ThreadSanitizer: unlock of an unlocked mutex [@webrtc::GetWindowList]
Categories
(Core :: WebRTC: Audio/Video, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox81 | --- | fixed |
People
(Reporter: bwc, Assigned: bwc)
References
Details
Attachments
(4 files)
This looks pretty scary.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
Comment 2•4 years ago
|
||
From the log: Mutex M180560751542984000 is already destroyed.
so I guess a UAF. It is happening here at [1], the corresponding lock is at [2].
Upstream is substantially different: [3].
[1] https://searchfox.org/mozilla-central/rev/89814940895946b48b4c04c702efd2c676ec8e7e/media/webrtc/trunk/webrtc/modules/desktop_capture/linux/x_error_trap.cc#54
[2] https://searchfox.org/mozilla-central/rev/89814940895946b48b4c04c702efd2c676ec8e7e/media/webrtc/trunk/webrtc/modules/desktop_capture/linux/x_error_trap.cc#48
[3] https://source.chromium.org/chromium/chromium/src/+/master:third_party/webrtc/modules/desktop_capture/linux/x_error_trap.cc;l=40
Assignee | ||
Comment 3•4 years ago
|
||
Updated•4 years ago
|
Comment 4•4 years ago
|
||
I noticed we are still running enumeration code for application capture. I'm removing it in Bug 1652552. It runs after window enumeration, so I doubt it is causing any problems here, unless it ends up leaving things in a bad state for the next time window enumeration runs.
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Comment 5•4 years ago
|
||
Just tested current m-c, it does not look like the landing of bug 1652552 fixed this problem. Looking closer...
Assignee | ||
Comment 6•4 years ago
|
||
I am not seeing any obvious way we could be UAFing here, but I do see that a third_party rust library (x11) is being used by webrtc.org here. Maybe webrtc.org's rust dependencies are not being instrumented properly?
Comment 7•4 years ago
|
||
There's no way that webrtc.org should be using rust. Are we linking against the wrong library?
Comment 8•4 years ago
|
||
I don't see any Rust code in the stacks, so I suspect that's not the issue. However, I do see libX11.so in the stacks, and that is of course not instrumented. For this particular error I believe that should not matter, however if libX11 does not use an intercepted function call (or that interception failed for some reason) to lock the mutex in the first place, then TSan will believe that it is unlocked despite it being locked.
We already suppress several stacks with third party libraries and errors about mutex usage.
If Dan thinks this could be a real uaf, then we should look closer, otherwise I'll be fine with mutex:libX11.so
in the suppression list.
Assignee | ||
Comment 9•4 years ago
|
||
(In reply to Dan Minor [:dminor] from comment #7)
There's no way that webrtc.org should be using rust. Are we linking against the wrong library?
I misread something, you're right I think.
Assignee | ||
Comment 10•4 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #8)
I don't see any Rust code in the stacks, so I suspect that's not the issue. However, I do see libX11.so in the stacks, and that is of course not instrumented. For this particular error I believe that should not matter, however if libX11 does not use an intercepted function call (or that interception failed for some reason) to lock the mutex in the first place, then TSan will believe that it is unlocked despite it being locked.
We already suppress several stacks with third party libraries and errors about mutex usage.
If Dan thinks this could be a real uaf, then we should look closer, otherwise I'll be fine with
mutex:libX11.so
in the suppression list.
That suppression does not seem to work; maybe because the only place libX11 shows up in the output is in the context information describing what created the mutex?
Comment 11•4 years ago
|
||
So if LockDisplay() has already succeeded, the only way I can think of that we'd UAF in UnlockDisplay() is if another thread was concurrently freeing the display. I thought all of the window enumeration stuff ran in the same thread. If that's the case, then this sounds like something we can just suppress. Maybe a couple of quick threading assertions in the SharedXDisplay destructor and in the XErrorTrap constructor would confirm this.
Comment 12•4 years ago
|
||
(In reply to Byron Campen [:bwc] from comment #10)
That suppression does not seem to work; maybe because the only place libX11 shows up in the output is in the context information describing what created the mutex?
Hm yes, that is possible. In that case, I guess we have to go with mutex:XErrorTrap
Assignee | ||
Comment 13•4 years ago
|
||
Depends on D84391
Updated•4 years ago
|
Assignee | ||
Comment 14•4 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=7d7284cc92d807848a1398be59a16514c18cac8f
Try seems to be about as expected.
Updated•4 years ago
|
Comment 16•4 years ago
|
||
The severity field is not set for this bug.
:jib, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 17•4 years ago
|
||
Pushed by bcampen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1aa3ff231258 Suppress error due to libX11 not being instrumented. r=decoder
Comment 18•4 years ago
|
||
bugherder |
Updated•2 months ago
|
Description
•