Bug 1440347 - ASAN UAF in MediaEngineWebRTCMicrophoneSource functions that touch mAllocations
Status: Closed, RESOLVED FIXED
Opened 7 years ago; Closed 7 years ago
Categories: Core :: WebRTC: Audio/Video, defect, P1
Target Milestone: mozilla60
Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox58 | --- | unaffected
firefox59 | --- | unaffected
firefox60 | --- | fixed
People: Reporter: bwc, Assigned: pehrsons
Keywords: csectype-uaf, regression, sec-high
Attachments (1 file): patch, 1.21 KB, padenot: review+
Description
MediaEngineWebRTCMicrophoneSource::Allocate does not lock mMutex before appending to mAllocations, which can force a reallocation of the array and invalidate all references. Numerous UAF bugs result.
https://public-artifacts.taskcluster.net/VAM-5wfoSliBYlDPD9G6XA/0/public/logs/live_backing.log
https://public-artifacts.taskcluster.net/NyK6xCCgSsCZicdmNJC5Lg/0/public/logs/live_backing.log
I should also note that I observed this crash while investigating bug 1439655 through the use of this patch:
https://hg.mozilla.org/try/rev/6e70f64465fab331b57de1770bcfbbb028cdc469
I am unsure why this tiny modification in the VP8 code would bring this audio capture bug to the surface. It may be that this is the _real_ cause of our problems.
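The mechanism the description names, as an added illustration that is not Firefox code: an append that is not serialized with the readers of a growable array can move the whole backing store, so every reference or iterator a reader still holds points at freed memory. The class, field and function names (Allocation, MicrophoneSource, AllocateUnlocked, Allocate, IsEnabled, AppendsUntilReallocation) are hypothetical stand-ins for the real mAllocations/mMutex code, and std::vector stands in for nsTArray.

```cpp
// Added example, not Firefox's code. Names and fields are hypothetical.
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <vector>

// Stand-in for one entry of mAllocations.
struct Allocation {
  int handleId;
  bool enabled;
};

class MicrophoneSource {
 public:
  // VULNERABLE pattern: the append is not serialized with readers. A reader
  // iterating mAllocations under mMutex can still be invalidated, because
  // this writer never takes the lock, and a push_back that exceeds capacity
  // moves every element to new storage and frees the old block.
  void AllocateUnlocked(int handleId) {
    mAllocations.push_back(Allocation{handleId, true});
  }

  // FIXED pattern: mutation happens under mMutex, so a reallocation can only
  // occur while no reader holds a reference into the array.
  void Allocate(int handleId) {
    std::lock_guard<std::mutex> lock(mMutex);
    mAllocations.push_back(Allocation{handleId, true});
  }

  // Reader: copies the value out under the lock instead of keeping a
  // reference or iterator alive past the critical section.
  bool IsEnabled(int handleId) {
    std::lock_guard<std::mutex> lock(mMutex);
    for (const Allocation& a : mAllocations) {
      if (a.handleId == handleId) {
        return a.enabled;
      }
    }
    return false;
  }

  std::size_t Count() {
    std::lock_guard<std::mutex> lock(mMutex);
    return mAllocations.size();
  }

 private:
  std::mutex mMutex;
  std::vector<Allocation> mAllocations;
};

// Shows why an unsynchronized append is dangerous: returns how many appends
// it took before the vector moved its backing storage (0 if it never moved
// within maxAppends). Addresses are compared as integers so no stale pointer
// is dereferenced. Any reference taken before that append points at freed
// memory afterwards, which is what ASAN reports as a use-after-free.
std::size_t AppendsUntilReallocation(std::size_t maxAppends) {
  std::vector<Allocation> allocations;
  allocations.push_back(Allocation{0, true});
  std::uintptr_t before = reinterpret_cast<std::uintptr_t>(allocations.data());
  for (std::size_t i = 1; i <= maxAppends; ++i) {
    allocations.push_back(Allocation{static_cast<int>(i), true});
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(allocations.data());
    if (after != before) {
      return i;  // this append reallocated and invalidated every reference
    }
  }
  return 0;
}
```

The race itself only manifests when a second thread is inside a locked read while AllocateUnlocked runs, which is why it shows up as an intermittent ASAN report in CI rather than a deterministic failure; the fix is to take the same mutex on the write path so reallocation and reference-holding can never overlap.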
Comment 1 (Reporter) • 7 years ago
I am not seeing very many crashes in MediaEngineWebRTCMicrophoneSource on crash-stats for recent versions of Firefox, so maybe not that common in the wild.
Comment 2 • 7 years ago
I feel like I've seen a number of intermittent treeherder UAFs involving microphone stuff recently...
Group: core-security → media-core-security
Keywords: csectype-uaf, sec-high
Comment 3 • 7 years ago
This would be a regression from Bug 1299515 (landed Jan 31) - Turn off camera/microphone while all tracks are muted/disabled.
That would mean Firefox 60.
status-firefox59: --- → unaffected
status-firefox60: --- → affected
Flags: needinfo?(apehrson)
Keywords: regression
See Also: → 1299515
Version: 59 Branch → 60 Branch
Updated (Assignee) • 7 years ago
Assignee: docfaraday → apehrson
Status: NEW → ASSIGNED
Rank: 5
status-firefox58: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(apehrson)
Priority: -- → P1
Comment 4 (Assignee) • 7 years ago
Attachment #8953368 - Flags: review?(padenot)
Comment 5 (Assignee) • 7 years ago
Updated • 7 years ago
Attachment #8953368 - Flags: review?(padenot) → review+
Comment 6 (Assignee) • 7 years ago
Comment 7 • 7 years ago
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Updated • 7 years ago
Group: media-core-security → core-security-release
Updated • 7 years ago
Group: core-security-release