Closed Bug 1544023 Opened 4 years ago Closed 4 years ago

AddressSanitizer: heap-use-after-free [@ mozilla::MediaStreamGraphImpl::UpdateGraph] with WRITE of size 8

Categories: Core :: Web Audio, defect, P1

Tracking: VERIFIED FIXED, target milestone mozilla68

Tracking Status:
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 + verified
firefox68 + verified

People: Reporter: jkratzer, Assigned: alwu

References: Blocks 2 open bugs, Regression

Details: 5 keywords

Attachments: 4 files

Found while fuzzing mozilla-central rev c77962add953. I don't currently have a working testcase but will update if one becomes available.

==1902==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000d084d0 at pc 0x7fafbe3e9746 bp 0x7faf01506a90 sp 0x7faf01506a88
WRITE of size 8 at 0x614000d084d0 thread T20144 (MediaStreamGrph)
#0 0x7fafbe3e9745 in mozilla::MediaStreamGraphImpl::UpdateGraph(long) /src/dom/media/MediaStreamGraph.cpp:1257:28
#1 0x7fafbe3eced2 in mozilla::MediaStreamGraphImpl::OneIterationImpl(long) /src/dom/media/MediaStreamGraph.cpp:1399:3
#2 0x7fafbe0a257a in mozilla::ThreadedDriver::RunThread() /src/dom/media/GraphDriver.cpp:311:41
#3 0x7fafbe0b6a0d in mozilla::MediaStreamGraphInitThreadRunnable::Run() /src/dom/media/GraphDriver.cpp:208:14
#4 0x7fafb586d496 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
#5 0x7fafb587515d in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#6 0x7fafb6bd7421 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
#7 0x7fafb6aab79e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#8 0x7fafb6aab79e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#9 0x7fafb6aab79e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#10 0x7fafb58655f3 in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:454:11
#11 0x7fafdab8c5ad in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#12 0x7fafda7ce6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#13 0x7fafd97ac88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x614000d084d0 is located 144 bytes inside of 432-byte region [0x614000d08440,0x614000d085f0)
freed by thread T20144 (MediaStreamGrph) here:
#0 0x55786091d9e2 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7fafbe3e7f0a in mozilla::MediaStreamGraphImpl::RunMessagesInQueue() /src/dom/media/MediaStreamGraph.cpp:1169:20
#2 0x7fafbe3ece88 in mozilla::MediaStreamGraphImpl::OneIterationImpl(long) /src/dom/media/MediaStreamGraph.cpp:1396:3
#3 0x7fafbe0a257a in mozilla::ThreadedDriver::RunThread() /src/dom/media/GraphDriver.cpp:311:41
#4 0x7fafbe0b6a0d in mozilla::MediaStreamGraphInitThreadRunnable::Run() /src/dom/media/GraphDriver.cpp:208:14
#5 0x7fafb586d496 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
#6 0x7fafb587515d in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#7 0x7fafb6bd7421 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
#8 0x7fafb6aab79e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#9 0x7fafb6aab79e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#10 0x7fafb6aab79e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#11 0x7fafb58655f3 in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:454:11
#12 0x7fafdab8c5ad in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#13 0x7fafda7ce6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

previously allocated by thread T0 (file:// Content) here:
#0 0x55786091dd63 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x5578609525fd in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:68:15
#2 0x7fafbeae7c47 in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
#3 0x7fafbeae7c47 in mozilla::AudioNodeStream::Create(mozilla::dom::AudioContext*, mozilla::AudioNodeEngine*, unsigned int, mozilla::MediaStreamGraph*) /src/dom/media/webaudio/AudioNodeStream.cpp:76
#4 0x7fafbeb31de5 in mozilla::dom::AudioParam::Stream() /src/dom/media/webaudio/AudioParam.cpp:83:13
#5 0x7fafbeb3170c in mozilla::dom::AudioNode::Connect(mozilla::dom::AudioParam&, unsigned int, mozilla::ErrorResult&) /src/dom/media/webaudio/AudioNode.cpp:262:38
#6 0x7fafba393e1b in mozilla::dom::AudioNode_Binding::connect(JSContext*, JS::Handle<JSObject*>, mozilla::dom::AudioNode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/AudioNodeBinding.cpp:384:17
#7 0x7fafbd150a81 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3150:13
#8 0x7fafc4968c77 in CallJSNative /src/js/src/vm/Interpreter.cpp:442:13
#9 0x7fafc4968c77 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:534
#10 0x7fafc4951491 in CallFromStack /src/js/src/vm/Interpreter.cpp:593:10
#11 0x7fafc4951491 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3072
#12 0x7fafc49330f8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:422:10
#13 0x7fafc49695e8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:562:13
#14 0x7fafc496b232 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:605:8
#15 0x7fafc4b26920 in Call /src/js/src/vm/Interpreter.h:98:10
#16 0x7fafc4b26920 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /src/js/src/builtin/Promise.cpp:1697
#17 0x7fafc4968c77 in CallJSNative /src/js/src/vm/Interpreter.cpp:442:13
#18 0x7fafc4968c77 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:534
#19 0x7fafc496b232 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:605:8
#20 0x7fafc55b7ba9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2621:10
#21 0x7fafbafad4bc in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
#22 0x7fafb5606079 in Call /src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
#23 0x7fafb5606079 in Call /src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
#24 0x7fafb5606079 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /src/xpcom/base/CycleCollectedJSContext.cpp:236
#25 0x7fafb55d861e in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /src/xpcom/base/CycleCollectedJSContext.cpp:599:17
#26 0x7fafbd9d044b in LeaveMicroTask /src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:212:7
#27 0x7fafbd9d044b in ~nsAutoMicroTask /src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:315
#28 0x7fafbd9d044b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1047

Thread T20144 (MediaStreamGrph) created by T3718 (CubebOp~tion #2) here:
#0 0x55786090667d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7fafdab7e613 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7fafdab6809e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7fafb5868569 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:661:8
#4 0x7fafb5873e15 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:416:12
#5 0x7fafb5878fa4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /src/xpcom/threads/nsThreadUtils.cpp:139:57
#6 0x7fafbe0a0d9e in NS_NewNamedThread<16> /src/obj-firefox/dist/include/nsThreadUtils.h:71:10
#7 0x7fafbe0a0d9e in mozilla::ThreadedDriver::Start() /src/dom/media/GraphDriver.cpp:226
#8 0x7fafbe0a7b66 in SwitchToNextDriver /src/dom/media/GraphDriver.cpp:108:17
#9 0x7fafbe0a7b66 in mozilla::AudioCallbackDriver::FallbackToSystemClockDriver() /src/dom/media/GraphDriver.cpp:1114
#10 0x7fafbe0a4fd0 in mozilla::AudioCallbackDriver::Init() /src/dom/media/GraphDriver.cpp:580:5
#11 0x7fafbe0a4599 in mozilla::AsyncCubebTask::Run() /src/dom/media/GraphDriver.cpp:436:21
#12 0x7fafb587a061 in nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:244:14
#13 0x7fafb587af24 in non-virtual thunk to nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp
#14 0x7fafb586d496 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
#15 0x7fafb587515d in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#16 0x7fafb6bd7421 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
#17 0x7fafb6aab79e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#18 0x7fafb6aab79e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#19 0x7fafb6aab79e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#20 0x7fafb58655f3 in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:454:11
#21 0x7fafdab8c5ad in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#22 0x7fafda7ce6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T3718 (CubebOp~tion #2) created by T3717 (MediaStreamGrph) here:
#0 0x55786090667d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7fafdab7e613 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7fafdab6809e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7fafb5868569 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:661:8
#4 0x7fafb5873e15 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:416:12
#5 0x7fafb5878fa4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /src/xpcom/threads/nsThreadUtils.cpp:139:57
#6 0x7fafb587883d in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:111:17
#7 0x7fafb587b1d5 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:290:5
#8 0x7fafbe0a8825 in Dispatch /src/obj-firefox/dist/include/nsIEventTarget.h:37:14
#9 0x7fafbe0a8825 in Dispatch /src/dom/media/GraphDriver.h:545
#10 0x7fafbe0a8825 in mozilla::AudioCallbackDriver::Start() /src/dom/media/GraphDriver.cpp:696
#11 0x7fafbe0a290b in SwitchToNextDriver /src/dom/media/GraphDriver.cpp:108:17
#12 0x7fafbe0a290b in mozilla::ThreadedDriver::RunThread() /src/dom/media/GraphDriver.cpp:324
#13 0x7fafbe0b6a0d in mozilla::MediaStreamGraphInitThreadRunnable::Run() /src/dom/media/GraphDriver.cpp:208:14
#14 0x7fafb586d496 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
#15 0x7fafb587515d in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#16 0x7fafb6bd7421 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
#17 0x7fafb6aab79e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#18 0x7fafb6aab79e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#19 0x7fafb6aab79e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#20 0x7fafb58655f3 in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:454:11
#21 0x7fafdab8c5ad in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#22 0x7fafda7ce6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T3717 (MediaStreamGrph) created by T3716 (CubebOp~tion #1) here:
#0 0x55786090667d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7fafdab7e613 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7fafdab6809e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7fafb5868569 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:661:8
#4 0x7fafb5873e15 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:416:12
#5 0x7fafb5878fa4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /src/xpcom/threads/nsThreadUtils.cpp:139:57
#6 0x7fafbe0a0d9e in NS_NewNamedThread<16> /src/obj-firefox/dist/include/nsThreadUtils.h:71:10
#7 0x7fafbe0a0d9e in mozilla::ThreadedDriver::Start() /src/dom/media/GraphDriver.cpp:226
#8 0x7fafbe0a7b66 in SwitchToNextDriver /src/dom/media/GraphDriver.cpp:108:17
#9 0x7fafbe0a7b66 in mozilla::AudioCallbackDriver::FallbackToSystemClockDriver() /src/dom/media/GraphDriver.cpp:1114
#10 0x7fafbe0a4fd0 in mozilla::AudioCallbackDriver::Init() /src/dom/media/GraphDriver.cpp:580:5
#11 0x7fafbe0a4599 in mozilla::AsyncCubebTask::Run() /src/dom/media/GraphDriver.cpp:436:21
#12 0x7fafb587a061 in nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:244:14
#13 0x7fafb587af24 in non-virtual thunk to nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp
#14 0x7fafb586d496 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
#15 0x7fafb587515d in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#16 0x7fafb6bd7421 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
#17 0x7fafb6aab79e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#18 0x7fafb6aab79e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#19 0x7fafb6aab79e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#20 0x7fafb58655f3 in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:454:11
#21 0x7fafdab8c5ad in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#22 0x7fafda7ce6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T3716 (CubebOp~tion #1) created by T0 (file:// Content) here:
#0 0x55786090667d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7fafdab7e613 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7fafdab6809e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7fafb5868569 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:661:8
#4 0x7fafb5873e15 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:416:12
#5 0x7fafb5878fa4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /src/xpcom/threads/nsThreadUtils.cpp:139:57
#6 0x7fafb587883d in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:111:17
#7 0x7fafb587b1d5 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:290:5
#8 0x7fafbe0a8825 in Dispatch /src/obj-firefox/dist/include/nsIEventTarget.h:37:14
#9 0x7fafbe0a8825 in Dispatch /src/dom/media/GraphDriver.h:545
#10 0x7fafbe0a8825 in mozilla::AudioCallbackDriver::Start() /src/dom/media/GraphDriver.cpp:696
#11 0x7fafbe3ef554 in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /src/dom/media/MediaStreamGraph.cpp:1727:17
#12 0x7fafbe41d46e in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /src/dom/media/MediaStreamGraph.cpp:1591:15
#13 0x7fafb55d6097 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /src/xpcom/base/CycleCollectedJSContext.cpp:382:12
#14 0x7fafb55d91c2 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /src/xpcom/base/CycleCollectedJSContext.cpp:441:3
#15 0x7fafb7d46465 in XPCJSContext::AfterProcessTask(unsigned int) /src/js/xpconnect/src/XPCJSContext.cpp:1273:28
#16 0x7fafb586e159 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1240:24
#17 0x7fafb587515d in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#18 0x7fafbfbc1cc3 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2910:31)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#19 0x7fafbfbc1cc3 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2910
#20 0x7fafbfbbf53d in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2684:11
#21 0x7fafbc3cbcba in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1345:9
#22 0x7fafbd150a81 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3150:13
#23 0x7fafc4968c77 in CallJSNative /src/js/src/vm/Interpreter.cpp:442:13
#24 0x7fafc4968c77 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:534
#25 0x7fafc5b3b02b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:3879:10
#26 0x7faf6b8e8887 (<unknown module>)
#27 0x6290016aa2cf (<unknown module>)
#28 0x7faf6b8e64de (<unknown module>)
#29 0x7fafc5d310e1 in EnterBaseline /src/js/src/jit/BaselineJIT.cpp:111:5
#30 0x7fafc5d310e1 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /src/js/src/jit/BaselineJIT.cpp:189
#31 0x7fafc495d20d in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:1979:24
#32 0x7fafc49330f8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:422:10
#33 0x7fafc49695e8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:562:13
#34 0x7fafc496b232 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:605:8
#35 0x7fafc55b7ba9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2621:10
#36 0x7fafbc754770 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#37 0x7fafbd9d0202 in HandleEvent<mozilla::dom::EventTarget*> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#38 0x7fafbd9d0202 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1039
#39 0x7fafbd9d2833 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1240:17
#40 0x7fafbd9b2a00 in HandleEvent /src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
#41 0x7fafbd9b2a00 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:349
#42 0x7fafbd9b0c28 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:551:16
#43 0x7fafbd9b7993 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /src/dom/events/EventDispatcher.cpp:1046:11
#44 0x7fafc096b56a in nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1098:7
#45 0x7fafc37dda5c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /src/docshell/base/nsDocShell.cpp:6594:21
#46 0x7fafc37dcb88 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:6395:7
#47 0x7fafc37e26f7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp
#48 0x7fafb84503a5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /src/uriloader/base/nsDocLoader.cpp:1313:3
#49 0x7fafb844ef8c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:872:14
#50 0x7fafb844a0d7 in nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:710:9
#51 0x7fafb844d1d5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:598:5
#52 0x7fafb844eab4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp
#53 0x7fafb5b162b2 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:568:22
#54 0x7fafb9cfccda in DoUnblockOnload /src/dom/base/Document.cpp:7831:18
#55 0x7fafb9cfccda in mozilla::dom::Document::UnblockOnload(bool) /src/dom/base/Document.cpp:7763
#56 0x7fafb9cfb73f in mozilla::dom::Document::DispatchContentLoadedEvents() /src/dom/base/Document.cpp:4891:3
#57 0x7fafb9e004eb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#58 0x7fafb9e004eb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1128
#59 0x7fafb9e004eb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1174
#60 0x7fafb582d455 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:295:32
#61 0x7fafb586d496 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
#62 0x7fafb587515d in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#63 0x7fafb6bd5cbf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
#64 0x7fafb6aab79e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#65 0x7fafb6aab79e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#66 0x7fafb6aab79e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#67 0x7fafc00bfcb3 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
#68 0x7fafc46820fe in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#69 0x7fafb6aab79e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#70 0x7fafb6aab79e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#71 0x7fafb6aab79e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#72 0x7fafc468128c in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#73 0x557860950834 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#74 0x557860950834 in main /src/browser/app/nsBrowserApp.cpp:263
#75 0x7fafd96acb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /src/dom/media/MediaStreamGraph.cpp:1257:28 in mozilla::MediaStreamGraphImpl::UpdateGraph(long)
==1902==ABORTING

Group: core-security → media-core-security
Keywords: sec-high
Priority: -- → P1

Paul, could you please have a look at which of the recent changes might be causing this?

Flags: needinfo?(padenot)

This is a UAF on a suspended stream, specifically an AudioParam stream:

#3 0x7fafbeae7c47 in mozilla::AudioNodeStream::Create(mozilla::dom::AudioContext*, mozilla::AudioNodeEngine*, unsigned int, mozilla::MediaStreamGraph*) /src/dom/media/webaudio/AudioNodeStream.cpp:76
#4 0x7fafbeb31de5 in mozilla::dom::AudioParam::Stream() /src/dom/media/webaudio/AudioParam.cpp:83:13
#5 0x7fafbeb3170c in mozilla::dom::AudioNode::Connect(mozilla::dom::AudioParam&, unsigned int, mozilla::ErrorResult&) /src/dom/media/webaudio/AudioNode.cpp:262:38

At MediaStreamGraph.cpp:1257 we see we're trying to write to a member of mSuspendedStreams. Last time there was something done at the intersection of suspended streams and AudioParams, it was a fix by Alastor.

We need to find a location where we can destroy a stream that is in the mSuspendedStreams array, without removing it from this array.

The iteration that crashed is a different iteration from the one that freed the MediaStream, but it's the same thread.

Alastor, does the above make sense to you? Do you think you could have a look?

Flags: needinfo?(padenot) → needinfo?(alwu)
Attached file testcase.html

I managed to get a working testcase. Testcase may require a few reloads to trigger.

Flags: in-testsuite?
Keywords: testcase-wanted

Yep, it seems to me that we released the stream without removing it from mSuspendedStreams. As all streams should be removed from the stream list [1] when we call the stream's Destroy() [2], I still have not found the possible call path which could result in this issue.

It looks weird that we released the stream in the init thread runnable.

#4 0x7fafbe0b6a0d in mozilla::MediaStreamGraphInitThreadRunnable::Run() /src/dom/media/GraphDriver.cpp:208:14

In addition, I couldn't reproduce this issue with the test case in comment 3.

[1] https://searchfox.org/mozilla-central/rev/d33d470140ce3f9426af523eaa8ecfa83476c806/dom/media/MediaStreamGraph.cpp#115
[2] https://searchfox.org/mozilla-central/rev/d33d470140ce3f9426af523eaa8ecfa83476c806/dom/media/MediaStreamGraph.cpp#2015-2037

Hi, Jason,
What platform are you using when you get this issue? I can't reproduce this on an OSX debug build of Nightly.
Thank you.

Flags: needinfo?(jkratzer)

Hmm, no, the crash in bug 1526044 was also called from the init thread runnable, so it seems a normal trigger point. I need to reproduce this issue locally in order to debug.

Attached file prefs-default-e10s.js

(In reply to Alastor Wu [:alwu] from comment #5)

Hi, Jason,
What platform are you using when you get this issue? I can't reproduce this on an OSX debug build of Nightly.
Thank you.

I am able to reliably reproduce this on Ubuntu 18.04 (x64) using the latest m-c nightly (20190417-bbca68b2af26). Additionally, these are the prefs I'm using.

Flags: needinfo?(jkratzer)

Ah, now I can reproduce this issue by setting pref media.autoplay.default=0.
Thank you.

Assignee: nobody → alwu
Flags: needinfo?(alwu)

So the problem here was caused by the incorrect suspended count. When we do AudioContext::GetAllStreams(), we only append the stream of an AudioParam which has been connected to an AudioNode. If the AudioParam doesn't connect with any other node, then we can't get its stream and operate on its suspended count.

For this crash, the sequence was this:

  1. source.connect(oscillator.frequency)
  • created the stream for the AudioParam, and connected it to mOutputParams
  • the stream became active later; its suspended count changed from 1 (initial value) to 0
  2. source.disconnect()
  • removed the stream from mOutputParams
  3. SuspendFromChrome occurred (not sure why this should happen)
  • we couldn't get the stream because the node had disconnected
  • therefore, we DID NOT change the suspended count here, which caused incorrect counting
  4. processor.connect(oscillator.frequency)
  • added the stream to mOutputParams again
  5. ResumeFromChrome occurred
  • we got the stream from mOutputParams, so its suspended count changed from 0 to -1 (wrong!)
  6. Suspend operation occurred in StreamGraphThread (it was triggered by context.suspend().then(function (arg1) { }))
  • the stream's suspended count changed from -1 to 0
  • and it was added to mSuspendedStreams
  7. when everything was going to shut down, the stream would be destroyed and disconnected, so AudioNodeStream::RemoveInput() ran and finally triggered MediaStreamGraphImpl::IncrementSuspendCount()
  • the stream's suspended count changed from 0 to 1
  • but the stream was in mSuspendedStreams, not in mStreams, which caused an assertion failure.

When we suspend or resume the AudioContext, it should affect ALL media streams which belong to or are related to the AudioNodes that are created by this AudioContext.

As AudioNode::OutputParams() can only return the connected AudioParams, it doesn't return the AudioParams which belong to the node itself.
That means we would fail to apply the suspend/resume operation for those streams, and it would cause an imbalanced suspended count.

Therefore, we let AudioNode keep references to all its AudioParams, and return them to the AudioContext in order to do the operation for all streams.
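The suspend-count imbalance described in the comment above, replayed in a toy model written for this page (not Gecko code): Stream, Graph, AudioParam, AudioNode and AudioContext are hypothetical stand-ins for the Gecko classes of the same names, and the list-moving rules are reconstructed from the comment's description rather than copied from MediaStreamGraph.cpp. RunScenario(false) reproduces the pre-fix count of -1 and the stream ending up in the wrong list; RunScenario(true) models the fix, where every node also reports the AudioParams that belong to itself.

```cpp
#include <algorithm>
#include <deque>
#include <vector>

// Stand-in for MediaStream: only the suspend counter matters for this bug.
struct Stream {
  int suspendCount = 1;  // a new stream starts suspended (step 1 of the comment)
  bool IsSuspended() const { return suspendCount > 0; }
};
// Graph-thread bookkeeping: a stream belongs to exactly one of the two lists.
// The move rules are reconstructed from the comment, not copied from Gecko.
struct Graph {
  std::deque<Stream> owned;  // deque: pointers stay valid as streams are added
  std::vector<Stream*> mStreams, mSuspendedStreams;
  bool consistent = true;  // cleared where the real build hit the assertion / UAF
  static bool Contains(const std::vector<Stream*>& v, Stream* s) { return std::find(v.begin(), v.end(), s) != v.end(); }
  static void Move(std::vector<Stream*>& from, std::vector<Stream*>& to, Stream* s) {
    from.erase(std::remove(from.begin(), from.end(), s), from.end());
    to.push_back(s);
  }
  Stream* CreateStream() { owned.emplace_back(); mSuspendedStreams.push_back(&owned.back()); return &owned.back(); }
  void IncrementSuspendCount(Stream* s) {
    if (!s->IsSuspended()) {
      // A stream with count <= 0 must still be in mStreams; pre-fix, at step 7, it is not.
      if (!Contains(mStreams, s)) consistent = false;
      Move(mStreams, mSuspendedStreams, s);
    }
    s->suspendCount++;
  }
  void DecrementSuspendCount(Stream* s) {
    bool wasSuspended = s->IsSuspended();
    s->suspendCount--;
    if (wasSuspended && !s->IsSuspended()) {
      if (!Contains(mSuspendedStreams, s)) consistent = false;
      Move(mSuspendedStreams, mStreams, s);
    }
  }
};

struct AudioParam { Stream* stream = nullptr; };  // created on first connect
struct AudioNode {
  std::vector<AudioParam> ownParams;      // e.g. oscillator.frequency
  std::vector<AudioParam*> outputParams;  // params this node is connected to
};

class AudioContext {
 public:
  AudioContext(Graph* g, bool keepOwnParams) : mGraph(g), mKeepOwnParams(keepOwnParams) {}
  AudioNode* CreateNode(int nParams) { mNodes.emplace_back(); mNodes.back().ownParams.resize(nParams); return &mNodes.back(); }
  void Connect(AudioNode* from, AudioParam* to) {
    if (!to->stream) {
      to->stream = mGraph->CreateStream();
      mGraph->DecrementSuspendCount(to->stream);  // stream becomes active: 1 -> 0
    }
    from->outputParams.push_back(to);
  }
  void Disconnect(AudioNode* n) { n->outputParams.clear(); }
  // Pre-fix: only streams of params some node is connected to are visible.
  // With the fix, every node also reports the params that belong to itself.
  std::vector<Stream*> GetAllStreams() {
    std::vector<Stream*> out;
    for (AudioNode& n : mNodes) {
      for (AudioParam* p : n.outputParams) out.push_back(p->stream);
      if (mKeepOwnParams)
        for (AudioParam& p : n.ownParams) if (p.stream) out.push_back(p.stream);
    }
    std::sort(out.begin(), out.end());  // count each stream once per operation
    out.erase(std::unique(out.begin(), out.end()), out.end());
    return out;
  }
  void SuspendFromChrome() { for (Stream* s : GetAllStreams()) mGraph->IncrementSuspendCount(s); }
  void ResumeFromChrome() { for (Stream* s : GetAllStreams()) mGraph->DecrementSuspendCount(s); }
 private:
  Graph* mGraph;
  bool mKeepOwnParams;
  std::deque<AudioNode> mNodes;
};

struct Outcome { int countBeforeGraphSuspend; bool consistent; };

// Replays steps 1-7 of the comment; keepOwnParams=false is the pre-fix behaviour.
Outcome RunScenario(bool keepOwnParams) {
  Graph graph;
  AudioContext ctx(&graph, keepOwnParams);
  AudioNode* source = ctx.CreateNode(0);
  AudioNode* oscillator = ctx.CreateNode(1);  // ownParams[0] plays oscillator.frequency
  AudioNode* processor = ctx.CreateNode(0);
  AudioParam* frequency = &oscillator->ownParams[0];
  ctx.Connect(source, frequency);     // 1. stream created and activated: 1 -> 0
  ctx.Disconnect(source);             // 2. stream leaves source's mOutputParams
  ctx.SuspendFromChrome();            // 3. pre-fix: stream not visible, count stays 0
  ctx.Connect(processor, frequency);  // 4. stream visible through processor again
  ctx.ResumeFromChrome();             // 5. pre-fix: 0 -> -1
  Outcome o{frequency->stream->suspendCount, true};
  graph.IncrementSuspendCount(frequency->stream);  // 6. context.suspend() on graph thread
  graph.IncrementSuspendCount(frequency->stream);  // 7. RemoveInput() during shutdown
  o.consistent = graph.consistent;
  return o;
}
```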

(In reply to Alastor Wu [:alwu] from comment #4)

It looks weird that we released the stream in the init thread runnable.

#4 0x7fafbe0b6a0d in mozilla::MediaStreamGraphInitThreadRunnable::Run() /src/dom/media/GraphDriver.cpp:208:14

This Runnable runs for the lifetime of the GraphDriver: it calls ThreadedDriver::RunThread that will loop and sleep until either the graph is shut down or it switches to another driver.

Attachment #9059169 - Attachment description: Bug 1544023 - let AudioNode keep the reference of all AudioParam which are belong to itself. → Bug 1544023 - let AudioNode keep the reference of all AudioParams which belong to itself.

Comment on attachment 9059169 [details]
Bug 1544023 - let AudioNode keep the reference of all AudioParams which belong to itself.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: These changes are internal changes inside the AudioContext; there is nothing that could be used or attacked from the JS side.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 67
  • If not all supported branches, which bug introduced the flaw?: Bug 1524026
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: It's less likely to introduce a regression because we didn't introduce any behavior changes here. What the patch does is introduce an array which is used to collect the references of all AudioParams which belong to the AudioNode itself.
Attachment #9059169 - Flags: sec-approval?

Comment on attachment 9059169 [details]
Bug 1544023 - let AudioNode keep the reference of all AudioParams which belong to itself.

sec-approval+ for trunk. Please nominate a beta patch as well.

Attachment #9059169 - Flags: sec-approval? → sec-approval+

Will ask for an approval after landing the patch in m-c.

Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Comment on attachment 9060189 [details] [diff] [review]
bug1544023-for-beta

Beta/Release Uplift Approval Request

  • User impact if declined: Will have a crash.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We didn't introduce any new functional changes; what this patch does is add a new member to keep all the references of the AudioParams which belong to the AudioNode, in order to make sure the suspend count is consistent.
  • String changes made/needed: none
Attachment #9060189 - Flags: approval-mozilla-beta?
Attachment #9059169 - Flags: approval-mozilla-beta?

Specifically, this is a UAF on an object that has a big vtable, I think it's quite severe.

Comment on attachment 9059169 [details]
Bug 1544023 - let AudioNode keep the reference of all AudioParams which belong to itself.

Fix for a 67 regression causing crashes, uplift accepted for 67 beta 14, thanks!

Attachment #9059169 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9060189 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

I will land a crashtest that covers this bug over in bug 1545133.

Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Hi, I managed to reproduce this issue in an older version of Nightly after setting media.autoplay.default=0 in about:config. However, I am unable to cause the crash in our latest Nightly 68.0a1 (2019-04-24) build or Beta 67.0b14 using Ubuntu 18.04. I will mark this issue accordingly.

QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Status: RESOLVED → VERIFIED
Group: core-security-release
Has Regression Range: --- → yes
Keywords: regression
Regressed by: 1524026