Closed Bug 750231 Opened 8 years ago Closed 8 years ago

Opus crash illegal instruction [@quant_band]

Categories

(Core :: Audio/Video, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla15
Tracking Status
firefox15 + fixed
firefox16 + fixed
firefox-esr10 --- unaffected

People

(Reporter: posidron, Assigned: derf)

References

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [asan])

Attachments

(3 files)

Attached file testcase
Reproducible in ASAN builds. Due to a bug in ASAN it is right now not possible to provide values for the functions.
Attached file callstack
Haven't investigated too deeply, but this file does not crash opusdec (available from opus-tools: http://git.xiph.org/?p=users/greg/opus-tools.git).
Sorry, should have mentioned that I have deactivated the checksum verification inside the source.
(In reply to Christoph Diehl [:cdiehl] from comment #3)
> Sorry, should have mentioned that I have deactivated the checksum
> verification inside the source.

Yes, I ran it through rogg_crcfix. opusdec reported "Decoding error: corrupt stream" in a few places, but did not crash.
This bug has [asan] in whiteboard. You will need to test it with an ASAN build of Firefox or compile the decoder with ASAN.
(In reply to Christoph Diehl [:cdiehl] from comment #5)
> This bug has [asan] in whiteboard. You will need to test it with an ASAN
> build of Firefox or compile the decoder with ASAN.

That doesn't change the results. It also ran clean under valgrind with memcheck, exp-ptrcheck, and exp-sgcheck.
The only other thing I can think of is trying with different allocators and even trying with the pseudo-stack and ENABLE_VALGRIND.
I would recommend compiling a Firefox version with ASAN enabled on MacOSX. This is my environment. The bug itself is reproducible every time. Nothing was touched except that I have commented out the "goto" in https://hg.mozilla.org/mozilla-central/file/40455cbb1ad3/media/libogg/src/ogg_framing.c#l701.
(In reply to Christoph Diehl [:cdiehl] from comment #8)
> I would recommend compiling a Firefox version with ASAN enabled on MacOSX.

Yes, that's probably the best idea. But since it doesn't look like the decoder state is getting corrupted by libopus itself (or it would happen in opusdec, also), I think this is rillian's bug to track down.
Blocks: fuzzing-opus
Assignee: nobody → giles
I have an ASAN OS X build from Monday, 4/30, and I get no crash with the attached testcase. I see a playback slider appear momentarily, which then goes away. No errors show up in console output.
Did you comment out the goto clause?
No, I did not. I'm using a "standard" ASAN build with no changes to the pulled source. This only happens if you comment out a clause?
You will also need to apply the Opus patches from here: https://bugzilla.mozilla.org/show_bug.cgi?id=674225
I think I'll just wait for someone to fix the bug since it is assigned. :-)
That's fine. I don't have an asan build yet though.

Which llvm/clang/compiler-rt revision are you using?
https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
In case of problems/info ping the author "decoder", he is also our ASAN maintainer.
Ok, I'm able to reproduce now, thanks to help from decoder, and no thanks to xcode version skew.
Ralph, is this crash exploitable? We can't tell much from the callstack.
I don't know, but given the illegal instruction, the stack's probably corrupted. Which would mean yes.
Okay, so I was finally able to get an ASAN build going on this aging MacBook loaner.

I think all of the ASAN crashes are simply stack overflows. Opus uses a fair amount of stack (a few dozen kB) and the decoder threads are all created with a mere 128 kB of stack space. That's normally plenty, but apparently ASAN makes things like alloca (or more specifically, C99 vararrays) use quite a bit more than normal. Simply increasing the stack to 1 MB makes the crash in this bug, and every other open ASAN Opus crash, go away.

Patch forthcoming (a non-clobber build takes over 20 minutes on this machine for even a single changed file).
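The diagnosis above (a VLA-heavy decoder frame outgrowing a small thread stack, worse under ASAN) can be checked directly. The following is an added example, not code from Mozilla or libopus: it spawns a worker thread with an explicit stack size, as the decoder threads are, and measures how deep a frame holding a run-time-sized vararray actually is. The 48 kB vararray size, the 25% safety margin and the `vla_frame`/`run_probe` names are constructed for this example; build it once plainly and once with `-fsanitize=address` to compare the measured frame against the 128 kB and 1 MB budgets.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VLA_BYTES (48 * 1024)  /* constructed: "a few dozen kB" of decoder scratch */

struct probe {
    size_t stack_size;   /* thread stack budget handed to pthread_attr_setstacksize */
    size_t frame_bytes;  /* measured depth of the vararray frame, in bytes */
    int    fits;         /* 1 if frame_bytes plus a 25% margin stays inside stack_size */
};

/* Hypothetical decoder frame: a C99 vararray sized at run time, as in libopus.
 * Returns the distance from the caller's marker down to the low end of the VLA,
 * i.e. how much stack this one frame consumes (stack grows downward on x86_64). */
static __attribute__((noinline)) size_t vla_frame(size_t n, const char *marker) {
    char scratch[n];
    volatile char *sink = scratch;        /* volatile so the array is not optimised away */
    sink[0] = 1;
    sink[n - 1] = 1;
    return (size_t)((uintptr_t)marker - (uintptr_t)scratch);
}

static void *worker(void *arg) {
    struct probe *p = arg;
    char marker;                          /* top-of-frame reference inside the thread */
    p->frame_bytes = vla_frame(VLA_BYTES, &marker);
    p->fits = p->frame_bytes + p->frame_bytes / 4 < p->stack_size;
    return NULL;
}

/* Run the probe on a fresh thread with the given stack size; 0 on success, -1 on error. */
int run_probe(size_t stack_size, struct probe *out) {
    pthread_attr_t attr;
    pthread_t tid;
    memset(out, 0, sizeof *out);
    out->stack_size = stack_size;
    if (pthread_attr_init(&attr) != 0) return -1;
    if (pthread_attr_setstacksize(&attr, stack_size) != 0) return -1;
    if (pthread_create(&tid, &attr, worker, out) != 0) return -1;
    pthread_join(tid, NULL);
    pthread_attr_destroy(&attr);
    return 0;
}

int main(void) {
    struct probe p;
    if (run_probe(1024 * 1024, &p) == 0)
        printf("stack %zu B, frame %zu B, fits=%d\n", p.stack_size, p.frame_bytes, p.fits);
    return 0;
}
```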
My build still hasn't finished, but I need to run. This _should_ work.
Assignee: giles → tterribe
Status: NEW → ASSIGNED
Attachment #629534 - Flags: review?(kinetik)
Attachment #629534 - Flags: review?(kinetik) → review+
Fixed. I will mark the other bugs as resolved.
https://hg.mozilla.org/integration/mozilla-inbound/rev/902cd184dca8
Flags: in-testsuite-
Target Milestone: --- → mozilla15
https://hg.mozilla.org/mozilla-central/rev/902cd184dca8
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: core-security