Heap-use-after-free in MediaStream::Init

(Reporter: Abhishek Arya, Assigned: roc)

Firefox Tracking Flags
(firefox17 affected)

(Whiteboard: [asan])

Reproduces on trunk once in a while. Haven't got any reliable testcase yet.

==7499== ERROR: AddressSanitizer heap-use-after-free on address 0x7fbba1a006e8 at pc 0x7fbbcb890d42 bp 0x7fbb9b767200 sp 0x7fbb9b7671f8
READ of size 8 at 0x7fbba1a006e8 thread T16
    #0 0x7fbbcb890d42 in nsTArray_base<nsTArrayDefaultAllocator>::Length() const /src/../../../dist/include/nsTArray.h:192
    #1 0x7fbbcca9b370 in mozilla::MediaStream::Init() /src/content/media/MediaStreamGraph.cpp:1665
    #2 0x7fbbcca99a8e in mozilla::MediaStreamGraphImpl::RunThread() /src/content/media/MediaStreamGraph.cpp:1299
    #3 0x7fbbccaa1c6a in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /src/content/media/MediaStreamGraph.cpp:1447
    #4 0x7fbbcd8e7f4d in NS_ProcessNextEvent_P(nsIThread*, bool) /src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
    #5 0x7fbbcd9753dd in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:256
    #6 0x7fbbd2b818cb in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:159
    #7 0x428adc in __asan::AsanThread::ThreadStart() ??:0
0x7fbba1a006e8 is located 104 bytes inside of 240-byte region [0x7fbba1a00680,0x7fbba1a00770)
freed by thread T16 here:
    #0 0x425a42 in free ??:0
    #1 0x7fbbcca9d84c in mozilla::MediaStream::Release() /src/../../dist/include/MediaStreamGraph.h:208
previously allocated by thread T0 here:
    #0 0x425b02 in __interceptor_malloc ??:0
    #1 0x7fbbd0fff3f0 in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fbbcc494bfb in nsHTMLMediaElement::CaptureStreamInternal(bool) /src/content/html/content/src/nsHTMLMediaElement.cpp:1528
    #3 0x7fbbcc495201 in nsHTMLMediaElement::MozCaptureStreamUntilEnded(nsIDOMMediaStream**) /src/content/html/content/src/nsHTMLMediaElement.cpp:1551
    #4 0x7fbbcd9a2616 in NS_InvokeByIndex_P /src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #5 0x7fbbccdd88b8 in CallMethodHelper::Invoke() /src/js/xpconnect/src/XPCWrappedNative.cpp:3118
    #6 0x7fbbccde6dde in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1480
    #7 0x7fbbce7803ff in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /src/js/src/jscntxtinlines.h:389
    #8 0x7fbbce7756a2 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /src/js/src/jsinterp.cpp:2408
    #9 0x7fbbce761539 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /src/js/src/jsinterp.cpp:302
    #10 0x7fbbce7819a9 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /src/js/src/jsinterp.cpp:486
    #11 0x7fbbce9da1a6 in EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::StackFrame*, JS::Handle<JSObject*>) /src/js/src/builtin/Eval.cpp:280
    #12 0x7fbbce9da440 in js::DirectEval(JSContext*, JS::CallArgs const&) /src/js/src/builtin/Eval.cpp:330
    #13 0x7fbbce761539 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /src/js/src/jsinterp.cpp:302
    #14 0x7fbbce7819a9 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /src/js/src/jsinterp.cpp:486
    #15 0x7fbbce781d61 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/js/src/jsinterp.cpp:523
    #16 0x7fbbce683279 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /src/js/src/jsapi.cpp:5658
    #17 0x7fbbce683f93 in JS_EvaluateUCScriptForPrincipalsVersionOrigin /src/js/src/jsapi.cpp:5739
    #18 0x7fbbcc600137 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) /src/dom/base/nsJSEnvironment.cpp:1508
    #19 0x7fbbcc65caee in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /src/dom/base/nsGlobalWindow.cpp:9548
    #20 0x7fbbcc64c375 in nsGlobalWindow::RunTimeout(nsTimeout*) /src/dom/base/nsGlobalWindow.cpp:9809
    #21 0x7fbbcc65bf98 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /src/dom/base/nsGlobalWindow.cpp:10077
    #22 0x7fbbcd980ae4 in nsTimerImpl::Fire() /src/xpcom/threads/nsTimerImpl.cpp:473
    #23 0x7fbbcd981036 in nsTimerEvent::Run() /src/xpcom/threads/nsTimerImpl.cpp:559
    #24 0x7fbbcd977014 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:624
Thread T16 created by T0 here:
    #0 0x421645 in pthread_create ??:0
    #1 0x7fbbd2b7d7cd in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:393
    #2 0x7fbbd2b7d24b in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:476
    #3 0x7fbbcd975cd9 in nsThread::Init() /src/xpcom/threads/nsThread.cpp:323
    #4 0x7fbbcd979b88 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:215
==7499== ABORTING
Shadow byte and word:
  0x1ff7743400dd: fd
  0x1ff7743400d8: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff7743400b8: fa fa fa fa fa fa fa fa
  0x1ff7743400c0: fa fa fa fa fa fa fa fa
  0x1ff7743400c8: fa fa fa fa fa fa fa fa
  0x1ff7743400d0: fd fd fd fd fd fd fd fd
=>0x1ff7743400d8: fd fd fd fd fd fd fd fd
  0x1ff7743400e0: fd fd fd fd fd fd fd fd
  0x1ff7743400e8: fd fd fd fd fd fd fd fd
  0x1ff7743400f0: fa fa fa fa fa fa fa fa
  0x1ff7743400f8: fa fa fa fa fa fa fa fa
Component: General → Video/Audio
Keywords: sec-critical, testcase-wanted
Product: Firefox → Core
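An added triage helper, not code from this bug or from Mozilla, that parses the AddressSanitizer report above into the facts a reviewer wants at a glance: the access kind and size, which thread allocated, freed and then touched the object, the offset of the read inside the 240-byte region (which narrows it to one field of the MediaStream), and the first project frame of each stack once allocator/interceptor frames are skipped. The embedded report is an abbreviated copy of the one above; the function names and the cross-thread heuristic are my own.

```python
import re
# Abbreviated copy of the AddressSanitizer report from this bug (most stack frames trimmed).
REPORT = """==7499== ERROR: AddressSanitizer heap-use-after-free on address 0x7fbba1a006e8 at pc 0x7fbbcb890d42 bp 0x7fbb9b767200 sp 0x7fbb9b7671f8
READ of size 8 at 0x7fbba1a006e8 thread T16
    #0 0x7fbbcb890d42 in nsTArray_base<nsTArrayDefaultAllocator>::Length() const /src/../../../dist/include/nsTArray.h:192
    #1 0x7fbbcca9b370 in mozilla::MediaStream::Init() /src/content/media/MediaStreamGraph.cpp:1665
0x7fbba1a006e8 is located 104 bytes inside of 240-byte region [0x7fbba1a00680,0x7fbba1a00770)
freed by thread T16 here:
    #0 0x425a42 in free ??:0
    #1 0x7fbbcca9d84c in mozilla::MediaStream::Release() /src/../../dist/include/MediaStreamGraph.h:208
previously allocated by thread T0 here:
    #0 0x425b02 in __interceptor_malloc ??:0
    #2 0x7fbbcc494bfb in nsHTMLMediaElement::CaptureStreamInternal(bool) /src/content/html/content/src/nsHTMLMediaElement.cpp:1528
"""
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")
SECTION = {"free": re.compile(r"freed by thread T(\d+) here:"),
           "alloc": re.compile(r"previously allocated by thread T(\d+) here:")}

def parse_asan_report(text):
    """Extract error kind, access, offset within the object, thread ids and the three stacks."""
    lines = text.splitlines()
    m = re.search(r"AddressSanitizer (\S+) on address (0x[0-9a-f]+)", lines[0])
    info = {"kind": m.group(1), "address": m.group(2), "stacks": {"use": []}}
    m = re.match(r"(READ|WRITE) of size (\d+) at \S+ thread T(\d+)", lines[1])
    info["access"], info["size"], info["use_thread"] = m.group(1), int(m.group(2)), int(m.group(3))
    m = re.search(r"is located (\d+) bytes inside of (\d+)-byte region", text)
    info["offset"], info["object_size"] = int(m.group(1)), int(m.group(2))  # which field was read
    section = "use"
    for ln in lines[2:]:
        for name, rx in SECTION.items():  # section headers switch which stack we are filling
            if (m := rx.match(ln)):
                info[name + "_thread"], section, info["stacks"][name] = int(m.group(1)), name, []
        if (m := FRAME.match(ln)):
            info["stacks"][section].append((m.group(1), m.group(2)))  # (function, file:line)
    return info

def project_frames(frames):
    """Drop allocator/interceptor frames (no source location) so triage names project code."""
    return [func for func, loc in frames if not loc.startswith("??")]

def triage(info):
    """Summarise the lifetime bug: where the object was made, dropped and then touched."""
    s = info["stacks"]
    return {"kind": info["kind"],
            "alloc_site": project_frames(s["alloc"])[0],
            "free_site": project_frames(s["free"])[0],
            "use_path": project_frames(s["use"]),
            # made on one thread, released and touched on another: a cross-thread lifetime race
            "cross_thread": info["alloc_thread"] != info["free_thread"]}
```

For this report the summary shows the stream allocated on the main thread (T0) in CaptureStreamInternal, released on the graph thread (T16), and then read 104 bytes into the freed object from MediaStream::Init on that same thread.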
Provisionally assigning to Robert.
Assignee: nobody → roc
status-firefox17: --- → affected
Whiteboard: [asan]
Abhishek, have you found a testcase yet?

Comment 3

I had an extremely flaky repro that used to reproduce on my slow bots; I tested with trunk and it does not reproduce at all after tons of retries :) This bug used to hit once in a few days, but completely stopped for some time now. I think the MediaStreamGraph patches in https://bugzilla.mozilla.org/show_bug.cgi?id=779721 might have fixed it, since they landed a day later.

Comment 5

(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #4)
> So, WORKSFORME then?

Sounds good. Feel free to close the bug. Up to you if you want to consider the idea of merging back to branches, if any of those MediaStreamGraph patches correlate with the cause of this security bug.
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME

Group: core-security → core-security-release
Keywords: testcase-wanted
Group: core-security-release