Closed Bug 1651678 Opened 4 years ago Closed 4 years ago

AddressSanitizer: heap-use-after-free [@ mozilla::MediaTrack::SetEnabled(mozilla::DisabledTrackMode)::Message::Run] with READ of size 8

Categories: Core :: Audio/Video: MediaStreamGraph (defect)
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 79+ fixed
firefox78 --- wontfix
firefox79 + fixed
firefox80 + fixed

People

(Reporter: jkratzer, Assigned: padenot)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [sec-survey][adv-main79+r][adv-ESR78.1+r] )

Attachments

(1 file)

Found while fuzzing mozilla-central rev b54e100794ee. I currently have an unreduced testcase. Attempts at reducing this testcase severely affect its reliability. In lieu of a testcase, I will upload a pernosco trace for this issue shortly.

==3289==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000005f040 at pc 0x7fc6115b63a0 bp 0x7fc5e23ce400 sp 0x7fc5e23ce3f8
READ of size 8 at 0x61000005f040 thread T55 (GraphRunner)
    #0 0x7fc6115b639f in mozilla::MediaTrack::SetEnabled(mozilla::DisabledTrackMode)::Message::Run() /gecko/dom/media/MediaTrackGraph.cpp:2306:35
    #1 0x7fc61154e3c8 in mozilla::MediaTrackGraphImpl::RunMessagesInQueue() /gecko/dom/media/MediaTrackGraph.cpp:1151:20
    #2 0x7fc611553f03 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /gecko/dom/media/MediaTrackGraph.cpp:1394:3
    #3 0x7fc61118188d in mozilla::GraphRunner::Run() /gecko/dom/media/GraphRunner.cpp:114:32
    #4 0x7fc60a7c2f05 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #5 0x7fc60a7cdc9c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #6 0x7fc60bb63d02 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:302:20
    #7 0x7fc60ba401f7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #8 0x7fc60ba401f7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #9 0x7fc60ba401f7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #10 0x7fc60a7bb8c7 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:447:10
    #11 0x7fc62fc4fd3e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #12 0x7fc62f8906da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7fc62e86ea3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61000005f040 is located 0 bytes inside of 192-byte region [0x61000005f040,0x61000005f100)
freed by thread T55 (GraphRunner) here:
    #0 0x55e74f23c7bd in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7fc61153d66b in Release /builds/worker/workspace/obj-build/dist/include/MediaTrackGraph.h:270:3
    #2 0x7fc61153d66b in mozilla::MediaTrackGraphImpl::RemoveTrackGraphThread(mozilla::MediaTrack*) /gecko/dom/media/MediaTrackGraph.cpp:119:3
    #3 0x7fc61154e3c8 in mozilla::MediaTrackGraphImpl::RunMessagesInQueue() /gecko/dom/media/MediaTrackGraph.cpp:1151:20
    #4 0x7fc611553f03 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /gecko/dom/media/MediaTrackGraph.cpp:1394:3
    #5 0x7fc61118188d in mozilla::GraphRunner::Run() /gecko/dom/media/GraphRunner.cpp:114:32
    #6 0x7fc60a7c2f05 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #7 0x7fc60a7cdc9c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #8 0x7fc60bb63d02 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:302:20
    #9 0x7fc60ba401f7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #10 0x7fc60ba401f7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #11 0x7fc60ba401f7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #12 0x7fc60a7bb8c7 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:447:10
    #13 0x7fc62fc4fd3e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7fc62f8906da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

previously allocated by thread T0 (file:// Content) here:
    #0 0x55e74f23ca3d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55e74f272b2d in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fc611529ab1 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fc611529ab1 in mozilla::MediaTrackGraph::CreateForwardedInputTrack(mozilla::MediaSegment::Type) /gecko/dom/media/MediaTrackGraph.cpp:3302:32
    #4 0x7fc610ef7747 in mozilla::dom::HTMLMediaElement::UpdateOutputTrackSources() /gecko/dom/html/HTMLMediaElement.cpp:3675:36
    #5 0x7fc610f16901 in mozilla::dom::HTMLMediaElement::MetadataLoaded(mozilla::MediaInfo const*, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> > const, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > const> >) /gecko/dom/html/HTMLMediaElement.cpp:5425:3
    #6 0x7fc610f07bcb in mozilla::dom::HTMLMediaElement::UpdateReadyStateInternal() /gecko/dom/html/HTMLMediaElement.cpp:5817:5
    #7 0x7fc610f583ce in mozilla::WatchManager<mozilla::dom::HTMLMediaElement>::PerCallbackWatcher::Notify()::'lambda'()::operator()() const /builds/worker/workspace/obj-build/dist/include/mozilla/StateWatching.h:248:38
    #8 0x7fc610f5805c in mozilla::detail::RunnableFunction<mozilla::WatchManager<mozilla::dom::HTMLMediaElement>::PerCallbackWatcher::Notify()::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #9 0x7fc60a7a347a in mozilla::SimpleTaskQueue::DrainTasks() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:43:10
    #10 0x7fc60a7c6042 in nsThread::DrainDirectTasks() /gecko/xpcom/threads/nsThread.cpp:1450:16
    #11 0x7fc60a7c31e6 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1254:3
    #12 0x7fc60a7cdc9c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #13 0x7fc60bb6220f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #14 0x7fc60ba401f7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #15 0x7fc60ba401f7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #16 0x7fc60ba401f7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #17 0x7fc612e131c8 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #18 0x7fc6169be2a6 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #19 0x7fc60ba401f7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #20 0x7fc60ba401f7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #21 0x7fc60ba401f7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #22 0x7fc6169bd88f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #23 0x55e74f26f723 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #24 0x55e74f26f723 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #25 0x7fc62e76eb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

Thread T55 (GraphRunner) created by T0 (file:// Content) here:
    #0 0x55e74f2271ea in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7fc62fc401e5 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fc62fc3115e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fc60a7be5a7 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:659:8
    #4 0x7fc60a7cc8fa in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:623:12
    #5 0x7fc60a7d7a9a in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7fc6111800e0 in NS_NewNamedThread<12> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85:10
    #7 0x7fc6111800e0 in mozilla::GraphRunner::Create(mozilla::MediaTrackGraphImpl*) /gecko/dom/media/GraphRunner.cpp:37:7
    #8 0x7fc61156ae4b in mozilla::MediaTrackGraphImpl::MediaTrackGraphImpl(mozilla::MediaTrackGraph::GraphDriverType, mozilla::MediaTrackGraph::GraphRunType, int, unsigned int, void const*, mozilla::AbstractThread*) /gecko/dom/media/MediaTrackGraph.cpp:2981:26
    #9 0x7fc61156c950 in mozilla::MediaTrackGraph::GetInstance(mozilla::MediaTrackGraph::GraphDriverType, nsPIDOMWindowInner*, int, void const*) /gecko/dom/media/MediaTrackGraph.cpp:3121:17
    #10 0x7fc610f0466b in mozilla::dom::HTMLMediaElement::MozCaptureStreamUntilEnded(mozilla::ErrorResult&) /gecko/dom/html/HTMLMediaElement.cpp:3881:28
    #11 0x7fc6104235e9 in mozilla::dom::HTMLMediaElement_Binding::mozCaptureStreamUntilEnded(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLMediaElementBinding.cpp:2359:76
    #12 0x7fc610557f88 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3219:13
    #13 0x7fc616c2952b in CallJSNative /gecko/js/src/vm/Interpreter.cpp:484:13
    #14 0x7fc616c2952b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:576:12
    #15 0x7fc616c2b7c8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #16 0x7fc616c126b0 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:643:10
    #17 0x7fc616c126b0 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3296:16
    #18 0x7fc616bf6011 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:456:10
    #19 0x7fc616c2960d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:611:13
    #20 0x7fc616c2b7c8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:639:10
    #21 0x7fc616c2baa6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:8
    #22 0x7fc616dcf6c0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2846:10
    #23 0x7fc61014d7ce in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #24 0x7fc610c55afd in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #25 0x7fc610c55524 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1082:43
    #26 0x7fc610c56d30 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1279:17
    #27 0x7fc610c44e8f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:355:17
    #28 0x7fc610c4362d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:557:16
    #29 0x7fc610c47b86 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1054:11
    #30 0x7fc610c4c8b9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #31 0x7fc60ea9772e in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1300:17
    #32 0x7fc60e4f1797 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /gecko/dom/base/nsContentUtils.cpp:4050:28
    #33 0x7fc60e4f14d3 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /gecko/dom/base/nsContentUtils.cpp:4020:10
    #34 0x7fc60e7ac80e in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:7189:3
    #35 0x7fc60e879e34 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #36 0x7fc60e879e34 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #37 0x7fc60e879e34 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #38 0x7fc60a7880cd in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #39 0x7fc60a7920f9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:209:16
    #40 0x7fc60a78e688 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:459:24
    #41 0x7fc60a78c9d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:337:20
    #42 0x7fc60a78cde3 in mozilla::TaskController::ProcessPendingMTTask() /gecko/xpcom/threads/TaskController.cpp:152:3
    #43 0x7fc60a79de8f in operator() /gecko/xpcom/threads/TaskController.cpp:82:37
    #44 0x7fc60a79de8f in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #45 0x7fc60a7c2f05 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #46 0x7fc60a7cdc9c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #47 0x7fc60bb6220f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #48 0x7fc60ba401f7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #49 0x7fc60ba401f7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #50 0x7fc60ba401f7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #51 0x7fc612e131c8 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #52 0x7fc6169be2a6 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #53 0x7fc60ba401f7 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #54 0x7fc60ba401f7 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #55 0x7fc60ba401f7 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #56 0x7fc6169bd88f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #57 0x55e74f26f723 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #58 0x55e74f26f723 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #59 0x7fc62e76eb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /gecko/dom/media/MediaTrackGraph.cpp:2306:35 in mozilla::MediaTrack::SetEnabled(mozilla::DisabledTrackMode)::Message::Run()
Shadow bytes around the buggy address:
Flags: in-testsuite?
Group: core-security → media-core-security
Keywords: sec-high

A test case/pernosco would be great. Looking at the stacks it appears we're freeing[0] a track that is then touched when we process messages[1]. This appears to be a media track graph/media stream graph issue, moving it to that component.

[0] https://searchfox.org/mozilla-central/rev/89814940895946b48b4c04c702efd2c676ec8e7e/dom/media/MediaTrackGraph.h#270
[1] https://searchfox.org/mozilla-central/rev/89814940895946b48b4c04c702efd2c676ec8e7e/dom/media/MediaTrackGraph.cpp#2306

Component: Audio/Video → Audio/Video: MediaStreamGraph

I finally managed to get a Pernosco session for this:
https://pernos.co/debug/E8EBBHwIHd8Okst6OkgBzw/index.html

This is optimized too much; all the important bits are unreadable.

Attached file Bug 1651678. r?karlt
Assignee: nobody → padenot
Status: NEW → ASSIGNED

This happens due to unintended behavior in MediaElementTrackSource, which null-checks mTrack, but mTrack is never null, and not even set to null in MediaElementTrackSource::Destroy().

That behavior was introduced at https://hg.mozilla.org/mozilla-central/rev/9114318b64930ec2e51c69567fa1281aa8f4f210#l1.66 .
A MediaElementTrackSource::Track() method was introduced at that time, and callers do not null check.
The MediaElementTrackSource is removed from HTMLMediaElement::mOutputTrackSources when Destroy() is triggered, but the MediaElementTrackSource is ref-counted, so I don't know whether or not there might be remaining owners after that point.

Has Regression Range: --- → yes

In a debug build, an assertion would fail in AppendMessage().
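Added here as an illustration (not Gecko code and not the patch attached to this bug): a single-threaded C++ model of the lifetime problem described in the two comments above, where a control message queued behind the track's own removal still carries a raw pointer to it. It assumes the graph is the sole owner of the track once the source has released it, that control messages carry a raw `Track*` as the `Message` objects in the ASan stacks do, and that the hardened variant (clearing `mTrack` in `Destroy()` so the existing null check can take effect) is this model's own fix, not necessarily what landed; `Graph`, `TrackSource` and `Reproduce()` are the model's names. To stay deterministic it counts a message that ran against a released track instead of reading freed memory, and models the debug-build `AppendMessage()` assertion as a flag.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>

struct Track {
  bool enabled = true;
  bool mainThreadDestroyed = false;  // model's own flag: Destroy() has been queued
};

class Graph {
 public:
  int useAfterFree = 0;      // messages that ran against an already-released track
  bool debugAssert = false;  // what a debug build's AppendMessage() assert would catch

  Track* CreateTrack() {
    owned_.push_back(std::make_unique<Track>());
    return owned_.back().get();
  }
  // Main-thread side: queue a control message that carries a raw Track*.
  void AppendMessage(Track* t, std::function<void(Graph&)> m) {
    if (t->mainThreadDestroyed) debugAssert = true;  // debug-build assert, as a flag
    queue_.push_back(std::move(m));
  }
  // Graph-thread side: drain the queue in FIFO order (RunMessagesInQueue).
  void RunMessagesInQueue() {
    for (auto& m : queue_) m(*this);
    queue_.clear();
  }
  // Message body: the graph drops its sole reference, which frees the track.
  void RemoveTrackGraphThread(Track* t) {
    owned_.erase(std::remove_if(owned_.begin(), owned_.end(),
                                [t](auto& p) { return p.get() == t; }), owned_.end());
  }
  // Message body: the real code reads through t here; the model first checks
  // ownership by pointer value (never dereferencing) and counts the would-be UAF.
  void SetEnabledGraphThread(Track* t, bool enabled) {
    if (!Owns(t)) { ++useAfterFree; return; }
    t->enabled = enabled;
  }
 private:
  bool Owns(const Track* t) const {
    return std::any_of(owned_.begin(), owned_.end(), [t](auto& p) { return p.get() == t; });
  }
  std::vector<std::unique_ptr<Track>> owned_;
  std::vector<std::function<void(Graph&)>> queue_;
};

// Main-thread owner of a track, modelled on MediaElementTrackSource.
struct TrackSource {
  Graph& graph;
  Track* mTrack;  // non-owning: the graph owns the track
  void Destroy(bool clearTrack) {
    graph.AppendMessage(mTrack, [t = mTrack](Graph& g) { g.RemoveTrackGraphThread(t); });
    mTrack->mainThreadDestroyed = true;
    if (clearTrack) mTrack = nullptr;  // hardened variant: the null check below now works
  }
  void SetEnabled(bool enabled) {
    if (!mTrack) return;  // buggy variant: mTrack is never null, so this never fires
    graph.AppendMessage(mTrack, [t = mTrack, enabled](Graph& g) { g.SetEnabledGraphThread(t, enabled); });
  }
};

// The sequence behind the report: Destroy(), then SetEnabled(), then one graph
// iteration. The returned graph carries the would-be UAF count and assert flag.
Graph Reproduce(bool hardened) {
  Graph graph;
  TrackSource src{graph, graph.CreateTrack()};
  src.Destroy(hardened);
  src.SetEnabled(false);
  graph.RunMessagesInQueue();
  return graph;
}
```

In the buggy ordering the removal message frees the track before the set-enabled message runs, which is the same message-queue sequence the free and read stacks above show, and the debug assert trips at the second AppendMessage().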

Comment on attachment 9163782 [details]
Bug 1651678. r?karlt

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It's (I think) rather obvious that it's a UAF, but it's quite hard to trigger, any attempt at reducing the test case makes it go away.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: Bug 1172394
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: We already have a debug-only assert that would prevent this being exploitable in debug mode, and it's never failed outside of this bug, so we're quite confident it will work.
Attachment #9163782 - Flags: sec-approval?

Comment on attachment 9163782 [details]
Bug 1651678. r?karlt

sec-approval+ and beta uplift approval a=dveditz

Attachment #9163782 - Flags: sec-approval?
Attachment #9163782 - Flags: sec-approval+
Attachment #9163782 - Flags: approval-mozilla-beta+

Comment on attachment 9163782 [details]
Bug 1651678. r?karlt

Clearing my beta uplift approval. We're much later in this cycle than I thought (hello, 4 wk cycles!) and there are no more betas. Will need to get uplift approval from release-drivers.

Attachment #9163782 - Flags: approval-mozilla-beta+

Comment on attachment 9163782 [details]
Bug 1651678. r?karlt

Beta/Release Uplift Approval Request

  • User impact if declined: Hard to trigger UAF
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): There is a debug assert that blows up in this specific case, and has never blown up outside this fuzzer test case (iirc).
  • String changes made/needed:
Attachment #9163782 - Flags: approval-mozilla-beta?

Comment on attachment 9163782 [details]
Bug 1651678. r?karlt

Approved for 79.0rc1 and 78.1esr.

Attachment #9163782 - Flags: approval-mozilla-esr78+
Attachment #9163782 - Flags: approval-mozilla-beta?
Attachment #9163782 - Flags: approval-mozilla-beta+
Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

As part of a security bug pattern analysis, we are requesting your help with a high-level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(padenot)
Whiteboard: [sec-survey]
Flags: needinfo?(padenot)
Whiteboard: [sec-survey] → [sec-survey][adv-main79+r]
Whiteboard: [sec-survey][adv-main79+r] → [sec-survey][adv-main79+r][adv-ESR78.1+r]
Group: core-security-release
Blocks: 1700075