Closed Bug 1660000 Opened 5 years ago Closed 1 year ago

AddressSanitizer: heap-buffer-overflow /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3 in __asan_memcpy

Categories

(Core :: Audio/Video: MediaStreamGraph, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1605894
Tracking Status
firefox81 --- disabled
firefox82 --- disabled
firefox83 --- disabled
firefox84 --- disabled

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [this is sec-high when enabled by default][bugmon:bisected,confirmed])

Attachments

(1 file)

Found while fuzzing mozilla-central rev 483ef87aa6e8. I'm currently reducing the testcase and will attach it here once complete.

==9318==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618002272b90 at pc 0x55736e3f6e6a bp 0x7fd24842f150 sp 0x7fd24842e918
READ of size 512 at 0x618002272b90 thread T125 (GraphRunner)
    #0 0x55736e3f6e69 in __asan_memcpy /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
    #1 0x7fd293c52a25 in PodCopy<float> /builds/worker/workspace/obj-build/dist/include/mozilla/PodOperations.h:108:5
    #2 0x7fd293c52a25 in mozilla::AudioSegment::Mix(mozilla::AudioMixer&, unsigned int, unsigned int) /gecko/dom/media/AudioSegment.cpp:147:11
    #3 0x7fd293c517ac in mozilla::AudioCaptureTrack::ProcessInput(long, long, unsigned int) /gecko/dom/media/AudioCaptureTrack.cpp:97:13
    #4 0x7fd29413cc70 in mozilla::MediaTrackGraphImpl::ProduceDataForTracksBlockByBlock(unsigned int, int) /gecko/dom/media/MediaTrackGraph.cpp:1130:13
    #5 0x7fd2941416d7 in mozilla::MediaTrackGraphImpl::Process(mozilla::AudioMixer*) /gecko/dom/media/MediaTrackGraph.cpp:1296:11
    #6 0x7fd294143012 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /gecko/dom/media/MediaTrackGraph.cpp:1425:3
    #7 0x7fd293d7168b in mozilla::GraphRunner::Run() /gecko/dom/media/GraphRunner.cpp:116:32
    #8 0x7fd28d3d1f0c in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1242:14
    #9 0x7fd28d3dcdfc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #10 0x7fd28e7b5914 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:332:5
    #11 0x7fd28e694e97 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #12 0x7fd28e694e97 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #13 0x7fd28e694e97 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #14 0x7fd28d3ca89e in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:450:10
    #15 0x7fd2a7370d3e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7fd2aac85608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
    #17 0x7fd2aa84e102 in clone /build/glibc-YYA7BZ/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x618002272b90 is located 0 bytes to the right of 784-byte region [0x618002272880,0x618002272b90)
allocated by thread T125 (GraphRunner) here:
    #0 0x55736e3f7a0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55736e42dafd in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fd2948dc7a9 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fd2948dc7a9 in Create /gecko/dom/media/SharedBuffer.h:80:15
    #4 0x7fd2948dc7a9 in mozilla::AudioSourcePullListener::NotifyPull(mozilla::MediaTrackGraph*, long, long) /gecko/dom/media/webrtc/MediaEngineDefault.cpp:502:33
    #5 0x7fd29413f42d in mozilla::SourceMediaTrack::PullNewData(long) /gecko/dom/media/MediaTrackGraph.cpp:2534:8
    #6 0x7fd29413d94c in mozilla::MediaTrackGraphImpl::UpdateGraph(long) /gecko/dom/media/MediaTrackGraph.cpp:1188:34
    #7 0x7fd294142f9f in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /gecko/dom/media/MediaTrackGraph.cpp:1420:3
    #8 0x7fd293d7168b in mozilla::GraphRunner::Run() /gecko/dom/media/GraphRunner.cpp:116:32
    #9 0x7fd28d3d1f0c in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1242:14
    #10 0x7fd28d3dcdfc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #11 0x7fd28e7b5914 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:332:5
    #12 0x7fd28e694e97 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #13 0x7fd28e694e97 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #14 0x7fd28e694e97 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #15 0x7fd28d3ca89e in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:450:10
    #16 0x7fd2a7370d3e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #17 0x7fd2aac85608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)

Thread T125 (GraphRunner) created by T0 (file:// Content) here:
    #0 0x55736e3e21ba in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7fd2a73611e5 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fd2a735215e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fd28d3cd597 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:667:8
    #4 0x7fd28d3dba5a in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:629:12
    #5 0x7fd28d3e6bfa in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7fd293d6ff50 in NS_NewNamedThread<12> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85:10
    #7 0x7fd293d6ff50 in mozilla::GraphRunner::Create(mozilla::MediaTrackGraphImpl*) /gecko/dom/media/GraphRunner.cpp:37:7
    #8 0x7fd29415a39d in mozilla::MediaTrackGraphImpl::MediaTrackGraphImpl(mozilla::MediaTrackGraph::GraphDriverType, mozilla::MediaTrackGraph::GraphRunType, int, unsigned int, void const*, mozilla::AbstractThread*) /gecko/dom/media/MediaTrackGraph.cpp:3023:26
    #9 0x7fd29415be40 in mozilla::MediaTrackGraph::GetInstance(mozilla::MediaTrackGraph::GraphDriverType, nsPIDOMWindowInner*, int, void const*) /gecko/dom/media/MediaTrackGraph.cpp:3165:17
    #10 0x7fd2947ea692 in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, bool, unsigned int, unsigned int) /gecko/dom/media/webaudio/AudioDestinationNode.cpp:329:28
    #11 0x7fd2947dd2c2 in mozilla::dom::AudioContext::AudioContext(nsPIDOMWindowInner*, bool, unsigned int, unsigned int, float) /gecko/dom/media/webaudio/AudioContext.cpp:177:22
    #12 0x7fd2947df2e7 in mozilla::dom::AudioContext::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContextOptions const&, mozilla::ErrorResult&) /gecko/dom/media/webaudio/AudioContext.cpp:278:11
    #13 0x7fd29176a4d9 in mozilla::dom::AudioContext_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/AudioContextBinding.cpp:854:58
    #14 0x7fd29988e64e in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #15 0x7fd29988e64e in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:523:8
    #16 0x7fd29988e64e in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /gecko/js/src/vm/Interpreter.cpp:727:10
    #17 0x7fd29988dd34 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /gecko/js/src/vm/Interpreter.cpp:754:10
    #18 0x7fd29985bd3b in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3326:16
    #19 0x7fd299856c19 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #20 0x7fd29988b5e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #21 0x7fd29988d7c8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #22 0x7fd29988daa6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #23 0x7fd299ee05c0 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1683:10
    #24 0x7fd299b0de1c in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:128:8
    #25 0x7fd299c578c4 in AsyncFunctionPromiseReactionJob /gecko/js/src/builtin/Promise.cpp:1696:12
    #26 0x7fd299c578c4 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:1852:12
    #27 0x7fd29988b491 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #28 0x7fd29988b491 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #29 0x7fd29988d7c8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #30 0x7fd29988daa6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #31 0x7fd299a2ce30 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2831:10
    #32 0x7fd291eaab3b in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:28:8
    #33 0x7fd28d1e78d6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #34 0x7fd28d1e78d6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:104:12
    #35 0x7fd28d1e78d6 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:211:18
    #36 0x7fd28d1c7c42 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:646:17
    #37 0x7fd29311f4c5 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:232:7
    #38 0x7fd29311f4c5 in mozilla::dom::CallbackObject::CallSetup::~CallSetup() /gecko/dom/bindings/CallbackObject.cpp:393:11
    #39 0x7fd295287179 in mozilla::dom::MozObserverCallback::Observe(nsISupports*, nsTString<char> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/JSActorBinding.h:255:3
    #40 0x7fd295284984 in Observe /builds/worker/workspace/obj-build/dist/include/mozilla/dom/JSActorBinding.h:267:12
    #41 0x7fd295284984 in mozilla::dom::JSWindowActorProtocol::Observe(nsISupports*, char const*, char16_t const*) /gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp:233:21
    #42 0x7fd28d28f0c3 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverList.cpp:65:19
    #43 0x7fd28d296672 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverService.cpp:287:19
    #44 0x7fd29423cf87 in mozilla::dom::MediaKeySystemAccess::NotifyObservers(nsPIDOMWindowInner*, nsTSubstring<char16_t> const&, mozilla::dom::MediaKeySystemStatus) /gecko/dom/media/eme/MediaKeySystemAccess.cpp:1164:10
    #45 0x7fd29424c223 in mozilla::dom::MediaKeys::OnCDMCreated(unsigned int, unsigned int) /gecko/dom/media/eme/MediaKeys.cpp:497:3
    #46 0x7fd2942c2639 in mozilla::ChromiumCDMProxy::OnCDMCreated(unsigned int) /gecko/dom/media/gmp/ChromiumCDMProxy.cpp:155:12
    #47 0x7fd294302d7f in mozilla::ChromiumCDMProxy::Init(unsigned int, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&)::$_11::operator()() const::'lambda'(RefPtr<mozilla::gmp::ChromiumCDMParent>)::operator()(RefPtr<mozilla::gmp::ChromiumCDMParent>) const::'lambda'(bool)::operator()(bool) const /gecko/dom/media/gmp/ChromiumCDMProxy.cpp:115:31
    #48 0x7fd294301eb4 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/media/gmp/ChromiumCDMProxy.cpp:98:23), void ((lambda at /builds/worker/checkouts/gecko/dom/media/gmp/ChromiumCDMProxy.cpp:98:23)::*)(bool) const, bool> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:553:12
    #49 0x7fd294301eb4 in InvokeCallbackMethod<false, (lambda at /builds/worker/checkouts/gecko/dom/media/gmp/ChromiumCDMProxy.cpp:98:23), void ((lambda at /builds/worker/checkouts/gecko/dom/media/gmp/ChromiumCDMProxy.cpp:98:23)::*)(bool) const, bool, RefPtr<mozilla::MozPromise<bool, mozilla::MediaResult, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:584:5
    #50 0x7fd294301eb4 in mozilla::MozPromise<bool, mozilla::MediaResult, true>::ThenValue<mozilla::ChromiumCDMProxy::Init(unsigned int, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&)::$_11::operator()() const::'lambda'(RefPtr<mozilla::gmp::ChromiumCDMParent>)::operator()(RefPtr<mozilla::gmp::ChromiumCDMParent>) const::'lambda'(bool), mozilla::ChromiumCDMProxy::Init(unsigned int, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&)::$_11::operator()() const::'lambda'(RefPtr<mozilla::gmp::ChromiumCDMParent>)::operator()(RefPtr<mozilla::gmp::ChromiumCDMParent>) const::'lambda'(mozilla::MediaResult)>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:769:9
    #51 0x7fd28f9f70e1 in mozilla::MozPromise<bool, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:410:21
    #52 0x7fd28d3968bd in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #53 0x7fd28d3a1029 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
    #54 0x7fd28d39d515 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:512:26
    #55 0x7fd28d39b3d2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
    #56 0x7fd28d39b80f in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:168:36
    #57 0x7fd28d3ace64 in operator() /gecko/xpcom/threads/TaskController.cpp:86:37
    #58 0x7fd28d3ace64 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_5>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #59 0x7fd28d3d1f0c in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1242:14
    #60 0x7fd28d3dcdfc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #61 0x7fd28e7b3b84 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #62 0x7fd28e694e97 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #63 0x7fd28e694e97 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #64 0x7fd28e694e97 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #65 0x7fd295a19498 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #66 0x7fd299618706 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #67 0x7fd28e694e97 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #68 0x7fd28e694e97 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #69 0x7fd28e694e97 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #70 0x7fd299617cef in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #71 0x55736e42a6f3 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #72 0x55736e42a6f3 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #73 0x7fd2aa7530b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3080446520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3080446530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3080446540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3080446550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3080446560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3080446570: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3080446580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3080446590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30804465a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30804465b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30804465c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==9318==ABORTING
Group: core-security → media-core-security
Attached file testcase.zip
Flags: in-testsuite?
Keywords: testcase-wanted, bugmon
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200819212829-b0888d07df69. Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 157db696462d8a98905d0f8697088aa97cb6e08f (20200819100116)
> BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)

Jason indicated the following prefs for reproing:

user_pref("media.autoplay.default", 0);
user_pref("media.autoplay.enabled.user-gestures-needed", false);
user_pref("media.getusermedia.audiocapture.enabled", true);
user_pref("media.getusermedia.browser.enabled", true);
user_pref("media.navigator.permission.disabled", true);

Dump of info from having a look at this with a swag of symbols optimised out. I'm breakpointing at https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/dom/media/AudioSegment.cpp#147

  • Following this breakpoint we always crash on ASAN (i.e. the first PodCopy is always fatal).
  • We're calling into the mix code with aOutputChannels=1[0].
  • I see frames having different values: 1024, 640, 128 across different repros. Regardless of the value we always crash after.
  • If I step into PodCopy I can see dst and src: mozilla::PodCopy<float> (aDst=0x7f446e9c5310, aSrc=0x619000982690, aNElem=<optimized out>). If I then proceed to the crash and compare the crashing address (==62334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000982a90 at pc 0x562b803a3e2a bp 0x7f446e9c52d0 sp 0x7f446e9c4a98), the crash address looks close to our aSrc value. While aNElem is optimized out, I can get its value from frames in the frame above. In this case frames is 512. Comparing addresses: (src) 0x619000982a90 - (crash addr) 0x619000982690 = 0x400 = 1024. The third arg we give to memcpy is aNElem * sizeof(T) or 512 * 4 = 2048 in this case. So there's something wrong with our src and/or the length we're trying to read.

This looks media graph related, which is not my area of expertise. Karl, is this something you're familiar with? Would you be able to take a crack at this?

[0] https://searchfox.org/mozilla-central/rev/19c23d725f27d0989e4a60f36d64004cebb39736/dom/media/AudioCaptureTrack.cpp#97

Component: Audio/Video → Audio/Video: MediaStreamGraph
Flags: needinfo?(karlt)

There's some work remaining before "media.getusermedia.audiocapture.enabled" is ready for use.
Adding this to the list.

Blocks: 1156472
Flags: needinfo?(karlt)

It looks like that pref is false by default, so I'll mark this as disabled.

Hi Karl and Paul -- When are we likely to ship media.getusermedia.audiocapture? Is someone actively working on it, or is it paused? Thanks!

Flags: needinfo?(padenot)
Flags: needinfo?(karlt)

I'm waiting for clear directions on this, we can start as soon as we decide that we want to ship.

Flags: needinfo?(padenot)
Flags: needinfo?(drno)
Flags: needinfo?(astevenson)

It's not clear when the front end team would plan to ship Tab Sharing, which is related to the audiocapture feature. Tab Sharing requires UX resources as well and the team is constrained currently. I don't expect that work to happen this quarter, but if it changes I will let you know.

Flags: needinfo?(astevenson)
Flags: needinfo?(karlt)

Hey Dan, what's the best way to mark this bug such that it's clear that this bug isn't in Nightly, Beta, or Release? In fact, we have no plans to ship it currently. (See comment 9.) This bug is being shown every week in the sec-high bug report, and so it's effectively adding noise to the signal of that report. Thanks.

Flags: needinfo?(dveditz)

We mark the appropriate status fields as "disabled" and then not worry about the "noise" -- a bug or two overcount doesn't make much difference, and people can check the status. This bug is currently not blocking any future work that might be a forcing function for re-counting it so that makes me even more reluctant to downgrade it (it was marked blocking bug 1156472, but that bug is now fixed so this clearly wasn't a blocker and now likely people won't find this bug from there anymore).

If you really want it off your plate then

  • this needs to block a feature-enabling bug that's open and being tracked (trello card maybe?)
  • we comment in the Whiteboard that "this is sec-high when enabled by default"
  • then we could downgrade it to sec-moderate

(I guess the bug to block would be an "enable XXX by default" bug)

Flags: needinfo?(dveditz)
Blocks: 1685232
Keywords: sec-high → sec-moderate
Whiteboard: [bugmon:bisected,confirmed] → [this is sec-high when enabled by default][bugmon:bisected,confirmed]
Severity: normal → S4
Flags: needinfo?(drno)
Priority: -- → P3
No longer blocks: 1685232

This is the same issue as bug 1605894. AudioSegment::Mix() is not expecting 16-bit audio, which the fake microphone delivers.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1605894
Resolution: --- → DUPLICATE
Group: media-core-security
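As an added illustration (not code from this bug or from Firefox) of the mismatch that the resolving comment and the earlier breakpoint analysis describe: a mixer that copies frames * sizeof(float) bytes out of a chunk whose source actually delivered 16-bit samples. With the 512-frame case from the analysis above, the copy wants 2048 bytes from a 1024-byte buffer, so the first out-of-bounds read lands at src + 0x400, which is consistent with the crash address reported there. SampleFormat, AudioChunk and all function names below are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Sample formats a capture source may hand to the mixer (hypothetical enum;
// the real code identifies formats differently).
enum class SampleFormat { S16, F32 };

struct AudioChunk {
  SampleFormat format;
  size_t frames;               // samples per channel in this chunk
  std::vector<uint8_t> bytes;  // raw storage: frames * bytes-per-sample
};

size_t BytesPerSample(SampleFormat f) {
  return f == SampleFormat::S16 ? sizeof(int16_t) : sizeof(float);
}

// Bytes a float-assuming copy of `frames` samples would read past the end of
// the chunk's storage; 0 means the copy stays in bounds.
size_t FloatCopyOverread(const AudioChunk& c) {
  size_t wanted = c.frames * sizeof(float);
  return wanted > c.bytes.size() ? wanted - c.bytes.size() : 0;
}

// Buggy pattern: copy frames * sizeof(float) bytes regardless of the format the
// source actually delivered. The guard keeps this model memory-safe and returns
// false exactly where the unguarded copy would overread the heap buffer.
bool MixAssumingFloat(const AudioChunk& c, std::vector<float>& out) {
  if (FloatCopyOverread(c) != 0) return false;  // would be heap-buffer-overflow
  out.resize(c.frames);
  std::memcpy(out.data(), c.bytes.data(), c.frames * sizeof(float));
  return true;
}

// Hardened form: size the read from the declared format, and convert 16-bit
// samples to float instead of reinterpreting their bytes.
bool MixByFormat(const AudioChunk& c, std::vector<float>& out) {
  if (c.bytes.size() < c.frames * BytesPerSample(c.format)) return false;
  out.resize(c.frames);
  if (c.format == SampleFormat::F32) {
    std::memcpy(out.data(), c.bytes.data(), c.frames * sizeof(float));
    return true;
  }
  for (size_t i = 0; i < c.frames; ++i) {
    int16_t s;
    std::memcpy(&s, c.bytes.data() + i * sizeof(int16_t), sizeof(int16_t));
    out[i] = static_cast<float>(s) / 32768.0f;  // scale to [-1, 1)
  }
  return true;
}

// Constructed input: a chunk of 16-bit samples, every sample set to `value`.
AudioChunk MakeS16Chunk(size_t frames, int16_t value) {
  AudioChunk c{SampleFormat::S16, frames,
               std::vector<uint8_t>(frames * sizeof(int16_t))};
  for (size_t i = 0; i < frames; ++i) {
    std::memcpy(c.bytes.data() + i * sizeof(int16_t), &value, sizeof(int16_t));
  }
  return c;
}
```

Running FloatCopyOverread on a 512-frame S16 chunk returns 1024, the gap between the buffer end and the bytes the float copy would want.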

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon