Closed Bug 1580156 (CVE-2019-13722) Opened 1 year ago Closed 1 year ago

Intermittent AddressSanitizer: stack-buffer-overflow Z:\task_1567613406\fetches\llvm-project\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:785 in __asan_wrap_memmove

Categories

(Core :: WebRTC, defect, P1)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox-esr68 71+ fixed
firefox70 --- wontfix
firefox71 + fixed
firefox72 --- fixed

People

(Reporter: malexandru, Assigned: ng)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: Coordinate CVE w/Google [adv-main71+][adv-esr68.3+])

Attachments

(2 files, 1 obsolete file)

Failure log:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=265898248&repo=mozilla-central&lineNumber=5970

[task 2019-09-10T11:25:31.124Z] 11:25:31     INFO - REFTEST TEST-END | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/837324.html
[task 2019-09-10T11:25:31.142Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:2169: CloseInt: Closing PeerConnectionImpl 5475ce64d06cefb1; ending call
[task 2019-09-10T11:25:31.142Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/jsep [1568114731112000 (id=2147486389 url=file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/837324.html]: stable -> closed
[task 2019-09-10T11:25:31.152Z] 11:25:31     INFO - REFTEST TEST-START | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/855796.html
[task 2019-09-10T11:25:31.153Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(media.getusermedia.insecure.enabled,false)
[task 2019-09-10T11:25:31.153Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(media.devices.insecure.enabled,false)
[task 2019-09-10T11:25:31.153Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(dom.disable_open_during_load,true)
[task 2019-09-10T11:25:31.153Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(media.navigator.permission.disabled,false)
[task 2019-09-10T11:25:31.153Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(media.navigator.permission.disabled,true)
[task 2019-09-10T11:25:31.153Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(dom.disable_open_during_load,false)
[task 2019-09-10T11:25:31.154Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(media.devices.insecure.enabled,true)
[task 2019-09-10T11:25:31.154Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(media.getusermedia.insecure.enabled,true)
[task 2019-09-10T11:25:31.154Z] 11:25:31     INFO - REFTEST TEST-LOAD | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/855796.html | 681 / 3815 (17%)
[task 2019-09-10T11:25:31.215Z] 11:25:31     INFO - Timecard created 1568114730.640000
[task 2019-09-10T11:25:31.215Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                  | File                         | Function
[task 2019-09-10T11:25:31.216Z] 11:25:31     INFO - ==========================================================================================================
[task 2019-09-10T11:25:31.216Z] 11:25:31     INFO -     0.000000 |    0.000000 | Constructor Completed  | PeerConnectionImpl.cpp:332   | PeerConnectionImpl
[task 2019-09-10T11:25:31.217Z] 11:25:31     INFO -     0.001000 |    0.001000 | Initializing PC Ctx    | PeerConnectionImpl.cpp:458   | Initialize
[task 2019-09-10T11:25:31.218Z] 11:25:31     INFO -     0.016000 |    0.015000 | Set Remote Description | PeerConnectionImpl.cpp:1352  | SetRemoteDescription
[task 2019-09-10T11:25:31.218Z] 11:25:31     INFO -     0.021000 |    0.005000 | Create Answer          | PeerConnectionImpl.cpp:1230  | CreateAnswer
[task 2019-09-10T11:25:31.219Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for bd5bade776c49503
[task 2019-09-10T11:25:31.219Z] 11:25:31     INFO -     0.023000 |    0.002000 | Set Local Description  | PeerConnectionImpl.cpp:1264  | SetLocalDescription
[task 2019-09-10T11:25:31.219Z] 11:25:31     INFO -     0.565000 |    0.542000 | Destructor Invoked     | PeerConnectionImpl.cpp:341   | ~PeerConnectionImpl
[task 2019-09-10T11:25:31.219Z] 11:25:31     INFO - Timecard created 1568114730.637000
[task 2019-09-10T11:25:31.219Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                  | File                         | Function
[task 2019-09-10T11:25:31.220Z] 11:25:31     INFO - ==========================================================================================================
[task 2019-09-10T11:25:31.220Z] 11:25:31     INFO -     0.000000 |    0.000000 | Constructor Completed  | PeerConnectionImpl.cpp:332   | PeerConnectionImpl
[task 2019-09-10T11:25:31.221Z] 11:25:31     INFO -     0.001000 |    0.001000 | Initializing PC Ctx    | PeerConnectionImpl.cpp:458   | Initialize
[task 2019-09-10T11:25:31.221Z] 11:25:31     INFO -     0.014000 |    0.013000 | Create Offer           | PeerConnectionImpl.cpp:1203  | CreateOffer
[task 2019-09-10T11:25:31.221Z] 11:25:31     INFO -     0.016000 |    0.002000 | Set Local Description  | PeerConnectionImpl.cpp:1264  | SetLocalDescription
[task 2019-09-10T11:25:31.221Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for 0e43752be1397981
[task 2019-09-10T11:25:31.221Z] 11:25:31     INFO -     0.029000 |    0.013000 | Set Remote Description | PeerConnectionImpl.cpp:1352  | SetRemoteDescription
[task 2019-09-10T11:25:31.221Z] 11:25:31     INFO -     0.570000 |    0.541000 | Destructor Invoked     | PeerConnectionImpl.cpp:341   | ~PeerConnectionImpl
[task 2019-09-10T11:25:31.222Z] 11:25:31     INFO - Timecard created 1568114729.700000
[task 2019-09-10T11:25:31.222Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                 | File                         | Function
[task 2019-09-10T11:25:31.222Z] 11:25:31     INFO - ========================================================================================================
[task 2019-09-10T11:25:31.223Z] 11:25:31     INFO -     0.000000 |    0.000000 | Constructor Completed | PeerConnectionImpl.cpp:332   | PeerConnectionImpl
[task 2019-09-10T11:25:31.223Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for 9781d642b116421d
[task 2019-09-10T11:25:31.223Z] 11:25:31     INFO -     0.001000 |    0.001000 | Initializing PC Ctx   | PeerConnectionImpl.cpp:458   | Initialize
[task 2019-09-10T11:25:31.224Z] 11:25:31     INFO -     1.510000 |    1.509000 | Destructor Invoked    | PeerConnectionImpl.cpp:341   | ~PeerConnectionImpl
[task 2019-09-10T11:25:31.224Z] 11:25:31     INFO - Timecard created 1568114729.697000
[task 2019-09-10T11:25:31.224Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                 | File                         | Function
[task 2019-09-10T11:25:31.224Z] 11:25:31     INFO - ========================================================================================================
[task 2019-09-10T11:25:31.224Z] 11:25:31     INFO -     0.000000 |    0.000000 | Constructor Completed | PeerConnectionImpl.cpp:332   | PeerConnectionImpl
[task 2019-09-10T11:25:31.224Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for 635b26a97135ff00
[task 2019-09-10T11:25:31.225Z] 11:25:31     INFO -     0.001000 |    0.001000 | Initializing PC Ctx   | PeerConnectionImpl.cpp:458   | Initialize
[task 2019-09-10T11:25:31.225Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for 1dcf6e904398bed1
[task 2019-09-10T11:25:31.225Z] 11:25:31     INFO -     1.515000 |    1.514000 | Destructor Invoked    | PeerConnectionImpl.cpp:341   | ~PeerConnectionImpl
[task 2019-09-10T11:25:31.225Z] 11:25:31     INFO - Timecard created 1568114730.156000
[task 2019-09-10T11:25:31.225Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                  | File                         | Function
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO - ==========================================================================================================
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO -     0.000000 |    0.000000 | Constructor Completed  | PeerConnectionImpl.cpp:332   | PeerConnectionImpl
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO -     0.000000 |    0.000000 | Initializing PC Ctx    | PeerConnectionImpl.cpp:458   | Initialize
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO -     0.038000 |    0.038000 | Set Remote Description | PeerConnectionImpl.cpp:1352  | SetRemoteDescription
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO -     0.046000 |    0.008000 | Create Answer          | PeerConnectionImpl.cpp:1230  | CreateAnswer
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO -     0.048000 |    0.002000 | Set Local Description  | PeerConnectionImpl.cpp:1264  | SetLocalDescription
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO -     1.057000 |    1.009000 | Destructor Invoked     | PeerConnectionImpl.cpp:341   | ~PeerConnectionImpl
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO - Timecard created 1568114730.153000
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for 83fbda7d89987da6
[task 2019-09-10T11:25:31.226Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                  | File                         | Function
[task 2019-09-10T11:25:31.229Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                  | File                         | Function
[task 2019-09-10T11:25:31.229Z] 11:25:31     INFO - ==========================================================================================================
[task 2019-09-10T11:25:31.229Z] 11:25:31     INFO -     0.000000 |    0.000000 | Constructor Completed  | PeerConnectionImpl.cpp:332   | PeerConnectionImpl
[task 2019-09-10T11:25:31.229Z] 11:25:31     INFO -     0.000000 |    0.000000 | Initializing PC Ctx    | PeerConnectionImpl.cpp:458   | Initialize
[task 2019-09-10T11:25:31.230Z] 11:25:31     INFO -     0.017000 |    0.017000 | Set Remote Description | PeerConnectionImpl.cpp:1352  | SetRemoteDescription
[task 2019-09-10T11:25:31.230Z] 11:25:31     INFO -     0.023000 |    0.006000 | Create Answer          | PeerConnectionImpl.cpp:1230  | CreateAnswer
[task 2019-09-10T11:25:31.230Z] 11:25:31     INFO -     0.025000 |    0.002000 | Set Local Description  | PeerConnectionImpl.cpp:1264  | SetLocalDescription
[task 2019-09-10T11:25:31.230Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for 532f4660e9479377
[task 2019-09-10T11:25:31.230Z] 11:25:31     INFO -     0.803000 |    0.778000 | Destructor Invoked     | PeerConnectionImpl.cpp:341   | ~PeerConnectionImpl
[task 2019-09-10T11:25:31.231Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:366: ~PeerConnectionImpl: PeerConnectionImpl destructor invoked for e7621a79d5143084
[task 2019-09-10T11:25:31.231Z] 11:25:31     INFO - Timecard created 1568114730.415000
[task 2019-09-10T11:25:31.232Z] 11:25:31     INFO -  Timestamp   | Delta       | Event                  | File                         | Function
[task 2019-09-10T11:25:31.232Z] 11:25:31     INFO - ==========================================================================================================
[task 2019-09-10T11:25:31.233Z] 11:25:31     INFO -     0.000000 |    0.000000 | Constructor Completed  | PeerConnectionImpl.cpp:332   | PeerConnectionImpl
[task 2019-09-10T11:25:31.233Z] 11:25:31     INFO -     0.001000 |    0.001000 | Initializing PC Ctx    | PeerConnectionImpl.cpp:458   | Initialize
[task 2019-09-10T11:25:31.233Z] 11:25:31     INFO -     0.016000 |    0.015000 | Create Offer           | PeerConnectionImpl.cpp:1203  | CreateOffer
[task 2019-09-10T11:25:31.235Z] 11:25:31     INFO -     0.017000 |    0.001000 | Set Local Description  | PeerConnectionImpl.cpp:1264  | SetLocalDescription
[task 2019-09-10T11:25:31.235Z] 11:25:31     INFO -     0.031000 |    0.014000 | Set Remote Description | PeerConnectionImpl.cpp:1352  | SetRemoteDescription
[task 2019-09-10T11:25:31.235Z] 11:25:31     INFO -     0.812000 |    0.781000 | Destructor Invoked     | PeerConnectionImpl.cpp:341   | ~PeerConnectionImpl
[task 2019-09-10T11:25:31.299Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:331: PeerConnectionImpl: PeerConnectionImpl constructor for
[task 2019-09-10T11:25:31.299Z] 11:25:31     INFO - [Parent 4940: Socket Thread]: D/mtransport NrIceCtx static call to find local stun addresses
[task 2019-09-10T11:25:31.299Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:331: PeerConnectionImpl: PeerConnectionImpl constructor for
[task 2019-09-10T11:25:31.299Z] 11:25:31     INFO - [Parent 4940: Socket Thread]: D/mtransport NrIceCtx static call to find local stun addresses
[task 2019-09-10T11:25:31.303Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionMedia] PeerConnectionMedia.cpp:51: OnStunAddrsAvailable: receiving (4) stun addrs
[task 2019-09-10T11:25:31.303Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionMedia] PeerConnectionMedia.cpp:51: OnStunAddrsAvailable: receiving (4) stun addrs
[task 2019-09-10T11:25:31.352Z] 11:25:31     INFO - =================================================================
[task 2019-09-10T11:25:31.352Z] 11:25:31    ERROR - ==2848==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00be0083f748 at pc 0x7fffea890174 bp 0x00be0083ed20 sp 0x00be0083ed60
[task 2019-09-10T11:25:31.352Z] 11:25:31     INFO - READ of size 48 at 0x00be0083f748 thread T16777215
[task 2019-09-10T11:25:31.390Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|sdp_config] sdp_config.c:86: SDP: Initialized config pointer: 000012AAE9EA99D0
[task 2019-09-10T11:25:31.390Z] 11:25:31     INFO - [Child 2848: Main Thread]: E/signaling [main|SDP Parse] sdp_main.c:1339: SDP Parse Error  Warning: Transport protocol type unsupported (SCTP/DTLS)., line 28
[task 2019-09-10T11:25:31.391Z] 11:25:31     INFO - [Child 2848: Main Thread]: E/signaling [main|SDP Parse] sdp_main.c:1339: SDP Parse Error  Invalid port format (54054) specified for transport protocol (Unsupported), parse failed., line 28
[task 2019-09-10T11:25:31.391Z] 11:25:31     INFO - [Child 2848: Main Thread]: E/jsep [1568114731293000 (id=2147486391 url=file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/855796.html]: Failed to parse SDP: SDP Parse Error on line 28:  Warning: Transport protocol type unsupported (SCTP/DTLS).
[task 2019-09-10T11:25:31.391Z] 11:25:31     INFO - SDP Parse Error on line 28:  Invalid port format (54054) specified for transport protocol (Unsupported), parse failed.
[task 2019-09-10T11:25:31.392Z] 11:25:31     INFO - [Child 2848: Main Thread]: E/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:1296: SetLocalDescription: pc = 349dbfb9dfe631d0, error = Failed to parse SDP: SDP Parse Error on line 28:  Warning: Transport protocol type unsupported (SCTP/DTLS).
[task 2019-09-10T11:25:31.392Z] 11:25:31     INFO - SDP Parse Error on line 28:  Invalid port format (54054) specified for transport protocol (Unsupported), parse failed.
[task 2019-09-10T11:25:31.392Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:2169: CloseInt: Closing PeerConnectionImpl 349dbfb9dfe631d0; ending call
[task 2019-09-10T11:25:31.392Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/jsep [1568114731293000 (id=2147486391 url=file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/855796.html]: stable -> closed
[task 2019-09-10T11:25:31.392Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/signaling [main|PeerConnectionImpl] PeerConnectionImpl.cpp:2169: CloseInt: Closing PeerConnectionImpl 41fe6af6df86f0e0; ending call
[task 2019-09-10T11:25:31.392Z] 11:25:31     INFO - [Child 2848: Main Thread]: I/jsep [1568114731295000 (id=2147486391 url=file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/855796.html]: stable -> closed
[task 2019-09-10T11:25:31.402Z] 11:25:31     INFO - REFTEST TEST-PASS | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/855796.html | (LOAD ONLY)
[task 2019-09-10T11:25:31.402Z] 11:25:31     INFO - REFTEST TEST-END | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/855796.html
[task 2019-09-10T11:25:31.427Z] 11:25:31     INFO - REFTEST TEST-START | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/860143.html
[task 2019-09-10T11:25:31.879Z] 11:25:31     INFO - REFTEST TEST-START | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/1281695.html
[task 2019-09-10T11:25:31.880Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(media.getusermedia.insecure.enabled,false)
[task 2019-09-10T11:25:31.882Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(media.devices.insecure.enabled,false)
[task 2019-09-10T11:25:31.883Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(dom.disable_open_during_load,true)
[task 2019-09-10T11:25:31.883Z] 11:25:31     INFO - REFTEST INFO | RESTORE PREFERENCE pref(media.navigator.permission.disabled,false)
[task 2019-09-10T11:25:31.883Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(media.navigator.permission.disabled,true)
[task 2019-09-10T11:25:31.884Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(dom.disable_open_during_load,false)
[task 2019-09-10T11:25:31.884Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(media.devices.insecure.enabled,true)
[task 2019-09-10T11:25:31.884Z] 11:25:31     INFO - REFTEST INFO | SET PREFERENCE pref(media.getusermedia.insecure.enabled,true)
[task 2019-09-10T11:25:31.884Z] 11:25:31     INFO - REFTEST TEST-LOAD | file:///Z:/task_1568114275/build/tests/reftest/tests/dom/media/tests/crashtests/1281695.html | 686 / 3815 (17%)
[task 2019-09-10T11:25:31.902Z] 11:25:31     INFO -     #2 0x7fffc0c03846 in rtc::PlatformThread::Run z:\build\build\src\media\webrtc\trunk\webrtc\rtc_base\platform_thread.cc:238
[task 2019-09-10T11:25:31.902Z] 11:25:31     INFO -     #3 0x7fffc0c0305d in rtc::PlatformThread::StartThread z:\build\build\src\media\webrtc\trunk\webrtc\rtc_base\platform_thread.cc:153
[task 2019-09-10T11:25:31.904Z] 11:25:31     INFO -     #4 0x7ffffff43033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-09-10T11:25:31.914Z] 11:25:31     INFO -     #5 0x7fffeb20f111 in patched_BaseThreadInitThunk z:\build\build\src\mozglue\build\WindowsDllBlocklist.cpp:603
[task 2019-09-10T11:25:31.916Z] 11:25:31     INFO -     #6 0x7ff802b31460 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-09-10T11:25:31.916Z] 11:25:31     INFO - Address 0x00be0083f748 is a wild pointer.
[task 2019-09-10T11:25:31.918Z] 11:25:31     INFO - SUMMARY: AddressSanitizer: stack-buffer-overflow Z:\task_1567613406\fetches\llvm-project\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:785 in __asan_wrap_memmove
[task 2019-09-10T11:25:31.919Z] 11:25:31     INFO - Shadow bytes around the buggy address:
[task 2019-09-10T11:25:31.919Z] 11:25:31     INFO -   0x02aca9f07e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.919Z] 11:25:31     INFO -   0x02aca9f07ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.920Z] 11:25:31     INFO -   0x02aca9f07eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.920Z] 11:25:31     INFO -   0x02aca9f07ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.921Z] 11:25:31     INFO -   0x02aca9f07ed0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2
[task 2019-09-10T11:25:31.922Z] 11:25:31     INFO - =>0x02aca9f07ee0: f8 f2 f8 f2 f2 f2 00 00 00[f2]f2 f2 f2 f2 f8 f8
[task 2019-09-10T11:25:31.922Z] 11:25:31     INFO -   0x02aca9f07ef0: f8 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.922Z] 11:25:31     INFO -   0x02aca9f07f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   0x02aca9f07f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   0x02aca9f07f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   0x02aca9f07f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   Addressable:           00
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   Partially addressable: 01 02 03 04 05 06 07
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   Heap left redzone:       fa
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   Freed heap region:       fd
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   Stack left redzone:      f1
[task 2019-09-10T11:25:31.923Z] 11:25:31     INFO -   Stack mid redzone:       f2
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Stack right redzone:     f3
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Stack after return:      f5
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Stack use after scope:   f8
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Global redzone:          f9
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Global init order:       f6
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Poisoned by user:        f7
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Container overflow:      fc
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Array cookie:            ac
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Intra object redzone:    bb
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   ASan internal:           fe
[task 2019-09-10T11:25:31.924Z] 11:25:31     INFO -   Left alloca redzone:     ca
[task 2019-09-10T11:25:31.925Z] 11:25:31     INFO -   Right alloca redzone:    cb
[task 2019-09-10T11:25:31.925Z] 11:25:31     INFO -   Shadow gap:              cc
[task 2019-09-10T11:25:31.925Z] 11:25:31     INFO - ==2848==ABORTING
Group: core-security → media-core-security

Nico, could you please have a look what is going on here?

Flags: needinfo?(na-g)
Priority: -- → P1

Nils, ACK. I am looking now.

Flags: needinfo?(na-g)
Assignee: nobody → na-g

Update: I am still looking into this. The first error didn't leave many clues.

Any update? Just giving this a poke as it turned up in triage and is rated sec-high.

Flags: needinfo?(na-g)

Liz, I don't have any new info. It has only occurred once, I wasn't able to get this to reproduce, and I dug as far as I could given the limited info. I am inclined to set this to stalled for now, if that works for you.

Flags: needinfo?(na-g) → needinfo?(lhenry)

OK, sounds reasonable.

Flags: needinfo?(lhenry)
Keywords: stalled

For easier readability, here is the ASan trace from the first log:

==2848==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00be0083f748 at pc 0x7fffea890174 bp 0x00be0083ed20 sp 0x00be0083ed60
READ of size 48 at 0x00be0083f748 thread T16777215
==2848==WARNING: Failed to use and restart external symbolizer!
    #0 0x7fffea89019c in __asan_wrap_memmove Z:\task_1567613406\fetches\llvm-project\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:785
    #1 0x7fffff91a37c in RaiseException+0x5c (C:\Windows\System32\KERNELBASE.dll+0x18003a37c)
    #2 0x7fffc0c03846 in rtc::PlatformThread::Run z:\build\build\src\media\webrtc\trunk\webrtc\rtc_base\platform_thread.cc:238
    #3 0x7fffc0c0305d in rtc::PlatformThread::StartThread z:\build\build\src\media\webrtc\trunk\webrtc\rtc_base\platform_thread.cc:153
    #4 0x7ffffff43033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
    #5 0x7fffeb20f111 in patched_BaseThreadInitThunk z:\build\build\src\mozglue\build\WindowsDllBlocklist.cpp:603
    #6 0x7ff802b31460 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
Address 0x00be0083f748 is a wild pointer.
SUMMARY: AddressSanitizer: stack-buffer-overflow Z:\task_1567613406\fetches\llvm-project\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:785 in __asan_wrap_memmove
Shadow bytes around the buggy address:
  0x02aca9f07e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02aca9f07ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02aca9f07eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02aca9f07ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02aca9f07ed0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2
=>0x02aca9f07ee0: f8 f2 f8 f2 f2 f2 00 00 00[f2]f2 f2 f2 f2 f8 f8
  0x02aca9f07ef0: f8 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x02aca9f07f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02aca9f07f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02aca9f07f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02aca9f07f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2848==ABORTING

The large thread number here in combination with a stack issue being reported makes me think of Windows-only problems we previously had with memory being reused from previous threads without the respective shadow memory being purged/updated. As far as I know, this has been fixed but maybe not entirely?

Maybe :dmajor has an idea?

Flags: needinfo?(dmajor)

This is a legitimate buffer size bug: sizeof(DWORD) here needs to be sizeof(ULONG_PTR) instead, according to MSDN's documentation. It would also be good to have the #pragma pack push/pop as well.

I looked at disassembly and confirmed that webrtc's call is passing 6 for the buffer size, while NSS's implementation, which follows the documentation, passes a size of only 3.

Nils, can your team take this to upstream? Note that due to some refactoring this code now lives at platform_thread_types.cc.

(Finally, it's worth mentioning that there is now a better API for this: SetThreadDescription, but it's only available in Windows 10, so most authors still keep the RaiseException code as a fallback)

Flags: needinfo?(dmajor) → needinfo?(drno)
Keywords: stalled
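To make the sizing mistake described in the comment above concrete, here is an added example (not code from this bug, WebRTC, NSS or Microsoft). It mirrors the documented THREADNAME_INFO block with portable typedefs so it compiles off Windows, computes the RaiseException argument count both with the wrong divisor (sizeof(DWORD)) and the documented one (sizeof(ULONG_PTR)), and models RaiseException's read of lpArguments as a bounds-checked copy. Assumptions: a 64-bit target (DWORD is 4 bytes, ULONG_PTR is 8); the helper names (`make_info`, `fake_raise_exception`, `buggy_arg_count`, `correct_arg_count`) and the thread name string are constructed for this example. On a 64-bit build the 24-byte block divided by sizeof(DWORD) gives 6 arguments, which RaiseException interprets as 6 ULONG_PTRs and so reads 48 bytes from a 24-byte stack object, matching the "READ of size 48" in the ASan report; dividing by sizeof(ULONG_PTR) gives the 3 that NSS passes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the Windows typedefs so this compiles anywhere.
 * Assumption: a 64-bit target, where DWORD is 4 bytes and ULONG_PTR is
 * pointer-sized (8 bytes). */
typedef uint32_t DWORD;
typedef uintptr_t ULONG_PTR;
typedef const char *LPCSTR;

/* Block handed to RaiseException(0x406D1388, ...) to name a thread for the
 * debugger. Field order and the pack(8) follow Microsoft's documented layout. */
#pragma pack(push, 8)
typedef struct {
    DWORD dwType;      /* must be 0x1000 */
    LPCSTR szName;     /* pointer to the name in the caller's address space */
    DWORD dwThreadID;  /* thread id, or (DWORD)-1 for the calling thread */
    DWORD dwFlags;     /* reserved, must be zero */
} THREADNAME_INFO;
#pragma pack(pop)

/* Argument count computed the buggy way: sizeof(DWORD) as the divisor. */
size_t buggy_arg_count(void) {
    return sizeof(THREADNAME_INFO) / sizeof(DWORD);
}

/* Argument count computed the documented way: lpArguments is an array of
 * ULONG_PTR, so ULONG_PTR is the unit RaiseException counts in. */
size_t correct_arg_count(void) {
    return sizeof(THREADNAME_INFO) / sizeof(ULONG_PTR);
}

/* Bytes RaiseException copies out of lpArguments for a given count. */
size_t bytes_read_for(size_t n_args) {
    return n_args * sizeof(ULONG_PTR);
}

/* Bounds-checked stand-in for RaiseException's read (constructed helper):
 * copies n_args ULONG_PTRs from the block into `out` (which must hold at
 * least n_args entries) and returns the bytes copied, or -1 when the count
 * would read past the end of the struct, i.e. the overread ASan flagged. */
long fake_raise_exception(const THREADNAME_INFO *info, size_t n_args,
                          ULONG_PTR *out) {
    size_t want = bytes_read_for(n_args);
    if (want > sizeof(*info))
        return -1;
    memcpy(out, info, want);
    return (long)want;
}

/* Assemble the block the way thread-naming code does (constructed helper). */
THREADNAME_INFO make_info(const char *name) {
    THREADNAME_INFO info;
    memset(&info, 0, sizeof(info));
    info.dwType = 0x1000;
    info.szName = name;
    info.dwThreadID = (DWORD)-1;
    info.dwFlags = 0;
    return info;
}

int main(void) {
    THREADNAME_INFO info = make_info("example-worker");  /* constructed name */
    ULONG_PTR args[8];
    printf("sizeof(THREADNAME_INFO) = %zu\n", sizeof(info));
    printf("buggy count %zu -> RaiseException reads %zu bytes\n",
           buggy_arg_count(), bytes_read_for(buggy_arg_count()));
    printf("fixed count %zu -> RaiseException reads %zu bytes\n",
           correct_arg_count(), bytes_read_for(correct_arg_count()));
    printf("fake_raise(buggy) = %ld\n",
           fake_raise_exception(&info, buggy_arg_count(), args));
    printf("fake_raise(fixed) = %ld\n",
           fake_raise_exception(&info, correct_arg_count(), args));
    return 0;
}
```

Note that on a 32-bit build both divisors are 4 bytes and the two counts coincide, so the overread only shows up on 64-bit targets; a cheap guard in real code is a static assertion that `sizeof(THREADNAME_INFO) % sizeof(ULONG_PTR) == 0` next to the division.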

Nico, the bug assignee, is taking a look at this. Yes we will take care of notifying upstream.

Flags: needinfo?(drno)

Nils reached out to a contact maintaining the upstream library. Hopefully, we will hear back shortly and can engage on the issue.

Adding an upstream maintainer, Tommi.

Tommi, I think you will find the relevant information in comment #9.

Comment on attachment 9106809 [details]
Bug 1580156 - set WebRTC thread name

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I am not sure. There are a number of ways that a new thread could be spawned via JS interaction, starting a desktop capture, starting a call etc. These uses have different thread names that are all, as far as I can tell, string literals. There is very little control over the inputs to that function. Investigating this by looking at the code is made difficult by: 1) the number of places this can be triggered in the library, when we probably only exercise a small subset of them, and 2) the number of layers of indirection and proxy classes within the library.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all (this landed in FFx 53)
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: They should be trivial to create and apply, and they are low risk.
  • How likely is this patch to cause regressions; how much testing does it need?: Probably fairly low, as it is code that exists elsewhere in the tree. I have only tested this on my personal Windows 10-64bit machine, and have not pushed to try to test other Windows build targets.
Attachment #9106809 - Flags: sec-approval?

Comment on attachment 9106809 [details]
Bug 1580156 - set WebRTC thread name

Public upstream cleared to land and request uplift.

Attachment #9106809 - Flags: sec-approval? → sec-approval+

Comment on attachment 9106809 [details]
Bug 1580156 - set WebRTC thread name

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: ESR would have continued exposure to this (now public) flaw. See the sec-approval form for full details.
  • Fix Landed on Version:
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): See sec-approval risk, testing, and regression likelihood. It would be good if this could bake for a day on Nightly.
  • String or UUID changes made by this patch:

Beta/Release Uplift Approval Request

  • User impact if declined: Beta/Release would have continued exposure to this (now public) flaw. See the sec-approval form for full details.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): See sec-approval risk, testing, and regression likelihood. It would be good if this could bake for a day on Nightly.
  • String changes made/needed:
Attachment #9106809 - Flags: approval-mozilla-release?
Attachment #9106809 - Flags: approval-mozilla-esr68?
Attachment #9106809 - Flags: approval-mozilla-beta?

We and Google should use the same CVE for this fix. Nominally Google should be the CNA for this project, but sometimes they're happy to let us assign one rather than try to get through their process in time for our release. Check with them.

Whiteboard: Coordinate CVE w/Google

Chrome has assigned CVE-2019-13722 and our tracking bug is crbug.com/1025089

Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

Comment on attachment 9106809 [details]
Bug 1580156 - set WebRTC thread name

Baked a few days on nightly, let's get it in beta 11 this week before RC week.

Attachment #9106809 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9106809 [details]
Bug 1580156 - set WebRTC thread name

Approved for 68.3esr also. No need for this on Release70, though.

Attachment #9106809 - Flags: approval-mozilla-release?
Attachment #9106809 - Flags: approval-mozilla-release-
Attachment #9106809 - Flags: approval-mozilla-esr68?
Attachment #9106809 - Flags: approval-mozilla-esr68+
Whiteboard: Coordinate CVE w/Google → Coordinate CVE w/Google [adv-main71+]
Attached file advisory.txt (obsolete)

What should I write for this bug, since it's Chrome's CVE? Does it really matter, since we won't be reporting it to Mitre?

Attachment #9111831 - Flags: feedback?(dveditz)
Whiteboard: Coordinate CVE w/Google [adv-main71+] → Coordinate CVE w/Google [adv-main71+][adv-esr68.3+]

What should I write for this bug, since it's Chrome's CVE? Does it really matter, since we won't be reporting it to Mitre?

Flags: needinfo?(dveditz)
Group: core-security-release
Depends on: 1646904
No longer depends on: 1646904