Closed Bug 1890134 Opened 6 months ago Closed 6 months ago

stack-use-after-scope [@ mozilla::IsWidevineKeySystem]

Categories

(Core :: Audio/Video: GMP, defect)

Tracking

RESOLVED FIXED
126 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 --- fixed

People

(Reporter: tsmith, Assigned: alwu)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [fixed in bug 1890070])

Found with m-c 20240406-a1630c7af1b6 (--enable-address-sanitizer --enable-fuzzing)

This was found by visiting a live website with an ASan build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting an NSFW site.

==7508==ERROR: AddressSanitizer: stack-use-after-scope on address 0x00bbfedfc778 at pc 0x7ffbe767418e bp 0x00bbfedfc1e0 sp 0x00bbfedfc228
READ of size 4 at 0x00bbfedfc778 thread T0
    #0 0x7ffbe767418d in mozilla::detail::nsTStringLengthStorage<char16_t>::operator unsigned long long /builds/worker/checkouts/gecko/xpcom/string/nsTStringRepr.h:93
    #1 0x7ffbe767418d in mozilla::detail::nsTStringRepr<char16_t>::EqualsASCII(char const *, unsigned __int64) const /builds/worker/checkouts/gecko/xpcom/string/nsTStringRepr.cpp:83
    #2 0x7ffbeedb33bf in mozilla::detail::nsTStringRepr<char16_t>::EqualsLiteral /builds/worker/workspace/obj-build/dist/include/nsTStringRepr.h:290
    #3 0x7ffbeedb33bf in mozilla::IsWidevineKeySystem /builds/worker/checkouts/gecko/dom/media/eme/EMEUtils.cpp:50
    #4 0x7ffbeedb33bf in mozilla::KeySystemConfig::Supports(class nsTSubstring<char16_t> const &) /builds/worker/checkouts/gecko/dom/media/eme/KeySystemConfig.cpp:47
    #5 0x7ffbeedbc79c in mozilla::KeySystemConfig::CreateKeySystemConfigs(class nsTArray<struct mozilla::KeySystemConfigRequest> const &) /builds/worker/checkouts/gecko/dom/media/eme/KeySystemConfig.cpp:237
    #6 0x7ffbeedd9cb5 in mozilla::dom::GetSupportedKeySystemConfigs /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:286
    #7 0x7ffbeedda6cf in mozilla::dom::MediaKeySystemAccess::GetSupportedConfig(struct mozilla::dom::MediaKeySystemAccessRequest *, bool, class mozilla::dom::Document const *) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:1080
    #8 0x7ffbeede2eab in mozilla::dom::MediaKeySystemAccessManager::RequestMediaKeySystemAccess(class mozilla::UniquePtr<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest, class mozilla::DefaultDelete<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest>>) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:499
    #9 0x7ffbeede0fe4 in mozilla::dom::MediaKeySystemAccessManager::OnDoesWindowSupportProtectedMedia(bool, class mozilla::UniquePtr<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest, class mozilla::DefaultDelete<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest>>) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:209
    #10 0x7ffbeee17ac9 in mozilla::dom::MediaKeySystemAccessManager::CheckDoesWindowSupportProtectedMedia::<lambda_7>::operator() /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:184
    #11 0x7ffbeee17ac9 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::InvokeMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:651
    #12 0x7ffbeee17ac9 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::InvokeCallbackMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:682
    #13 0x7ffbeee17ac9 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::ThenValue<`lambda at /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:168:7'>::DoResolveOrRejectInternal /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:921
    #14 0x7ffbe869625b in mozilla::MozPromise<bool, enum mozilla::ipc::ResponseRejectReason, 1>::ThenValueBase::ResolveOrRejectRunnable::Run(void) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487
    #15 0x7ffbe793e18e in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:578
    #16 0x7ffbe791ad1f in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:905
    #17 0x7ffbe7916d1b in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:728
    #18 0x7ffbe79176f4 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514
    #19 0x7ffbe7941e91 in mozilla::TaskController::TaskController::<lambda_5>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232
    #20 0x7ffbe7941e91 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:232:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548
    #21 0x7ffbe79715bb in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199
    #22 0x7ffbe79830fa in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
    #23 0x7ffbe90ed6a7 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #24 0x7ffbe8ffa303 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
    #25 0x7ffbe8ffa303 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
    #26 0x7ffbe8ffa0ca in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
    #27 0x7ffbf1aee63c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #28 0x7ffbf1d78997 in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:822
    #29 0x7ffbf600fc6e in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712
    #30 0x7ffbe8ffa303 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
    #31 0x7ffbe8ffa303 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
    #32 0x7ffbe8ffa0ca in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
    #33 0x7ffbf600f207 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647
    #34 0x7ff6575b2893 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57
    #35 0x7ff6575b2893 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375
    #36 0x7ff6575b161a in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:174
    #37 0x7ff6576a00a7 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #38 0x7ff6576a00a7 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #39 0x7ffc30694caf  (C:\Windows\System32\KERNEL32.DLL+0x180014caf)
    #40 0x7ffc322fe8aa  (C:\Windows\SYSTEM32\ntdll.dll+0x18007e8aa)

Address 0x00bbfedfc778 is located in stack of thread T0 at offset 184 in frame
    #0 0x7ffbeedd903f in mozilla::dom::GetSupportedKeySystemConfigs /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:236

  This frame has 14 object(s):
    [32, 33) 'agg.tmp.i.i151'
    [48, 49) 'agg.tmp.i.i136'
    [64, 65) 'agg.tmp.i.i115'
    [80, 81) 'agg.tmp.i.i100'
    [96, 97) 'agg.tmp.i.i86'
    [112, 113) 'agg.tmp.i.i72'
    [128, 129) 'agg.tmp.i.i'
    [144, 152) 'requests' (line 238)
    [176, 328) 'ref.tmp11' (line 250) <== Memory access at offset 184 is inside this variable
    [400, 552) 'ref.tmp17' (line 254)
    [624, 776) 'ref.tmp22' (line 257)
    [848, 1000) 'ref.tmp31' (line 264)
    [1072, 1224) 'ref.tmp45' (line 274)
    [1296, 1448) 'ref.tmp53' (line 280)
Component: Audio/Video: Playback → Audio/Video: GMP

alwu, would you have any thoughts here?

Flags: needinfo?(alwu)

Already addressed this in bug 1890070.

Status: NEW → RESOLVED
Closed: 6 months ago
Flags: needinfo?(alwu)
Resolution: --- → FIXED
Assignee: nobody → alwu
Group: media-core-security → core-security-release
Depends on: 1890070
Target Milestone: --- → 126 Branch
Keywords: sec-high
Whiteboard: [fixed in bug 1890070]
Group: core-security-release