Closed Bug 1378826 Opened 7 years ago Closed 7 years ago

Removing the last track from a recorder results in crash

Categories

(Core :: Audio/Video: Recording, defect, P1)

Product:
Core
Component:
Audio/Video: Recording
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox-esr52 55+ verified
firefox54 --- wontfix
firefox55 + verified
firefox56 + verified

People

(Reporter: bryce, Assigned: bryce)

Details

(4 keywords, Whiteboard: [adv-main55+][adv-esr52.3+])

Attachments

(3 files)

ProofOfConcept.html
1.77 KB, text/html
Details
Remove direct track listeners for video tracks if MediaRecorder is notified of their removal
1.29 KB, patch
jesup
: review+
dveditz
: approval-mozilla-beta+
lizzard
: approval-mozilla-esr52+
dveditz
: sec-approval+
Details | Diff | Splinter Review
Add test for removal of video tracks during recording
2.55 KB, patch
jesup
: review+
Details | Diff | Splinter Review
Attached file ProofOfConcept.html 
Performing the following results in a use after free:
- Create a media recorder with a stream with a single video track
- Remove the track from the stream
- Stop the media recorder

See the attached proof of concept (beware, this will crash your FireFox). To recreate the bug start a recording then click the break button.

This looks like an issue with MediaRecorder clean up/notify track removed. The recorder will not clean up the listener on the video track due to the track being removed[1]. As such the listener will still be used even after the recorder is gone and has freed related structures.

[1]: https://searchfox.org/mozilla-central/source/dom/media/MediaRecorder.cpp#848
I'm going to grab this. Current plan is that we can perform checks when notifying that a track is removed to avoid this.

Setting this to sec-high based on UAF. :jesup, can you change the level as you think appropriate?
Assignee: nobody → bvandyk
status-firefox54: --- → affected
status-firefox55: --- → affected
status-firefox56: --- → affected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(rjesup)
Keywords: sec-high
Group: core-security → media-core-security
Flags: needinfo?(rjesup)
Keywords: crash, csectype-uaf, testcase
Attachment #8884995 - Flags: review?(rjesup) → review+
Please request security-approval to land, and consider asking for beta approval
Rank: 12
Priority: -- → P1
Comment on attachment 8884995 [details] [diff] [review]
Remove direct track listeners for video tracks if MediaRecorder is notified of their removal

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
- The patch itself doesn't make clear that a UAF is involved, rather that a listener is not being removed. However, to invoke the scenario that this patch protects against is quite easy (as shown by the attached proof of concept), though not a normal usage of the MediaRecorder.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
- I don't think so, aside from the current bug comment being a secure big (this one). I have omitted reference to the UAF from the patch comment and am explicitly holding off on adding a crash test until we're landed (to be done in a follow up bug).

Which older supported branches are affected by this flaw?
- 54, 55.

If not all supported branches, which bug introduced the flaw?
- The bug appears to have been introduced between 52 and 53. Issue may have been introduced earlier but become more obvious at that stage, however. Specific regression range and discussion at end of this comment.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
- I believe the current patch will resolve the issue in older branches and does not require a separate, specific backport.

How likely is this patch to cause regressions; how much testing does it need?
- Low. The recording machinery the patch interacts with is complicated, but the patch itself is simple (less than 10 lines). I have manually tested this patch, and the MediaRecorder has automated test suites which provide some coverage for other regressions once this goes into nightly.

Approval Request Comment
[Feature/Bug causing the regression]: See regression range and discussion at end of comment.
[User impact if declined]: A use after free is exposed.
[Is this code covered by automated tests?]: No, I am holding off on adding a test to avoid painting a target. However, an automated crash test can be created from the proof of concept attached.
[Has the fix been verified in Nightly?]: Locally by myself.
[Needs manual test from QE? If yes, steps to reproduce]: Yes, the steps detailed in the original comment will verify the fix. 
[List of other uplifts needed for the feature/fix]: The included patch.
[Is the change risky?]: Low risk.
[Why is the change risky/not risky?]: The change is small, but it does deal with complicated machinery (media recording and associated state).
[String changes made/needed]: None.

---

A bisection in mozregression show this being introduced in the range of: https://hg.mozilla.org/integration/mozilla-inbound/json-pushes?changeset=9ea8e4f2edae49b3e46b71130f2c4303eafdf1bc&full=1

However, after looking at those patches I wonder if the issue still exists before these changes. These changes add the use of a monitor which is where the crashes are happening in my test, but I do not believe they introduce the UAF.

