ThreadSanitizer: data race [@ ReverbInputBuffer::writeIndex] vs. [@ ReverbInputBuffer::write]
Categories
(Core :: Web Audio, defect)
Tracking
()
People
(Reporter: Gankra, Assigned: Gankra)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-race, sec-high, Whiteboard: [sec-survey][adv-main85+r][adv-esr78.7+r])
Attachments
(2 files)
|
73.60 KB,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
tjr
:
approval-mozilla-beta+
tjr
:
approval-mozilla-esr78+
tjr
:
sec-approval+
|
Details | Review |
Found while bringing up wpt under tsan. Tentatively marking as security in case this can cause buffer overruns.
It looks like m_writeIndex needs to be atomic. The documentation on writeIndex even says "Background threads can call this to check if there's anything to read". Not sure if a more robust synchronization of the state is also required.
This code is extremely old and pulled in from Chrome, so presumably they have fixed this issue upstream by now?
Permalinks to problematic lines:
General information about TSan reports
Why fix races?
Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.
Rating
If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.
False Positives / Benign Races
Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].
[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[2] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[3] How to miscompile programs with "benign" data races: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
Suppressing unfixable races
If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.
|
||
Updated•3 years ago
|
|
|
||
Comment 1•3 years ago
|
||
Yeah, looks like you are right. It appears to be atomic now in Chromium: https://chromium.googlesource.com/chromium/src/+/HEAD/third_party/blink/renderer/platform/audio/reverb_input_buffer.h
| Comment hidden (obsolete) |
|
||
Updated•3 years ago
|
|
|
||
Comment 3•3 years ago
|
||
Oops, here's the actual commit that fixes the race: https://chromium.googlesource.com/chromium/src/+/e027b261dc44c339f395f2dba24c36923c405018
|
|
||
Updated•3 years ago
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 4•3 years ago
|
||
This mirrors the change made in https://chromium.googlesource.com/chromium/src/+/e027b261dc44c339f395f2dba24c36923c405018%5E%21/
Resolving an issue that chromium fixed in 2017, but was only now noticed in the firefox copy due to tsan. See also:
https://bugs.chromium.org/p/chromium/issues/detail?id=732918
I'm not sure why they changed the implementation to no longer silently drop writes that are too long, so I'm making the assertion a release one to be safe.
|
|
||
Comment 5•3 years ago
|
||
Chrome also only noticed it due to TSan. They filed it as a security bug, but it doesn't appear to have been assigned a rating.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
Comment on attachment 9193742 [details]
Bug 1682938 - fixup ReverbInputBuffer's writeIndex. r?mccr8
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Unclear. I expect this would mostly only allow you to read uninitialized/old waveform values into the sound system, creating some garbled noises. Google didn't do an analysis of how exploitable this was.
A comment I added indicates concurrency needs to be minded, but honestly that's just clear from patch making things atomic. I can remove it if desired, though.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all branches
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: It should backport cleanly to anything from 2019. Any earlier and some minor changes will need to be made for reformatting. Otherwise this code has largely been untouched since it was added.
- How likely is this patch to cause regressions; how much testing does it need?: It changes the "out of bounds write" behaviour from "silently dropping the write" to a release assert (because the chrome devs also applied that change). I'm not confident I've tested that it's fine sufficiently.
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9193742 [details]
Bug 1682938 - fixup ReverbInputBuffer's writeIndex. r?mccr8
Approved to land and uplift
|
|
||
Updated•3 years ago
|
|
||
Comment 8•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Comment 9•3 years ago
|
||
|
||
Comment 10•3 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 11•3 years ago
|
||
| uplift | ||
|
|
||
Comment 12•3 years ago
|
||
| uplift | ||
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
Description
•