Closed
Bug 820990
Opened 12 years ago
Closed 12 years ago
WebRTC use-after-free crash [@mozilla::NrIceCtx::EmitAllCandidates]
Categories
(Core :: WebRTC: Networking, defect, P1)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox18 | --- | disabled |
| firefox19 | --- | disabled |
| firefox20 | + | fixed |
| firefox21 | --- | fixed |
| firefox22 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | disabled |
People
(Reporter: posidron, Assigned: ekr)
References
Details
(4 keywords, Whiteboard: [WebRTC] [blocking-webrtc+][asan][qa-][adv-main20-])
Attachments
(3 files, 4 obsolete files)
|
9.46 KB,
text/plain
|
Details | |
|
2.25 KB,
text/html
|
Details | |
|
1.57 KB,
patch
|
Details | Diff | Splinter Review |
alloc: ./media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:248
PeerConnectionImpl::PeerConnectionImpl()
: mRole(kRoleUnknown)
, mCall(NULL)
, mReadyState(kNew)
, mIceState(kIceGathering)
, mPCObserver(NULL)
, mWindow(NULL)
, mIdentity(NULL)
, mSTSThread(NULL)
, mMedia(new PeerConnectionMedia(this)) {
MOZ_ASSERT(NS_IsMainThread());
}
free: ./media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.h:349
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(PeerConnectionMedia)
re-use: ./media/mtransport/nricectx.cpp:377
SignalGatheringCompleted(this);
Tested with m:i changeset: 115815:ec65853affc8
|
Reporter | |
Comment 1•12 years ago
|
||
Perhaps it is important to mention that the sdp attribute for the offer in setLocalDescription() was empty. @rforbes SEED: 1355341643.91 Fault was detected on test 7
|
||
Updated•12 years ago
|
status-firefox17:
--- → unaffected
status-firefox18:
--- → disabled
status-firefox19:
--- → disabled
status-firefox20:
--- → affected
tracking-firefox20:
--- → +
|
|
Reporter | |
Comment 2•12 years ago
|
||
|
||
Updated•12 years ago
|
Assignee: nobody → ekr
Priority: -- → P1
Whiteboard: [WebRTC] [blocking-webrtc+]
|
||
Comment 3•12 years ago
|
||
(In reply to Christoph Diehl [:cdiehl] from comment #2) > Created attachment 692842 [details] > testcase Do you have any steps to perform with that testcase? I can't get my nightly on OS X to crash loading and reloading the testcase a couple of times.
Flags: in-testsuite?
|
|
Reporter | |
Comment 4•12 years ago
|
||
It's a use-after-free bug, you need an ASan build to catch it.
|
Assignee | |
Comment 5•12 years ago
|
||
I think this is a dup of: 822158. Let's revisit once that's fixed.
|
|
Reporter | |
Comment 6•12 years ago
|
||
(In reply to Eric Rescorla (:ekr) from comment #5) > I think this is a dup of: 822158. Let's revisit once that's fixed. 822158 would be the dup..
|
||
Updated•12 years ago
|
Whiteboard: [WebRTC] [blocking-webrtc+] → [WebRTC] [blocking-webrtc+][fuzzblocker]
|
|
||
Updated•12 years ago
|
Keywords: csec-uaf
Whiteboard: [WebRTC] [blocking-webrtc+][fuzzblocker] → [WebRTC] [blocking-webrtc+][fuzzblocker][asan]
|
|
Reporter | |
Comment 7•12 years ago
|
||
This bug needs some priority, we are crashing here almost on every testcase at this location. We are not able to make a step forward in fuzzing as long this isn't fixed.
|
||
Comment 8•12 years ago
|
||
(In reply to Christoph Diehl [:cdiehl] from comment #7) > This bug needs some priority, we are crashing here almost on every testcase > at this location. We are not able to make a step forward in fuzzing as long > this isn't fixed. We're prioritizing solving this and Bug 822158. We hope to have a solution soon.
|
|
Reporter | |
Comment 9•12 years ago
|
||
This got now fixed by the patch of bug 822158.
|
|
Reporter | |
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Whiteboard: [WebRTC] [blocking-webrtc+][fuzzblocker][asan] → [WebRTC] [blocking-webrtc+][fuzzblocker][asan][qa-]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [WebRTC] [blocking-webrtc+][fuzzblocker][asan][qa-] → [WebRTC] [blocking-webrtc+][asan][qa-]
|
|
||
Comment 12•11 years ago
|
||
|
|
||
Updated•11 years ago
|
Attachment #709605 -
Attachment is obsolete: true
|
|
||
Comment 13•11 years ago
|
||
|
|
||
Updated•11 years ago
|
Attachment #709607 -
Attachment is obsolete: true
|
|
||
Comment 14•11 years ago
|
||
|
|
||
Updated•11 years ago
|
Attachment #709608 -
Flags: review?(rjesup)
|
|
||
Comment 15•11 years ago
|
||
Comment on attachment 709608 [details] [diff] [review] Crashtest v1 One small nit I just saw...let me fix that
Attachment #709608 -
Attachment is obsolete: true
Attachment #709608 -
Flags: review?(rjesup)
|
|
||
Comment 16•11 years ago
|
||
|
|
||
Comment 17•11 years ago
|
||
Comment on attachment 709613 [details] [diff] [review] Crashtest v1 This time I got it right.
Attachment #709613 -
Flags: review?(rjesup)
|
|
||
Comment 18•11 years ago
|
||
Comment on attachment 709613 [details] [diff] [review] Crashtest v1 Actually I just realized what I did here won't work. Let me fix this again...
Attachment #709613 -
Attachment is obsolete: true
Attachment #709613 -
Flags: review?(rjesup)
|
|
||
Comment 19•11 years ago
|
||
|
|
||
Comment 20•11 years ago
|
||
Comment on attachment 709622 [details] [diff] [review] Crashtest v2 Now I think I got it right.
Attachment #709622 -
Flags: review?(rjesup)
|
|
||
Comment 21•11 years ago
|
||
Comment on attachment 709622 [details] [diff] [review] Crashtest v2 Review of attachment 709622 [details] [diff] [review]: ----------------------------------------------------------------- I don't see how this properly tests the ASAN-requiring bug here... How was this verified?
|
|
||
Comment 22•11 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #21) > Comment on attachment 709622 [details] [diff] [review] > Crashtest v2 > > Review of attachment 709622 [details] [diff] [review]: > ----------------------------------------------------------------- > > I don't see how this properly tests the ASAN-requiring bug here... How was > this verified? I reduced Christophl's test case to only execution path that was possible in the code, which is what this HTML test case in the crashtest is. When addStream was being called on a closed peer connection, an exception fires indicating that the stream is already closed. So nothing after v0.addStream(v5) ever executes in the test case shown. We also know the error callback never fires, so none of that code executes, so we remove that as well. The only possibility is that when this crash did happen, it happened in a situation such that addStream happened after the close in some weird race condition case. I guess I need more info on where the crash failed then.
|
|
||
Comment 23•11 years ago
|
||
Comment on attachment 709622 [details] [diff] [review] Crashtest v2 Removing review - I think more info is needed here to confirm where the crash was failing in the attached test case.
Attachment #709622 -
Flags: review?(rjesup)
|
|
||
Comment 24•11 years ago
|
||
Christophl - Can you provide some input at what point that the crash failed? I'm having some difficulty confirming if the crashtest I have falls in line with the crash filed here.
Flags: needinfo?(cdiehl)
|
|
Reporter | |
Comment 25•11 years ago
|
||
Hm, not sure where exactly the crash triggered, sorry. Note, that you will need an ASan build to reproduce this crash.
Flags: needinfo?(cdiehl)
|
||
Comment 26•11 years ago
|
||
Is this fixed by bug 822158? If so, please update the status-firefox20 flag to 'fixed', otherwise nominate additional fixes for uplift to branches.
|
|
||
Updated•11 years ago
|
status-b2g18:
--- → disabled
status-firefox21:
--- → fixed
status-firefox22:
--- → fixed
status-firefox-esr17:
--- → unaffected
|
||
Updated•11 years ago
|
Whiteboard: [WebRTC] [blocking-webrtc+][asan][qa-] → [WebRTC] [blocking-webrtc+][asan][qa-][adv-main20-]
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•