Closed Bug 1678504 Opened 4 years ago Closed 2 years ago

heap-use-after-free in [@ mozilla::camera::VideoEngine::GetOrCreateVideoCaptureDeviceInfo]

Categories

(Core :: WebRTC: Audio/Video, defect)

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox85 --- wontfix
firefox86 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-high)

This was found while reducing another test case. I am currently trying to find a reliable test case to reduce.

==17214==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0001a9380 at pc 0x7f59d430ed1f bp 0x7f599e6661f0 sp 0x7f599e6661e8
READ of size 8 at 0x60e0001a9380 thread T205 (VideoCapture)
    #0 0x7f59d430ed1e in swap<webrtc::VideoCaptureModule::DeviceInfo *> /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/move.h:199:13
    #1 0x7f59d430ed1e in swap /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/shared_ptr_base.h:1274:2
    #2 0x7f59d430ed1e in std::enable_if<__sp_is_constructible<webrtc::VideoCaptureModule::DeviceInfo, webrtc::VideoCaptureModule::DeviceInfo>::value, void>::type std::__shared_ptr<webrtc::VideoCaptureModule::DeviceInfo, (__gnu_cxx::_Lock_policy)2>::reset<webrtc::VideoCaptureModule::DeviceInfo>(webrtc::VideoCaptureModule::DeviceInfo*) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/shared_ptr_base.h:1243:22
    #3 0x7f59d42fdd27 in mozilla::camera::VideoEngine::GetOrCreateVideoCaptureDeviceInfo() /gecko/dom/media/systemservices/VideoEngine.cpp:189:19
    #4 0x7f59d431e330 in operator() /gecko/dom/media/systemservices/CamerasParent.cpp:448:34
    #5 0x7f59d431e330 in mozilla::media::LambdaRunnable<mozilla::camera::CamerasParent::RecvNumberOfCaptureDevices(mozilla::camera::CaptureEngine const&)::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaUtils.h:76:27
    #6 0x7f59cd8211f7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1194:14
    #7 0x7f59cd82c2ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #8 0x7f59ceb23c72 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:332:5
    #9 0x7f59cea1a371 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #10 0x7f59cea1a371 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #11 0x7f59cea1a371 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #12 0x7f59cea3ada8 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #13 0x7f59cea2ccbc in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #14 0x7f59ea18d608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
    #15 0x7f59e9d56292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60e0001a9380 is located 32 bytes inside of 160-byte region [0x60e0001a9360,0x60e0001a9400)
freed by thread T205 (VideoCapture) here:
    #0 0x55ffc54b5b3d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f59d42fe7eb in AssignWithAddref /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:166:5
    #2 0x7f59d42fe7eb in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:120:5
    #3 0x7f59d42fe7eb in mozilla::camera::CamerasParent::CloseEngines() /gecko/dom/media/systemservices/CamerasParent.cpp:412:16
    #4 0x7f59d431c7da in operator() /gecko/dom/media/systemservices/CamerasParent.cpp:219:15
    #5 0x7f59d431c7da in mozilla::media::LambdaRunnable<mozilla::camera::CamerasParent::StopVideoCapture()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaUtils.h:76:27
    #6 0x7f59cd8211f7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1194:14
    #7 0x7f59cd80a211 in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #8 0x7f59cd80a211 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventTarget.cpp:93:9)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:362:25
    #9 0x7f59cd80a211 in mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/ThreadEventTarget.cpp:92:5
    #10 0x7f59cd81d8d9 in nsThread::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThread.cpp:705:24
    #11 0x7f59cd8172c6 in NS_DispatchToMainThread(already_AddRefed<nsIRunnable>&&, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:265:18
    #12 0x7f59d4315ed2 in webrtc::DesktopDeviceInfoImpl::InitializeTabList() /gecko/dom/media/systemservices/video_engine/tab_capturer.cc:234:3
    #13 0x7f59d8a253dc in Init /gecko/third_party/libwebrtc/webrtc/modules/desktop_capture/desktop_device_info.cc:232:3
    #14 0x7f59d8a253dc in webrtc::DesktopDeviceInfoImpl::Create() /gecko/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/desktop_device_info_x11.cc:18:49
    #15 0x7f59d4310729 in webrtc::BrowserDeviceInfoImpl::Init() /gecko/dom/media/systemservices/video_engine/desktop_capture_impl.cc:218:42
    #16 0x7f59d430edaa in webrtc::DesktopCaptureImpl::CreateDeviceInfo(int, webrtc::CaptureDeviceType) /gecko/dom/media/systemservices/video_engine/desktop_capture_impl.cc:315:60
    #17 0x7f59d42fdd1c in mozilla::camera::VideoEngine::GetOrCreateVideoCaptureDeviceInfo() /gecko/dom/media/systemservices/VideoEngine.cpp:189:25
    #18 0x7f59d431e330 in operator() /gecko/dom/media/systemservices/CamerasParent.cpp:448:34
    #19 0x7f59d431e330 in mozilla::media::LambdaRunnable<mozilla::camera::CamerasParent::RecvNumberOfCaptureDevices(mozilla::camera::CaptureEngine const&)::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaUtils.h:76:27
    #20 0x7f59cd8211f7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1194:14
    #21 0x7f59cd82c2ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #22 0x7f59ceb23c72 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:332:5
    #23 0x7f59cea1a371 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #24 0x7f59cea1a371 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #25 0x7f59cea1a371 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #26 0x7f59cea3ada8 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #27 0x7f59cea2ccbc in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #28 0x7f59ea18d608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T205 (VideoCapture) here:
    #0 0x55ffc54b5dbd in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55ffc54fa5ed in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f59d42fd5a5 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f59d42fd5a5 in mozilla::camera::VideoEngine::Create(mozilla::UniquePtr<webrtc::Config const, mozilla::DefaultDelete<webrtc::Config const> >&&) /gecko/dom/media/systemservices/VideoEngine.cpp:214:20
    #4 0x7f59d42fcd58 in mozilla::camera::CamerasParent::SetupEngine(mozilla::camera::CaptureEngine) /gecko/dom/media/systemservices/CamerasParent.cpp:360:14
    #5 0x7f59d42fef66 in mozilla::camera::CamerasParent::EnsureInitialized(int) /gecko/dom/media/systemservices/CamerasParent.cpp:427:8
    #6 0x7f59d431e30b in operator() /gecko/dom/media/systemservices/CamerasParent.cpp:447:29
    #7 0x7f59d431e30b in mozilla::media::LambdaRunnable<mozilla::camera::CamerasParent::RecvNumberOfCaptureDevices(mozilla::camera::CaptureEngine const&)::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaUtils.h:76:27
    #8 0x7f59cd8211f7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1194:14
    #9 0x7f59cd82c2ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #10 0x7f59ceb23c72 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:332:5
    #11 0x7f59cea1a371 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #12 0x7f59cea1a371 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #13 0x7f59cea1a371 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #14 0x7f59cea3ada8 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #15 0x7f59cea2ccbc in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #16 0x7f59ea18d608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8

Thread T205 (VideoCapture) created by T0 here:
    #0 0x55ffc54a082a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f59cea26aec in CreateThread /gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f59cea26aec in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f59cea3a5cd in base::Thread::StartWithOptions(base::Thread::Options const&) /gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f59d432ca65 in operator() /gecko/dom/media/systemservices/CamerasParent.cpp:1118:39
    #5 0x7f59d432ca65 in mozilla::media::LambdaRunnable<mozilla::camera::CamerasParent::CamerasParent()::$_14>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaUtils.h:76:27
    #6 0x7f59cd7f8b69 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:450:16
    #7 0x7f59cd7f5627 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:720:26
    #8 0x7f59cd7f3567 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:579:15
    #9 0x7f59cd7f39bd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:373:36
    #10 0x7f59cd800651 in operator() /gecko/xpcom/threads/TaskController.cpp:120:37
    #11 0x7f59cd800651 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #12 0x7f59cd82108b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1194:14
    #13 0x7f59cd82c2ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #14 0x7f59ceb2249f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #15 0x7f59cea1a371 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #16 0x7f59cea1a371 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #17 0x7f59cea1a371 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #18 0x7f59d58771e7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #19 0x7f59d9372d9a in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:270:30
    #20 0x7f59d9596c0f in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5105:22
    #21 0x7f59d9598fcb in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5297:8
    #22 0x7f59d95998d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5353:21
    #23 0x55ffc54e9025 in do_main /gecko/browser/app/nsBrowserApp.cpp:218:22
    #24 0x55ffc54e9025 in main /gecko/browser/app/nsBrowserApp.cpp:336:16
    #25 0x7f59e9c5b0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

A Pernosco session is available here: https://pernos.co/debug/pXnyxjjYB83DZpobN-HfYQ/index.html

Keywords: sec-high

The severity field is not set for this bug.
:jib, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jib)
Flags: needinfo?(jib)

Marking as S2 for now, until we can find out if this is a regression or not. If it's not I'd say S3.

Severity: -- → S2

Hey Tyson, did you manage to generate a good test case here?

Blocks: media-triage
Flags: needinfo?(twsmith)
Blocks: webrtc-triage
No longer blocks: media-triage

(In reply to Jim Mathies [:jimm] from comment #4)

> Hey Tyson, did you manage to generate a good test case here?

No sorry, this issue has only been reported once by the fuzzers and the test case is not reliable enough to reduce. Does the Pernosco session contain enough information to address the issue?

Flags: needinfo?(twsmith)
Keywords: stalled
No longer blocks: webrtc-triage
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: media-core-security