Closed Bug 1509442 (CVE-2018-18503) Opened 6 years ago Closed 6 years ago

checkImpl fail in JS_GetArrayBufferViewBuffer

Categories

(Core :: Web Audio, defect)

Version: 61 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking


VERIFIED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 + verified
firefox66 + verified

People

(Reporter: nils, Assigned: mrbkap)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main65+])

Attachments

(4 files)

The following testcase crashes the latest ASAN build of Firefox 65.0a1 (SourceStamp=8b245cc1086f912f84b54a6af13f015404af8e14).

crash.html:
<script>
function start() {
	// AudioContext is created in the original inner window's realm
	o5=new AudioContext();
	o291=new Float32Array(0);
	// document.write() on a loaded document implicitly opens it, which
	// replaces the inner window; objects created from o5 after this point
	// live in the *new* inner window's realm
	o388=document.write("");
	o389=o5.createBuffer(2,22050,44100);
	o420=new AudioBufferSourceNode(o5, {buffer:o389,detune:27});
	o389.copyToChannel(o291,1,0);
	// start() still runs in the old realm, so o389 is reached through a
	// cross-compartment wrapper; this setter is what trips the check
	o420.buffer=o389;
}
</script>
<body onload="start()"></body>

ASAN output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11985==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x562eb6d524e1 bp 0x7fff4e01db30 sp 0x7fff4e01db30 T0)
==11985==The signal is caused by a WRITE memory access.
==11985==Hint: address points to the zero page.
    #0 0x562eb6d524e0 in MOZ_CrashOOL(char const*, int, char const*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:311:3
    #1 0x562eb6d523ed in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp:52:3
JavaScript error: resource://gre/modules/addons/XPIProvider.jsm, line 2581: TypeError: addon is null; can't access its "seen" property
    #2 0x7f5ee68bad22 in fail /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:55:9
    #3 0x7f5ee68bad22 in check /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:71
    #4 0x7f5ee68bad22 in check /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:85
    #5 0x7f5ee68bad22 in checkImpl<JS::Handle<JSObject *>> /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:208
    #6 0x7f5ee68bad22 in check<JS::Handle<JSObject *> > /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:217
    #7 0x7f5ee68bad22 in JS_GetArrayBufferViewBuffer(JSContext*, JS::Handle<JSObject*>, bool*) /builds/worker/workspace/build/src/js/src/vm/ArrayBufferViewObject.cpp:222
    #8 0x7f5ee0747408 in mozilla::dom::AudioBuffer::StealJSArrayDataIntoSharedChannels(JSContext*) /builds/worker/workspace/build/src/dom/media/webaudio/AudioBuffer.cpp:406:21
    #9 0x7f5ee074e5a2 in GetThreadSharedChannelsForRate /builds/worker/workspace/build/src/dom/media/webaudio/AudioBuffer.cpp:435:9
    #10 0x7f5ee074e5a2 in mozilla::dom::AudioBufferSourceNode::SendBufferParameterToStream(JSContext*) /builds/worker/workspace/build/src/dom/media/webaudio/AudioBufferSourceNode.cpp:722
    #11 0x7f5edc129f94 in SetBuffer /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/AudioBufferSourceNode.h:52:5
    #12 0x7f5edc129f94 in mozilla::dom::AudioBufferSourceNode_Binding::set_buffer(JSContext*, JS::Handle<JSObject*>, mozilla::dom::AudioBufferSourceNode*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/AudioBufferSourceNodeBinding.cpp:368
    #13 0x7f5edee54450 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3320:8
    #14 0x7f5ee825b77d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #15 0x7f5ee825b77d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
    #16 0x7f5ee8260805 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:614:12
    #17 0x7f5ee8260805 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634
    #18 0x7f5ee8260805 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:776
    #19 0x7f5ee6c6aa9d in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:3017:10
    #20 0x7f5ee6c62085 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:3047:20
    #21 0x7f5ee823ab16 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:298:12
    #22 0x7f5ee823ab16 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:277
    #23 0x7f5ee823ab16 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3271
    #24 0x7f5ee8228976 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
    #25 0x7f5ee825c121 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
    #26 0x7f5ee825dda2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:10
    #27 0x7f5ee721b3b6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2988:12
    #28 0x7f5ede463bf9 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #29 0x7f5edf6f0859 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #30 0x7f5edf6edae9 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
    #31 0x7f5edf6a1c2a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1115:52
    #32 0x7f5edf6a4227 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1317:15
    #33 0x7f5edf6859d6 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #34 0x7f5edf6859d6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:425
    #35 0x7f5edf683c58 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:642:16
    #36 0x7f5edf68a6b0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1164:11
    #37 0x7f5ee23ee9ee in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1165:7
    #38 0x7f5ee564f033 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7052:21
    #39 0x7f5ee564a859 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6843:7
    #40 0x7f5ee5653657 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #41 0x7f5eda363a05 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1310:3
    #42 0x7f5eda3625ec in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:853:14
    #43 0x7f5eda35df38 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:742:9
    #44 0x7f5eda36088e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:631:5
    #45 0x7f5eda362114 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #46 0x7f5ed7ca19f7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:628:28
    #47 0x7f5edbd360c7 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8505:18
    #48 0x7f5edbd360c7 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8427
    #49 0x7f5edbd10099 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5306:3
    #50 0x7f5edbe7000b in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
    #51 0x7f5edbe7000b in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1197
    #52 0x7f5edbe7000b in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1242
    #53 0x7f5ed79dc7e5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #54 0x7f5ed7a19c18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1244:14
    #55 0x7f5ed7a229cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #56 0x7f5ed8c9bb3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #57 0x7f5ed8b96d5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #58 0x7f5ed8b96d5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #59 0x7f5ed8b96d5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #60 0x7f5ee1b5a6d3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #61 0x7f5ee644f56e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:961:22
    #62 0x7f5ed8b96d5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #63 0x7f5ed8b96d5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #64 0x7f5ed8b96d5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #65 0x7f5ee644e5c1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:787:34
    #66 0x562eb6cdf864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #67 0x562eb6cdf864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #68 0x7f5efb04fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #69 0x562eb6c04eec in _start (/home/nils/fuzzer3/firefox/firefox+0x2deec)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:311:3 in MOZ_CrashOOL(char const*, int, char const*)
==11985==ABORTING
Attached file ASAN output
Version: 64 Branch → 65 Branch
INFO: Last good revision: a1869efdd7aa8162dd68eb47288dffc528ce7980
INFO: First bad revision: ca5da952ff4c690bd34336b8a8aafec06b01e0e8
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a1869efdd7aa8162dd68eb47288dffc528ce7980&tochange=ca5da952ff4c690bd34336b8a8aafec06b01e0e8

Not sure if this bug should be moved into DOM or not...
Blocks: 1451913
Group: core-security → media-core-security
Has Regression Range: --- → yes
Flags: in-testsuite?
Keywords: crash, regression
Version: 65 Branch → 61 Branch
Blake: The testcase doesn't mention service workers, but the change in the regression window was about that. Also crashing on a compartment-mismatch check (that doesn't run in release builds). Can you help us understand what's going on here?
Flags: needinfo?(mrbkap)
Keywords: sec-high
Assignee: nobody → mrbkap
Flags: needinfo?(mrbkap)
This is subtle and related to patch 3 from bug 1451913. Before that patch, any objects created from an AudioContext (in this testcase, the AudioBuffer) would be created in the compartment of the global the AudioContext was constructed in (i.e. the original inner window, before document.write()). After the patch, we create those subobjects in the compartment of the *new* inner window. That's fine, as we'll happily wrap those objects in CCWs when they're returned, but there's a problem with the line `o420.buffer=o389;`. Because we're still running in a function created before the document.write() (in the *old* inner window's compartment), we have a CCW around o389 that the binding layer unwraps to get at the underlying AudioBuffer. We then call into the code that deals with its JS buffers, assuming that we're in its global. Unfortunately, we're not and we assert. I suspect that we might have hit this assertion if we had chrome code manipulating content AudioContext and AudioBuffers.

After reading the code, it looks like all of the other uses of mJSChannels have the AudioBuffer as the `this` object, so we'll have to be in its own compartment, so it should be sufficient to patch `AudioBuffer::StealJSArrayDataIntoSharedChannels` to enter the correct compartment (or, realm, really).
Component: Audio/Video → Web Audio
Comment on attachment 9028804 [details]
Bug 1509442 - Enter a realm here. r=qDot

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: This is a compartment mismatch but I think it's difficult to see how it's possible to cause it just by reading this patch (there aren't any pointers to document.open). I think it would be difficult to write an exploit because of that fact.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?: 61

If not all supported branches, which bug introduced the flaw?: Bug 1451913

Do you have backports for the affected branches?: No

If not, how different, hard to create, and risky will they be?: I would expect them to be easy to create and not risky.

How likely is this patch to cause regressions; how much testing does it need?: This patch should be very safe. In the common case it should be a no-op.
Attachment #9028804 - Flags: sec-approval?
We're past the last beta for 64.  Is there a strong reason not to leave this for 65?
Flags: needinfo?(mrbkap)
(In reply to Julien Cristau [:jcristau] from comment #7)
> We're past the last beta for 64.  Is there a strong reason not to leave this
> for 65?

I had the same remark. This is too late for the current cycle without it being a potential 0day or otherwise super important to get in.
We can certainly leave this for 65.
Flags: needinfo?(mrbkap)
Sec-approval+ for trunk. We'll want a beta patch made and nominated as well.
Attachment #9028804 - Flags: sec-approval? → sec-approval+
Comment on attachment 9028804 [details]
Bug 1509442 - Enter a realm here. r=qDot

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1451913

User impact if declined: Potential crash visiting certain sites.

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Please see comment 6.

String changes made/needed:
Attachment #9028804 - Flags: approval-mozilla-beta?
This landed yesterday: https://hg.mozilla.org/integration/autoland/rev/134d6c86e984adc8e26c6c799867e256b8f15d7b

And got backed out for browser_webAudio_silentData.js failures: https://hg.mozilla.org/integration/autoland/rev/8d24aeda8861e73c1491f5c45f4e57c2a77422d5
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=linux%2Cx64%2Copt%2Cmochitests%2Cwith%2Ce10s%2Ctest-linux64%2Fopt-mochitest-browser-chrome-e10s-3%2Cm-e10s%28bc3%29&fromchange=41e4eb2f9e476f279defec74ef328f2b707b0b65&tochange=8d24aeda8861e73c1491f5c45f4e57c2a77422d5&selectedJob=217801334
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=217801334&repo=autoland&lineNumber=7738


[task 2018-12-19T00:33:46.554Z] 00:33:46     INFO - TEST-START | toolkit/content/tests/browser/browser_webAudio_silentData.js
[task 2018-12-19T00:33:47.043Z] 00:33:47     INFO - GECKO(10903) | ###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0087,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
[task 2018-12-19T00:34:31.591Z] 00:34:31     INFO - TEST-INFO | started process screentopng
[task 2018-12-19T00:34:32.406Z] 00:34:32     INFO - TEST-INFO | screentopng: exit 0
[task 2018-12-19T00:34:32.406Z] 00:34:32     INFO - Buffered messages logged at 00:33:46
[task 2018-12-19T00:34:32.406Z] 00:34:32     INFO - Entering test bound testSilentAudioContext
[task 2018-12-19T00:34:32.406Z] 00:34:32     INFO - - create new tab -
[task 2018-12-19T00:34:32.406Z] 00:34:32     INFO - - create audio context -
[task 2018-12-19T00:34:32.408Z] 00:34:32     INFO - - check AudioContext's state -
[task 2018-12-19T00:34:32.408Z] 00:34:32     INFO - Buffered messages logged at 00:33:47
[task 2018-12-19T00:34:32.409Z] 00:34:32     INFO - Console message: [JavaScript Error: "remote browser crashed while on about:blank
[task 2018-12-19T00:34:32.409Z] 00:34:32     INFO - " {file: "chrome://mochikit/content/mochitest-e10s-utils.js" line: 8}]
[task 2018-12-19T00:34:32.409Z] 00:34:32     INFO - e10s_init/<@chrome://mochikit/content/mochitest-e10s-utils.js:8:5
[task 2018-12-19T00:34:32.409Z] 00:34:32     INFO - EventListener.handleEvent*e10s_init@chrome://mochikit/content/mochitest-e10s-utils.js:6:3
[task 2018-12-19T00:34:32.411Z] 00:34:32     INFO - testInit@chrome://mochikit/content/browser-test.js:102:5
[task 2018-12-19T00:34:32.412Z] 00:34:32     INFO - setTimeout handler*@chrome://mochikit/content/browser-test.js:22:1
[task 2018-12-19T00:34:32.413Z] 00:34:32     INFO - loadChromeScripts@jar:file:///tmp/tmpzfWLG_.mozrunner/extensions/mochikit@mozilla.org.xpi!/api.js:15:3
[task 2018-12-19T00:34:32.414Z] 00:34:32     INFO - loadMochitest@jar:file:///tmp/tmpzfWLG_.mozrunner/extensions/mochikit@mozilla.org.xpi!/api.js:111:3
[task 2018-12-19T00:34:32.415Z] 00:34:32     INFO - @tests/mochitest/runtests.py:1735:1
[task 2018-12-19T00:34:32.416Z] 00:34:32     INFO - @tests/mochitest/runtests.py:1714:2
[task 2018-12-19T00:34:32.417Z] 00:34:32     INFO - evaluate.sandbox/promise<@chrome://marionette/content/evaluate.js:128:13
[task 2018-12-19T00:34:32.418Z] 00:34:32     INFO - evaluate.sandbox@chrome://marionette/content/evaluate.js:97:17
[task 2018-12-19T00:34:32.419Z] 00:34:32     INFO - GeckoDriver.prototype.execute_@chrome://marionette/content/driver.js:1029:19
[task 2018-12-19T00:34:32.423Z] 00:34:32     INFO - async*GeckoDriver.prototype.executeScript@chrome://marionette/content/driver.js:899:24
[task 2018-12-19T00:34:32.423Z] 00:34:32     INFO - Async*despatch@chrome://marionette/content/server.js:290:20
[task 2018-12-19T00:34:32.424Z] 00:34:32     INFO - async*execute@chrome://marionette/content/server.js:263:11
[task 2018-12-19T00:34:32.428Z] 00:34:32     INFO - async*onPacket/<@chrome://marionette/content/server.js:236:15
[task 2018-12-19T00:34:32.429Z] 00:34:32     INFO - async*onPacket@chrome://marionette/content/server.js:235:8
[task 2018-12-19T00:34:32.430Z] 00:34:32     INFO - _onJSONObjectReady/<@chrome://marionette/content/transport.js:493:9
[task 2018-12-19T00:34:32.436Z] 00:34:32     INFO - 
[task 2018-12-19T00:34:32.437Z] 00:34:32     INFO - Buffered messages finished
[task 2018-12-19T00:34:32.440Z] 00:34:32     INFO - TEST-UNEXPECTED-FAIL | toolkit/content/tests/browser/browser_webAudio_silentData.js | Test timed out -
Flags: needinfo?(mrbkap)
Flags: needinfo?(mrbkap)
Attachment #9028804 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/integration/autoland/rev/cdadd4fd29737444e41f5d6f3617e9d415f611b1
https://hg.mozilla.org/mozilla-central/rev/cdadd4fd2973
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Please nominate this for Beta approval when you get a chance.
Flags: needinfo?(mrbkap)
Comment on attachment 9028804 [details]
Bug 1509442 - Enter a realm here. r=qDot


[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1451913

User impact if declined: Potential crash visiting certain sites.

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Please see comment 6.

String changes made/needed:
Flags: needinfo?(mrbkap)
Attachment #9028804 - Flags: approval-mozilla-beta?
Comment on attachment 9028804 [details]
Bug 1509442 - Enter a realm here. r=qDot

[Triage Comment]
Fixes a sec-high. Approved for 65.0b7.
Attachment #9028804 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/releases/mozilla-beta/rev/4a5ddf7d9e70
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Does this need manual QA? I've tried to execute the available test case on 65.0b7, however when I start the ASAN build my machine freezes and I need to hard-reset it.
(In reply to Stefan [:StefanG_QA] from comment #18)
> Does this need manual QA? I've tried to execute the available test case on
> 65.0b7, however when I start the ASAN build my machine freezes and I need to
> hard-reset it.

I don't know why your ASAN build wouldn't work. We should definitely add a crashtest for this after we make this bug public, there's no reason we can't have an automated test for this.
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65+]
Alias: CVE-2018-18503

I was able to test this on the below builds using the provided crash.html file in comment 0. When loading the mentioned file, Firefox does not crash.

Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 (20181221093752)
Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 (20190103150357)

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty?

qDot: the original crash here appears to be triggering an intentional crash assert. Is that a runtime assert as well? If the intentional crash is going to protect us I'm unsure how this gets a sec-high rating. Is there some other way around it?

Flags: needinfo?(kyle)

I'm not aware of another way around it offhand.

Flags: needinfo?(kyle)

Lowering to sec-moderate. We think the runtime assert protects us so sec-high is not appropriate, but it's still concerning enough that there was a compartment mismatch in the first place that might have bitten us in other ways that we still want to award a bug bounty.

Flags: sec-bounty? → sec-bounty+
Keywords: sec-high → sec-moderate

Just noticed that the crashtest for this was sitting in my phab dashboard as "needs to land". Blake left before this got landed, and it passes try:

https://treeherder.mozilla.org/#/jobs?repo=try&author=kmachulis%40mozilla.com&selectedJob=236731500

I'll go ahead and approve the Lando stack now.

Flags: in-testsuite? → in-testsuite+
Group: core-security-release