Closed Bug 1656063 Opened 4 years ago Closed 4 years ago

SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/ffvpx/FFVPXRuntimeLinker.cpp:128:21 in mozilla::FFVPXRuntimeLinker::GetRDFTFuncs(FFmpegRDFTFuncs*)

Categories

(Core :: Audio/Video, defect, P5)

defect

Tracking

RESOLVED FIXED
81 Branch
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: padenot)

References

(Regression)

Details

(Keywords: csectype-race, regression, sec-high, Whiteboard: [post-critsmash-triage][adv-main81+r])

Attachments

(1 file)

Summary: SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:649:20 in mozilla::MediaTrackGraphImpl::OpenAudioInputImpl(void const*, mozilla::AudioDataListener*) → SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/dom/media/platforms/ffmpeg/ffvpx/FFVPXRuntimeLinker.cpp:128:21 in mozilla::FFVPXRuntimeLinker::GetRDFTFuncs(FFmpegRDFTFuncs*)

Are we running init code multiple times here?

Component: WebRTC: Audio/Video → Audio/Video

This is a racy access to a function pointer.

Group: core-security
Assignee: nobody → padenot
Flags: needinfo?(padenot)
Group: core-security → media-core-security

Undefined behavior due to reading from memory that may be concurrently re-written with its existing value, but we'd be very unlucky if the compiler was doing something that would make this exploitable.
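The race described in the comments above, and the "load the function pointer once" shape of the fix named in the patch title, as an added illustration that is not the Bugzilla patch or Gecko code: `RDFTFuncs`, `Resolve`, `GetFuncsRacy` and `GetFuncsOnce` are hypothetical stand-ins for the FFVPX function table and its lookup.

```cpp
#include <atomic>
#include <thread>
#include <vector>
// Hypothetical stand-in for FFmpegRDFTFuncs: a table of function pointers
// that a runtime linker resolves from a loaded library.
struct RDFTFuncs { int (*compute)(int) = nullptr; };

static int RealCompute(int x) { return x * 2; }
static std::atomic<int> gResolveCount{0};  // times the table was filled in

// Stand-in for dlsym-style symbol lookup; counts each resolution.
static RDFTFuncs Resolve() {
    gResolveCount.fetch_add(1);
    return RDFTFuncs{&RealCompute};
}

// Racy pattern: every caller (each FFTBlock, on any thread) stores into the
// shared table. The stored value is always the same, but unsynchronized writes
// to one non-atomic object are a data race, hence undefined behaviour.
static RDFTFuncs gSharedFuncs;
static RDFTFuncs GetFuncsRacy() {
    gSharedFuncs = Resolve();  // concurrent non-atomic write, same value each time
    return gSharedFuncs;       // concurrent read of the same object
}

// Hardened pattern: resolve exactly once. A function-local static is
// initialized once under C++11 rules, so later callers only read.
static const RDFTFuncs& GetFuncsOnce() {
    static const RDFTFuncs funcs = Resolve();
    return funcs;
}

// Calls getter from nthreads threads; returns how many got a working table.
template <typename Getter>
static int RunConcurrently(Getter getter, int nthreads) {
    std::atomic<int> ok{0};
    std::vector<std::thread> threads;
    for (int i = 0; i < nthreads; ++i)
        threads.emplace_back([&] {
            const RDFTFuncs& f = getter();
            if (f.compute && f.compute(21) == 42) ok.fetch_add(1);
        });
    for (auto& t : threads) t.join();
    return ok.load();
}

int main() {  // hardened path: 8 usable tables, but only 1 resolution
    int ok = RunConcurrently(GetFuncsOnce, 8);
    return (ok == 8 && gResolveCount.load() == 1) ? 0 : 1;
}
```

Building with `-fsanitize=thread` and running `GetFuncsRacy` from several threads reproduces a report of the kind in the summary above; the once-initialized path stays silent.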

Has Regression Range: --- → yes
Keywords: regression

Comment on attachment 9167008 [details]
Bug 1656063 - Only load function pointer in FFTBlock once. r?karlt

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: https://bugzilla.mozilla.org/show_bug.cgi?id=1656063#c6 explains what is happening. It's reasonably easy to understand what's going on from the patch only, but it's a concurrent write of a pointer with the same value, from different threads; it's not horrible.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: This backports cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: I don't expect any regression.
Attachment #9167008 - Flags: sec-approval?

Comment on attachment 9167008 [details]
Bug 1656063 - Only load function pointer in FFTBlock once. r?karlt

Approved to land. If uplift is warranted (it seems from c6 this isn't likely exploitable?) feel free to request.

Attachment #9167008 - Flags: sec-approval? → sec-approval+
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main81+r]
Group: core-security-release