Closed Bug 1662760 Opened 4 years ago Closed 4 years ago

AddressSanitizer: heap-use-after-free [@ fetch_add] with WRITE of size 8

Categories

(Core :: Audio/Video: MediaStreamGraph, defect, P1)

60 Branch
defect

Tracking

RESOLVED FIXED
83 Branch
Tracking Status
firefox-esr78 82+ fixed
firefox81 --- wontfix
firefox82 --- fixed
firefox83 --- fixed

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:confirm][post-critsmash-triage][sec-survey][adv-main82+r][adv-esr78.4+r])

Attachments

(1 file)

Found while fuzzing mozilla-central rev 2766680ff190. I'm currently reducing the testcase and will attach it once complete.

==24376==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000434c28 at pc 0x7f46f36c9a05 bp 0x7fff01a04670 sp 0x7fff01a04668
WRITE of size 8 at 0x608000434c28 thread T0 (file:// Content)
    #0 0x7f46f36c9a04 in fetch_add /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:514:16
    #1 0x7f46f36c9a04 in operator++ /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:354:19
    #2 0x7f46f36c9a04 in AddRef /gecko/dom/media/MediaTrackListener.h:38:3
    #3 0x7f46f36c9a04 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:39
    #4 0x7f46f36c9a04 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:380:35
    #5 0x7f46f36c9a04 in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:109:7
    #6 0x7f46f36c9a04 in mozilla::MediaPipelineReceiveAudio::MediaPipelineReceiveAudio(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, RefPtr<mozilla::MediaTransportHandler>, RefPtr<nsISerialEventTarget>, RefPtr<nsISerialEventTarget>, RefPtr<mozilla::AudioSessionConduit>, RefPtr<mozilla::dom::MediaStreamTrack> const&, nsMainThreadPtrHandle<nsIPrincipal> const&) /gecko/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:1528:7
    #7 0x7f46f3749927 in mozilla::dom::RTCRtpReceiver::RTCRtpReceiver(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::MediaSessionConduit*) /gecko/media/webrtc/signaling/src/peerconnection/RTCRtpReceiver.cpp:111:21
    #8 0x7f46f3756dc9 in mozilla::TransceiverImpl::TransceiverImpl(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::dom::MediaStreamTrack*, mozilla::WebRtcCallWrapper*) /gecko/media/webrtc/signaling/src/peerconnection/TransceiverImpl.cpp:78:11
    #9 0x7f46f3724344 in mozilla::PeerConnectionMedia::AddTransceiver(mozilla::JsepTransceiver*, mozilla::dom::MediaStreamTrack*, RefPtr<mozilla::TransceiverImpl>*) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:622:45
    #10 0x7f46f3724028 in mozilla::PeerConnectionImpl::CreateTransceiverImpl(mozilla::JsepTransceiver*, mozilla::dom::MediaStreamTrack*, mozilla::ErrorResult&) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:982:17
    #11 0x7f46f372a7ac in mozilla::PeerConnectionImpl::SetRemoteDescription(int, char const*) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1442:11
    #12 0x7f46f58f9558 in mozilla::PeerConnectionImpl::SetRemoteDescription(int, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.h:256:10
    #13 0x7f46f58f91b3 in mozilla::dom::PeerConnectionImpl_Binding::setRemoteDescription(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/PeerConnectionImplBinding.cpp:286:24
    #14 0x7f46f6b9f308 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3227:13
    #15 0x7f46fd24ab68 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #16 0x7f46fd24ab68 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #17 0x7f46fd24ce8b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #18 0x7f46fd233c01 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:668:10
    #19 0x7f46fd233c01 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3336:16
    #20 0x7f46fd2147d0 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #21 0x7f46fd24acf9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #22 0x7f46fd24ce8b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #23 0x7f46fd24d210 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #24 0x7f46fd5c44d7 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) /gecko/js/src/builtin/Promise.cpp:2444:15
    #25 0x7f46fd60e186 in PromiseConstructor(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2365:7
    #26 0x7f46fd24db78 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #27 0x7f46fd24db78 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:523:8
    #28 0x7f46fd24db78 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /gecko/js/src/vm/Interpreter.cpp:708:14
    #29 0x7f46fd24d4b3 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /gecko/js/src/vm/Interpreter.cpp:754:10
    #30 0x7f46fd219dbc in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3326:16
    #31 0x7f46fd2147d0 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #32 0x7f46fd24acf9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #33 0x7f46fd24ce8b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #34 0x7f46fd24d210 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #35 0x7f46fd8afc94 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1694:10
    #36 0x7f46fe1c331d in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Value*, JS::MutableHandle<JS::Value>) /gecko/js/src/jit/VMFunctions.cpp:1014:10
    #37 0x7f46682fdaff  (<unknown module>)

0x608000434c28 is located 8 bytes inside of 96-byte region [0x608000434c20,0x608000434c80)
freed by thread T0 (file:// Content) here:
    #0 0x55a5d9f5d3ed in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f46f7b63da7 in Release /gecko/dom/media/MediaTrackListener.h:38:3
    #2 0x7f46f7b63da7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #3 0x7f46f7b63da7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #4 0x7f46f7b63da7 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #5 0x7f46f7b63da7 in ~Message /gecko/dom/media/MediaTrackGraph.cpp:2190:9
    #6 0x7f46f7b63da7 in mozilla::MediaTrack::AddListener(mozilla::MediaTrackListener*)::Message::~Message() /gecko/dom/media/MediaTrackGraph.cpp:2190:9
    #7 0x7f46f7b1f503 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
    #8 0x7f46f7b1f503 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #9 0x7f46f7b1f503 in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:253:18
    #10 0x7f46f7b1f503 in mozilla::MediaTrack::AddListener(mozilla::MediaTrackListener*) /gecko/dom/media/MediaTrackGraph.cpp:2201:3
    #11 0x7f46f36c9e77 in mozilla::MediaPipelineReceiveAudio::PipelineListener::PipelineListener(RefPtr<nsISerialEventTarget>, RefPtr<mozilla::dom::MediaStreamTrack> const&, RefPtr<mozilla::MediaSessionConduit>, nsMainThreadPtrHandle<nsIPrincipal> const&) /gecko/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:1365:14
    #12 0x7f46f36c9719 in mozilla::MediaPipelineReceiveAudio::MediaPipelineReceiveAudio(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, RefPtr<mozilla::MediaTransportHandler>, RefPtr<nsISerialEventTarget>, RefPtr<nsISerialEventTarget>, RefPtr<mozilla::AudioSessionConduit>, RefPtr<mozilla::dom::MediaStreamTrack> const&, nsMainThreadPtrHandle<nsIPrincipal> const&) /gecko/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:1528:30
    #13 0x7f46f3749927 in mozilla::dom::RTCRtpReceiver::RTCRtpReceiver(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::MediaSessionConduit*) /gecko/media/webrtc/signaling/src/peerconnection/RTCRtpReceiver.cpp:111:21
    #14 0x7f46f3756dc9 in mozilla::TransceiverImpl::TransceiverImpl(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::dom::MediaStreamTrack*, mozilla::WebRtcCallWrapper*) /gecko/media/webrtc/signaling/src/peerconnection/TransceiverImpl.cpp:78:11
    #15 0x7f46f3724344 in mozilla::PeerConnectionMedia::AddTransceiver(mozilla::JsepTransceiver*, mozilla::dom::MediaStreamTrack*, RefPtr<mozilla::TransceiverImpl>*) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:622:45
    #16 0x7f46f3724028 in mozilla::PeerConnectionImpl::CreateTransceiverImpl(mozilla::JsepTransceiver*, mozilla::dom::MediaStreamTrack*, mozilla::ErrorResult&) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:982:17
    #17 0x7f46f372a7ac in mozilla::PeerConnectionImpl::SetRemoteDescription(int, char const*) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1442:11
    #18 0x7f46f58f9558 in mozilla::PeerConnectionImpl::SetRemoteDescription(int, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.h:256:10
    #19 0x7f46f58f91b3 in mozilla::dom::PeerConnectionImpl_Binding::setRemoteDescription(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/PeerConnectionImplBinding.cpp:286:24
    #20 0x7f46f6b9f308 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3227:13
    #21 0x7f46fd24ab68 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #22 0x7f46fd24ab68 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #23 0x7f46fd24ce8b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #24 0x7f46fd233c01 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:668:10
    #25 0x7f46fd233c01 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3336:16
    #26 0x7f46fd2147d0 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #27 0x7f46fd24acf9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #28 0x7f46fd24ce8b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #29 0x7f46fd24d210 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8

previously allocated by thread T0 (file:// Content) here:
    #0 0x55a5d9f5d66d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55a5d9f9395d in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f46f36c964d in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f46f36c964d in mozilla::MediaPipelineReceiveAudio::MediaPipelineReceiveAudio(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, RefPtr<mozilla::MediaTransportHandler>, RefPtr<nsISerialEventTarget>, RefPtr<nsISerialEventTarget>, RefPtr<mozilla::AudioSessionConduit>, RefPtr<mozilla::dom::MediaStreamTrack> const&, nsMainThreadPtrHandle<nsIPrincipal> const&) /gecko/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:1528:26
    #4 0x7f46f3749927 in mozilla::dom::RTCRtpReceiver::RTCRtpReceiver(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::MediaSessionConduit*) /gecko/media/webrtc/signaling/src/peerconnection/RTCRtpReceiver.cpp:111:21
    #5 0x7f46f3756dc9 in mozilla::TransceiverImpl::TransceiverImpl(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::dom::MediaStreamTrack*, mozilla::WebRtcCallWrapper*) /gecko/media/webrtc/signaling/src/peerconnection/TransceiverImpl.cpp:78:11
    #6 0x7f46f3724344 in mozilla::PeerConnectionMedia::AddTransceiver(mozilla::JsepTransceiver*, mozilla::dom::MediaStreamTrack*, RefPtr<mozilla::TransceiverImpl>*) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:622:45
    #7 0x7f46f3724028 in mozilla::PeerConnectionImpl::CreateTransceiverImpl(mozilla::JsepTransceiver*, mozilla::dom::MediaStreamTrack*, mozilla::ErrorResult&) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:982:17
    #8 0x7f46f372a7ac in mozilla::PeerConnectionImpl::SetRemoteDescription(int, char const*) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1442:11
    #9 0x7f46f58f9558 in mozilla::PeerConnectionImpl::SetRemoteDescription(int, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /gecko/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.h:256:10
    #10 0x7f46f58f91b3 in mozilla::dom::PeerConnectionImpl_Binding::setRemoteDescription(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/PeerConnectionImplBinding.cpp:286:24
    #11 0x7f46f6b9f308 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3227:13
    #12 0x7f46fd24ab68 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #13 0x7f46fd24ab68 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #14 0x7f46fd24ce8b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #15 0x7f46fd233c01 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:668:10
    #16 0x7f46fd233c01 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3336:16
    #17 0x7f46fd2147d0 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #18 0x7f46fd24acf9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #19 0x7f46fd24ce8b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #20 0x7f46fd24d210 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #21 0x7f46fd5c44d7 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) /gecko/js/src/builtin/Promise.cpp:2444:15
    #22 0x7f46fd60e186 in PromiseConstructor(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2365:7

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:514:16 in fetch_add
Shadow bytes around the buggy address:
  0x0c108007e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108007e940: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108007e950: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108007e960: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108007e970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c108007e980: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c108007e990: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108007e9a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108007e9b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c108007e9c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108007e9d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
Keywords: bugmon
Group: core-security → media-core-security
Keywords: sec-high

Hey Dan, can you find an owner for this? It's a sec-high. Thanks!

Flags: needinfo?(dminor)

This is a little outside of my area. Andreas or Byron, do either of you have some time to investigate this? Thanks!

Flags: needinfo?(docfaraday)
Flags: needinfo?(dminor)
Flags: needinfo?(apehrson)

Looks like this RefPtr is constructed and destroyed from this path before being assigned to the member RefPtr.

So the refcount goes like:
PipelineListener ctor does new: 0
AddListener::Message: 1
AddListener::~Message (after RunDuringShutdown): 0 (destroyed)
PipelineListener ctor continues with RefPtr(): 1 (UAF)

One question that arises is how this could happen after MTG shutdown.

Adding some MTG people to CC. Jason, did you manage to reduce this?

Severity: normal → S3
Component: WebRTC → Audio/Video: MediaStreamGraph
Flags: needinfo?(jkratzer)
Flags: needinfo?(docfaraday)
Flags: needinfo?(apehrson)
Priority: -- → P1

For now I'm thinking of reworking the PipelineListener ctor to avoid using this before having run to completion (and the callsite having done its AddRef). Either by proxying the MediaTrackListener interface through a new member, or by lifting the AddListener call up to the parent.

Assignee: nobody → apehrson
Status: NEW → ASSIGNED
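The refcount sequence from comment 3 and the fix outlined in the comment right above (moving the AddListener call out of the constructor so the caller already holds a reference), modelled as an added example that is not Firefox code. Track, Listener, Message and Setup are hypothetical stand-ins for MediaTrack, MediaTrackListener, MediaTrack::AddListener's Message and the patch's dedicated setup method; the model marks an object destroyed instead of freeing it so the hazard is observable without undefined behaviour.

```cpp
// Added example, not Firefox code: a model of the refcount sequence in comment 3.
// Track, Listener, Message and Setup are hypothetical stand-ins for MediaTrack,
// MediaTrackListener, MediaTrack::AddListener's Message and the patch's setup method.
#include <utility>
#include <vector>

// Minimal intrusive refcount. Real code would `delete this` at zero; here the
// object is only marked destroyed so the hazard stays observable without UB.
// mTrace records the count after every change.
struct RefCounted {
  int mRefCnt = 0;
  bool mDestroyed = false;
  bool mUseAfterFree = false;
  std::vector<int> mTrace;
  void AddRef() {
    if (mDestroyed) mUseAfterFree = true;  // the write ASan reported in fetch_add
    mTrace.push_back(++mRefCnt);
  }
  void Release() {
    mTrace.push_back(--mRefCnt);
    if (mRefCnt == 0) mDestroyed = true;  // real code: delete this
  }
};

// Just enough of mozilla::RefPtr semantics for this model.
template <class T> struct RefPtr {
  T* mPtr = nullptr;
  explicit RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(RefPtr&& aOther) noexcept : mPtr(aOther.mPtr) { aOther.mPtr = nullptr; }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  ~RefPtr() { if (mPtr) mPtr->Release(); }
};

struct Track;
struct Listener : RefCounted {
  // Buggy pattern: hand `this` to AddListener from inside the constructor,
  // before the caller has taken its own reference.
  Listener(Track* aTrack, bool aAddInCtor);
  // Fixed pattern: a dedicated setup step run once the caller holds a RefPtr.
  void Setup(Track* aTrack);
};

// The graph side. After shutdown, AppendMessage runs RunDuringShutdown and
// destroys the Message immediately, dropping the RefPtr it holds.
struct Track {
  bool mShutdown;
  std::vector<RefPtr<Listener>> mListeners;
  explicit Track(bool aShutdown) : mShutdown(aShutdown) {}
  void AddListener(Listener* aListener) {
    struct Message { RefPtr<Listener> mListener; };
    Message msg{RefPtr<Listener>(aListener)};          // Message takes a reference
    if (mShutdown) return;                             // ~Message: reference dropped
    mListeners.push_back(std::move(msg.mListener));    // live graph keeps it alive
  }
};

Listener::Listener(Track* aTrack, bool aAddInCtor) {
  if (aAddInCtor) aTrack->AddListener(this);
}
void Listener::Setup(Track* aTrack) { aTrack->AddListener(this); }

struct Result {
  bool uaf = false;         // did the caller's RefPtr touch a destroyed object?
  std::vector<int> counts;  // refcount after each step, up to the caller's RefPtr
};

// Runs one construction pattern against a live or a shut-down graph.
Result RunScenario(bool aShutdown, bool aAddInCtor) {
  Track track(aShutdown);
  Listener* raw = new Listener(&track, aAddInCtor);
  Result result;
  {
    RefPtr<Listener> member(raw);  // the member RefPtr from the stack trace
    if (!aAddInCtor) raw->Setup(&track);
    result.uaf = raw->mUseAfterFree;
    result.counts = raw->mTrace;
    track.mListeners.clear();  // graph drops its reference before the object goes
  }
  delete raw;  // bookkeeping for the model only; Release() already "freed" it
  return result;
}
```

With a shut-down graph the buggy pattern traces 1, 0, 1 (the last AddRef lands on a destroyed object, matching comment 3), while the setup-method pattern traces 1, 2, 1 and never touches freed memory.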

I audited all calls to AppendMessage and didn't find any cases of passing this in the ctor apart from MediaPipelineReceiveAudio::PipelineListener (seen in the stack trace above) and MediaPipelineReceiveVideo::PipelineListener which is the video version.

This seems like a regression from d0172a1b5d (bug 1408294).

Keywords: regression
Regressed by: 1408294
Version: Trunk → 60 Branch
Has Regression Range: --- → yes

(In reply to Andreas Pehrson [:pehrsons] from comment #3)

> Looks like this RefPtr is constructed and destroyed from this path before being assigned to the member RefPtr.
>
> So the refcount goes like:
> PipelineListener ctor does new: 0
> AddListener::Message: 1
> AddListener::~Message (after RunDuringShutdown): 0 (destroyed)
> PipelineListener ctor continues with RefPtr(): 1 (UAF)
>
> One question that arises is how this could happen after MTG shutdown.
>
> Adding some MTG people to CC. Jason, did you manage to reduce this?

Andreas, no unfortunately not. Reduction fails to minimize the testcase enough to identify the exact cause of the issue. I've also tried over the course of several days to get a pernosco session for this issue but have been unable to do so.

Flags: needinfo?(jkratzer)

Comment on attachment 9179630 [details]
Bug 1662760 - Add dedicated setup method to audio and video receivers. r?padenot

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Understanding the failure mode is fairly easy. Constructing something that reaches the trigger conditions would be difficult and highly timing dependent.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all (introduced in 60)
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: They either apply directly, or can be trivially created.
  • How likely is this patch to cause regressions; how much testing does it need?: Very low risk given its simplicity.
Attachment #9179630 - Flags: sec-approval?
Attachment #9179630 - Flags: sec-approval? → sec-approval+
Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

Comment on attachment 9179630 [details]
Bug 1662760 - Add dedicated setup method to audio and video receivers. r?padenot

Beta/Release Uplift Approval Request

  • User impact if declined: Possible UAF.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial change.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Possible UAF.
  • Fix Landed on Version: 83
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial change.
  • String or UUID changes made by this patch:
Attachment #9179630 - Flags: approval-mozilla-esr78?
Attachment #9179630 - Flags: approval-mozilla-beta?

(In reply to Andreas Pehrson [:pehrsons] from comment #12)

> Comment on attachment 9179630 [details]
>
>   • Has the fix been verified in Nightly?: No

Perhaps the fuzzing team can help to verify this in Nightly. Jason?

Flags: needinfo?(jkratzer)

Comment on attachment 9179630 [details]
Bug 1662760 - Add dedicated setup method to audio and video receivers. r?padenot

approved for 82.0b9 and 78.4.0esr

Attachment #9179630 - Flags: approval-mozilla-esr78?
Attachment #9179630 - Flags: approval-mozilla-esr78+
Attachment #9179630 - Flags: approval-mozilla-beta?
Attachment #9179630 - Flags: approval-mozilla-beta+

(In reply to Andreas Pehrson [:pehrsons] from comment #13)

> (In reply to Andreas Pehrson [:pehrsons] from comment #12)
>
> > Comment on attachment 9179630 [details]
> >
> >   • Has the fix been verified in Nightly?: No
>
> Perhaps the fuzzing team can help to verify this in Nightly. Jason?

I have been unable to reproduce this issue on the latest nightly build.

Flags: needinfo?(jkratzer)
Flags: qe-verify-
Whiteboard: [bugmon:confirm] → [bugmon:confirm][post-critsmash-triage]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(apehrson)
Whiteboard: [bugmon:confirm][post-critsmash-triage] → [bugmon:confirm][post-critsmash-triage][sec-survey]
Flags: needinfo?(apehrson)
Whiteboard: [bugmon:confirm][post-critsmash-triage][sec-survey] → [bugmon:confirm][post-critsmash-triage][sec-survey][adv-main82+r]
Whiteboard: [bugmon:confirm][post-critsmash-triage][sec-survey][adv-main82+r] → [bugmon:confirm][post-critsmash-triage][sec-survey][adv-main82+r][adv-esr78.4+r]
Group: core-security-release