Closed
Bug 1429216
Opened 7 years ago
Closed 7 years ago
UAF due to webrtc codec init failure
Categories: Core :: WebRTC, defect, P1
Status: RESOLVED FIXED
Target Milestone: mozilla59
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox58 | --- | fixed |
firefox59 | --- | fixed |
People: Reporter: jesup, Assigned: jesup
Keywords: crash, csectype-uaf, sec-high
Attachments (1 file, 1 obsolete file)
4.48 KB, patch | drno: review+
+++ This bug was initially created as a clone of Bug #1426449 +++
If InitEncode() fails, in non-debug builds, a race is set up where a pending OnBitrateUpdated will try to access the temporal_layers_, which failure of SetSendCodec() will cause to be deleted before OnBitrateUpdated runs. This causes a UAF.
Also, generally clean up and exit on failure.
InitEncode shouldn't fail -- but if it does (and there are a lot of ways it can), we should handle it smoothly.
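A simplified model of the race described above, added here as an illustration; it is not the attached patch or WebRTC source, and the page does not show how the actual fix works. Class and method names echo the description, while `TaskQueue`, `PostBitrateUpdate`, `RunScenario` and the 300 kbps value are constructed. The queued update holds a `std::weak_ptr`, so when the failure path frees `temporal_layers_` the stale task is dropped instead of touching freed memory.

```cpp
#include <deque>
#include <functional>
#include <memory>
// Simplified model; names follow the bug text, not the WebRTC source.
struct TemporalLayers { int bitrate_kbps = 0; };
using TaskQueue = std::deque<std::function<bool()>>;

class Encoder {
 public:
  explicit Encoder(TaskQueue& q) : queue_(q) {}
  // On InitEncode failure, clean up and report the error to the caller.
  bool SetSendCodec(bool force_init_failure) {
    if (!InitEncode(force_init_failure)) {
      temporal_layers_.reset();  // state is freed while a task is still queued
      return false;
    }
    return true;
  }
  int bitrate_kbps() const { return temporal_layers_ ? temporal_layers_->bitrate_kbps : -1; }

 private:
  // Constructed stand-in for codec init; `fail` forces the error path.
  bool InitEncode(bool fail) {
    temporal_layers_ = std::make_shared<TemporalLayers>();
    PostBitrateUpdate(300);  // update is pending before the result is known
    return !fail;
  }
  void PostBitrateUpdate(int kbps) {
    // A raw TemporalLayers* captured here would dangle after reset().
    std::weak_ptr<TemporalLayers> weak = temporal_layers_;
    queue_.push_back([weak, kbps] {
      auto layers = weak.lock();
      if (!layers) return false;  // owner already freed it: drop the update
      layers->bitrate_kbps = kbps;
      return true;
    });
  }
  TaskQueue& queue_;
  std::shared_ptr<TemporalLayers> temporal_layers_;
};

// Runs one scenario; returns the bitrate applied, or -1 if the update was dropped.
int RunScenario(bool force_init_failure) {
  TaskQueue queue;
  Encoder enc(queue);
  bool ok = enc.SetSendCodec(force_init_failure);
  bool applied = false;
  for (auto& task : queue) applied = task() || applied;  // drain pending tasks
  return (ok && applied) ? enc.bitrate_kbps() : -1;
}
int main() { return RunScenario(true) == -1 ? 0 : 1; }
```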
Comment 1 • 7 years ago (Assignee)
works fine if I force the InitEncode to fail now
Attachment #8941199 - Flags: review?(drno)
Comment 2 • 7 years ago (Assignee)
forgot to include the .h file
Attachment #8941201 - Flags: review?(drno)
Updated • 7 years ago (Assignee)
Attachment #8941199 - Attachment is obsolete: true
Attachment #8941199 - Flags: review?(drno)
Comment 3 • 7 years ago
Comment on attachment 8941201
handle RegisterSendCodec() failure better in non-debug builds
Review of attachment 8941201:
-----------------------------------------------------------------
LGTM
Attachment #8941201 - Flags: review?(drno) → review+
Comment 4 • 7 years ago
Randell, is this something we would want to upstream?
Flags: needinfo?(rjesup)
Comment 5 • 7 years ago (Assignee)
Yes, though there are probably cleaner ways to do it (with larger changes), so they may not want to take it as-is - but that's up to them; we should put it up.
Note: this is a sec issue. We should try to coordinate this with Google, though they don't seem to handle sec issues in the webrtc code in the same way we do.
Flags: needinfo?(rjesup) → needinfo?(dminor)
Comment 6 • 7 years ago (Assignee)
Sec and beta requests are in bug 1426449
Comment 7 • 7 years ago
Upstream bug filed: https://bugs.chromium.org/p/webrtc/issues/detail?id=8754
Flags: needinfo?(dminor)
Updated • 7 years ago
Rank: 9
Updated • 7 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox58: --- → fixed
status-firefox59: --- → fixed
Resolution: --- → FIXED
Updated • 7 years ago
Group: media-core-security → core-security-release
Updated • 7 years ago
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla59
Updated • 7 years ago
Group: core-security-release
Updated • 6 years ago
Type: enhancement → defect