Closed Bug 813435 Opened 12 years ago Closed 12 years ago

Heap-use-after-free in mozilla::MediaDecoderStateMachine::StopAudioThread

Categories

(Core :: Audio/Video, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr17 18+ fixed
b2g18 --- fixed

People

(Reporter: inferno, Unassigned)

References

Details

(4 keywords, Whiteboard: [asan] fixed by 794426)

Attachments

(1 file)

321.79 KB, application/java-archive
Attached file Testcase
Reproduces on trunk if run on simultaneous firefox instances (like 12-15) (timing related)
=================================================================
==24793== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fbe8d1c2ab8 at pc 0x7fbed150c5c6 bp 0x7fffeab041b0 sp 0x7fffeab041a8
READ of size 8 at 0x7fbe8d1c2ab8 thread T0
    #0 0x7fbed150c5c5 in Enter src/../../dist/include/mozilla/ReentrantMonitor.h:71
    #1 0x7fbed150c5c5 in ~ReentrantMonitorAutoExit src/content/media/VideoUtils.h:60
    #2 0x7fbed150c5c5 in ~ReentrantMonitorAutoExit src/content/media/VideoUtils.h:59
    #3 0x7fbed150c5c5 in mozilla::MediaDecoderStateMachine::StopAudioThread() src/content/media/MediaDecoderStateMachine.cpp:1559
0x7fbe8d1c2ab8 is located 120 bytes inside of 240-byte region [0x7fbe8d1c2a40,0x7fbe8d1c2b30)
freed by thread T0 here:
    #0 0x426020 in __interceptor_free
    #1 0x7fbed14f0a76 in mozilla::MediaDecoder::Release() src/content/media/MediaDecoder.cpp:106
    #2 0x7fbed2cba232 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:221
    #3 0x7fbed2d82068 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:474
    #4 0x7fbed150c510 in mozilla::MediaDecoderStateMachine::StopAudioThread() src/content/media/MediaDecoderStateMachine.cpp:1558
previously allocated by thread T0 here:
    #0 0x4260e0 in malloc
    #1 0x7fbed6e35148 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
Shadow byte and word:
  0x1ff7d1a38557: fd
  0x1ff7d1a38550: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff7d1a38530: fa fa fa fa fa fa fa fa
  0x1ff7d1a38538: fa fa fa fa fa fa fa fa
  0x1ff7d1a38540: fa fa fa fa fa fa fa fa
  0x1ff7d1a38548: fd fd fd fd fd fd fd fd
=>0x1ff7d1a38550: fd fd fd fd fd fd fd fd
  0x1ff7d1a38558: fd fd fd fd fd fd fd fd
  0x1ff7d1a38560: fd fd fd fd fd fd fd fd
  0x1ff7d1a38568: fa fa fa fa fa fa fa fa
  0x1ff7d1a38570: fa fa fa fa fa fa fa fa
Stats: 653M malloced (602M for red zones) by 1191669 calls
Stats: 66M realloced by 70405 calls
Stats: 535M freed by 838501 calls
Stats: 500M really freed by 795436 calls
Stats: 357M (91608 full pages) mmaped in 678 calls
  mmaps   by size class: 7:315315; 8:102350; 9:18414; 10:12264; 11:9435; 12:3328; 13:1344; 14:2528; 15:304; 16:992; 17:468; 18:50; 19:37; 20:21; 21:2; 22:1;
  mallocs by size class: 7:743566; 8:286483; 9:56838; 10:33027; 11:42678; 12:8754; 13:6193; 14:5405; 15:924; 16:4873; 17:2672; 18:124; 19:103; 20:25; 21:3; 22:1;
  frees   by size class: 7:497847; 8:212678; 9:43393; 10:23153; 11:38569; 12:6380; 13:5544; 14:3020; 15:685; 16:4609; 17:2431; 18:88; 19:78; 20:23; 21:2; 22:1;
  rfrees  by size class: 7:470873; 8:202292; 9:41303; 10:22061; 11:37485; 12:5954; 13:5276; 14:2904; 15:636; 16:4109; 17:2380; 18:74; 19:66; 20:22; 21:1;
Stats: malloc large: 8725 small slow: 15650
==24793== ABORTING
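The trace above has a recognisable shape: StopAudioThread holds the decoder's reentrant monitor, a ReentrantMonitorAutoExit guard exits it for the duration of nsThread::Shutdown(), Shutdown() spins a nested event loop that runs MediaDecoder::Release() and frees the decoder (the monitor is embedded in it, 120 bytes into the freed 240-byte region), and the guard's destructor then re-enters the freed monitor. The following is an added, constructed C++ model of that shape, not Mozilla code and not the fix from bug 794426: Monitor, Owner, AutoExit, ShutdownThread and RunStopAudioThread are stand-ins for the real types, and the weak_ptr inside AutoExit is an instrument so the model can report "owner already freed" instead of actually reading freed memory. The hardened path shows one illustrative mitigation, taking a strong reference for the duration of the blocking call.

```cpp
#include <deque>
#include <functional>
#include <iostream>
#include <memory>

// Constructed model (not Mozilla code) of the pattern in the ASan trace:
// a monitor embedded in a refcounted object, an RAII guard that exits the
// monitor around a blocking call and re-enters it in its destructor, and a
// thread shutdown that drains pending events, one of which drops the last
// reference to the object that owns the monitor.

struct Monitor {
    int depth = 0;               // re-entrancy count; stands in for the real lock
    void Enter() { ++depth; }
    void Exit()  { --depth; }
};

// Stand-in for the decoder: the monitor is a member, so freeing the owner
// frees the monitor with it.
struct Owner {
    Monitor mon;
};

// Stand-in for ReentrantMonitorAutoExit. It keeps only a raw pointer to the
// monitor, which is the hazard. The weak_ptr is added so this model can detect
// "owner already freed" instead of touching freed memory.
struct AutoExit {
    Monitor* mon;
    std::weak_ptr<Owner> ownerAlive;
    bool* wouldUseAfterFree;

    AutoExit(const std::shared_ptr<Owner>& owner, bool* flag)
        : mon(&owner->mon), ownerAlive(owner), wouldUseAfterFree(flag) {
        mon->Exit();
    }
    ~AutoExit() {
        if (ownerAlive.expired()) {   // the real guard would re-enter here: UAF
            *wouldUseAfterFree = true;
            return;
        }
        mon->Enter();
    }
};

using Event = std::function<void()>;

// Stand-in for nsThread::Shutdown(): spins a nested event loop until the
// queue is empty. Anything queued runs here, including release of the owner.
void ShutdownThread(std::deque<Event>& queue) {
    while (!queue.empty()) {
        Event e = std::move(queue.front());
        queue.pop_front();
        e();
    }
}

// Stand-in for StopAudioThread(). With holdStrongRef == false the routine
// relies on the reference it was handed, which the nested loop can drop; with
// holdStrongRef == true it takes its own strong reference for the duration of
// the call (illustrative mitigation, not necessarily what bug 794426 does).
// Returns true if ~AutoExit would have re-entered a freed monitor.
bool RunStopAudioThread(bool holdStrongRef) {
    auto owner = std::make_shared<Owner>();
    std::deque<Event> queue;
    // Pending event equivalent to MediaDecoder::Release() in the trace: in the
    // unprotected case this drops the last reference.
    queue.push_back([&owner]() { owner.reset(); });

    bool uaf = false;
    std::shared_ptr<Owner> grip;
    if (holdStrongRef) {
        grip = owner;            // keeps the monitor's owner alive across Shutdown
    }

    owner->mon.Enter();          // hold the monitor, as the state machine does
    {
        AutoExit exitGuard(owner, &uaf);
        ShutdownThread(queue);   // nested loop runs the Release event
    }                            // ~AutoExit re-enters (or would, on freed memory)

    if (!uaf) {
        grip->mon.Exit();        // balance the Enter; grip is set whenever !uaf
    }
    return uaf;
}

int main() {
    std::cout << "unprotected: use-after-free=" << RunStopAudioThread(false) << "\n";
    std::cout << "strong ref : use-after-free=" << RunStopAudioThread(true) << "\n";
    return 0;
}
```

The general lesson is the one ASan is pointing at: any RAII guard that re-acquires a lock owned by `this` is unsafe around a call that can run arbitrary events (thread shutdown, synchronous dispatch, a nested event loop), unless something guarantees `this` outlives the call. Under ASan the unprotected path shows up exactly as the heap-use-after-free above, with the free on the Release() frame inside Shutdown().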
Fwiw, I can't reproduce it in a local Linux64 debug ASAN build.
Severity: normal → critical
Component: General → Video/Audio
Keywords: crash, testcase
Product: Firefox → Core
Whiteboard: [asan]
(In reply to Mats Palmgren [:mats] from comment #1)
> Fwiw, I can't reproduce it in a local Linux64 debug ASAN build.

It reproduces reliably on two of my physical boxes when run with like 14 instances on a -O2 optimized release build. It was giving me trouble on a -O1 build, so it does not surprise me that an even slower debug build is not reproducing. Some of the instances crash on a null as well.
Attachment #683444 - Attachment mime type: application/x-zip-compressed → application/java-archive
Going to call this sec-high rather than sec-critical only because it appears to require getting the timing right in order to trigger.
Keywords: sec-high
Can we get this assigned to someone to work on? There hasn't been real activity in a month here.
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #5)
> The patch in bug 794426 might fix this.

If you can cc me on that bug, I can help to verify the patch (since Mats was having trouble reproducing this).
Verified on trunk (which has the fix) that this testcase does not crash.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Depends on: 794426
Whiteboard: [asan] → [asan] fixed by 794426
Flags: sec-bounty? → sec-bounty-
Bounty non-qual because it was fixed by an earlier security bug's fix.
Group: core-security → core-security-release
Group: core-security-release