Closed Bug 1740361 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::MediaTransportHandlerIPC::GetIceStats]

Categories

(Core :: WebRTC: Networking, defect)

Unspecified
Windows
defect

RESOLVED INCOMPLETE

People

(Reporter: jib, Assigned: bwc)

Details

(Keywords: csectype-wildptr, sec-high)

Attachments

(1 obsolete file)

UAF

Crash report: bp-47753228-ed0b-4f69-b71d-3496d0211104

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0 	xul.dll 	mozilla::MediaTransportHandlerIPC::GetIceStats(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, double) 	dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp:314 	context
1 	xul.dll 	mozilla::PeerConnectionImpl::GetStats(mozilla::dom::MediaStreamTrack*, bool) 	dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:2806 	cfi
2 	xul.dll 	static mozilla::PeerConnectionCtx::EverySecondTelemetryCallback_m(nsITimer*, void*) 	dom/media/webrtc/jsapi/PeerConnectionCtx.cpp:280 	cfi
3 	xul.dll 	nsTimerImpl::Fire(int) 	xpcom/threads/nsTimerImpl.cpp:620 	cfi
4 	xul.dll 	nsTimerEvent::Run() 	xpcom/threads/TimerThread.cpp:264 	cfi
5 	xul.dll 	mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) 	xpcom/threads/TaskController.cpp:805 	cfi
6 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1148 	cfi
7 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:107 	cfi
8 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:324 	cfi
9 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:306 	cfi
10 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp:137 	cfi
See Also: → 1739478

I don't see any definitive signs of a UAF (our poison value), but it's crashing on a nonsense pointer that doesn't have any clear relation to any register value. It's gotten ahold of a corrupt object somehow, but this could also be due to a buffer overflow, or it's uninitialized or something. (Unless we've missed a clue about UAFness here)

Group: core-security → media-core-security
Crash Signature: [@ mozilla::MediaTransportHandlerIPC::GetIceStats ]

One crash in 6 months -- may not be very productive to chase this one down just from a crash report.

The severity field is not set for this bug.
:bwc, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(docfaraday)
No longer blocks: webrtc-triage
Severity: -- → S4
Keywords: stalled
Assignee: nobody → docfaraday
Status: NEW → ASSIGNED
Attachment #9258526 - Attachment is obsolete: true

The severity field for this bug is set to S4. However, the bug is flagged with the sec-high keyword.
:bwc, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(docfaraday)

This has not happened in a very long time, since 93 on crash-stats.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(docfaraday)
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: media-core-security