Closed Bug 1606148 Opened 4 years ago Closed 4 years ago

addition of unsigned offset to 0xe4e4e4e4e4e4e4e4 overflowed to 0x8181818181818164 in [@ mozilla::dom::PrepareBufferArrays]

Categories

(Core :: Web Audio, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- unaffected
firefox74 --- fixed

People

(Reporter: tsmith, Assigned: karlt)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-uninitialized, sec-high, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

I'm marking this as s-s since 0xe4 is the malloc fill byte used by ASan so this might be more than undefined behavior. Perhaps pointer math being performed on a value read from uninitialized memory?

Unfortunately the test case is large and does not seem to trigger the issue. The fuzzers have seen it 2x so far about a week apart.

Stack is from m-c 20191225-6f0d0f918cbf

/src/obj-firefox/dist/include/mozilla/Vector.h:496:19: runtime error: addition of unsigned offset to 0xe4e4e4e4e4e4e4e4 overflowed to 0x8181818181818164
    #0 0x7fd3b93a9b26 in end /src/obj-firefox/dist/include/mozilla/Vector.h:496:19
    #1 0x7fd3b93a9b26 in mozilla::dom::PrepareBufferArrays(JSContext*, mozilla::Span<mozilla::AudioBlock const, 18446744073709551615ul>, mozilla::dom::WorkletNodeEngine::Ports*, mozilla::dom::ArrayElementInit) /src/dom/media/webaudio/AudioWorkletNode.cpp:220:27
    #2 0x7fd3b93a86b3 in mozilla::dom::WorkletNodeEngine::ProcessBlocksOnPorts(mozilla::AudioNodeTrack*, mozilla::Span<mozilla::AudioBlock const, 18446744073709551615ul>, mozilla::Span<mozilla::AudioBlock, 18446744073709551615ul>, bool*) /src/dom/media/webaudio/AudioWorkletNode.cpp:354:8
    #3 0x7fd3b93860be in mozilla::AudioNodeTrack::ProcessInput(long, long, unsigned int) /src/dom/media/webaudio/AudioNodeTrack.cpp:525:18
    #4 0x7fd3b8d4527e in mozilla::MediaTrackGraphImpl::ProduceDataForTracksBlockByBlock(unsigned int, int) /src/dom/media/MediaTrackGraph.cpp:1081:13
    #5 0x7fd3b8d49e77 in mozilla::MediaTrackGraphImpl::Process(mozilla::AudioMixer*) /src/dom/media/MediaTrackGraph.cpp:1245:11
    #6 0x7fd3b8d4b6ad in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /src/dom/media/MediaTrackGraph.cpp:1367:3
    #7 0x7fd3b8994b45 in mozilla::GraphRunner::Run() /src/dom/media/GraphRunner.cpp:111:32
    #8 0x7fd3b242f0d7 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1241:14
    #9 0x7fd3b24398dc in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #10 0x7fd3b365ffb2 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:302:20
    #11 0x7fd3b35579e7 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #12 0x7fd3b35579e7 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
    #13 0x7fd3b35579e7 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
    #14 0x7fd3b24281fa in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:459:11
    #15 0x7fd3d5e3625e in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7fd3d5a7d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #17 0x7fd3d4a5b88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
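The diagnostic above is worth reading arithmetically: UBSan reports the base and the wrapped result, so the offset that was added is recoverable as result - base mod 2^64, which here is 0x9c9c9c9c9c9c9c80 (0xe4e4e4e4e4e4e4e4 + 0x9c9c9c9c9c9c9c80 wraps to 0x8181818181818164), and a base whose every byte is 0xe4 is a fill pattern rather than a real heap address. The following C program is an added triage example by the editor, not code from the bug or from Mozilla: it parses the UBSan line quoted in comment 0 (embedded as a constructed sample), recovers the offset, classifies the repeated byte, and shows an overflow-checked form of the begin + length computation that Vector::end() performs, using the GCC/Clang __builtin_*_overflow intrinsics. The 0xe5 freed-memory poison value and its meaning are the editor's assumption, not something the report states.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the UBSan line from comment 0 of this bug. */
static const char SAMPLE_UBSAN_LINE[] =
    "/src/obj-firefox/dist/include/mozilla/Vector.h:496:19: runtime error: "
    "addition of unsigned offset to 0xe4e4e4e4e4e4e4e4 overflowed to 0x8181818181818164";

struct ptr_overflow {
    bool ok;            /* parse succeeded */
    uint64_t base;      /* pointer UBSan saw before the addition */
    uint64_t result;    /* wrapped pointer it produced */
    uint64_t offset;    /* offset that was added, recovered mod 2^64 */
    bool base_is_fill;  /* every byte of base is the same value */
    uint8_t fill_byte;  /* that value, when base_is_fill */
};

/* True if every byte of v equals its low byte (a memset-style fill). */
static bool repeated_byte(uint64_t v, uint8_t *out)
{
    uint8_t b = (uint8_t)v;
    for (size_t i = 1; i < sizeof v; i++) {
        if ((uint8_t)(v >> (8 * i)) != b) {
            return false;
        }
    }
    *out = b;
    return true;
}

/* 0xe4 is the allocation fill byte the report names. 0xe5 is assumed by the
 * editor to be the same allocator's freed-memory poison; verify against the
 * allocator source before relying on it. */
const char *describe_fill_byte(uint8_t b)
{
    switch (b) {
    case 0xe4: return "allocation fill byte: value was never written (uninitialized read)";
    case 0xe5: return "freed-memory poison (assumption): value read after free";
    default:   return "repeated byte, not a known allocator fill pattern";
    }
}

/* Parse one UBSan pointer-overflow diagnostic and recover the added offset. */
struct ptr_overflow triage_line(const char *line)
{
    struct ptr_overflow r = {0};
    unsigned long long base, result;
    const char *p = strstr(line, "addition of unsigned offset to ");
    if (p == NULL ||
        sscanf(p, "addition of unsigned offset to 0x%llx overflowed to 0x%llx",
               &base, &result) != 2) {
        return r;
    }
    r.ok = true;
    r.base = base;
    r.result = result;
    r.offset = r.result - r.base;   /* unsigned wrap gives the offset mod 2^64 */
    r.base_is_fill = repeated_byte(r.base, &r.fill_byte);
    return r;
}

/* Overflow-checked form of the begin + length computation: a garbage base or
 * length yields false instead of undefined pointer arithmetic. */
bool checked_end(uintptr_t begin, size_t length, size_t elem_size, uintptr_t *end)
{
    uintptr_t bytes;
    if (__builtin_mul_overflow((uintptr_t)length, (uintptr_t)elem_size, &bytes)) {
        return false;
    }
    return !__builtin_add_overflow(begin, bytes, end);
}

/* Sanity check on a real buffer: the end of four 4-byte elements is 16 bytes in. */
bool checked_end_real_buffer(void)
{
    uint32_t buf[4] = {0};
    uintptr_t end = 0;
    return checked_end((uintptr_t)buf, 4, sizeof buf[0], &end) &&
           end == (uintptr_t)buf + sizeof buf;
}

int main(void)
{
    struct ptr_overflow r = triage_line(SAMPLE_UBSAN_LINE);
    if (!r.ok) {
        puts("not a pointer-overflow diagnostic");
        return 1;
    }
    printf("base   0x%016" PRIx64 "\nresult 0x%016" PRIx64 "\noffset 0x%016" PRIx64 "\n",
           r.base, r.result, r.offset);
    if (r.base_is_fill) {
        printf("base is 0x%02x repeated: %s\n", r.fill_byte, describe_fill_byte(r.fill_byte));
    }
    return 0;
}
```

The recovered offset is itself a clue: if it is not a plausible multiple of the element size for the Vector involved, the length field was read from uninitialized memory as well as the base pointer, which is what a fill-pattern base already suggests.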
Assignee: nobody → karlt
Status: NEW → ASSIGNED

Nightly-only feature disabled by default is an "unusual software configuration" for "mitigating circumstances that severely reduce the effectiveness of the exploit, then the exploit could be reduced by one level of severity." IIUC our release builds also init malloced memory, in which case the address cannot be controlled by content. There is a write to 0xe4e4e4e4.

See also bug 1591254. Blocks bug 1062849.

Keywords: sec-high → sec-moderate

I see what you are saying with respect to the rating, but we usually rate things as though they were enabled, and then just mark "disabled" everywhere it is appropriate. (It won't need sec-approval because it doesn't affect any non-Nightly branch.)

The priority flag is not set for this bug.
:padenot, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(padenot)
Flags: needinfo?(padenot)
Priority: -- → P1

P1 but not particularly critical since this is behind a flag, but it's also being worked on right now. I could land right now, but I don't know what Karl has in mind for landing this.

Hi Paul, Given this is a sec-high (even though it's just in Nightly), I'd prefer for you to land this now and then follow up with Karl when he's back from PTO (with a new bug and patch) if he wants to do something differently before we let this ride the trains to release.

Regressions: 1611932
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release