uaf in webrtc::VideoStreamEncoder::RequestRefreshFrame
Categories
(Core :: WebRTC: Audio/Video, defect)
Tracking
()
People
(Reporter: mccr8, Assigned: mjf)
References
Details
(Keywords: csectype-uaf, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main109+r])
Attachments
(1 file)
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
This Chrome bug on a UAF in WebRTC code is now public:
https://bugs.chromium.org/p/chromium/issues/detail?id=1357413
Here is the diff for the fix. We have the code in question in our tree.
The fix landed at the end of August, and it looks like our last WebRTC update (bug 1790097) was maybe from the end of June.
Comment 1•1 year ago
|
||
Can we get some guidance on what the urgency of this is? We're shipping 108/102.6esr on Tuesday and we also don't have a planned dot release this cycle.
Updated•1 year ago
|
Reporter | ||
Comment 2•1 year ago
|
||
Looking at the steps to reproduce in the first comment, it looks like some kind of race that can only happen if the machine is rather bogged down (they are running 10 copies of Chrome at once). Nobody except for the original reporter said they can actually reproduce the issue, though the original reporter was able to reproduce it enough to do a bisection. I'm not really sure what this "task safety declaration" thing is that they are tweaking.
Reporter | ||
Updated•1 year ago
|
Assignee | ||
Comment 3•1 year ago
|
||
We will be landing the v106 libwebrtc update that contains this fix after the thaw for Firefox 110.
Comment 4•1 year ago
|
||
Sounds like y'all are saying that we can just backport this for 109/102.7 during the upcoming cycle rather than trying to do anything for next week's releases then. Setting the flags accordingly, but feel free to correct me if I'm misunderstanding.
Reporter | ||
Comment 5•1 year ago
|
||
Yeah, I think that's fine.
Comment 6•1 year ago
|
||
Michael, when you get a chance, please upload and request approval on a cherry-pick patch here that we can use for landing on Beta and ESR. Thanks!
Updated•1 year ago
|
Comment 7•1 year ago
|
||
The bug is marked as tracked for firefox109 (beta). However, the bug still isn't assigned.
:jimm, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit auto_nag documentation.
Comment 8•1 year ago
|
||
Fix was landed on m-c by way of the below commit:
https://hg.mozilla.org/mozilla-central/rev/c31b3ae611ff143f079d42878a1a2305f6e71d47
Comment 9•1 year ago
|
||
Assignee | ||
Comment 10•1 year ago
|
||
The ESR uplift is, in my mind, not recommended. There are lots of things that have changed between ESR’s libwebrtc and the version this patch is fixing. Given that this is extremely difficult to repro, I don’t have confidence that this change would fix the issue in ESR and that it wouldn’t cause other issues given the threading nature of the change it fixes.
Assignee | ||
Comment 11•1 year ago
|
||
Comment on attachment 9309385 [details]
Bug 1804971 - Backport upstream WebRTC fix to Firefox 109. r=mjf
Beta/Release Uplift Approval Request
- User impact if declined: Possible UAF on heavily loaded systems.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Very small change that has been in production in upstream libwebrtc for a while now.
- String changes made/needed: n/a
- Is Android affected?: Unknown
Comment 12•1 year ago
|
||
Comment on attachment 9309385 [details]
Bug 1804971 - Backport upstream WebRTC fix to Firefox 109. r=mjf
Approved for 109.0b6. Thanks for the ESR102 clarification also.
Comment 13•1 year ago
|
||
uplift |
Updated•1 year ago
|
Updated•1 year ago
|
Updated•9 months ago
|
Description
•