Closed Bug 1440347 Opened 2 years ago Closed 2 years ago
ASAN UAF in MediaEngineWebRTCMicrophoneSource functions that touch mAllocations
MediaEngineWebRTCMicrophoneSource::Allocate does not lock mMutex before appending to mAllocations, which can force a reallocation of the array and invalidate all references. Numerous UAF bugs result.

https://public-artifacts.taskcluster.net/VAM-5wfoSliBYlDPD9G6XA/0/public/logs/live_backing.log
https://public-artifacts.taskcluster.net/NyK6xCCgSsCZicdmNJC5Lg/0/public/logs/live_backing.log

I should also note that I observed this crash while investigating bug 1439655 through the use of this patch: https://hg.mozilla.org/try/rev/6e70f64465fab331b57de1770bcfbbb028cdc469

I am unsure why this tiny modification in the VP8 code would bring this audio capture bug to the surface. It may be that this is the _real_ cause of our problems.
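As an added illustration of the failure mode described in the report (example code written for this page; it is not Firefox code and not the patch that fixed this bug), the block below first shows the unsafe shape, an unlocked push_back into a plain vector that hands out a raw pointer into the vector's storage, and checks that the next reallocating append leaves that pointer dangling. It then shows a hardened shape: every access takes the mutex, callers receive an index handle rather than a reference, and elements are heap-allocated so their addresses survive reallocation of the vector itself. The `Allocation` struct and the `UnsafeSource`/`SafeSource` classes are hypothetical stand-ins, not the real MediaEngineWebRTCMicrophoneSource types.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for the per-track record kept in mAllocations.
struct Allocation {
  int trackId;
  bool enabled;
};

// Unsafe shape: Allocate() appends with no lock and returns a raw pointer
// into the vector's own storage.
struct UnsafeSource {
  std::vector<Allocation> mAllocations;

  Allocation* Allocate(int trackId) {
    mAllocations.push_back({trackId, true});
    return &mAllocations.back();
  }
};

// Returns true when the pointer from the first Allocate() no longer points
// at element 0 after an append that reallocated the array (it now dangles).
// The old address is kept as an integer so nothing reads through it.
bool UnsafeAppendInvalidatesPointer() {
  UnsafeSource src;
  const auto firstAddr = reinterpret_cast<std::uintptr_t>(src.Allocate(1));
  // Fill to capacity without reallocating...
  while (src.mAllocations.size() < src.mAllocations.capacity()) {
    src.Allocate(2);
  }
  // ...then one more append reallocates and frees the old buffer.
  src.Allocate(3);
  const auto nowAddr = reinterpret_cast<std::uintptr_t>(&src.mAllocations[0]);
  return firstAddr != nowAddr;
}

// Hardened shape: mMutex guards every touch of mAllocations, callers hold an
// index handle, and each record lives behind a unique_ptr so its address is
// stable even when the vector reallocates.
class SafeSource {
 public:
  using Handle = std::size_t;

  Handle Allocate(int trackId) {
    std::lock_guard<std::mutex> lock(mMutex);
    mAllocations.push_back(std::make_unique<Allocation>(Allocation{trackId, true}));
    return mAllocations.size() - 1;
  }
  bool SetEnabled(Handle h, bool enabled) {
    std::lock_guard<std::mutex> lock(mMutex);
    if (h >= mAllocations.size()) return false;
    mAllocations[h]->enabled = enabled;
    return true;
  }
  bool IsEnabled(Handle h) {
    std::lock_guard<std::mutex> lock(mMutex);
    return h < mAllocations.size() && mAllocations[h]->enabled;
  }
  std::size_t Count() {
    std::lock_guard<std::mutex> lock(mMutex);
    return mAllocations.size();
  }
  // Exposed only so the example can show the record's address is stable.
  std::uintptr_t AddressOf(Handle h) {
    std::lock_guard<std::mutex> lock(mMutex);
    return h < mAllocations.size()
               ? reinterpret_cast<std::uintptr_t>(mAllocations[h].get())
               : 0;
  }

 private:
  std::mutex mMutex;
  std::vector<std::unique_ptr<Allocation>> mAllocations;
};

// The first record keeps its address across enough appends to reallocate
// the vector several times.
bool StableAddressAcrossRealloc() {
  SafeSource src;
  const SafeSource::Handle first = src.Allocate(1);
  const std::uintptr_t before = src.AddressOf(first);
  for (int i = 0; i < 64; ++i) src.Allocate(10 + i);
  return before != 0 && before == src.AddressOf(first);
}

// One thread appends while another toggles the first record via its handle;
// every access is serialised on mMutex, so no reader sees a freed buffer.
bool ConcurrentAllocateIsSafe(int appends) {
  SafeSource src;
  const SafeSource::Handle first = src.Allocate(1);
  std::thread writer([&] {
    for (int i = 0; i < appends; ++i) src.Allocate(100 + i);
  });
  for (int i = 0; i < appends; ++i) src.SetEnabled(first, i % 2 == 0);
  writer.join();
  return src.Count() == static_cast<std::size_t>(appends) + 1 &&
         src.SetEnabled(first, true) && src.IsEnabled(first);
}
```

The unsafe half deliberately never dereferences the stale pointer; it only compares addresses, which is enough to show that a reference taken before the append cannot be trusted after it. Locking alone would not cure the vector case, since the reallocation happens with the lock held and the caller's reference still dies; the handle plus heap-backed element is what removes the dangling reference.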
I am not seeing very many crashes in MediaEngineWebRTCMicrophoneSource on crash-stats for recent versions of Firefox, so maybe not that common in the wild.
I feel like I've seen a number of intermittent treeherder UAFs involving microphone stuff recently...
This would be a regression from Bug 1299515 (landed Jan 31) - Turn off camera/microphone while all tracks are muted/disabled. That would mean Firefox 60.
Attachment #8953368 - Flags: review?(padenot) → review+
Duplicate of this bug: 1440012