Closed Bug 1671923 Opened 4 years ago Closed 4 years ago

ThreadSanitizer: data race on secondary_sinks_ [@RtpVideoStreamReceiver::RemoveSecondarySink] vs [@RtpVideoStreamReceiver::OnRtpPacket]

Categories

(Core :: WebRTC: Audio/Video, defect, P1)

Product:
Core
Component:
WebRTC: Audio/Video
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
firefox-esr78 83+ fixed
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 + fixed
firefox84 + fixed

People

(Reporter: bwc, Assigned: bwc)

References

(Blocks 1 open bug)

Details

(Keywords: sec-high, Whiteboard: [sec-survey][adv-main83+r][adv-esr78.5+r])

Attachments

(2 files)

try output
24.04 KB, text/plain
Details
Bug 1671923: Lock to protect secondary_sinks_ r?dminor
47 bytes, text/x-phabricator-request
tjr
: approval-mozilla-beta+
tjr
: approval-mozilla-esr78+
tjr
: sec-approval+
Details | Review
Attached file try output 

    
    

    
  
We seem to be locking that mutex everywhere else we use |secondary_sinks_|, so maybe the fix is simply to do that. I suppose there's a chance of causing a deadlock bug though.


Assignee: nobody → docfaraday
Severity: -- → S2
Priority: -- → P1

    
    

    
  
Is upstream affected by this?



    
    

    
  
It looks like the current version of webrtc.org is assuming that all accesses are coming from a single thread (a worker thread inside webrtc.org); this is going to pose a bit of a problem for our update to webrtc.org. Just a heads up.


https://source.chromium.org/chromium/chromium/src/+/master:third_party/webrtc/video/rtp_video_stream_receiver.h;l=377;bpv=1;bpt=1?q=secondary_sinks_&ss=chromium



    
    

    
  
It looks like we're going to either be forced to make a lot of invasive modifications to webrtc.org, or we're going to have to find a way to play along with their threading model (ie; we're going to need to dispatch our tasks to their threads). How hard is the latter going to be?


Flags: needinfo?(dminor)

    
    

    
  
That isn't really a simple question to answer, but I'm not sure if we have much choice but to move to their threading model eventually if we want to continue to be able to update from upstream. They've been tightening up threading assertions with each release and we've had to disable them locally, which is obviously not idea. The last time I looked at this (Bug 1499379) a large source of the pain was the way we gather stats, but I'm not sure if that is still the case.


I'm still looking at rebasing our changes on top of the new upstream. Once that is done, I'll start looking into API changes we need to make, which would include making our threading model align better with theirs.


For now, I'd just fix this problem in whatever way is convenient with our current version of libwebrtc.


Flags: needinfo?(dminor)

    
    

    
  


  
Depends on D94155



    
    

    
  
Try looks ok here.



    
    

    
  
Marking sec-high because this could cause UAF.


Keywords: sec-high

    
    

    
  
Comment on attachment 9182704 [details]

Bug 1671923: Lock to protect secondary_sinks_ r?dminor


Security Approval Request


    

  • How easily could an exploit be constructed based on the patch?: Triggering this bug would probably be somewhat hard timing-wise, since the window of opportunity is narrow. The patch is very simple, and the sec flaw is pretty obvious given the patch.
    • 

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
    • 

  • Which older supported branches are affected by this flaw?: all
    • 

  • If not all supported branches, which bug introduced the flaw?: None
    • 

  • Do you have backports for the affected branches?: No
    • 

  • If not, how different, hard to create, and risky will they be?: Probably trivial.
    • 

  • How likely is this patch to cause regressions; how much testing does it need?: There is a chance that this could result in deadlock bugs, but it looks like this chance is small.
    • 




        Attachment #9182704 -
        Flags: sec-approval?

    
    

    
  
Comment on attachment 9182704 [details]

Bug 1671923: Lock to protect secondary_sinks_ r?dminor


Approved to land and uplift



        Attachment #9182704 -
        Flags: sec-approval?

        Attachment #9182704 -
        Flags: sec-approval+

        Attachment #9182704 -
        Flags: approval-mozilla-esr78+

        Attachment #9182704 -
        Flags: approval-mozilla-beta+

    
    

    
  
https://hg.mozilla.org/integration/autoland/rev/a13c03cd62a535a892ca6571ebff6c9af8c0096f

https://hg.mozilla.org/mozilla-central/rev/a13c03cd62a5


Group: core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago

          status-firefox84:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch

    
    

    
  
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.


Please visit this google form to reply.


Flags: needinfo?(docfaraday)
Whiteboard: [sec-survey]

    
  
Flags: needinfo?(docfaraday)
Whiteboard: [sec-survey] → [sec-survey][adv-main83+r]
Whiteboard: [sec-survey][adv-main83+r] → [sec-survey][adv-main83+r][adv-esr78.5+r]
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: