Closed Bug 1440347 Opened 2 years ago Closed 2 years ago

ASAN UAF in MediaEngineWebRTCMicrophoneSource functions that touch mAllocations

Categories

(Core :: WebRTC: Audio/Video, defect, P1)

60 Branch
defect

Tracking


RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: bwc, Assigned: pehrsons)

References

Details

(Keywords: csectype-uaf, regression, sec-high)

Attachments

(1 file)

MediaEngineWebRTCMicrophoneSource::Allocate does not lock mMutex before appending to mAllocations, which can force a reallocation of the array and invalidate all references. Numerous UAF bugs result.

https://public-artifacts.taskcluster.net/VAM-5wfoSliBYlDPD9G6XA/0/public/logs/live_backing.log

https://public-artifacts.taskcluster.net/NyK6xCCgSsCZicdmNJC5Lg/0/public/logs/live_backing.log

I should also note that I observed this crash while investigating bug 1439655 through the use of this patch:

https://hg.mozilla.org/try/rev/6e70f64465fab331b57de1770bcfbbb028cdc469

I am unsure why this tiny modification in the VP8 code would bring this audio capture bug to the surface. It may be that this is the _real_ cause of our problems.
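The mechanism behind the report, as an added illustration that is not code from this bug or from Mozilla: a growable array like mAllocations moves all of its elements when an append exceeds capacity, so any pointer or reference another thread took into it becomes dangling, and the unlocked Allocate is exactly such an append. The model below uses std::vector and std::mutex as stand-ins for nsTArray and the source's Mutex; the class, method names and the Allocation fields are constructed for the example. The first function only compares addresses (dereferencing the stale pointer would be the actual use-after-free); the class shows the shape of the fix described here, with every touch of mAllocations under mMutex and only indices or copies, never references, escaping the locked region.

```cpp
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <vector>

// Constructed stand-in for one entry of mAllocations: a per-track record that
// the audio callback reads while the main thread may be adding new tracks.
struct Allocation {
  uint64_t trackId;
  bool enabled;
};

// Shows why an unlocked append is dangerous: filling the array to capacity and
// appending once more forces the backing store to move, so a pointer taken
// before the append (as a concurrent reader would hold) now points at freed
// memory. We only compare addresses; using `first` here would be the UAF.
bool AppendInvalidatesReferences() {
  std::vector<Allocation> allocations;
  allocations.push_back({1, true});
  const Allocation* first = &allocations[0];  // what another thread might hold
  while (allocations.size() < allocations.capacity()) {
    allocations.push_back({static_cast<uint64_t>(allocations.size() + 1), true});
  }
  // One more element than capacity: the vector allocates a new buffer, copies,
  // and frees the old one, so `first` cannot still be the first element.
  allocations.push_back({static_cast<uint64_t>(allocations.size() + 1), true});
  return first != &allocations[0];  // true: the old pointer is dangling
}

// Hardened shape (illustrative names, not Mozilla's): mMutex guards
// mAllocations on every access, and no reference to an element ever leaves
// the locked region, so a concurrent Allocate cannot invalidate a reader.
class MicrophoneSourceModel {
 public:
  // The fix for the pattern in the report: take mMutex before appending.
  size_t Allocate(uint64_t trackId) {
    std::lock_guard<std::mutex> lock(mMutex);
    mAllocations.push_back({trackId, true});
    return mAllocations.size() - 1;  // hand out an index, never a pointer
  }

  // Index-based update, validated under the same lock.
  bool SetEnabled(size_t index, bool enabled) {
    std::lock_guard<std::mutex> lock(mMutex);
    if (index >= mAllocations.size()) return false;
    mAllocations[index].enabled = enabled;
    return true;
  }

  // Consumer side (think audio callback): do the whole traversal under the
  // lock rather than keeping an element reference across an unlocked region.
  size_t CountEnabled() const {
    std::lock_guard<std::mutex> lock(mMutex);
    size_t n = 0;
    for (const Allocation& a : mAllocations) {
      if (a.enabled) ++n;
    }
    return n;
  }

  // When work must happen outside the lock, copy out what is needed first.
  std::vector<uint64_t> EnabledTrackIds() const {
    std::lock_guard<std::mutex> lock(mMutex);
    std::vector<uint64_t> ids;
    for (const Allocation& a : mAllocations) {
      if (a.enabled) ids.push_back(a.trackId);
    }
    return ids;  // a copy; safe to use after the lock is released
  }

 private:
  mutable std::mutex mMutex;
  std::vector<Allocation> mAllocations;
};

// Exercises the hardened model: allocate five tracks, disable one, and report
// how many remain enabled.
size_t HardenedScenario() {
  MicrophoneSourceModel source;
  size_t idx[5];
  for (size_t i = 0; i < 5; ++i) {
    idx[i] = source.Allocate(100 + i);
  }
  source.SetEnabled(idx[2], false);
  return source.CountEnabled();
}
```

The single-threaded driver cannot reproduce the race itself; the point is the invariant that makes the race impossible, namely that the only things a caller can hold outside mMutex are an index (re-validated on use) or a copy. Running the first function under ASan with the stale pointer actually dereferenced produces the heap-use-after-free report the bug title refers to.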
I am not seeing very many crashes in MediaEngineWebRTCMicrophoneSource on crash-stats for recent versions of Firefox, so maybe not that common in the wild.
I feel like I've seen a number of intermittent treeherder UAFs involving microphone stuff recently...
Group: core-security → media-core-security
This would be a regression from Bug 1299515 (landed Jan 31) - Turn off camera/microphone while all tracks are muted/disabled.
That would mean Firefox 60.
Flags: needinfo?(apehrson)
Keywords: regression
See Also: → 1299515
Version: 59 Branch → 60 Branch
Assignee: docfaraday → apehrson
Status: NEW → ASSIGNED
Rank: 5
Flags: needinfo?(apehrson)
Priority: -- → P1
Attachment #8953368 - Flags: review?(padenot) → review+
https://hg.mozilla.org/mozilla-central/rev/da9185249c90
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Duplicate of this bug: 1440012
Group: media-core-security → core-security-release
Group: core-security-release