Bug 1440347 - ASAN UAF in MediaEngineWebRTCMicrophoneSource functions that touch mAllocations
Status: RESOLVED FIXED (Closed)
Opened 6 years ago, closed 6 years ago
Categories: Core :: WebRTC: Audio/Video, defect, P1
Target Milestone: mozilla60

Tracking:

Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox58 | --- | unaffected
firefox59 | --- | unaffected
firefox60 | --- | fixed
People: Reporter: bwc, Assigned: pehrsons
Keywords: csectype-uaf, regression, sec-high
Attachments (1 file): patch, 1.21 KB, padenot: review+
Description (Reporter):

MediaEngineWebRTCMicrophoneSource::Allocate does not lock mMutex before appending to mAllocations, which can force a reallocation of the array and invalidate all references. Numerous UAF bugs result.

https://public-artifacts.taskcluster.net/VAM-5wfoSliBYlDPD9G6XA/0/public/logs/live_backing.log
https://public-artifacts.taskcluster.net/NyK6xCCgSsCZicdmNJC5Lg/0/public/logs/live_backing.log

I should also note that I observed this crash while investigating bug 1439655 through the use of this patch: https://hg.mozilla.org/try/rev/6e70f64465fab331b57de1770bcfbbb028cdc469

I am unsure why this tiny modification in the VP8 code would bring this audio capture bug to the surface. It may be that this is the _real_ cause of our problems.
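The locking bug described in the report, as an added example that is not part of the original bug or of Gecko: a minimal stand-in for the source (`MicSource`, `Allocation`, `AllocateUnlocked`, `AllocateLocked` and `CountEnabled` are assumed names) that shows deterministically that an append to a full array moves the buffer and dangles every reference into it, next to the fixed shape where the append takes `mMutex` like every other access.

```cpp
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>
// Hypothetical stand-ins for the types named in the report; added illustration, not Gecko code.
struct Allocation { uint32_t id; bool enabled; };
// Appends and reports whether the backing buffer moved. When size() == capacity() the
// standard guarantees reallocation, so every reference taken before the append now dangles.
static bool AppendMovedBuffer(std::vector<Allocation>& v, uint32_t id) {
  const Allocation* before = v.data();
  v.push_back({id, true});
  return before != v.data();
}
// Reserved room keeps the buffer; a full array must move it. Both are guaranteed.
static bool ReallocationBehavesAsExpected() {
  std::vector<Allocation> v;
  v.reserve(8);
  bool keptWithRoom = !AppendMovedBuffer(v, 1);
  while (v.size() < v.capacity()) v.push_back({0, false});
  return keptWithRoom && AppendMovedBuffer(v, 2);
}
class MicSource {
 public:
  // Vulnerable shape from the report: append outside mMutex races readers holding the lock.
  void AllocateUnlocked(uint32_t id) { mAllocations.push_back({id, true}); }
  // Fixed shape: the append happens under mMutex like every other access.
  void AllocateLocked(uint32_t id) {
    std::lock_guard<std::mutex> lock(mMutex);
    mAllocations.push_back({id, true});
  }
  // Reader that holds mMutex for the whole walk and keeps no reference past it.
  size_t CountEnabled() {
    std::lock_guard<std::mutex> lock(mMutex);
    size_t n = 0;
    for (const Allocation& a : mAllocations) n += a.enabled ? 1 : 0;
    return n;
  }
 private:
  std::mutex mMutex;
  std::vector<Allocation> mAllocations;
};
// Producer appends n allocations under the lock while a consumer keeps reading; race-free.
static size_t RunLockedProducerConsumer(size_t n) {
  MicSource src;
  std::thread producer([&] { for (size_t i = 0; i < n; ++i) src.AllocateLocked(static_cast<uint32_t>(i)); });
  while (src.CountEnabled() < n) {}  // poll until every allocation has landed
  producer.join();
  return src.CountEnabled();
}
```

Running the producer/consumer with `AllocateUnlocked` instead would be a data race on the vector, which is exactly what ASAN flagged in the report; with the locked variant the final count is always exact.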
Comment 1 • 6 years ago (Reporter)
I am not seeing very many crashes in MediaEngineWebRTCMicrophoneSource on crash-stats for recent versions of Firefox, so maybe not that common in the wild.
Comment 2 • 6 years ago
I feel like I've seen a number of intermittent treeherder UAFs involving microphone stuff recently...
Group: core-security → media-core-security
Keywords: csectype-uaf, sec-high
Comment 3 • 6 years ago
This would be a regression from Bug 1299515 (landed Jan 31) - Turn off camera/microphone while all tracks are muted/disabled. That would mean Firefox 60.
status-firefox59: --- → unaffected
status-firefox60: --- → affected
Flags: needinfo?(apehrson)
Keywords: regression
See Also: → 1299515
Version: 59 Branch → 60 Branch
Updated • 6 years ago (Assignee)
Assignee: docfaraday → apehrson
Status: NEW → ASSIGNED
Rank: 5
status-firefox58: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(apehrson)
Priority: -- → P1
Comment 4 • 6 years ago (Assignee)
Attachment #8953368 - Flags: review?(padenot)
Comment 5 • 6 years ago (Assignee)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=881ed5eb68df7cf1a678565f486a8f3b33a93770
Updated • 6 years ago
Attachment #8953368 - Flags: review?(padenot) → review+
Comment 6 • 6 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/da9185249c90abe7539af85c77fc76bf0be28991
Comment 7 • 6 years ago
https://hg.mozilla.org/mozilla-central/rev/da9185249c90
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Updated • 6 years ago
Group: media-core-security → core-security-release
Updated • 6 years ago
Group: core-security-release