Closed
Bug 1415582
Opened 7 years ago
Closed 7 years ago
Cleanup WebRTCGMP decoder initialization to match Encoder side
Categories
(Core :: WebRTC: Audio/Video, defect, P1)
Tracking
()
People
(Reporter: jesup, Assigned: jesup)
References
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main58+][adv-esr52.6+][post-critsmash-triage])
Crash Data
Attachments
(1 file)
1.83 KB,
patch
|
bwc
:
review+
gchang
:
approval-mozilla-beta+
gchang
:
approval-mozilla-esr52+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
This was missed when mirroring encoder-side fixes in bug 1182289 to the decoder side. Important since Init is async.
Possible UAF. Might cause nullptr crashes at [@ mozilla::WebrtcGmpVideoDecoder::GmpInitDone ]
Assignee | ||
Updated•7 years ago
|
Crash Signature: [@ mozilla::WebrtcGmpVideoDecoder::GmpInitDone ]
Rank: 5
status-firefox56:
--- → wontfix
status-firefox57:
--- → wontfix
status-firefox58:
--- → affected
status-firefox-esr52:
--- → affected
Priority: -- → P1
Assignee | ||
Comment 1•7 years ago
|
||
Attachment #8926434 -
Flags: review?(docfaraday)
Comment 2•7 years ago
|
||
Comment on attachment 8926434 [details] [diff] [review]
Mirror changes done to Encoder InitDone to decoder
Review of attachment 8926434 [details] [diff] [review]:
-----------------------------------------------------------------
Hopefully this won't leak stuff, but I guess we'll see from the tests.
Attachment #8926434 -
Flags: review?(docfaraday) → review+
Assignee | ||
Comment 3•7 years ago
|
||
Comment on attachment 8926434 [details] [diff] [review]
Mirror changes done to Encoder InitDone to decoder
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Quite tough. We move something to a RefPtr, but it would be tricky to get any control over how fast it inits; you could try to close off the device fast enough to recycle the pipeline the GmpVideoDecoder, but that would not be easy. And then you'd have to re-fill it with an attack.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Other than it makes a bare ptr a refptr in a callback, no.
Which older supported branches are affected by this flaw? All
If not all supported branches, which bug introduced the flaw?
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Trivial
How likely is this patch to cause regressions; how much testing does it need? Little possiblity for regressions other than leaks, and I don't see any leaks running mochitests.
Attachment #8926434 -
Flags: sec-approval?
Comment 4•7 years ago
|
||
Sec-approval+ for checkin on November 28, two weeks into the new cycle. Please do not check in before that date.
We'll want this on other branches so branch patches should be made and nominated at that time as well.
status-firefox59:
--- → affected
tracking-firefox58:
--- → +
tracking-firefox59:
--- → +
tracking-firefox-esr52:
--- → ?
Whiteboard: [checkin on 11/28]
Updated•7 years ago
|
Attachment #8926434 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 5•7 years ago
|
||
Comment on attachment 8926434 [details] [diff] [review]
Mirror changes done to Encoder InitDone to decoder
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: UAFs
Fix Landed on Version: will be 59
Risk to taking this patch (and alternatives if risky): No risk
String or UUID changes made by this patch: none
Approval Request Comment
[Feature/Bug causing the regression]: Bug 1182289
[User impact if declined]: UAFs
[Is this code covered by automated tests?]: yes though they don't hit it
[Has the fix been verified in Nightly?]: No
[Needs manual test from QE? If yes, steps to reproduce]: no (no STR)
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: Adds refptrs
[String changes made/needed]: none
Attachment #8926434 -
Flags: approval-mozilla-esr52?
Attachment #8926434 -
Flags: approval-mozilla-beta?
Comment 6•7 years ago
|
||
Whiteboard: [checkin on 11/28]
Comment 7•7 years ago
|
||
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Updated•7 years ago
|
Group: media-core-security → core-security-release
Comment 8•7 years ago
|
||
Comment on attachment 8926434 [details] [diff] [review]
Mirror changes done to Encoder InitDone to decoder
Fix a sec-high. Beta58+ & ESR52+.
Attachment #8926434 -
Flags: approval-mozilla-esr52?
Attachment #8926434 -
Flags: approval-mozilla-esr52+
Attachment #8926434 -
Flags: approval-mozilla-beta?
Attachment #8926434 -
Flags: approval-mozilla-beta+
Updated•7 years ago
|
Comment 9•7 years ago
|
||
uplift |
Comment 10•7 years ago
|
||
uplift |
Updated•7 years ago
|
Whiteboard: [adv-main58+][adv-esr52.6+]
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main58+][adv-esr52.6+] → [adv-main58+][adv-esr52.6+][post-critsmash-triage]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•