Closed Bug 1879093 (CVE-2024-4764) Opened 1 year ago Closed 9 months ago

Firefox crashes with two open Meet tabs and taking my AirPods out

Categories

(Core :: WebRTC: Audio/Video, defect)

Product:
Core
Component:
WebRTC: Audio/Video
Platform:
Desktop
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox125 --- wontfix
firefox126 --- fixed

People

(Reporter: jib, Assigned: pehrsons)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: csectype-race, regression, sec-high, Whiteboard: [adv-main126+])

Crash Data

Attachments

(1 file)

advisory.txt
180 bytes, text/plain
Details

STR (require AirPods or possibly similar bluetooth headset):

  1. Leave already-paired AirPods in their case
  2. Go to https://meet.google.com/
  3. Click New Meeting / Start an instant meeting
  4. Allow camera and microphone and stay in the lobby
  5. Duplicate the tab and repeat step 4 there.
  6. Make macOS connect with the AirPods by taking them out of their case

Expected result: No crash

Actual result: Firefox crashes with bp-e86fd0af-cf11-49db-883f-ad3010240206

If it doesn't crash in in step 6, put the airpods back in their case (sometimes crashes then) and repeat step 6.

Flags: needinfo?(apehrson)

This involving two tabs should mean that we are recreating VoiceProcessingIO AudioUnits on two separate threads in the parent process. The cubeb-coreaudio-rs backend serializes operations per-stream. Maybe if we serialize them on the same thread it won't crash. I have some prior work for this so if I can reproduce I'll see how it helps.

Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Group: core-security

Is this like a use after free then? Or is it being more or less safely caught?

Keywords: csectype-race, sec-high

Based on the mac crash info in the report, this appears safely caught. But I don't think we can assume all paths from this STR will be safely caught. Adding some more crash signatures that are all from macOS 14.

In particular [@ AudioDSP@0x3ffb34 ] looks dead on like a UAF, and involves tearing down an audio unit. Step 6 in the STR would trigger that code path so might be a related failure mode here.

Crash Signature: [@ _dispatch_semaphore_dispose.cold.1 ] → [@ _dispatch_semaphore_dispose.cold.1 ] [@ libdispatch.dylib@0x39b50 ] [@ libdispatch.dylib@0x32e11 ] [@ AudioDSP@0xcd3d ] [@ AudioDSP@0x3ffb34 ] [@ AudioDSP@0x770498 ]
Severity: -- → S2
Blocks: meet

Bug 1880244 might help here, since it will make us create and destroy vpio audio units much less.

Depends on: 1880244
Flags: needinfo?(apehrson)

Patches being developed in the parent.

Duplicate of this bug: 1889245

We're not sure if the parent bug's changes will fully address the crash signature here. Waiting to see as that work rolls out.

We think this is fixed in 126.

126 is looking clean. resolving.

Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED

Can you clarify the status of ESR115 for this bug given that this is rated sec-high?

Group: media-core-security → core-security-release
status-firefox125: --- → wontfix
status-firefox126: --- → fixed
status-firefox-esr115: --- → ?
Flags: needinfo?(apehrson)
Target Milestone: --- → 126 Branch
status-firefox-esr115: ?unaffected
Flags: needinfo?(apehrson)
Keywords: regression
Regressed by: 1670633
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [adv-main126+]
Alias: CVE-2024-4764
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: