include/mozilla/Maybe.h:419:17
    #13 0x7f449806a95d in mozilla::XPCOMThreadWrapper::FireTailDispatcher() xpcom/threads/AbstractThread.cpp:80
    #14 0x7f449806d682 in applyImpl<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:791:12
    #15 0x7f449806d682 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:797
    #16 0x7f449806d682 in mozilla::detail::RunnableMethodImpl<void (mozilla::XPCOMThreadWrapper::*)(), true, false>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:826
    #17 0x7f4497f2acb3 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() xpcom/base/CycleCollectedJSContext.cpp:1336:12
    #18 0x7f449976ea81 in XPCJSContext::AfterProcessTask(unsigned int) js/xpconnect/src/XPCJSContext.cpp:3610:30
    #19 0x7f4498065743 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1229:24
    #20 0x7f44980e6cea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:381:10
    #21 0x7f44980635d9 in nsThread::Shutdown() xpcom/threads/nsThread.cpp:983:5
    #22 0x7f449808132e in nsThreadPool::Shutdown() xpcom/threads/nsThreadPool.cpp:328:17
    #23 0x7f449807a322 in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:791:12
    #24 0x7f449807a322 in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:797
    #25 0x7f449807a322 in mozilla::detail::RunnableMethodImpl<nsresult (nsIThreadPool::*)(), true, false>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:826
    #26 0x7f4498065295 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1213:14
    #27 0x7f44980e6cea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:381:10
    #28 0x7f4498df7341 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #29 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #30 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #31 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #32 0x7f449dd5567a in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #33 0x7f449fdeebf2 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:924:22
    #34 0x7f4498d6cd3e in RunInternal ipc/chromium/src/base/message_loop.cc:238:10
    #35 0x7f4498d6cd3e in RunHandler ipc/chromium/src/base/message_loop.cc:231
    #36 0x7f4498d6cd3e in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
    #37 0x7f449fdedfc3 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:756:34
    #38 0x518fda in content_process_main browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #39 0x518fda in main browser/app/nsBrowserApp.cpp:429
    #40 0x7f44b14c0f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-use-after-free objdir-ff-asan/dist/include/mozilla/Mutex.h:69:25 in Lock
==145946==ABORTING
(Reporter)

Comment 1

2 years ago
Created attachment 8822613 [details]
test.zip.001
(Reporter)

Comment 2

2 years ago
Created attachment 8822614 [details]
test.zip.002

Zip is broken into a split archive due to 10 mb upload limit.
Group: core-security → media-core-security
Keywords: csectype-uaf, regressionwindow-wanted
jya, gerald - you're the last two playing in this file.  Thoughts?
Rank: 10
Component: Audio/Video → Audio/Video: Playback
Flags: needinfo?(jyavenard)
Flags: needinfo?(gsquelart)
Priority: -- → P1
(Assignee)

Comment 4

2 years ago
Looks like the OggDemuxer is still going through its Init trying to ReadMetadata and notifying an on-seekable MediaSourceEvent (given by the OggDecoder); but the OggDecoder has already gone through Shutdown and FinishShutdown, which destroyed the mutex used by the MediaSourceEvent.
In short, there's a race between in-progress initialization and early shutdown.

But Jean-Yves has more intimate knowledge of this machinery, so I'll let him analyze deeper.
(Or please let me know if you'd like me to look further into it.)
Flags: needinfo?(gsquelart)
Flags: sec-bounty?
Keywords: sec-high
Gerald, can you look deeper?  jya is very busy I think
Flags: needinfo?(gsquelart)
need to disconnect the MediaSourceEvent and check that we're shutdown I guess
Flags: needinfo?(jyavenard)
(Assignee)

Comment 7

2 years ago
Working on it.
Assignee: nobody → gsquelart
Flags: needinfo?(gsquelart)
(Assignee)

Comment 8

2 years ago
Created attachment 8828230 [details] [diff] [review]
1326372.patch

Commit description: "Reset OggDemuxer chaining events on decoder shutdown"
(Kept short, not to reveal more details about the sec issue.)


When the OggDecoder creates the MediaFormatReader (MFR) and OggDemuxer, it makes the OggDemuxer's MediaEventProducer pointers point directly at the MFR MediaEventProducer concrete members.

During the demuxer's asynchronous Init, it may dereference and call a MediaEventProducer.

The problem with the huge test case here is that the demuxer Init takes a very long time, during which the test page forces a reload, which shuts down and destroys the MFR. But then later on the demuxer Init has progressed on a separate task queue, and now wants to dereference and call a MediaEventProducer, but it has been destroyed with the MediaFormatReader!

In this patch, the OggDecoder remembers the OggDemuxer it created, and when the decoder gets destroyed it resets the demuxer's MediaEventProducer pointers to nullptr, so they don't point at the about-to-be-destroyed MFR.
A mutex ensures that changing and using the MediaEventProducer pointers is done safely.

The solution proposed here assumes that when the MFR is destroyed, the associated OggDecoder is destroyed too. Also it assumes that the OggDecoder can only create one OggDemuxer.
If these assumptions are not valid, we will need another solution!
(E.g.: Add a method that the MFR can call on the demuxer at shutdown time, in this case to reset the bad pointers; or please let me know of a better solution.)
Attachment #8828230 - Flags: review?(jyavenard)
The issue at hand wouldn't just occur with the Ogg stuff, but with anything else where the demuxers can survive the MFR being shut down.

We've had other crash reports on the matter.

All of this follows bug 1319992, where the demuxer was moved to its own task queue.

Seeing that those changes were made for bug 1295921, which is still pending (and whose utility/priority is still dubious), I propose we revert 1319992 instead and re-assess its use later.

Anthony, Dan, what do you think?
Flags: needinfo?(dglastonbury)
Flags: needinfo?(ajones)
(In reply to Jean-Yves Avenard [:jya] from comment #9)
> Anthony, Dan, what do you think?

Backing out sounds reasonable to me.
Flags: needinfo?(ajones)
I've had another thought about it, taking a similar approach to what I've done in bug 1319987; that is, to make shutdown asynchronous. MediaFormatReader::Shutdown will only resolve its promise once the demuxer proxy has completed and destroyed the demuxer.
Flags: needinfo?(dglastonbury)
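Comments 8 and 11 describe a shutdown-ordering race and two ways to close it. The following is an added example modelled on that description, not Mozilla's code or either patch; Reader, EventProducer, Demuxer and TaskQueue are stand-ins for MediaFormatReader, its MediaEventProducer member, OggDemuxer and the demuxer's own task queue, and the queue is drained explicitly so the scenario order does not depend on thread timing.

```cpp
// Added example, not Mozilla code. Stand-ins: Reader for MediaFormatReader,
// EventProducer for its MediaEventProducer member, Demuxer for OggDemuxer.
#include <functional>
#include <memory>
#include <mutex>
#include <utility>
#include <vector>

// Demuxer task queue: dispatched now, run later (in real code, on another thread).
class TaskQueue {
 public:
  void Dispatch(std::function<void()> aTask) { mTasks.push_back(std::move(aTask)); }
  void RunAll() {
    std::vector<std::function<void()>> pending = std::move(mTasks);
    mTasks.clear();
    for (auto& task : pending) task();
  }
 private:
  std::vector<std::function<void()>> mTasks;
};

// Its mutex is what the ASan report shows being locked after the owner was freed.
struct EventProducer {
  std::mutex mMutex;
  int mNotifications = 0;
  void Notify() {
    std::lock_guard<std::mutex> lock(mMutex);
    ++mNotifications;
  }
};

// Owns the producer; the demuxer holds a raw pointer straight at the member.
struct Reader {
  EventProducer mOnSeekable;
};

enum class InitState { Pending, Delivered, Dropped };

class Demuxer {
 public:
  explicit Demuxer(EventProducer* aProducer) : mProducer(aProducer) {}
  // Tail of the asynchronous Init (ReadMetadata -> RangeEndTime -> SetChained
  // -> Notify), dispatched to the queue and executed later.
  void Init(TaskQueue& aQueue) {
    aQueue.Dispatch([this] {
      std::lock_guard<std::mutex> lock(mPointerMutex);
      if (!mProducer) {
        mState = InitState::Dropped;  // detached: no dangling dereference
        return;
      }
      mProducer->Notify();  // the use-after-free site if the Reader were gone
      mState = InitState::Delivered;
    });
  }
  // Mitigation from comment 8: null the pointer under the same mutex the task
  // takes, before the Reader is destroyed.
  void ResetProducer() {
    std::lock_guard<std::mutex> lock(mPointerMutex);
    mProducer = nullptr;
  }
  InitState State() const { return mState; }
 private:
  std::mutex mPointerMutex;
  EventProducer* mProducer;
  InitState mState = InitState::Pending;
};

struct Outcome {
  InitState state;    // what the Init tail did when it finally ran
  int notifications;  // count on the Reader just before it was destroyed
};

// Scenario A (comment 8): reload destroys the Reader while Init is still queued,
// but the demuxer was detached first, so the late task is a no-op.
Outcome RunDetachOnShutdown() {
  TaskQueue queue;
  auto reader = std::make_unique<Reader>();
  Demuxer demuxer(&reader->mOnSeekable);
  demuxer.Init(queue);       // Init tail queued, not yet run
  demuxer.ResetProducer();   // shutdown: detach before destroying
  int seen = reader->mOnSeekable.mNotifications;
  reader.reset();            // Reader gone; the demuxer's pointer is already null
  queue.RunAll();            // Init tail runs and finds nothing to notify
  return {demuxer.State(), seen};
}

// Scenario B (comment 11): asynchronous shutdown. The Reader is destroyed only
// after the demuxer's queue has drained, so the pointer stays valid throughout.
Outcome RunAsyncShutdown() {
  TaskQueue queue;
  auto reader = std::make_unique<Reader>();
  Demuxer demuxer(&reader->mOnSeekable);
  demuxer.Init(queue);
  queue.RunAll();            // shutdown resolves only after this completes
  int seen = reader->mOnSeekable.mNotifications;
  reader.reset();            // safe: no pending task can reach the producer
  return {demuxer.State(), seen};
}
```

Without either ordering guarantee, the queued task in scenario A would run after `reader.reset()` and lock the freed EventProducer's mutex, which is exactly the frame ASan flagged in comment 0.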
I will do a backout however for aurora (53) as the asynchronous shutdown is too complicated to do without bug 1319987
This sounds pretty bad in terms of exploitability and we want this fixed ASAP
jya, can you take another look at this bug?
Flags: needinfo?(jyavenard)
the issue can't occur with bug 1319987 in. I'll work on a backport in the next few days.
status-firefox54: --- → fixed
Whiteboard: [fixed in 54 by bug 1319987]
It sounds like only 53 is affected at this point. Please update the flags if that's wrong.

[Tracking Requested - why for this release]: sec-high
status-firefox52: --- → unaffected
status-firefox53: --- → affected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
tracking-firefox53: --- → ?
(Assignee)

Comment 16

2 years ago
(In reply to Jean-Yves Avenard [:jya] from comment #14)
> the issue can't occur with bug 1319987 in.. I'll work on a backport in the
> next few days.

Bug 1319987 landed 7 days ago, please remember to backport it! (I'm not explicitly linking this sec bug with that non-sec bug.)
Assignee: gsquelart → jyavenard
(Assignee)

Comment 17

2 years ago
After discussion with Jean-Yves and as per comment 9, the best solution should be to revert bug 1319992 (parts 1-4, maybe not 5) on aurora only.
I'll give it a go today...
Assignee: jyavenard → gsquelart
Flags: needinfo?(jyavenard)
(Assignee)

Comment 18

2 years ago
Comment on attachment 8828230 [details] [diff] [review]
1326372.patch

Removing old proposed patch.
Attachment #8828230 - Attachment is obsolete: true
Attachment #8828230 - Flags: review?(jyavenard)
(Assignee)

Comment 19

2 years ago
Created attachment 8837037 [details] [diff] [review]
P1. Backed out changeset 4ea0f7d805d9 bug 1319995-P4
Attachment #8837037 - Flags: review?(jyavenard)
(Assignee)

Comment 20

2 years ago
Created attachment 8837038 [details] [diff] [review]
P2. Backed out changeset 909eee913f30 bug 1319995-P3
Attachment #8837038 - Flags: review?(jyavenard)
(Assignee)

Comment 21

2 years ago
Created attachment 8837039 [details] [diff] [review]
P3. Backed out changeset 7df4d36392e7 bug 1319995-P2
Attachment #8837039 - Flags: review?(jyavenard)
(Assignee)

Comment 22

2 years ago
Created attachment 8837040 [details] [diff] [review]
P4. Backed out changeset 19c468c32d03 bug 1319995-P1
Attachment #8837040 - Flags: review?(jyavenard)
(Assignee)

Comment 23

2 years ago
Tested locally with the test.zip POC, no more crashes. Other media tests passed.
Comment on attachment 8837037 [details] [diff] [review]
P1. Backed out changeset 4ea0f7d805d9 bug 1319995-P4

shouldn't you include the original commit log?
Attachment #8837037 - Flags: review?(jyavenard) → review+
Comment on attachment 8837039 [details] [diff] [review]
P3. Backed out changeset 7df4d36392e7 bug 1319995-P2

could keep this one in.. it's just (correct) comments
Attachment #8837039 - Flags: review?(jyavenard) → review+
Comment on attachment 8837038 [details] [diff] [review]
P2. Backed out changeset 909eee913f30 bug 1319995-P3

that one too could be kept...
Attachment #8837038 - Flags: review?(jyavenard) → review+
Attachment #8837040 - Flags: review?(jyavenard) → review+
(Assignee)

Comment 27

2 years ago
Created attachment 8837371 [details] [diff] [review]
1326372-aurora-1.patch

P1. Backed out changeset 4ea0f7d805d9 bug 1319995-P4

Rebased, added original commit description, carrying r+ from comment 24.
Attachment #8837037 - Attachment is obsolete: true
Attachment #8837371 - Flags: review+
(Assignee)

Comment 28

2 years ago
Created attachment 8837372 [details] [diff] [review]
1326372-aurora-2.patch

P2. Backed out changeset 19c468c32d03 bug 1319995-P1

Removed unneeded backouts of parts 2 and 3.

Rebased, added original commit description, carrying r+ from comment 26.
Attachment #8837038 - Attachment is obsolete: true
Attachment #8837039 - Attachment is obsolete: true
Attachment #8837040 - Attachment is obsolete: true
Attachment #8837372 - Flags: review+
(Assignee)

Comment 29

2 years ago
Comment on attachment 8837371 [details] [diff] [review]
1326372-aurora-1.patch

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1319995
[User impact if declined]: Potential UAF when decoder is destroyed while initial metadata parsing is still running
[Is this code covered by automated tests?]: Yes, media tests and others
[Has the fix been verified in Nightly?]: N/A, this patch is intended for Aurora only
[Needs manual test from QE? If yes, steps to reproduce]: Not sure if it is necessary (I've tested it locally); If yes, see steps in comment 0 (Basically: Unzip the attached test files, open in Aurora, wait a few seconds, it shouldn't crash after this patch is applied)
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: Very low risk
[Why is the change risky/not risky?]: It is "only" a backout of some extra functionality that was not strictly needed by itself (it was a first step towards another yet-incomplete feature); other features that may have been back-ported since shouldn't rely on the original patch
[String changes made/needed]: None
Attachment #8837371 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 30

2 years ago
Comment on attachment 8837371 [details] [diff] [review]
1326372-aurora-1.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Very low chance I think.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No, it's a straight backout of big patches. It points at the extra demuxing thread being an issue, but not what can be wrong with it.

Which older supported branches are affected by this flaw?
Only Aurora-53. The UAF was fixed in Nightly-54 as a side-effect of bug 1319987.

If not all supported branches, which bug introduced the flaw?
Bug 1319992, landed in 53

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch is intended for Aurora-53.

How likely is this patch to cause regressions; how much testing does it need?
Unlikely, as it's a backout of some extra functionality that was not strictly needed by itself (it was a first step towards another yet-incomplete feature); other features that may have been back-ported since shouldn't rely on the original patch that is being backed out.
Attachment #8837371 - Flags: sec-approval?
(Assignee)

Comment 31

2 years ago
Comment on attachment 8837372 [details] [diff] [review]
1326372-aurora-2.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Very low chance I think.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No, it's a straight backout of big patches. It points at the extra demuxing thread being an issue, but not what can be wrong with it.

Which older supported branches are affected by this flaw?
Only Aurora-53. The UAF was fixed in Nightly-54 as a side-effect of bug 1319987.

If not all supported branches, which bug introduced the flaw?
Bug 1319992, landed in 53

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch is intended for Aurora-53.

How likely is this patch to cause regressions; how much testing does it need?
Unlikely, as it's a backout of some extra functionality that was not strictly needed by itself (it was a first step towards another yet-incomplete feature); other features that may have been back-ported since shouldn't rely on the original patch that is being backed out.


Approval Request Comment
[Feature/Bug causing the regression]: Bug 1319995
[User impact if declined]: Potential UAF when decoder is destroyed while initial metadata parsing is still running
[Is this code covered by automated tests?]: Yes, media tests and others
[Has the fix been verified in Nightly?]: N/A, this patch is intended for Aurora only
[Needs manual test from QE? If yes, steps to reproduce]: Not sure if it is necessary (I've tested it locally); If yes, see steps in comment 0 (Basically: Unzip the attached test files, open in Aurora, wait a few seconds, it shouldn't crash after this patch is applied)
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: Very low risk
[Why is the change risky/not risky?]: It is "only" a backout of some extra functionality that was not strictly needed by itself (it was a first step towards another yet-incomplete feature); other features that may have been back-ported since shouldn't rely on the original patch
[String changes made/needed]: None
Attachment #8837372 - Flags: sec-approval?
Attachment #8837372 - Flags: approval-mozilla-aurora?
tracking-firefox53: ? → +
Attachment #8837372 - Flags: sec-approval?
Attachment #8837372 - Flags: sec-approval+
Attachment #8837372 - Flags: approval-mozilla-aurora?
Attachment #8837372 - Flags: approval-mozilla-aurora+
Attachment #8837371 - Flags: sec-approval?
Attachment #8837371 - Flags: sec-approval+
Attachment #8837371 - Flags: approval-mozilla-aurora?
Attachment #8837371 - Flags: approval-mozilla-aurora+
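The approval comments above describe the flaw as a decoder being destroyed while its initial metadata parse is still running on the extra demuxing thread, so a later notification locks a mutex that has already been freed (the shape of the ASan trace in comment 0). What follows is an added C++ example written for this page; it is not Firefox code and not the patch discussed here, and `MetadataListener`, `AsyncDemuxer`, `StartParse`, `Shutdown` and `WaitForParse` are hypothetical stand-ins. It shows the defensive teardown ordering (cancel, then join, then destroy) whose absence produces this class of use-after-free:

```cpp
// Added example, not Firefox code. Names are hypothetical stand-ins for the
// demuxer/listener pair described in this bug.
#include <atomic>
#include <chrono>
#include <mutex>
#include <thread>

// Stand-in for the object the worker notifies. The ASan trace on this page
// shows a Mutex inside a MediaEventSource being locked after it was freed;
// here the "freed" state is modelled by mClosed so the check can run safely.
struct MetadataListener {
    std::mutex mMutex;
    int mNotifications = 0;
    bool mClosed = false;             // set by the owner once teardown is complete
    bool mNotifiedAfterClose = false; // would be a UAF in the real object

    void Notify() {
        std::lock_guard<std::mutex> lock(mMutex);
        if (mClosed) mNotifiedAfterClose = true;
        ++mNotifications;
    }
};

// Stand-in for a demuxer that runs its initial metadata parse on its own thread.
class AsyncDemuxer {
public:
    explicit AsyncDemuxer(MetadataListener* aListener) : mListener(aListener) {}

    void StartParse(int aChunks) {
        mThread = std::thread([this, aChunks] {
            for (int i = 0; i < aChunks && !mCancelled.load(std::memory_order_acquire); ++i) {
                std::this_thread::yield();  // stands in for real parsing work
                mListener->Notify();        // dangerous if the listener is already gone
            }
        });
    }

    // Let a parse run to completion (no cancellation).
    void WaitForParse() {
        if (mThread.joinable()) mThread.join();
    }

    // Defensive teardown: stop the worker and wait for it BEFORE anything it
    // touches is destroyed. The bug on this page is the absence of this step:
    // the decoder was destroyed while the parse thread was still calling Notify().
    void Shutdown() {
        mCancelled.store(true, std::memory_order_release);
        if (mThread.joinable()) mThread.join();
    }

    ~AsyncDemuxer() { Shutdown(); }

private:
    MetadataListener* mListener;
    std::atomic<bool> mCancelled{false};
    std::thread mThread;
};

// Shut the demuxer down while a long parse is in flight, then mark the listener
// closed and confirm no notification arrived afterwards. Returns true when the
// invariants hold (worker joined before the listener is "freed").
bool SafeTeardownHoldsInvariants(int aChunks) {
    MetadataListener listener;
    {
        AsyncDemuxer demuxer(&listener);
        demuxer.StartParse(aChunks);
        std::this_thread::sleep_for(std::chrono::milliseconds(1));
        demuxer.Shutdown();  // joins the worker; the listener is still alive here
    }                        // demuxer destroyed; its thread is already gone
    {
        std::lock_guard<std::mutex> lock(listener.mMutex);
        listener.mClosed = true;
    }
    std::this_thread::sleep_for(std::chrono::milliseconds(5));
    std::lock_guard<std::mutex> lock(listener.mMutex);
    return !listener.mNotifiedAfterClose && listener.mNotifications <= aChunks;
}

// Sanity check of the happy path: an uncancelled parse delivers one
// notification per chunk.
int CompleteParseDelivers(int aChunks) {
    MetadataListener listener;
    AsyncDemuxer demuxer(&listener);
    demuxer.StartParse(aChunks);
    demuxer.WaitForParse();
    std::lock_guard<std::mutex> lock(listener.mMutex);
    return listener.mNotifications;
}
```

The Aurora fix on this page removes the extra demuxing thread altogether by backing out the patch that introduced it; the example instead keeps the thread and enforces that nothing the worker touches is destroyed before the worker has been joined. A destructor or shutdown path that skips `Shutdown()` is exactly the shape of the reported bug.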
(Assignee)

Comment 33

2 years ago
Fixed in 54 thanks to bug 1319987.
Fixed in 53 by backing out bug 1319995.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Blocks: 1319992
Flags: sec-bounty? → sec-bounty+
Keywords: regressionwindow-wanted → regression
Group: media-core-security → core-security-release
(Assignee)

Comment 34

a year ago
Too late now, but JW noticed that the commit messages are wrong: They mention bug 1319995, but it should have been bug 1319992.

It landed a while ago, so I guess there's nothing we can do now.
Except maybe add a comment to bug 1319995, to redirect people to bug 1319992 in case they went there because of the patch? :-)
Reproduced on Nightly 2017-01-01, Win 10.
Verified fixed Fx 53b10, 54.0a2 (2017-04-11) Win 10, Ubuntu 14.04, OS X 10.12.
Status: RESOLVED → VERIFIED
status-firefox53: fixed → verified
status-firefox54: fixed → verified
Group: core-security-release