That said, the versions mentioned above are certainly affected. I'm going to investigate further and will follow up should I find that esr 52 is impacted.
Attachment #8884995 - Flags: sec-approval?
Attachment #8884995 - Flags: approval-mozilla-beta?
Comment on attachment 8884995 [details] [diff] [review]
Remove direct track listeners for video tracks if MediaRecorder is notified of their removal

sec-approval=dveditz
a=dveditz to land on beta.
Attachment #8884995 - Flags: sec-approval?
Attachment #8884995 - Flags: sec-approval+
Attachment #8884995 - Flags: approval-mozilla-beta?
Attachment #8884995 - Flags: approval-mozilla-beta+
If this affects ESR 52 we'll want to hit the 52.3 release that ships when Firefox 55 does. fwiw I couldn't get the POC to crash on ESR 52, but I did get an InvalidState message once or twice.
tracking-firefox55: ?+
tracking-firefox56: ?+
tracking-firefox-esr52: --- → 55+
https://hg.mozilla.org/mozilla-central/rev/1362c0928dc1
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
After more investigation I believe I'm reproing the crash on ESR[1]. I had to run through the proof of concept a fair number of times to do so (~10). It seems to be happening less often due to the ops performed on the freed object. Looking at the code some more I think it is the case that the regression range above is a red herring and that this has been around for much longer.

[1]: https://crash-stats.mozilla.com/report/index/e8e44331-1320-4ca8-b539-f79140170712
status-firefox-esr52: ?affected
Comment on attachment 8884995 [details] [diff] [review]
Remove direct track listeners for video tracks if MediaRecorder is notified of their removal

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: sechigh
Fix Landed on Version: 56, uplifted to 55
Risk to taking this patch (and alternatives if risky): Low. The change is small, but it does deal with complicated machinery (media recording and associated state).
String or UUID changes made by this patch: None.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8884995 - Flags: approval-mozilla-esr52?
Comment on attachment 8884995 [details] [diff] [review]
Remove direct track listeners for video tracks if MediaRecorder is notified of their removal

We should take this fix on esr also for 52.3.0 since this is a sec-high issue and fixed for 55.
Attachment #8884995 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
This is the first time I've been involved with an ESR uplift. Please advise should I need do anything more or if I've overlooked anything.
status-firefox-esr52: affectedcheckin-pending
Group: media-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [adv-main55+][adv-esr52.3+]
Reproduced the crash on an affected build (54.0.1, 20170628075643, 90f18f9c15f7) [1] using the test case from Comment 0 on Windows 10 x64.

I can confirm the test case is no longer crashing on Windows 10 x64, Ubuntu 16.04 x64 and macOS 10.12 using:
    - 52.2esr (20170723091719, 3856be3d222f)
    - 55.0b10 (20170717063821, e26b1f5d635e)
    - 56.0a1 (2017-07-23, 20170723030206)

[1] bp-84570390-f785-48a9-92aa-bc69c1170724
Status: RESOLVED → VERIFIED
status-firefox55: fixedverified
status-firefox56: fixedverified
status-firefox-esr52: fixedverified
Flags: qe-verify+
Comment on attachment 8899672 [details] [diff] [review]
Add test for removal of video tracks during recording

Follow up crash test now that this fix has been landed for some time. Going to request review, sec approval, then checkin as per initial fix. Please advise should a different procedure be followed.
Attachment #8899672 - Flags: review?(rjesup)
Attachment #8899672 - Flags: review?(rjesup) → review+
Comment on attachment 8899672 [details] [diff] [review]
Add test for removal of video tracks during recording

I am requesting sec approval with the primary goal of confirming enough time has passed that it is appropriate to land a test for this bug.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
- It's clear from this test how to recreate the exploit, though further effort would be required to abuse the UAF.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
- This is the just a follow up test. The comment is left somewhat vague to avoid mentioning security, but the nature of this test being a crash test does paint a target.

Which older supported branches are affected by this flaw?
- All supported branches are now patched via prior work on this bug.

If not all supported branches, which bug introduced the flaw?
- All supported branches should be immune to the tested bug.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
- No backport required.

How likely is this patch to cause regressions; how much testing does it need?
- This patch is a test that should not impact other tests or require special testing. Any issues/failures should be isolated to this test.
Attachment #8899672 - Flags: sec-approval?
I don't think we can approve the landing of tests yet. The build has only been out for a short while and the uptake it pretty low, AFAIK. NI? Ritu and Liz to get a sense of what uptake on 55 is.
Flags: needinfo?(rkothari)
Flags: needinfo?(lhenry)
We will likely be increasing rollout to 55 once 55.0.3 is out. Best to wait till a little while after we get 55.0.3 out the door.
Flags: needinfo?(rkothari)
Flags: needinfo?(lhenry)
Cheers. Will follow up after 55.0.3 has been out for awhile. What is the best way re-query around that time? Drop approval flag and raise again? needinfo?
You can just ni? me.
Comment on attachment 8899672 [details] [diff] [review]
Add test for removal of video tracks during recording

Clearing SA until later.
Attachment #8899672 - Flags: sec-approval?
Has a suitable amount of time passed that this would be safe to land?
Flags: needinfo?(abillings)
Yeah, should be fine. Please set the "in-testsuite" flag to '+' when you do.
Flags: needinfo?(abillings) → in-testsuite?
Flags: in-testsuite? → in-testsuite+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: