Closed Bug 1722073 Opened 3 years ago Closed 3 years ago

AddressSanitizer: stack-use-after-scope [@ `anonymous namespace'::wasapi_find_matching_output_device] with READ of size 8

Categories

(Core :: Audio/Video: cubeb, defect, P1)

Product:
Core
Component:
Audio/Video: cubeb
Version:
Firefox 83
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
92 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- fixed
firefox90 --- wontfix
firefox91 + fixed
firefox92 + fixed
firefox93 --- fixed
firefox94 --- verified

People

(Reporter: cpeterson, Assigned: kinetik)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [adv-main91+r])

Attachments

(4 files)

ff_asan_log.22284.submitted
21.55 KB, text/plain
Details
GitHub Pull Request
41 bytes, text/x-github-pull-request
Details | Review
Bug 1722073 - Uplift cubeb fix for WASAPI backend. r?#cubeb-reviewers
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review
asan bt headset.txt
39.47 KB, text/plain
Details

Steps to reproduce

  1. Install a Firefox Nightly ASan build from https://firefox-source-docs.mozilla.org/tools/sanitizer/asan_nightly.html. I'm testing on Windows 10.
  2. Set security.sandbox.content.win32k-disable pref = true.
  3. Restart Nightly ASan.
  4. Open about:support.

Result

The browser crashes 100% of the time.

I don't see a crash reporter UI. Do the Nightly ASan builds automatically submit their crash reports to https://anf1.fuzzing.mozilla.org/crashproxy/submit/ (the asanreporter.apiurl pref value)?

Severity: -- → S2

The Bugbug bot thinks this bug should belong to the 'Toolkit::Crash Reporting' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: General → Crash Reporting
Product: Firefox → Toolkit

I think it dumps an ASan report into a file but I'm not sure where it is.

Component: Crash Reporting → General
Product: Toolkit → Core

This crash requires both ASan and Win32k Lockdown (security.sandbox.content.win32k-disable pref = true).

Blocks: win32k-lockdown
Severity: S2 → --
Component: General → Security: Process Sandboxing

This is a stack-use-after-scope error in cubeb.

Component: Security: Process Sandboxing → Audio/Video: cubeb
Summary: AddressSanitizer: about:support crashes with ASan → AddressSanitizer: stack-use-after-scope [@ `anonymous namespace'::wasapi_find_matching_output_device] with READ of size 8
Group: media-core-security
ERROR: AddressSanitizer: stack-use-after-scope on address 0x00fe1a67e478 at pc 0x7ff92668d1a1 bp 0x00fe1a67e280 sp 0x00fe1a67e2c8
READ of size 8 at 0x00fe1a67e478 thread T57
    #0 0x7ff92668d1a0 in `anonymous namespace'::wasapi_find_matching_output_device /builds/worker/checkouts/gecko/media/libcubeb/src/cubeb_wasapi.cpp:2284
    #1 0x7ff92668d1a0 in `anonymous namespace'::setup_wasapi_stream /builds/worker/checkouts/gecko/media/libcubeb/src/cubeb_wasapi.cpp:2342
    #2 0x7ff926681a3d in `anonymous namespace'::wasapi_stream_init /builds/worker/checkouts/gecko/media/libcubeb/src/cubeb_wasapi.cpp:2598
    #3 0x7ff92665a949 in cubeb_stream_init /builds/worker/checkouts/gecko/media/libcubeb/src/cubeb.c:357
    #4 0x7ff9297feae3 in cubeb_core::context::ContextRef::stream_init /builds/worker/checkouts/gecko/third_party/rust/cubeb-core/src/context.rs:111
    #5 0x7ff9297feae3 in audioipc_server::server::CubebServer::process_stream_init /builds/worker/checkouts/gecko/third_party/rust/audioipc-server/src/server.rs:790
    #6 0x7ff9297feae3 in audioipc_server::server::CubebServer::process_msg /builds/worker/checkouts/gecko/third_party/rust/audioipc-server/src/server.rs:488
    #7 0x7ff929817085 in audioipc_server::server::{{impl}}::process::{{closure}} /builds/worker/checkouts/gecko/third_party/rust/audioipc-server/src/server.rs:379
    #8 0x7ff929817085 in audioipc_server::server::with_local_context::{{closure}} /builds/worker/checkouts/gecko/third_party/rust/audioipc-server/src/server.rs:202
    #9 0x7ff929817085 in std::thread::local::LocalKey<core::cell::RefCell<core::option::Option<audioipc_server::server::CubebContextState>>>::try_with /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b\library\std\src\thread\local.rs:376

Looks like the relevant part is here:

  for (uint32_t i = 0; i < collection.count; i++) {
    cubeb_device_info dev = collection.device[i];
    if (dev.devid == input_device_id) {
      input_device = &dev; // <--- pointer to dev stored in input_device
      break;
    }
  }

Then later input_device is dereferenced.

There's a comment at the start of the function that says "Only try to match to an output device if the input device is a bluetooth device that is using the handsfree protocol". Do you have anything like that on your machine? That might explain why this wasn't detected in automation.

Flags: needinfo?(cpeterson)

(In reply to Andrew McCreight [:mccr8] from comment #7)

There's a comment at the start of the function that says "Only try to match to an output device if the input device is a bluetooth device that is using the handsfree protocol". Do you have anything like that on your machine? That might explain why this wasn't detected in automation.

Yes. I'm using a Bluetooth headset paired to my machine. I wonder if this bug is what causes my Bluetooth headset to play some static when I open about:support and it enumerates my output devices.

Looks like dev should probably be a pointer to local variable collection.device[i] instead of a copy inside the for loop:

https://searchfox.org/mozilla-central/rev/290f33a3245f61f34ec5f80f548e6584823ba9ad/media/libcubeb/src/cubeb_wasapi.cpp#2246-2247,2275,2277,2285

Flags: needinfo?(cpeterson)
Assignee: nobody → kinetik
Severity: -- → S2
Status: NEW → ASSIGNED
status-firefox90: ?affected
status-firefox91: ?affected
status-firefox-esr78: ?unaffected
Priority: -- → P1
Regressed by: 1663917
Hardware: Unspecified → All
Version: unspecified → Firefox 83
Has Regression Range: --- → yes
Keywords: regression
Attached file GitHub Pull Request
Depends on: 1722440

Comment on attachment 9233629 [details]
Bug 1722073 - Uplift cubeb fix for WASAPI backend. r?#cubeb-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Potential crash or unexpected behaviour when using Bluetooth headset on Windows.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very low risk, simple change to avoid using out-of-scope stack variable.
  • String changes made/needed: n/a

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Very simple and safe fix for potential crash or unexpected behaviour when using Bluetooth headset on Windows.
  • User impact if declined: Potential crash or unexpected behaviour when using Bluetooth headset on Windows.
  • Fix Landed on Version: 92
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very low risk, simple change to avoid using out-of-scope stack variable.
  • String or UUID changes made by this patch: n/a
Attachment #9233629 - Flags: approval-mozilla-esr91?
Attachment #9233629 - Flags: approval-mozilla-beta?

92 is fixed via the libecubeb update in bug 1722440

status-firefox92: affectedfixed

Comment on attachment 9233629 [details]
Bug 1722073 - Uplift cubeb fix for WASAPI backend. r?#cubeb-reviewers

Approved for our last 91 beta thanks.

Attachment #9233629 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: media-core-security → core-security-release
status-firefox90: affectedwontfix
tracking-firefox91: --- → +
tracking-firefox92: --- → +

Comment on attachment 9233629 [details]
Bug 1722073 - Uplift cubeb fix for WASAPI backend. r?#cubeb-reviewers

This will ride to ESR91 via the Beta uplift already done.

Attachment #9233629 - Flags: approval-mozilla-esr91?
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Attached file asan bt headset.txt

Hey Chris, I was unable to reproduce this issue with a regular nightly build or asan build from (2021-07-23). I tried with two separate bt headphones with both builds and no crash ocurred (I'll attach the about:support data from the asan build) in Windows 10.

Can you please verify it on the latest builds ?

Flags: needinfo?(cpeterson)
Flags: qe-verify+

(In reply to Catalin Sasca, QA [:csasca] from comment #16)

Hey Chris, I was unable to reproduce this issue with a regular nightly build or asan build from (2021-07-23). I tried with two separate bt headphones with both builds and no crash ocurred (I'll attach the about:support data from the asan build) in Windows 10.

Can you please verify it on the latest builds ?

Unfortunately, I'm not able to test because I can no longer run ASan builds after I upgraded to Windows 11. I filed bug 1723593 for that issue.

Depends on: 1723593
Flags: needinfo?(cpeterson)
Whiteboard: [adv-main90+r]
Whiteboard: [adv-main90+r] → [adv-main91+r]

Resolving as fixed. ASan Nightly builds work on Windows 11 now (bug 1723593), so I was able to verify (in Nightly 94) that this bug is fixed.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox94: --- → verified
Resolution: --- → FIXED

Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

status-firefox93: --- → ?
status-firefox-esr91: --- → fixed
Target Milestone: --- → 92 Branch
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: