Open Bug 1740836 Opened 3 years ago Updated 5 months ago

Firefox MediaTrackGraphImpl::RunInStableState Out-Of-Bounds Read Remote Code Execution Vulnerability

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Type:
defect

Tracking

()

People

(Reporter: bo13oy, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, Whiteboard: [stack-exhaustion][reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

poc.html
293 bytes, text/html
Details
Attached file poc.html

Tested Version: MacOS Monterey(verion 12.0.1) memory 16G + macosx64-fuzzing-asan-opt(94.0.2 (64-bit)) => https://firefox-ci-tc.services.mozilla.com/tasks/index/gecko.v2.mozilla-release.latest.firefox/macosx64-fuzzing-asan-opt
Loading poc.html with firefox, the crash report is as follows:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==35275==ERROR: AddressSanitizer: SEGV on unknown address 0x0001017d2c60 (pc 0x000102b29949 bp 0x7ff7be8750a0 sp 0x7ff7be875090 T0)
==35275==The signal is caused by a READ memory access.
==35275==WARNING: failed to spawn external symbolizer (errno: 9)
==35275==WARNING: failed to spawn external symbolizer (errno: 9)
==35275==WARNING: failed to spawn external symbolizer (errno: 9)
==35275==WARNING: failed to spawn external symbolizer (errno: 9)
==35275==WARNING: failed to spawn external symbolizer (errno: 9)
==35275==WARNING: Failed to use and restart external symbolizer!
    #0 0x102b29949 in __asan::FlushToDeadThreadStats(__asan::AsanStats*)+0x19 (/Applications/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x4f949)
    #1 0x102b2b055 in __asan::AsanThread::Destroy()+0xa5 (/Applications/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x51055)
    #2 0x102b1a08c in wrap_pthread_create+0xec (/Applications/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x4008c)
    #3 0x1025b908f in _PR_CreateThread+0x4ef (/Applications/Nightly.app/Contents/MacOS/libnss3.dylib:x86_64+0x48b08f)
    #4 0x1025a11ce in PR_CreateThread+0xe (/Applications/Nightly.app/Contents/MacOS/libnss3.dylib:x86_64+0x4731ce)
    #5 0x124d446fe in nsThread::Init(nsTSubstring<char> const&)+0x16e (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x3bf6fe)
    #6 0x124d529be in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**)+0x3de (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x3cd9be)
    #7 0x124d5dac5 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int)+0x155 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d8ac5)
    #8 0x12c41b725 in mozilla::ThreadedDriver::Start()+0x375 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a96725)
    #9 0x12c83dfee in mozilla::MediaTrackGraphImpl::RunInStableState(bool)+0x151e (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x7eb8fee)
    #10 0x12c875fa7 in mozilla::(anonymous namespace)::MediaTrackGraphStableStateRunnable::Run()+0xd7 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x7ef0fa7)
    #11 0x124ae8353 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue()+0x143 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x163353)
    #12 0x124aec851 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int)+0xb1 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x167851)
    #13 0x12735ece1 in XPCJSContext::AfterProcessTask(unsigned int)+0xf81 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x29d9ce1)
    #14 0x124d4843b in nsThread::ProcessNextEvent(bool, bool*)+0x14fb (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x3c343b)
    #15 0x124d54a8d in NS_ProcessNextEvent(nsIThread*, bool)+0x11d (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x3cfa8d)
    #16 0x1262992e1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x441 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x19142e1)
    #17 0x126155eb3 in MessageLoop::Run()+0x1d3 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x17d0eb3)
    #18 0x12e9bf2df in nsBaseAppShell::Run()+0x4f (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0xa03a2df)
    #19 0x12eb24571 in nsAppShell::Run()+0x311 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0xa19f571)
    #20 0x1329f199f in XRE_RunAppShell()+0x1ef (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0xe06c99f)
    #21 0x126155eb3 in MessageLoop::Run()+0x1d3 (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0x17d0eb3)
    #22 0x1329f0efb in XRE_InitChildProcess(int, char**, XREChildData const*)+0xd8b (/Applications/Nightly.app/Contents/MacOS/XUL:x86_64+0xe06befb)
    #23 0x101688d91 in main+0x1a1 (/Applications/Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100000d91)
    #24 0x1049594fd  (/usr/lib/dyld:x86_64+0x54fd)

==35275==Register values:
rax = 0x0000000000000000  rbx = 0x00000001017d2c60  rcx = 0x00000000ffffffff  rdx = 0x0000000000000000
rdi = 0x0000000102cad340  rsi = 0x00000001bd17fe60  rbp = 0x00007ff7be8750a0  rsp = 0x00007ff7be875090
 r8 = 0x0000000000001003   r9 = 0x000000000000001e  r10 = 0x00007ff807d2a476  r11 = 0x0000000000000206
r12 = 0x00000001025ca8c0  r13 = 0x00007ff7be875960  r14 = 0x0000000102cad340  r15 = 0x00000001017c5000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Applications/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x4f949) in __asan::FlushToDeadThreadStats(__asan::AsanStats*)+0x19
==35275==ABORTING

This vuln is discovered by bo13oy of Cyber Kunlun Lab.

Thanks.

Flags: sec-bounty?

In an opt build the child process was running at 100% CPU but I didn't see a crash before I killed it. The main parent process was never very busy, 1 or 2% CPU, but after a couple of minutes it was hung too and I couldn't switch to other tabs. Killing the child freed it up. We should spin out a separate bug about that, because we'd like stuck child processes to not kill the whole browser. Given the low CPU it was probably not flooded with messages like we've seen in other cases, but more likely something waiting for a response that should be more async.

Group: firefox-core-security → media-core-security
Component: Security → Audio/Video
Product: Firefox → Core

This is crashing inside ASan itself. The comment I found on the ASan source code for this method is "Flushes a given stats into accumulated stats of dead threads." Maybe this test case ends up creating lots of threads and it hits some kind of internal issue inside ASan?

Tyson, have you seen a crash like this while fuzzing?

Flags: needinfo?(twsmith)

No we are not seeing this, perhaps it is MacOS only?

I see a stack overflow on Linux:

==386118==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb06e7fc8 (pc 0x5579917dab7e bp 0x7ffeb06e8810 sp 0x7ffeb06e7fd0 T0)
    #0 0x5579917dab7e in __asan_memmove /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30:3
    #1 0x7f9137dc644e in move /builds/worker/checkouts/gecko/xpcom/string/nsCharTraits.h:309:9
    #2 0x7f9137dc644e in nsTSubstring<char>::StartBulkWriteImpl(unsigned int, unsigned int, bool, unsigned int, unsigned int, unsigned int) /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:226:5
    #3 0x7f9137ddb804 in AssignASCII /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:437:12
    #4 0x7f9137ddb804 in nsTSubstring<char>::AssignASCII(char const*, unsigned int) /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:419:7
    #5 0x7f913806088a in AssignASCII /builds/worker/workspace/obj-build/dist/include/nsTSubstring.h:436:5
    #6 0x7f913806088a in mozilla::Runnable::GetName(nsTSubstring<char>&) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:77:11
    #7 0x7f91380608bc in non-virtual thunk to mozilla::Runnable::GetName(nsTSubstring<char>&) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp
    #8 0x7f913802179e in mozilla::XPCOMThreadWrapper::Runner::GetName(nsTSubstring<char>&) /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:219:16
    #9 0x7f913804cca4 in nsThread::GetLabeledRunnableName(nsIRunnable*, nsTSubstring<char>&, mozilla::EventQueuePriority) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:971:5
    #10 0x7f9138068573 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:454:5
    #11 0x7f913802e00d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
    #12 0x7f913802b568 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
    #13 0x7f913802bc79 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
    #14 0x7f9138071cb4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
    #15 0x7f9138071cb4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
    #16 0x7f913804e367 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
    #17 0x7f913804c213 in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #18 0x7f913804c213 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:867:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #19 0x7f913804c213 in nsThread::Shutdown() /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:865:3
    #20 0x7f913e1100f2 in mozilla::ThreadedDriver::Shutdown() /builds/worker/checkouts/gecko/dom/media/GraphDriver.cpp:157:14
    #21 0x7f913e4d89a9 in mozilla::(anonymous namespace)::MediaTrackGraphShutDownRunnable::Run() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1865:43
    #22 0x7f9138023140 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:227:35
    #23 0x7f913802143f in mozilla::XPCOMThreadWrapper::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:211:25
    #24 0x7f9138068642 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
    #25 0x7f913802e00d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
    #26 0x7f913802b568 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
    #27 0x7f913802bc79 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
    #28 0x7f9138071cb4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
    #29 0x7f9138071cb4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
    #30 0x7f913804e367 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
    #31 0x7f913804c213 in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #32 0x7f913804c213 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:867:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #33 0x7f913804c213 in nsThread::Shutdown() /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:865:3
    #34 0x7f913e1100f2 in mozilla::ThreadedDriver::Shutdown() /builds/worker/checkouts/gecko/dom/media/GraphDriver.cpp:157:14
    #35 0x7f913e4d89a9 in mozilla::(anonymous namespace)::MediaTrackGraphShutDownRunnable::Run() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1865:43
    #36 0x7f9138023140 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:227:35
    #37 0x7f913802143f in mozilla::XPCOMThreadWrapper::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:211:25
    #38 0x7f9138068642 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
    #39 0x7f913802e00d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
    #40 0x7f913802b568 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
    #41 0x7f913802bc79 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
    #42 0x7f9138071cb4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
    #43 0x7f9138071cb4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
    #44 0x7f913804e367 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
    #45 0x7f913804c213 in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #46 0x7f913804c213 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:867:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #47 0x7f913804c213 in nsThread::Shutdown() /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:865:3
    #48 0x7f913e1100f2 in mozilla::ThreadedDriver::Shutdown() /builds/worker/checkouts/gecko/dom/media/GraphDriver.cpp:157:14
    #49 0x7f913e4d89a9 in mozilla::(anonymous namespace)::MediaTrackGraphShutDownRunnable::Run() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1865:43
    #50 0x7f9138023140 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:227:35
    #51 0x7f913802143f in mozilla::XPCOMThreadWrapper::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:211:25
    #52 0x7f9138068642 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
    #53 0x7f913802e00d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
    #54 0x7f913802b568 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
    #55 0x7f913802bc79 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
    #56 0x7f9138071cb4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
    #57 0x7f9138071cb4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
    #58 0x7f913804e367 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
    #59 0x7f913804c213 in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #60 0x7f913804c213 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:867:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #61 0x7f913804c213 in nsThread::Shutdown() /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:865:3
    #62 0x7f913e1100f2 in mozilla::ThreadedDriver::Shutdown() /builds/worker/checkouts/gecko/dom/media/GraphDriver.cpp:157:14
    #63 0x7f913e4d89a9 in mozilla::(anonymous namespace)::MediaTrackGraphShutDownRunnable::Run() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1865:43
    #64 0x7f9138023140 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:227:35
    #65 0x7f913802143f in mozilla::XPCOMThreadWrapper::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:211:25
    #66 0x7f9138068642 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
    #67 0x7f913802e00d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
    #68 0x7f913802b568 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
    #69 0x7f913802bc79 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
    #70 0x7f9138071cb4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
Flags: needinfo?(twsmith)
Component: Audio/Video → Web Audio

This is a denial of service, and hangs the parent, but otherwise appears to be unexploitable resource exhaustion.

Blocks: eviltraps
Group: media-core-security
Type: task → defect
Keywords: csectype-dos
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [stack-exhaustion][reporter-external] [client-bounty-form] [verif?]
Severity: -- → S4
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: