1422389 - AddressSanitizer: negative-size-param near [@ mozilla::MediaEngineDefaultVideoSource::Notify]

Status: VERIFIED FIXED

(Core :: WebRTC: Audio/Video, defect, P1)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev 781485c695e1.

==2773==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f103d4e2563 bp 0x7f1039423300 sp 0x7f10394232e0 T2)
==2773==The signal is caused by a WRITE memory access.
==2773==Hint: address points to the zero page.
    #0 0x7f103d4e2562 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2534:13
    #1 0x7f103d4e7947 in OnChannelError /builds/worker/workspace/build/src/ipc/glue/MessageLink.cpp:393:12
    #2 0x7f103d4e7947 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/worker/workspace/build/src/ipc/glue/MessageLink.cpp
    #3 0x7f103d48e107 in event_persist_closure /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1580:9
    #4 0x7f103d48e107 in event_process_active_single_queue /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1639
    #5 0x7f103d486005 in event_process_active /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c
    #6 0x7f103d486005 in event_base_loop /builds/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1961
    #7 0x7f103d444d53 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_libevent.cc:373:7
    #8 0x7f103d43efa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7f103d43efa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #10 0x7f103d43efa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #11 0x7f103d45e10f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #12 0x7f103d44fc4c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #13 0x7f105c5936b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #14 0x7f105b6153dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2534:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
Thread T2 (Chrome_~dThread) created by T0 (Web Content) here:
    #0 0x4a816d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f103d44d59f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f103d44d59f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f103d45daaf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f103d45f92e in Run /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/child_thread.cc:27:12
    #5 0x7f103d45f92e in ChildProcess::ChildProcess(ChildThread*) /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/child_process.cc:20
    #6 0x7f103d4e9843 in mozilla::ipc::ProcessChild::ProcessChild(int) /builds/worker/workspace/build/src/ipc/glue/ProcessChild.cpp:24:5
    #7 0x7f1047fefc3a in ContentProcess /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:31:7
    #8 0x7f1047fefc3a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:640
    #9 0x4ee9f5 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #10 0x4ee9f5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #11 0x7f105b52e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

==2773==ABORTING
=================================================================
==2836==ERROR: AddressSanitizer: negative-size-param: (size=-1781331840)
    #0 0x4be3e1 in __asan_memset /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3
    #1 0x7f04e15e8aa6 in AllocateSolidColorFrame /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineDefault.cpp:151:3
    #2 0x7f04e15e8aa6 in mozilla::MediaEngineDefaultVideoSource::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineDefault.cpp:263
    #3 0x7f04db2df03c in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:704:40
    #4 0x7f04db2ae699 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #5 0x7f04db2be20e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #6 0x7f04db2d9f90 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #7 0x7f04dc14d405 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #8 0x7f04dc0a2fa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7f04dc0a2fa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #10 0x7f04dc0a2fa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #11 0x7f04dc0c210f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #12 0x7f04dc0b3c4c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #13 0x7f04fb1f76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #14 0x7f04fa2793dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x7f04572bf800 is located 0 bytes inside of 1622969536-byte region [0x7f04572bf800,0x7f04b7e884c0)
allocated by thread T35 (MediaManager) here:
    #0 0x4bee13 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f04e15e8a90 in AllocateSolidColorFrame /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineDefault.cpp:150:31
    #2 0x7f04e15e8a90 in mozilla::MediaEngineDefaultVideoSource::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineDefault.cpp:263
    #3 0x7f04db2df03c in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:704:40
    #4 0x7f04db2ae699 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #5 0x7f04db2be20e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #6 0x7f04db2d9f90 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #7 0x7f04dc14d405 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #8 0x7f04dc0a2fa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7f04dc0a2fa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #10 0x7f04dc0a2fa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #11 0x7f04dc0c210f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #12 0x7f04dc0b3c4c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #13 0x7f04fb1f76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T35 (MediaManager) created by T0 (file:// Content) here:
    #0 0x4a816d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f04dc0b159f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f04dc0b159f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f04dc0c1aaf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f04e0f8e038 in mozilla::MediaManager::Get() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1865:36
    #5 0x7f04e0eaeefe in mozilla::dom::MediaDevices::GetUserMedia(mozilla::dom::MediaStreamConstraints const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:194:9
    #6 0x7f04deaeccaf in getUserMedia /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:185:45
    #7 0x7f04deaeccaf in mozilla::dom::MediaDevicesBinding::getUserMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:202
    #8 0x7f04e04866bf in mozilla::dom::GenericPromiseReturningBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3088:13
    #9 0x7f04e6f211a1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #10 0x7f04e6f211a1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #11 0x7f04e71707bb in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2559:14
    #12 0x11a1ffe5453a  (<unknown module>)
    #13 0x621000d32e9f  (<unknown module>)
    #14 0x11a1ffe4e4e7  (<unknown module>)
    #15 0x7f04e719a46b in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:149:9
    #16 0x7f04e719a46b in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:226
    #17 0x7f04e6f15044 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2049:28
    #18 0x7f04e6ef3970 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #19 0x7f04e6f24071 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #20 0x7f04e6f2480f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #21 0x7f04e7a2f2f6 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
    #22 0x7f04de528a76 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #23 0x7f04e23b1f29 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2282:25
    #24 0x7f04e23ad422 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1924:10
    #25 0x7f04e238fe1a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1625:10
    #26 0x7f04e238bd97 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #27 0x7f04dd341246 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:226:18
    #28 0x7f04dd341246 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:735
    #29 0x7f04dd33a4ed in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:539:7
    #30 0x7f04dd3470ff in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:56:18
    #31 0x7f04db297934 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #32 0x7f04db2be20e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #33 0x7f04db2d9f90 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #34 0x7f04dc14c00a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #35 0x7f04dc0a2fa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #36 0x7f04dc0a2fa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #37 0x7f04dc0a2fa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #38 0x7f04e253da8a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #39 0x7f04e6c542eb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:865:22
    #40 0x7f04dc0a2fa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #41 0x7f04dc0a2fa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #42 0x7f04dc0a2fa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #43 0x7f04e6c53cdd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #44 0x4ee9f5 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #45 0x4ee9f5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #46 0x7f04fa19282f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: negative-size-param /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3 in __asan_memset

Comment 1

[Ryan VanderMeulen [:RyanVM]]

INFO: Last good revision: db3ed1fdbbeaf5ab1e8fe454780146e7499be3db (2016-07-28)
INFO: First bad revision: 2ea3d51ba1bb9f5c3b6921c43ea63f70b4fdf5d2 (2016-07-29)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=db3ed1fdbbeaf5ab1e8fe454780146e7499be3db&tochange=2ea3d51ba1bb9f5c3b6921c43ea63f70b4fdf5d2

Looks like bug 1286096 touched MediaEngineDefault.cpp in that range.

Comment 2

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

STRs are even simpler: window.navigator.mediaDevices.getUserMedia({ video: { height: 1708492701}, fake: true });

Comment 3

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Attachment: limitfake.patch

Comment 4

[Munro Mengjue Chiang [:mchiang] Be Mozillian since 1/19/2018]

Comment on attachment 8933853 [details] [diff] [review]
limitfake.patch

Review of attachment 8933853 [details] [diff] [review]:
-----------------------------------------------------------------

It makes sense for me.

Comment 5

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Comment on attachment 8933853 [details] [diff] [review]
limitfake.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: JS-controllable negative size memset.

[Feature/Bug causing the regression]: Bug 1286096
[User impact if declined]: Trivial to write JS that clears a lot of memory
[Is this code covered by automated tests?]: Yes, though only with default values (no constraints as input)
[Has the fix been verified in Nightly?]: No, only locally
[Needs manual test from QE? If yes, steps to reproduce]: See comment 2.
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: No
[Why is the change risky/not risky?]: Clamps inputs to sane (non-overflow) values. {fake:true} is a feature for testing. 
[String changes made/needed]: none

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Trivial to set a lot of memory to a changing solid color. Hard to inject anything of substance.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw? all but thunderbird

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Should apply trivially.

How likely is this patch to cause regressions; how much testing does it need?

Extremely unlikely. Test html attached.

Comment 6

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

memset is here https://hg.mozilla.org/mozilla-central/annotate/a21f4e2ce518/dom/media/webrtc/MediaEngineDefault.cpp#l151

Comment 7

[Al Billings [:abillings - ex-MoCo]]

Comment on attachment 8933853 [details] [diff] [review]
limitfake.patch

sec-approval+ for trunk.
I'll approve for beta as well. Release Management should approve for ESR52.

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/e71d69274afb19cd32a8fc0703b61f7582d10504
https://hg.mozilla.org/releases/mozilla-beta/rev/9d5bd4981da9

Comment 9

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/e71d69274afb

Comment 11

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8933853 [details] [diff] [review]
limitfake.patch

Sec-crit, ESR52+

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr52/rev/f8a6e1864832

Comment 13

[Oana Botisan, Desktop QA]

I managed to reproduce the bug using an older asan version of Nightly (2017-12-01) on Ubuntu 16.04 x64. When I copied the command from comment 2 in Web Console, the error appeared in the terminal and the tab crashed. 

I retested everything using the same method on asan versions of latest Nightly 59.0a1, beta 58.0b16 and esr 52.6.0 and the bug is not reproducing anymore. There is no error displayed in the terminal and the tab didn't crash.  

I will mark this bug as verified fixed.