Closed Bug 1435036 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:4419:7 in ChromeAffectingStateChanged

Categories

(Core :: WebRTC, defect, P1, critical)

59 Branch
defect

Tracking

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- wontfix
firefox60 + fixed
firefox61 + fixed

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [fuzzblocker][adv-main60+][post-critsmash-triage])

Attachments

(3 files, 2 obsolete files)

Found while fuzzing mozilla-central rev 5201997e7e01.  Currently reducing the testcase.  Will update once complete.

==7626==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000443ec0 at pc 0x7f16838b7bf5 bp 0x7ffc1220f3b0 sp 0x7ffc1220f3a8
READ of size 1 at 0x606000443ec0 thread T0 (file:// Content)
    #0 0x7f16838b7bf4 in ChromeAffectingStateChanged /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:4419:7
    #1 0x7f16838b7bf4 in mozilla::SourceListener::StopTrack(int) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3952
    #2 0x7f1683908fbc in mozilla::GetUserMediaStreamRunnable::Run()::LocalTrackSource::Stop() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1267:24
    #3 0x7f16839573a9 in mozilla::dom::MediaStreamTrackSource::UnregisterSink(mozilla::dom::MediaStreamTrackSource::Sink*) /builds/worker/workspace/build/src/dom/media/MediaStreamTrack.h:229:7
    #4 0x7f1683956bcf in mozilla::dom::MediaStreamTrack::Destroy() /builds/worker/workspace/build/src/dom/media/MediaStreamTrack.cpp:160:14
    #5 0x7f16839579e5 in mozilla::dom::MediaStreamTrack::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/media/MediaStreamTrack.cpp:181:8
    #6 0x7f167db63a24 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3401:26
    #7 0x7f167db666ad in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3769:24
    #8 0x7f167db6a2f0 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21
    #9 0x7f1680fd324c in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1505:3
    #10 0x7f1680b1747b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1298:3
    #11 0x7f167dcfdb71 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #12 0x7f167f732da0 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1948:12
    #13 0x7f167f732da0 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
    #14 0x7f167f732da0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
    #15 0x7f167f739603 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #16 0x7f1689793b74 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #17 0x7f1689793b74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #18 0x7f168977d59b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #19 0x7f168977d59b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #20 0x7f168975fa39 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #21 0x7f1689793d31 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #22 0x7f16897949d3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #23 0x7f168a3975c5 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2978:12
    #24 0x7f167f64a350 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #25 0x2a0ae118fde5  (<unknown module>)

0x606000443ec0 is located 32 bytes inside of 56-byte region [0x606000443ea0,0x606000443ed8)
freed by thread T48 (MediaManager) here:
    #0 0x4c6fc2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f1683907bd2 in operator delete /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:183:12
    #2 0x7f1683907bd2 in Release /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:488
    #3 0x7f1683907bd2 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
    #4 0x7f1683907bd2 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #5 0x7f1683907bd2 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79
    #6 0x7f1683907bd2 in mozilla::GetUserMediaStreamRunnable::~GetUserMediaStreamRunnable() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1127
    #7 0x7f1683907e8d in mozilla::GetUserMediaStreamRunnable::~GetUserMediaStreamRunnable() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1127:33
    #8 0x7f167dce9bec in mozilla::Runnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:50:1
    #9 0x7f168390a6f0 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41:11
    #10 0x7f168390a6f0 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #11 0x7f168390a6f0 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79
    #12 0x7f168390a6f0 in ~ /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1378
    #13 0x7f168390a6f0 in ~LambdaTask /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/media/MediaTaskUtils.h:24
    #14 0x7f168390a6f0 in mozilla::media::LambdaTask<mozilla::GetUserMediaStreamRunnable::Run()::{lambda()#1}>::~LambdaTask() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/media/MediaTaskUtils.h:24
    #15 0x7f167dce9bec in mozilla::Runnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:50:1
    #16 0x7f167dcd1707 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:313:7
    #17 0x7f167dcd1707 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1046
    #18 0x7f167dced5a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #19 0x7f167eb7f6af in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #20 0x7f167ead15f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7f167ead15f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7f167ead15f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7f167eaf0b5f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #24 0x7f167eae25cc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #25 0x7f169df906b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c7303 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f7dcd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f16838a16c7 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:159:12
    #3 0x7f16838a16c7 in mozilla::MediaManager::GetUserMedia(nsPIDOMWindowInner*, mozilla::dom::MediaStreamConstraints const&, nsIDOMGetUserMediaSuccessCallback*, nsIDOMGetUserMediaErrorCallback*, mozilla::dom::CallerType) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2620
    #4 0x7f1683775948 in mozilla::dom::MediaDevices::GetUserMedia(mozilla::dom::MediaStreamConstraints const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:194:30
    #5 0x7f168148bea2 in getUserMedia /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:192:45
    #6 0x7f168148bea2 in mozilla::dom::MediaDevicesBinding::getUserMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:209
    #7 0x7f1682cf2f0a in mozilla::dom::GenericPromiseReturningBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3083:13
    #8 0x7f1689793b74 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #9 0x7f1689793b74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #10 0x7f16897949d3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #11 0x7f168a750b4c in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
    #12 0x7f168a6e1ef6 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #13 0x7f168a6f8a06 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:511:21
    #14 0x7f168a6fb7f3 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:770:12
    #15 0x7f1689794192 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #16 0x7f1689794192 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
    #17 0x7f1689a281cf in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2375:14
    #18 0x2a0ae115460a  (<unknown module>)
    #19 0x621000ef3c1f  (<unknown module>)
    #20 0x2a0ae114e4e7  (<unknown module>)
    #21 0x7f1689a54cc0 in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:150:9
    #22 0x7f1689a54cc0 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:227
    #23 0x7f1689788d8e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2049:28
    #24 0x7f168975fa39 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #25 0x7f1689796d25 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #26 0x7f168979751d in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #27 0x7f168a3b401b in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4734:12
    #28 0x7f1680fea956 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #29 0x7f1684b5d6dd in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2286:25
    #30 0x7f1684b57919 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1929:10
    #31 0x7f1684b54c63 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1572:10
    #32 0x7f1684b394be in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1307:10
    #33 0x7f1684b385d9 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #34 0x7f167fde934b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
    #35 0x7f167fde934b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736

Thread T48 (MediaManager) created by T0 (file:// Content) here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f167eadff2f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f167eadff2f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f167eaf04ff in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f168389c542 in mozilla::MediaManager::Get() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2025:36
    #5 0x7f168377592e in mozilla::dom::MediaDevices::GetUserMedia(mozilla::dom::MediaStreamConstraints const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:194:9
    #6 0x7f168148bea2 in getUserMedia /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:192:45
    #7 0x7f168148bea2 in mozilla::dom::MediaDevicesBinding::getUserMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:209
    #8 0x7f1682cf2f0a in mozilla::dom::GenericPromiseReturningBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3083:13
    #9 0x7f1689793b74 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #10 0x7f1689793b74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #11 0x7f16897949d3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #12 0x7f168a750b4c in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
    #13 0x7f168a6e1ef6 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #14 0x7f168a6f8a06 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:511:21
    #15 0x7f168a6fb7f3 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:770:12
    #16 0x7f1689794192 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #17 0x7f1689794192 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
    #18 0x7f1689a281cf in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2375:14
    #19 0x2a0ae115460a  (<unknown module>)
    #20 0x621001e5541f  (<unknown module>)
    #21 0x2a0ae114e4e7  (<unknown module>)
    #22 0x7f1689a54cc0 in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:150:9
    #23 0x7f1689a54cc0 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:227
    #24 0x7f1689788d8e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2049:28
    #25 0x7f168975fa39 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #26 0x7f1689796d25 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #27 0x7f168979751d in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #28 0x7f168a3b401b in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4734:12
    #29 0x7f1680fea956 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #30 0x7f1684b5d6dd in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2286:25
    #31 0x7f1684b57919 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1929:10
    #32 0x7f1684b54c63 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1572:10
    #33 0x7f1684b394be in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1307:10
    #34 0x7f1684b385d9 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #35 0x7f167fde934b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
    #36 0x7f167fde934b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736
    #37 0x7f167fde25b4 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:540:7
    #38 0x7f167fdef96f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:57:18
    #39 0x7f167dca9420 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #40 0x7f167dcd156b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #41 0x7f167dced5a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #42 0x7f167eb7e2aa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #43 0x7f167ead15f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #44 0x7f167ead15f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #45 0x7f167ead15f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #46 0x7f1684d9b68a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #47 0x7f16894732eb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:873:22
    #48 0x7f167ead15f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #49 0x7f167ead15f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #50 0x7f167ead15f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #51 0x7f1689472cd1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:699:34
    #52 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #53 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #54 0x7f169cf2b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:4419:7 in ChromeAffectingStateChanged
Shadow bytes around the buggy address:
  0x0c0c80080780: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c0c80080790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800807a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800807b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800807c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c800807d0: fa fa fa fa fd fd fd fd[fd]fd fd fa fa fa fa fa
  0x0c0c800807e0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c800807f0: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80080800: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c80080810: 00 00 00 00 00 00 01 fa fa fa fa fa 00 00 00 00
  0x0c0c80080820: 00 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7626==ABORTING
Attached file trigger.html
Group: core-security → media-core-security
Keywords: csectype-uaf
FYI
Flags: needinfo?(jib)
Flags: needinfo?(apehrson)
Thanks. Looks like it's mine.
Assignee: nobody → apehrson
Flags: needinfo?(jib)
Flags: needinfo?(apehrson)
Rank: 8
Priority: -- → P1
Attached file testcase.txt
I have added another test case. The crash is a tiny bit different but I think it is still a dupe. Could somebody verify that?

thanks!
Whiteboard: [fuzzblocker]
Andreas, can you give this a priority bump?
We want security bugs to be addressed timely and this one is particularly useful to get fixed because it's occurring often enough to block the fuzzers from poking at other code.
Flags: needinfo?(apehrson)
Yes, sorry for this taking so long. I've been battling plenty of fires, but this is now next on my list.
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)
FWIW this triggers an assert in a debug build. I've made crashtests out of the test cases and will start working on a fix.
This is very similar to bug 1429507. With the same fix the tests seem to pass, but they enter an infinite loop of reloads that I'll have to break in order to land them.
Attached patch Add crashtest (obsolete) — Splinter Review
I'm moving the patches I had for bug 1429507 here and squashing them to one, just in case.
Attachment #8959233 - Flags: review?(jib)
Comment on attachment 8953716 [details]
testcase.txt

Lgtm, though we probably shouldn't land this from a sec high bug, since it pinpoints the problem and could be turned into an exploit.

I suggest holding it back and landing it from another bug later once active releases are running fixed code.
Attachment #8953716 - Flags: review+
Comment on attachment 8953716 [details]
testcase.txt

Uh, reviewed wrong patch.
Attachment #8953716 - Flags: review+
Comment on attachment 8959233 [details] [diff] [review]
Add crashtest

Review of attachment 8959233 [details] [diff] [review]:
-----------------------------------------------------------------

Lgtm, though we probably shouldn't land this from a sec high bug, since it pinpoints the problem and could be turned into an exploit.

I suggest holding it back and landing it from another bug later once active releases are running fixed code.
Attachment #8959233 - Flags: review?(jib) → review+
Comment on attachment 8959234 [details] [diff] [review]
Check for the same window listener rather than just the window id in MediaManager

Review of attachment 8959234 [details] [diff] [review]:
-----------------------------------------------------------------

I think we need to replace this fine commit message with something obtuse that doesn't point to how to repro, otherwise this looks good to me.

::: dom/media/MediaManager.cpp
@@ +3172,5 @@
>  
> +bool
> +MediaManager::IsWindowListenerStillActive(GetUserMediaWindowListener* aListener)
> +{
> +  return aListener && aListener == GetWindowListener(aListener->WindowID());
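Review bot: the identity comparison in this hunk deserves a one-line comment, because nothing in the five added lines says why comparing against `GetWindowListener(aListener->WindowID())` is needed instead of a plain lookup by id. The visible logic is that the helper reports a listener as active only when it is the very object currently registered for its window id, so a listener that has been unregistered and replaced under the same id compares unequal and is treated as stale. Suggest a comment above `return aListener && aListener == GetWindowListener(aListener->WindowID());` stating that, so a later cleanup does not simplify the identity check back into an id-existence check.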

Allowing IsWindowListenerStillActive(nullptr) seems weird, but appropriate for an uplift patch.

We should perhaps add a MOZ_DIAGNOSTIC_ASSERT here.
Attachment #8959234 - Flags: review?(jib) → review+
(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #15)
> Comment on attachment 8959234 [details] [diff] [review]
> Check for the same window listener rather than just the window id in
> MediaManager
> 
> Review of attachment 8959234 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> I think we need to replace this fine commit message with something obtuse
> that doesn't point to how to repro, otherwise this looks good to me.

Sure. I first wrote the patch (and commit message) for bug 1429507 which is not a sec bug. I also have the fuzz test from that bug as a working crashtest which I plan to publish after this has landed and gotten uplifted. I could do the same for the crashtest patch here.


> ::: dom/media/MediaManager.cpp
> @@ +3172,5 @@
> >  
> > +bool
> > +MediaManager::IsWindowListenerStillActive(GetUserMediaWindowListener* aListener)
> > +{
> > +  return aListener && aListener == GetWindowListener(aListener->WindowID());
> 
> Allowing IsWindowListenerStillActive(nullptr) seems weird, but appropriate
> for an uplift patch.
> 
> We should perhaps add a MOZ_DIAGNOSTIC_ASSERT here.

Will do.
Carries forward r=jib.

Note that I intend to move the crashtest to bug 1429507 and land it after this is through.


[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easy.
One can possibly infer that window ids are not strong enough and with some knowledge of how windows work in a browser, and by reading code surrounding the patch, trigger a UAF without too much trouble. But then doing something useful with that UAF would be hard.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No

Which older supported branches are affected by this flaw?
55 and up

If not all supported branches, which bug introduced the flaw?
Bug 1320994

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Simple and not risky. I haven't tried to rebase on them but 60 is trivial and 59 should only affect surrounding code.

How likely is this patch to cause regressions; how much testing does it need?
Not likely. There's a small chance of mainly a leak since the patch extends the lifetime of an object. It should not affect the lifetime of its members however.
Attachment #8959233 - Attachment is obsolete: true
Attachment #8959234 - Attachment is obsolete: true
Attachment #8960114 - Flags: sec-approval?
Attachment #8960114 - Flags: review+
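The approval comment above makes the point that a window id on its own is not a strong enough identity, and the reviewed helper compares the listener object itself against the one currently registered for its id. The following is an added example written for this page, not Mozilla's code: a toy registry (the names `Registry`, `WindowListener`, `StopTrackIfActive` and `RunStaleListenerScenario` are hypothetical) that shows the weak id-only check and the identity check side by side on a constructed stale-listener scenario, with the stale object kept alive by a strong reference the way the fix extends the object's lifetime.

```cpp
// Added example, not Mozilla code: a toy registry keyed by window id that
// models the difference between "some listener exists for this window id"
// and "this exact listener is the one currently registered". All names
// (Registry, WindowListener, StopTrackIfActive, ...) are hypothetical.
#include <cassert>
#include <cstdint>
#include <map>
#include <memory>

struct WindowListener {
    uint64_t windowId;
    bool stopped = false;
    explicit WindowListener(uint64_t id) : windowId(id) {}
};

class Registry {
public:
    // Registers a new listener for the id, replacing any previous one.
    std::shared_ptr<WindowListener> Register(uint64_t id) {
        auto listener = std::make_shared<WindowListener>(id);
        active_[id] = listener;
        return listener;
    }
    void Unregister(uint64_t id) { active_.erase(id); }

    std::shared_ptr<WindowListener> GetWindowListener(uint64_t id) const {
        auto it = active_.find(id);
        if (it == active_.end()) {
            return nullptr;
        }
        return it->second;
    }

    // Weak check: only asks whether the window id currently has a listener.
    bool IsWindowIdActive(uint64_t id) const {
        return GetWindowListener(id) != nullptr;
    }

    // Strong check, same shape as the reviewed helper: the caller's listener
    // must be the very object registered for its window id right now.
    bool IsWindowListenerStillActive(const WindowListener* listener) const {
        assert(listener != nullptr);  // stands in for the MOZ_DIAGNOSTIC_ASSERT suggested in review
        return listener && listener == GetWindowListener(listener->windowId).get();
    }

private:
    std::map<uint64_t, std::shared_ptr<WindowListener>> active_;
};

// A StopTrack-style operation that touches the listener only when the
// registry still recognises it. Returns true if it acted.
bool StopTrackIfActive(const Registry& reg, WindowListener* listener) {
    if (!reg.IsWindowListenerStillActive(listener)) {
        return false;  // stale listener: do nothing rather than act on it
    }
    listener->stopped = true;
    return true;
}

struct ScenarioResult {
    bool staleIdCheck;        // weak check on the stale listener's id
    bool staleIdentityCheck;  // strong check on the stale listener
    bool staleStopped;        // whether StopTrackIfActive acted on the stale one
    bool freshStopped;        // whether StopTrackIfActive acted on the current one
};

// Constructed scenario: a listener is registered for window 42, the window is
// torn down and a new listener is registered under the same id, while a
// queued task still holds a strong reference to the old listener (keeping
// the object alive so the task can run the check safely).
ScenarioResult RunStaleListenerScenario() {
    Registry reg;
    const uint64_t kWindowId = 42;

    std::shared_ptr<WindowListener> stale = reg.Register(kWindowId);
    reg.Unregister(kWindowId);
    std::shared_ptr<WindowListener> fresh = reg.Register(kWindowId);

    ScenarioResult r{};
    r.staleIdCheck = reg.IsWindowIdActive(stale->windowId);              // true: id alone is misleading
    r.staleIdentityCheck = reg.IsWindowListenerStillActive(stale.get()); // false: identity catches it
    r.staleStopped = StopTrackIfActive(reg, stale.get());                // false: stale listener untouched
    r.freshStopped = StopTrackIfActive(reg, fresh.get());                // true: current listener stopped
    return r;
}
```

The design point is that the id-only check answers a different question ("is this window still live?") than the one a queued task needs ("is the listener I was created for still the registered one?"); keying the decision on object identity, with the object's lifetime held by the task, is what closes the gap.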
sec-approval+ for landing on trunk. Do not land ANY crashtest until we *ship* a release with the fix (not just after this gets ported to branches). We don't want to 0day ourselves with our own test.

Please nominate a beta patch for this as well.
Attachment #8960114 - Flags: sec-approval? → sec-approval+
Comment on attachment 8960114 [details] [diff] [review]
Check for the same window listener rather than just the window id in MediaManager

This applies cleanly on beta.

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1320994
[User impact if declined]: Applications could trigger a UAF at will
[Is this code covered by automated tests?]: I have two crashtests to land once this fix ships
[Has the fix been verified in Nightly?]: No, but I have verified it locally with the attached test cases on both m-b and m-c.
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: There's a small chance of mainly a leak since the patch extends the lifetime of an object. It should not affect the lifetime of this object's members however.
[String changes made/needed]: None
Attachment #8960114 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/37039eaf5248
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment on attachment 8960114 [details] [diff] [review]
Check for the same window listener rather than just the window id in MediaManager

Approved for 60.0b6. Looking forward to when the crashtest can land.
Attachment #8960114 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: media-core-security → core-security-release
Whiteboard: [fuzzblocker] → [fuzzblocker][adv-main60+]
Flags: qe-verify-
Whiteboard: [fuzzblocker][adv-main60+] → [fuzzblocker][adv-main60+][post-critsmash-triage]
Group: core-security-release