addition of unsigned offset to 0xe4e4e4e4e4e4e4e4 overflowed to 0x8181818181818164 in [@ mozilla::dom::PrepareBufferArrays]
Categories
(Core :: Web Audio, defect, P1)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox72 | --- | unaffected
firefox73 | --- | unaffected
firefox74 | --- | fixed
People
(Reporter: tsmith, Assigned: karlt)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-uninitialized, sec-high, Whiteboard: [post-critsmash-triage])
Attachments
(2 files)
I'm marking this as s-s since 0xe4 is the malloc fill byte used by ASan so this might be more than undefined behavior. Perhaps pointer math being performed on a value read from uninitialized memory?
Unfortunately the test case is large and does not seem to trigger the issue. The fuzzers have seen it 2x so far about a week apart.
Stack is from m-c 20191225-6f0d0f918cbf
/src/obj-firefox/dist/include/mozilla/Vector.h:496:19: runtime error: addition of unsigned offset to 0xe4e4e4e4e4e4e4e4 overflowed to 0x8181818181818164
#0 0x7fd3b93a9b26 in end /src/obj-firefox/dist/include/mozilla/Vector.h:496:19
#1 0x7fd3b93a9b26 in mozilla::dom::PrepareBufferArrays(JSContext*, mozilla::Span<mozilla::AudioBlock const, 18446744073709551615ul>, mozilla::dom::WorkletNodeEngine::Ports*, mozilla::dom::ArrayElementInit) /src/dom/media/webaudio/AudioWorkletNode.cpp:220:27
#2 0x7fd3b93a86b3 in mozilla::dom::WorkletNodeEngine::ProcessBlocksOnPorts(mozilla::AudioNodeTrack*, mozilla::Span<mozilla::AudioBlock const, 18446744073709551615ul>, mozilla::Span<mozilla::AudioBlock, 18446744073709551615ul>, bool*) /src/dom/media/webaudio/AudioWorkletNode.cpp:354:8
#3 0x7fd3b93860be in mozilla::AudioNodeTrack::ProcessInput(long, long, unsigned int) /src/dom/media/webaudio/AudioNodeTrack.cpp:525:18
#4 0x7fd3b8d4527e in mozilla::MediaTrackGraphImpl::ProduceDataForTracksBlockByBlock(unsigned int, int) /src/dom/media/MediaTrackGraph.cpp:1081:13
#5 0x7fd3b8d49e77 in mozilla::MediaTrackGraphImpl::Process(mozilla::AudioMixer*) /src/dom/media/MediaTrackGraph.cpp:1245:11
#6 0x7fd3b8d4b6ad in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /src/dom/media/MediaTrackGraph.cpp:1367:3
#7 0x7fd3b8994b45 in mozilla::GraphRunner::Run() /src/dom/media/GraphRunner.cpp:111:32
#8 0x7fd3b242f0d7 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1241:14
#9 0x7fd3b24398dc in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#10 0x7fd3b365ffb2 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:302:20
#11 0x7fd3b35579e7 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#12 0x7fd3b35579e7 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
#13 0x7fd3b35579e7 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
#14 0x7fd3b24281fa in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:459:11
#15 0x7fd3d5e3625e in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#16 0x7fd3d5a7d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#17 0x7fd3d4a5b88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
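An added arithmetic check, written for this page rather than taken from the bug report or the Firefox tree, that tests the reporter's hypothesis against the two numbers in the UBSan message. It assumes that mozilla::Vector<T>::end() returns mBegin + mLength, so the "unsigned offset" UBSan complains about is mLength * sizeof(T), and it uses the 0xe4 fill byte the reporter identifies. If both mBegin and mLength hold the fill pattern (the Vector object itself, not only its buffer, is uninitialised memory), the reported result 0x8181818181818164 is reproduced exactly for sizeof(T) == 32 and for no other element size in the searched range; the helper that recovers the element size from a report is a generalisation of that single case.

```c
/*
 * Added example (not code from the bug report or from Firefox): check
 * whether a UBSan "addition of unsigned offset to A overflowed to B"
 * report is explained by Vector::end() running on allocator fill bytes.
 *
 * Assumption: mozilla::Vector<T>::end() is mBegin + mLength, so the
 * unsigned offset is mLength * sizeof(T).  All arithmetic here is done on
 * uint64_t, not on real pointers, so this program itself has no UB.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Expand a one-byte fill pattern to a 64-bit word: 0xe4 -> 0xe4e4e4e4e4e4e4e4. */
static uint64_t fill_word(uint8_t fill)
{
    return (uint64_t)fill * 0x0101010101010101ULL;
}

/* True if every byte of v is the given fill byte (a tell-tale of uninitialised memory). */
static bool is_fill_pattern(uint64_t v, uint8_t fill)
{
    return v == fill_word(fill);
}

/*
 * What end() computes for a Vector<T> whose mBegin and mLength are both
 * fill bytes: mBegin + mLength * sizeof(T), wrapping mod 2^64 exactly as
 * the machine pointer arithmetic did in the report.
 */
static uint64_t uninit_vector_end(uint8_t fill, uint64_t elem_size)
{
    uint64_t begin = fill_word(fill);
    uint64_t length = fill_word(fill);
    return begin + length * elem_size; /* unsigned wraparound is well defined */
}

/*
 * Given the base and result from a UBSan report, recover the offset
 * (result - base mod 2^64) and search element sizes 1..max_elem for one
 * with fill_word(fill) * size == offset.  Returns 0 if none matches.
 */
static uint64_t infer_elem_size(uint64_t base, uint64_t result, uint8_t fill,
                                uint64_t max_elem)
{
    uint64_t offset = result - base;
    for (uint64_t n = 1; n <= max_elem; n++) {
        if (fill_word(fill) * n == offset)
            return n;
    }
    return 0;
}

int main(void)
{
    /* Values copied from the UBSan message in this bug. */
    const uint64_t base = 0xe4e4e4e4e4e4e4e4ULL;
    const uint64_t result = 0x8181818181818164ULL;
    const uint8_t fill = 0xe4;

    printf("base is %s the 0x%02x fill pattern\n",
           is_fill_pattern(base, fill) ? "entirely" : "not", fill);
    printf("offset = 0x%016" PRIx64 "\n", result - base);

    uint64_t n = infer_elem_size(base, result, fill, 4096);
    if (n == 0) {
        printf("no element size up to 4096 explains the report\n");
    } else {
        printf("explained by sizeof(T) == %" PRIu64 ": 0x%016" PRIx64 " + 0x%016" PRIx64
               " * %" PRIu64 " wraps to 0x%016" PRIx64 "\n",
               n, base, fill_word(fill), n, uninit_vector_end(fill, n));
    }
    return 0;
}
```

Reading the output: the offset 0x9c9c9c9c9c9c9c80 is 0xe4e4e4e4e4e4e4e4 shifted left by five bits, i.e. the fill word times 32, so the report is consistent with both fields of the Vector holding fill bytes and a 32-byte element type. Because the fill word is 4 times an odd number, two element sizes give the same offset only if they differ by a multiple of 2^62, so the match at 32 is unambiguous for any realistic sizeof(T).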
Comment 1•4 years ago
Nightly-only feature disabled by default is an "unusual software configuration" for "mitigating circumstances that severely reduce the effectiveness of the exploit, then the exploit could be reduced by one level of severity." IIUC our release builds also init malloced memory, in which case the address cannot be controlled by content. There is a write to 0xe4e4e4e4.
See also bug 1591254. Blocks bug 1062849.
Comment 2•4 years ago
Comment 3•4 years ago
Depends on D59190
Comment 4•4 years ago
I see what you are saying with respect to the rating, but we usually rate things as though they were enabled, and then just mark "disabled" everywhere it is appropriate. (It won't need sec-approval because it doesn't affect any non-Nightly branch.)
Comment 5•4 years ago
The priority flag is not set for this bug.
:padenot, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 6•4 years ago
P1 but not particularly critical since this is behind a flag, but it's also being worked on right now. I could land right now, but I don't know what Karl has in mind for landing this.
Comment 7•4 years ago
Hi Paul, given this is a sec-high (even though it's just in Nightly), I'd prefer for you to land this now and then follow up with Karl when he's back from PTO (with a new bug and patch) if he wants to do something differently before we let this ride the trains to release.
Comment 8•4 years ago
https://hg.mozilla.org/integration/autoland/rev/fced6b877c6c111787e8d8f19cd447037cd687f9
https://hg.mozilla.org/integration/autoland/rev/9bca5d9745aa75ce3acdb294d695c288b7b2a9c0
https://hg.mozilla.org/mozilla-central/rev/fced6b877c6c
https://hg.mozilla.org/mozilla-central/rev/9bca5d9745aa