Closed Bug 1611938 Opened 4 years ago Closed 4 years ago

UAF in webrtc::VideoStreamEncoder::OnEncodedImage

(Core :: WebRTC: Audio/Video, defect, P1)

Tracking

RESOLVED FIXED
mozilla77
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 + fixed
firefox77 + fixed

People

(Reporter: dminor, Assigned: dminor)

References

(Regression)

Details

(5 keywords, Whiteboard: [post-critsmash-triage][adv-main76+r])

Attachments

(1 file)

The stack in Bug 1609026 has 0xE5s, looks like a late callback on sink_ at [1].

[1] https://searchfox.org/mozilla-central/rev/cbd110d718bc89a499d3f996af24532abbf6f8ea/media/webrtc/trunk/webrtc/video/video_stream_encoder.cc#849

+++ This bug was initially created as a clone of Bug #1609026 +++

Filed by: rmaries [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=284791141&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/YVIANJGZREWFSbPmxBs0Ow/runs/0/artifacts/public/logs/live_backing.log


[task 2020-01-14T03:01:35.080Z] 03:01:05 INFO - 193 INFO TEST-START | dom/media/tests/mochitest/test_peerConnection_basicAudioVideoNoBundleNoRtcpMux.html
[task 2020-01-14T03:01:35.080Z] 03:01:28 INFO - wait for org.mozilla.geckoview.test complete; top activity=com.bitbar.testdroid.monitor
[task 2020-01-14T03:01:35.080Z] 03:01:28 INFO - remoteautomation.py | Application ran for: 0:02:35.834112
[task 2020-01-14T03:01:35.080Z] 03:01:29 INFO - mozcrash Downloading symbols from: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WfCI_DfZShGc0A2IjSyCWA/artifacts/public/build/target.crashreporter-symbols.zip
[task 2020-01-14T03:01:35.080Z] 03:01:31 INFO - mozcrash Copy/paste: /builds/task_1578970587/workspace/build/linux64-minidump_stackwalk /tmp/tmpZ92iJG/606d1973-360b-10c7-1805-cb7b4d9acb45.dmp /tmp/tmpKHQIF0
[task 2020-01-14T03:01:35.080Z] 03:01:35 INFO - mozcrash Saved minidump as /builds/task_1578970587/workspace/build/blobber_upload_dir/606d1973-360b-10c7-1805-cb7b4d9acb45.dmp
[task 2020-01-14T03:01:35.080Z] 03:01:35 INFO - mozcrash Saved app info as /builds/task_1578970587/workspace/build/blobber_upload_dir/606d1973-360b-10c7-1805-cb7b4d9acb45.extra
[task 2020-01-14T03:01:35.093Z] 03:01:35 WARNING - PROCESS-CRASH | dom/media/tests/mochitest/test_peerConnection_basicAudioVideoNoBundleNoRtcpMux.html | application crashed [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Crash dump filename: /tmp/tmpZ92iJG/606d1973-360b-10c7-1805-cb7b4d9acb45.dmp
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Operating system: Android
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 0.0.0 Linux 4.4.56-g594d847d09a1 #1 SMP PREEMPT Thu Oct 26 22:34:08 UTC 2017 armv8l
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - CPU: arm
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - ARMv1 Qualcomm part(0x51008010) features: half,thumb,fastmult,vfpv2,edsp,neon,vfpv3,tls,vfpv4,idiva,idivt
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 8 CPUs
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - GPU: UNKNOWN
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Crash reason: SIGSEGV /SEGV_MAPERR
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Crash address: 0xe5e5e5ed
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Process uptime: not available
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Thread 71 (crashed)
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 0 libxul.so!webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*) [video_stream_encoder.cc:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 849 + 0x8]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r0 = 0xe5e5e5e5 r1 = 0xb87a488c r2 = 0xb40c09b8 r3 = 0xb40c0b70
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb89d2000 r5 = 0xb40c09b8 r6 = 0xb40c09b8 r7 = 0xb40c08c8
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb40c0b54 r9 = 0xe68321b8 r10 = 0xb40c0b70 r12 = 0xca65fe9c
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - fp = 0xb89d2348 sp = 0xb40c08a0 lr = 0xc854acf7 pc = 0xc8566134
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: given as instruction pointer in context
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 1 libxul.so!non-virtual thunk to webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*) [video_stream_encoder.cc:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 0 + 0xd]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb40c0aa0 r5 = 0x00000000 r6 = 0xb40c09b8 r7 = 0xb40c08e0
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0x000000ff r9 = 0xb40c0b70 r10 = 0xb40c0b54 fp = 0xb89d2348
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c08d0 lr = 0xc85661ab pc = 0xc85661ab
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 2 libxul.so!webrtc::VCMEncodedFrameCallback::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*) [generic_encoder.cc:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 410 + 0x5]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xc856619d r5 = 0x00000000 r6 = 0xb40c09b8 r7 = 0xb40c0a68
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0x000000ff r9 = 0xb40c0b70 r10 = 0xb40c0b54 fp = 0xb89d2348
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c08e8 lr = 0xc85374c9 pc = 0xc85374c9
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 3 libxul.so!mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaRawData> >, mozilla::MediaResult, true>::ThenValue<mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> const&)::$_20, mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> const&)::$_21>::DoResolveOrRejectInternal(mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaRawData> >, mozilla::MediaResult, true>::ResolveOrRejectValue&) [MozPromise.h:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 727 + 0x18d]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb6ca8f40 r5 = 0xc8537411 r6 = 0xb5ef9880 r7 = 0xb40c11f0
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb6ca8f5c r9 = 0xb40c0ab8 r10 = 0x00000000 fp = 0xe68321b8
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c0a70 lr = 0xc75d0153 pc = 0xc75d0153
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 4 libxul.so!mozilla::MozPromise<bool, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() [MozPromise.h:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 403 + 0x5]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb5ed6634 r5 = 0xb6ca8f40 r6 = 0xb5ed6638 r7 = 0xb40c1208
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb40c1214 r9 = 0xb5ed6620 r10 = 0xe68321b8 fp = 0x00000000
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c11f8 lr = 0xc75ceb99 pc = 0xc75ceb99
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 5 libxul.so!mozilla::TaskQueue::Runner::Run() [TaskQueue.cpp:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 207 + 0x9]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb5ed6b40 r5 = 0xcb1237b4 r6 = 0xb6ceb100 r7 = 0xb40c1260
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb40c1214 r9 = 0xb5ed6620 r10 = 0xe68321b8 fp = 0x00000000
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c1210 lr = 0xc8d3d33d pc = 0xc8d3d33d
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 6 libxul.so!nsThreadPool::Run() [nsThreadPool.cpp:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 299 + 0x9]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb6ae8400 r5 = 0x00000000 r6 = 0x00000000 r7 = 0xb40c1300
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb5ed6b40 r9 = 0x00000000 r10 = 0xb6c2d380 fp = 0x00000000
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c1268 lr = 0xc8a00cfd pc = 0xc8a00cfd
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 7 libxul.so!non-virtual thunk to nsThreadPool::Run() [nsThreadPool.cpp:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 0 + 0x9]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb6ae8480 r5 = 0x00000000 r6 = 0xf61b725a r7 = 0xb40c1308
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb6ae84a8 r9 = 0x00000000 r10 = 0xe68321b8 fp = 0xb6ae8400
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c1308 lr = 0xc8d3ffeb pc = 0xc8d3ffeb
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 8 libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 1220 + 0x19]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb6ae8480 r5 = 0x00000000 r6 = 0xf61b725a r7 = 0xb40c17f0
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb6ae84a8 r9 = 0x00000000 r10 = 0xe68321b8 fp = 0xb6ae8400
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c1310 lr = 0xc89ffef5 pc = 0xc89ffef5
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 9 libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 486 + 0x15]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0x00000001 r5 = 0xe68321b8 r6 = 0x00000000 r7 = 0xb40c1808
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb6c706b0 r9 = 0xb6ae8400 r10 = 0xc8a27375 fp = 0xc8a27421
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c17f8 lr = 0xc8a00921 pc = 0xc8a00921
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 10 libxul.so!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [MessagePump.cpp:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 332 + 0x7]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb6c706a0 r5 = 0xb40c1868 r6 = 0x00000000 r7 = 0xb40c1830
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xb6c706b0 r9 = 0xb6ae8400 r10 = 0xc8a27375 fp = 0xc8a27421
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c1810 lr = 0xc8a2ccff pc = 0xc8a2ccff
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 11 libxul.so!MessageLoop::Run() [message_loop.cc:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 290 + 0x7]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xe68321b8 r5 = 0xb6ed2ea0 r6 = 0x00000000 r7 = 0xb40c1858
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xe68321b8 r9 = 0x00000002 r10 = 0xcb256c69 fp = 0x00000000
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c1838 lr = 0xc8dce1ab pc = 0xc8dce1ab
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 12 libxul.so!nsThread::ThreadFunc(void*) [nsThread.cpp:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 464 + 0x3]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb6ae8400 r5 = 0xb6ed2ea0 r6 = 0x00000000 r7 = 0xb40c1930
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r8 = 0xe68321b8 r9 = 0x00000002 r10 = 0xcb256c69 fp = 0x00000000
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - sp = 0xb40c1860 lr = 0xc8d3e0e3 pc = 0xc8d3e0e3
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - 13 libnss3.so!_pt_root [ptthread.c:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 201 + 0x5]
[task 2020-01-14T03:01:35.093Z] 03:01:35 INFO - r4 = 0xb8975780 r5 = 0xcb2fe738 r6 = 0x00002632 r7 = 0xb40c1950
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - r8 = 0x00000000 r9 = 0x00000002 r10 = 0xcb256c69 fp = 0x00000000
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - sp = 0xb40c1938 lr = 0xcb256d0b pc = 0xcb256d0b
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - 14 libc.so + 0x47947
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - r4 = 0xb40c1970 r5 = 0xb40c1970 r6 = 0xb40c1970 r7 = 0x00000078
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - r8 = 0x00001e77 r9 = 0x00002629 r10 = 0xcb256c69 fp = 0x00000000
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - sp = 0xb40c1958 lr = 0xe67e1949 pc = 0xe67e1949
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - Found by: call frame info
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - 15 libc.so + 0x4792f
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - sp = 0xb40c195c pc = 0xe67e1931
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - Found by: stack scanning
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - 16 libc.so + 0x1b381
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - sp = 0xb40c1960 pc = 0xe67b5383
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - Found by: stack scanning
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - 17 libc.so + 0x4792f
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - sp = 0xb40c1968 pc = 0xe67e1931
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - Found by: stack scanning
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - 18 libnss3.so!pt_recvfrom_cont [ptio.c:a89ab01aec47fc6f457ddf6bfd2650e407f169d3 : 0 + 0x7]
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - sp = 0xb40c19a4 pc = 0xcb256c69
[task 2020-01-14T03:01:35.102Z] 03:01:35 INFO - Found by: stack scanning

Bug 1612593 looks like the same problem.

Group: core-security → media-core-security

There are a number of potential call sites into VideoStreamEncoder::OnEncodedImage, but running mochitests on the Android hardware in automation, we're almost certainly hitting it through [1]. I ran a try run with an assert just before that call site to double check [2]. It looks like we've recently had to fix some problems with late callbacks here in Bug 1599799.

[1] https://searchfox.org/mozilla-central/rev/a1592902acabf9bded973067133baaac1457f3d3/media/webrtc/signaling/src/media-conduit/WebrtcMediaDataEncoderCodec.cpp#305
[2] https://treeherder.mozilla.org/#/jobs?repo=try&revision=8cc25c80a98b610fd842316e08ce79b10f603917.

Component: WebRTC → WebRTC: Audio/Video

Bug 1612593 is also this issue.

And another: bug 1613223.

Two more: bug 1613816 and bug 1613737.

Something similar: Bug 1617367.

Crash Signature: [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] → [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] [@ 0x0] [@ 0x62000000]
Crash Signature: [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] [@ 0x0] [@ 0x62000000] → [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] [@ 0x0] [@ 0x62000000]
Crash Signature: [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] [@ 0x0] [@ 0x62000000] → [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] [@ 0x0] [@ 0x62000000] [@ mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> cons…
Crash Signature: [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] [@ 0x0] [@ 0x62000000] [@ mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> cons… → [@ webrtc::VideoStreamEncoder::OnEncodedImage]
Crash Signature: [@ webrtc::VideoStreamEncoder::OnEncodedImage] → [@ webrtc::VideoStreamEncoder::OnEncodedImage] [@ mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> const&)]
Crash Signature: [@ webrtc::VideoStreamEncoder::OnEncodedImage] [@ mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> const&)] → [@ webrtc::VideoStreamEncoder::OnEncodedImage] [@ mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> const&)] [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFr…

I think the problem here is that the rest of webrtc.org code expects that no callback will occur once the callback has been set to nullptr. That is the case for all of the existing calls to RegisterEncodeCompleteCallback, and also see the comment here [1]. In WebrtcMediaDataEncoderCodec the call to RegisterEncodeCompleteCallback dispatches setting the callback to a task queue. If there are still frames to be delivered in the task queue, that will occur before the callback is reset but after RegisterEncodeCompleteCallback returns, which causes the use after free we're seeing. In WebrtcGmpVideoCodec, we take a lock to prevent this from happening [3]. Ideally we'd avoid locking in ProcessEncode, but I'm not sure if the TaskQueue in use supports sync dispatch.

[1] https://searchfox.org/mozilla-central/rev/b712398b7fae54ef377a558d6f16dede7a7f8530/media/webrtc/trunk/webrtc/media/engine/simulcast_encoder_adapter.cc#176
[2] https://searchfox.org/mozilla-central/rev/8526066f548af9ec3ebb462ff73c47ccc183f533/media/webrtc/signaling/src/media-conduit/WebrtcMediaDataEncoderCodec.cpp#158
[3] https://searchfox.org/mozilla-central/rev/8526066f548af9ec3ebb462ff73c47ccc183f533/media/webrtc/signaling/src/media-conduit/WebrtcGmpVideoCodec.cpp#488
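As an added illustration of the race described in the comment above (example code written for this page, not the bug's patch and not Firefox or webrtc.org source): a deliberately reduced model in which the encoder hands both its encode work and its callback reset to a serial task queue. `TaskQueue`, `RecordingSink`, `AsyncResetEncoder`, `LockedResetEncoder` and `RunShutdownScenario` are names invented for the example. The queue runs tasks only when drained, so the ordering the comment describes (frames queued, reset dispatched, `RegisterEncodeCompleteCallback` returns, caller frees the sink, queued work runs) is reproduced deterministically rather than by winning a thread race. Destruction of the sink is modelled with a flag instead of a real `delete`, so a late callback is counted instead of being undefined behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <mutex>
#include <queue>
#include <utility>
#include <vector>

// Stand-in for webrtc::EncodedImageCallback (invented for this example).
struct EncodedImageCallback {
  virtual ~EncodedImageCallback() = default;
  virtual void OnEncodedImage(uint32_t frameId) = 0;
};

// Sink owned by the caller. Destruction is modelled with a flag rather than a
// real delete, so a late callback is counted instead of being a real UAF.
struct RecordingSink : EncodedImageCallback {
  bool destroyed = false;
  int lateDeliveries = 0;        // callbacks that arrived after "destruction"
  std::vector<uint32_t> frames;  // frames delivered while still alive
  void OnEncodedImage(uint32_t id) override {
    if (destroyed) { ++lateDeliveries; return; }
    frames.push_back(id);
  }
};

// Serial task queue that only runs tasks when Drain() is called, which lets
// the ordering from the bug be forced: work queued, reset dispatched, caller
// returns and frees the sink, and only then does the queued work run.
class TaskQueue {
 public:
  void Dispatch(std::function<void()> task) { tasks_.push(std::move(task)); }
  void Drain() {
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop();
      task();
    }
  }
 private:
  std::queue<std::function<void()>> tasks_;
};

// Buggy pattern: the callback reset is itself dispatched to the task queue, so
// RegisterEncodeCompleteCallback(nullptr) returns while encode tasks that will
// still read the old pointer sit ahead of the reset in the queue.
class AsyncResetEncoder {
 public:
  explicit AsyncResetEncoder(TaskQueue& queue) : queue_(queue) {}
  void RegisterEncodeCompleteCallback(EncodedImageCallback* cb) {
    queue_.Dispatch([this, cb] { callback_ = cb; });
  }
  void Encode(uint32_t frameId) {
    queue_.Dispatch([this, frameId] {
      if (callback_) callback_->OnEncodedImage(frameId);
    });
  }
 private:
  TaskQueue& queue_;
  EncodedImageCallback* callback_ = nullptr;
};

// Locked pattern: the pointer is updated synchronously under a mutex and each
// delivery reads and invokes it under the same mutex. Once the unregister call
// returns, no delivery can observe the old pointer, which is the contract the
// rest of webrtc.org relies on.
class LockedResetEncoder {
 public:
  explicit LockedResetEncoder(TaskQueue& queue) : queue_(queue) {}
  void RegisterEncodeCompleteCallback(EncodedImageCallback* cb) {
    std::lock_guard<std::mutex> lock(mutex_);
    callback_ = cb;
  }
  void Encode(uint32_t frameId) {
    queue_.Dispatch([this, frameId] {
      std::lock_guard<std::mutex> lock(mutex_);
      if (callback_) callback_->OnEncodedImage(frameId);
    });
  }
 private:
  TaskQueue& queue_;
  std::mutex mutex_;
  EncodedImageCallback* callback_ = nullptr;
};

// Shutdown sequence from the bug. Returns how many callbacks reached the sink
// after its owner had torn it down (the use-after-free in the real code).
template <class Encoder>
int RunShutdownScenario() {
  TaskQueue queue;
  RecordingSink sink;
  Encoder encoder(queue);
  encoder.RegisterEncodeCompleteCallback(&sink);
  queue.Drain();                                    // registration takes effect
  encoder.Encode(1);
  encoder.Encode(2);                                // two frames still queued
  encoder.RegisterEncodeCompleteCallback(nullptr);  // caller begins shutdown...
  sink.destroyed = true;                            // ...and frees the sink
  queue.Drain();                                    // queued encode work now runs
  return sink.lateDeliveries;
}

int main() {
  std::printf("async reset:  %d late callback(s)\n", RunShutdownScenario<AsyncResetEncoder>());
  std::printf("locked reset: %d late callback(s)\n", RunShutdownScenario<LockedResetEncoder>());
  return 0;
}
```

With the async reset, both queued frames are delivered to a sink the caller has already torn down; with the locked reset, none are. The single-threaded queue makes the synchronous assignment alone sufficient here; on a real task queue, where delivery runs on another thread concurrently with the unregister call, the mutex around both the assignment and the delivery is what keeps the "no callback after unregister returns" guarantee, which is the same locking pattern the comment points to in WebrtcGmpVideoCodec.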

Crash Signature: [@ webrtc::VideoStreamEncoder::OnEncodedImage] [@ mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> const&)] [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const* → [@ webrtc::VideoStreamEncoder::OnEncodedImage] [@ mozilla::WebrtcMediaDataEncoder::ProcessEncode(RefPtr<mozilla::MediaData> const&)] [@ webrtc::VideoStreamEncoder::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*
Crash Signature: , webrtc::RTPFragmentationHeader const*)] → , webrtc::RTPFragmentationHeader const*)] [@ dalvik-main space (region space) (deleted) + 0x34024e8]
Crash Signature: , webrtc::RTPFragmentationHeader const*)] [@ dalvik-main space (region space) (deleted) + 0x34024e8] → , webrtc::RTPFragmentationHeader const*)] [@ dalvik-main space (region space) (deleted) + 0x34024e8] [@ webrtc::VCMEncodedFrameCallback::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)]
Crash Signature: , webrtc::RTPFragmentationHeader const*)] [@ dalvik-main space (region space) (deleted) + 0x34024e8] [@ webrtc::VCMEncodedFrameCallback::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] → , webrtc::RTPFragmentationHeader const*)] [@ dalvik-main space (region space) (deleted) + 0x34024e8] [@ webrtc::VCMEncodedFrameCallback::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] …
Crash Signature: , webrtc::RTPFragmentationHeader const*)] [@ rtc::PlatformThread::GetThreadRef() const] → , webrtc::RTPFragmentationHeader const*)] [@ rtc::PlatformThread::GetThreadRef() const] [@ 0x0] [@ 0x62000000]

Comment on attachment 9136734 [details]
Bug 1611938 - Add mutex to WebrtcMediaDataEncoderCodec; r=jolin!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: You could infer that there was a race condition with shutting down the encoder but I'm not sure how easily that would be exploitable.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 75,76
  • If not all supported branches, which bug introduced the flaw?: Bug 1599799
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Same patch should apply.
  • How likely is this patch to cause regressions; how much testing does it need?: This is unlikely to cause regressions. We have coverage in CI for this.
Attachment #9136734 - Flags: sec-approval?

Comment on attachment 9136734 [details]
Bug 1611938 - Add mutex to WebrtcMediaDataEncoderCodec; r=jolin!

sec-approval+, a=dveditz

Attachment #9136734 - Flags: sec-approval? → sec-approval+
Crash Signature: , webrtc::RTPFragmentationHeader const*)] [@ dalvik-main space (region space) (deleted) + 0x34024e8] [@ webrtc::VCMEncodedFrameCallback::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)] … → , webrtc::RTPFragmentationHeader const*)] [@ dalvik-main space (region space) (deleted) + 0x34024e8] [@ webrtc::VCMEncodedFrameCallback::OnEncodedImage(webrtc::EncodedImage const&, webrtc::CodecSpecificInfo const*, webrtc::RTPFragmentationHeader const*)…
Keywords: regression
Regressed by: 1599799
Has Regression Range: --- → yes

Yes, I'm having a look.

Flags: needinfo?(dminor)
Attachment #9136734 - Attachment description: Bug 1611938 - Change dispatches in WebrtcMediaDataEncoderCodec; r=jolin! → Bug 1611938 - Add mutex to WebrtcMediaDataEncoderCodec; r=jolin!
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77

Please nominate this for Beta approval when you're comfortable doing so.

Flags: needinfo?(dminor)

Comment on attachment 9136734 [details]
Bug 1611938 - Add mutex to WebrtcMediaDataEncoderCodec; r=jolin!

Beta/Release Uplift Approval Request

  • User impact if declined: Crashes / security problems.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): By adding extra locking there is a chance of introducing deadlock. We already use the same locking pattern in WebrtcGmpVideoCodec so this should be safe.
  • String changes made/needed: None
Flags: needinfo?(dminor)
Attachment #9136734 - Flags: approval-mozilla-beta?

Comment on attachment 9136734 [details]
Bug 1611938 - Add mutex to WebrtcMediaDataEncoderCodec; r=jolin!

Approved for 76.0b7.

Attachment #9136734 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main76+r]
Group: core-security-release