Closed Bug 805279 Opened 12 years ago Closed 12 years ago

WebRTC crash [@webrtc::Trace::Add]

Categories

(Core :: WebRTC, defect)

Product:
Core
Component:
WebRTC
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla19
Tracking Flags:
Tracking Status
firefox18 --- disabled
firefox19 --- verified
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Unassigned)

References

Details

(Keywords: crash, sec-low, testcase, Whiteboard: [asan][qa-][adv-main19-])

Attachments

(3 files)

testcase
1.11 KB, text/html
Details
callstack
6.07 KB, text/plain
Details
make sure we pass values for formatted log messages
1.43 KB, patch
derf
: review+
dveditz
: sec-approval+
Details | Diff | Splinter Review
Attached file testcase 
      No description provided.
Attached file callstack 

    
    

    
  
Bug is in upstream code at video_capture_qtkit.mm:154

        WEBRTC_TRACE(webrtc::kTraceError, webrtc::kTraceVideoCapture, _id,
                     "Failed to set capture device %s (unique ID %s) even "
                     "though it was a valid return from "
                     "VideoCaptureMacQTKitInfo");

Note the two %s's but no parameters for them.

Mild security risk (leak of info from random memory).  log routine uses vsnprintf() so it won't copy past the end of the buffer.  sec-low I'd think.
Group: core-security

    
    

    
  
My internal voice said look at the printf() function but then only noticed 0x000000000070 and figured this won't be also a format string issue in 2012.

Shouldn't this have been popped up in a static code analyzer?

    
    

    
  
@decoder: There are some ObjC files present in WebRTC and I am not sure how your MacOS situation is - perhaps we might miss some bugs here.

        Attachment #674989 -
        Flags: review?(tterribe)

    
    

    
  
Comment on attachment 674989 [details] [diff] [review]
make sure we pass values for formatted log messages

This problem also still exists upstream. Please file an issue with them.

        Attachment #674989 -
        Flags: review?(tterribe) → review+

    
    

    
  
Issue 1002 in their tracker, soon to be made hidden

    
    

    
  
Comment on attachment 674989 [details] [diff] [review]
make sure we pass values for formatted log messages

[Security approval request comment]
How easily can the security issue be deduced from the patch?
Trivially, though the testcase may not be obvious.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes

Which older supported branches are affected by this flaw?
17, 18 - though webrtc is preffed off by default in both.

If not all supported branches, which bug introduced the flaw?
WebRTC checkin and turning the build pref on.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No special backport needed, trivial to apply.
Only is an issue if the user turns on the pref, and you can force the device open to fail (which might just be possible; see the testcase).

How likely is this patch to cause regressions; how much testing does it need?
Nil likelihood of regressions.

        Attachment #674989 -
        Flags: sec-approval?

    
    

    
  
Christoph, the testcase you provided here is it a shutdown crash for you?

    
    

    
  
(In reply to Henrik Skupin (:whimboo) from comment #9)
> Christoph, the testcase you provided here is it a shutdown crash for you?

Do you mean if the crash happens while you shutdown Firefox? No. 
Although it takes a few seconds till you get the crash.
I also wasn't able to reproduce it without the onconnection event handlers.

Can not reproduce this anymore with m-c changeset: 111360:58c8080a1a7c

    
    

    
  
(In reply to Randell Jesup [:jesup] from comment #3)
> Mild security risk (leak of info from random memory).  log routine uses
> vsnprintf() so it won't copy past the end of the buffer.  sec-low I'd think.

The log isn't available to web content, is it? If not then it's not even a potential memory leak. sec-approval+

          status-firefox-esr10:
          --- → unaffected

          status-firefox19:
          --- → affected
Keywords: sec-low

        Attachment #674989 -
        Flags: sec-approval? → sec-approval+

    
    

    
  
(In reply to Christoph Diehl [:cdiehl] from comment #10)
> Do you mean if the crash happens while you shutdown Firefox? No. 
> Although it takes a few seconds till you get the crash.
> I also wasn't able to reproduce it without the onconnection event handlers.
> 
> Can not reproduce this anymore with m-c changeset: 111360:58c8080a1a7c

For me it only crashed on shutdown. I let the testcase run for a couple of minutes before. Interesting.

    
    

    
  
Just tested again and the browser crashes on shutdown after I run the testcase once.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8e03750d5434
Status: NEW → RESOLVED
Closed: 12 years ago

          status-firefox19:
          affectedfixed
Resolution: --- → FIXED
Keywords: verifyme

    
    

    
  
Once verified this should be uplifted to Aurora/18

    
    

    
  
Verified on trunk 11/1 by running the test case attached a few times to make sure no crash happens.
Status: RESOLVED → VERIFIED

          status-firefox19:
          fixedverified
Keywords: verifyme
Flags: in-testsuite?

    
    

    
  
Tried to reproduce the crash to get a crashtest for this on the 10/24 build - I'm not getting a crash.
Flags: in-testsuite?

    
    

    
  
Are you using an ASan enabled build?

    
    

    
  
(In reply to Christoph Diehl [:cdiehl] from comment #19)
> Are you using an ASan enabled build?

Ah, that would explain why I can't reproduce this. Are our mochitests ran against asan builds?
Whiteboard: [asan]

    
    

    
  
No; so far as I know, we have no good way to automate asan tests (and due to CPU use we might not even if the were possible).

    
    

    
  
(In reply to Jason Smith [:jsmith] from comment #20)

> 
> Ah, that would explain why I can't reproduce this. Are our mochitests ran
> against asan builds?

If your mochitests are part of the regular mozilla-central tree, then they are pushed to try at least once a day on Linux 64 bit with ASan enabled.
Flags: in-testsuite?
Status: VERIFIED → RESOLVED
Closed: 12 years ago12 years ago
Whiteboard: [asan] → [asan][qa-]

    
    

    
  
How is status 18 "affected" when this is pref'd off? We mark these as "disabled" for that status.

          status-firefox18:
          affecteddisabled
Whiteboard: [asan][qa-] → [asan][qa-][adv-main19-]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: