Closed Bug 1756598 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ __atomic_add] through [@ mozilla::gl::GLContextEGL::CreateEGLPBufferOffscreenContextImpl] and FFmpegVideoDecoder with WRITE of size 4

Categories

(Core :: Audio/Video, defect, P3)

Product:
Core
Component:
Audio/Video
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
102 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- disabled
firefox99 --- disabled
firefox100 --- disabled
firefox101 --- disabled
firefox102 --- fixed

People

(Reporter: decoder, Assigned: stransky)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

Detailed Crash Information
34.99 KB, text/plain
Details
Bug 1756598 [Linux] Make GL context creation thread safe r?sotaro
48 bytes, text/x-phabricator-request
Details | Review

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 99.0a1-20220208070047-https://hg.mozilla.org/mozilla-central/rev/a25fb4010591aab59ca028aa3a3be3bc7a8f3886.

For detailed crash information, see attachment.

This was already reported on Feburary 8, not sure if this might already be fixed.

Kelsey, maybe you could take a look? Thanks. There's both WebGL and FFmpegVideoDecoder stuff in the stack so I'm not sure exactly who might be best to look at it.

Flags: needinfo?(jgilbert)
Keywords: csectype-uaf, sec-high
Group: core-security → media-core-security

This is a race here: https://searchfox.org/mozilla-central/source/widget/gtk/DMABufSurface.cpp#63

Flags: needinfo?(jgilbert) → needinfo?(stransky)

Christian, is that a kind of static analysis or is that from actual Firefox run? It may be possible to hit the race here but we use only one decode thread with VA-API.

Flags: needinfo?(choller)
Assignee: nobody → stransky
Flags: needinfo?(stransky)

btw. multi-thread va-api decode may be enabled for Bug 1750388.

Flags: needinfo?(stransky)

(In reply to Martin Stránský [:stransky] (ni? me) from comment #4)

Christian, is that a kind of static analysis or is that from actual Firefox run? It may be possible to hit the race here but we use only one decode thread with VA-API.

This is from an actual run, like a crash report. But we do not have information about steps to reproduce, prefs, or who submitted it.

Flags: needinfo?(choller)
Blocks: egl-linux-vaapi
status-firefox99: affecteddisabled
Flags: needinfo?(stransky)

VA-API is disabled by default so we're no affected.

Severity: critical → S3
Priority: -- → P3

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:stransky, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(stransky)

(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #8)

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:stransky, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

It's disabled by default and you need to try pretty hard to enable it so i think it's ok.

Flags: needinfo?(stransky)

Okay, I think I understand what's going on. Looks like two media playback happens on the same time so we use two surface pools but they share one GL context where we create the GL texture.

Comment on attachment 9273239 [details]
Bug 1756598 [Linux] Make GL context creation thread safe r?sotaro

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It's disabled by default, user need to flip pref and disable RDD sandbox.
    Then we can create a page where lot of video clips are played and that can be exploited - but it affects RDD process only.
    So I don't think it's actually exploitable.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Easy to backport.
  • How likely is this patch to cause regressions; how much testing does it need?: Not likely.
  • Is Android affected?: No
Attachment #9273239 - Flags: sec-approval?

Comment on attachment 9273239 [details]
Bug 1756598 [Linux] Make GL context creation thread safe r?sotaro

If the pref need to be modified from default, we don't need sec-approval and can land it.

Attachment #9273239 - Flags: sec-approval?

I'm also going to downgrade it to moderate

Keywords: sec-highsec-moderate

(In reply to Tom Ritter [:tjr] (ni for sec-approvals and such) from comment #14)

I'm also going to downgrade it to moderate

Is the downgrade here because it only affects RDD or because it requires a pref to be flipped?

Flags: needinfo?(tom)

pref flip - if you go and disable the RDD sandbox I think it's reasonable to say you've knowingly put your Firefox in a configuration where it's less secure and we shouldn't consider bugs in (only) that configuration as High.

Flags: needinfo?(tom)

[Linux] Make GL context creation thread safe r=sotaro,jgilbert
https://hg.mozilla.org/integration/autoland/rev/bef9104f01c528a0b0fac514ebcf35b505924224
https://hg.mozilla.org/mozilla-central/rev/bef9104f01c5

Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox102: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: