UAF Crash when playing a live video [@ std::_Rb_tree_increment ] with DataChannelConnection::CloseAll() on the stack
Categories: Core :: WebRTC: Networking, defect, P2
People: Reporter: julienw, Assigned: bwc
Keywords: csectype-uaf, sec-high
Crashes when playing a live video on https://www.france.tv/sport/cyclisme/tour-de-france/7320005-direct-interactif-etape-19-albertville-la-plagne.html. The video was in PiP mode if that's useful.
The crash is https://crash-stats.mozilla.org/report/index/80ea0567-068c-4c41-b9fa-39ae50250725
I'm on Linux, firefox nightly from July 20.
Comment 1 • 9 months ago (Reporter)
I also got this crash yesterday: https://crash-stats.mozilla.org/report/index/911dc48c-b11a-4a84-a52b-32c610250724
I'm not sure it's related because I didn't notice it yesterday, but I was watching a video on the same site and I remember it got interrupted at one point.
Comment 2 • 9 months ago
I don’t see any media-related stacks in the crash reports — they’re all related to DataChannel. It looks more like a data race in the network layer.
Comment 3 • 9 months ago
This signature goes back a long way, but with different calling stacks. The older ones don't mention DataChannel, but the crashes in 141 and 142 have the same stack involving DataChannelConnection::CloseAll, which is also in the stack for the signature in comment 1 and bug 1979072. That bug is in WebRTC, and bug 1738931 fixed in Firefox 96 also mentioned this signature and was in WebRTC. I'm moving this back to the media team.
Some of the crashes in recent versions crash on the UAF marker:
bp-17a92379-4871-4cca-9490-310e00250725
bp-c6a7c5da-a737-429d-b5b4-6976f0250724
This might be a dupe of bug 1979072, but we'll track it as its own sec-high UAF bug while it's not.
Comment 4 • 9 months ago
Julien: Is there any kind of interactive chat functionality or anything like that on that site? I don't see any features that might be related to WebRTC at the moment, but there's no active video and I don't have a login so maybe it comes and goes.
Comment 5 • 9 months ago (Reporter)
(In reply to Daniel Veditz [:dveditz] from comment #4)
Julien: Is there any kind of interactive chat functionality or anything like that on that site? I don't see any features that might be related to WebRTC at the moment, but there's no active video and I don't have a login so maybe it comes and goes.
As a matter of fact, there is indeed live chat functionality.
Comment 6 • 8 months ago
For the WebRTC portion this does seem to be a dup of bug 1979072; we will want to look and see if we see the same crash with DataChannel in builds 143 and up, to know whether the fix does not apply.
Daniel: Do you see any crashes that I am not, on builds that contain the patch from 1979072?
Julien: Have you seen the crash on 143 or latest nightly?
Comment 7 • 8 months ago (Reporter)
Ah well, since the Tour de France ended I haven't used the website anymore. And I don't think there's any on the same site currently; this is only during some major sport events.
So I can't tell, sorry.
Comment 9 • 8 months ago
I don't see any of the UAF crashes after the fix for bug 1979072 landed in the 142 RC, or any with DataChannelConnection::CloseAll() on the stack like Julien's even if they aren't UAF crashes. Duping seems right.
There are still some near-null crashes with this signature that appear completely unrelated and not a security worry. They have TaskController::DoExecuteNextTaskOnlyMainThreadInternal() on the stack and many of them also have suspected bitflips.