Closed
Bug 824971
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in mozilla::MediaInputPort::Disconnect
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox18 | --- | wontfix |
| firefox19 | - | wontfix |
| firefox20 | + | wontfix |
| firefox21 | + | unaffected |
| firefox22 | --- | unaffected |
| firefox-esr17 | --- | affected |
People
(Reporter: inferno, Assigned: roc)
Details
(Keywords: csectype-uaf, reporter-external, sec-critical, Whiteboard: [asan][fix-window-wanted])
Attachments
(2 files)
Reproduces on trunk. Just need to wait like 10-15 sec for the crash to happen.
>==2645== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fd213057680 at pc 0x7fd23d050cc2 bp 0x7fd2079f6620 sp 0x7fd2079f6618
>READ of size 8 at 0x7fd213057680 thread T33
> #0 0x7fd23d050cc1 in mozilla::MediaInputPort::Disconnect() src/content/media/MediaStreamGraph.cpp:2139
> #1 0x7fd23d05efcc in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() src/content/media/MediaStreamGraph.cpp:1531
> #2 0x7fd23e913c32 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:237
> #3 0x7fd23e9d8dbc in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:265
> #4 0x7fd2446f375c in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:156
> #5 0x415f3a in __asan::AsanThread::ThreadStart()
>0x7fd213057680 is located 0 bytes inside of 224-byte region [0x7fd213057680,0x7fd213057760)
>freed by thread T0 here:
> #0 0x411232 in __interceptor_free
> #1 0x7fd23d06fdfa in Release src/content/media/MediaStreamGraph.h:255
> #2 0x7fd23d06fdfa in ~nsRefPtr src/../../dist/include/nsAutoPtr.h:876
> #3 0x7fd23d06fdfa in ~nsRefPtr src/../../dist/include/nsAutoPtr.h:874
> #4 0x7fd23d06fdfa in ~OutputStreamData src/content/media/MediaDecoder.h:385
> #5 0x7fd23d06fdfa in ~OutputStreamData src/content/media/MediaDecoder.h:385
> #6 0x7fd23d06fdfa in Destruct src/../../dist/include/nsTArray.h:432
> #7 0x7fd23d06fdfa in DestructRange src/../../dist/include/nsTArray.h:1297
> #8 0x7fd23d06fdfa in nsTArray_Impl<mozilla::MediaDecoder::OutputStreamData, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:1017
>previously allocated by thread T0 here:
> #0 0x411312 in malloc
> #1 0x7fd242b8d148 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>Thread T33 created by T0 here:
> #0 0x40d294 in __interceptor_pthread_create
> #1 0x7fd2446ef9ef in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fd2446ef44a in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fd23e9d9db9 in nsThread::Init() src/xpcom/threads/nsThread.cpp:331
>Shadow bytes around the buggy address:
> 0x1ffa4260ae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ffa4260ae90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ffa4260aea0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ffa4260aeb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ffa4260aec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1ffa4260aed0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ffa4260aee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ffa4260aef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ffa4260af00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ffa4260af10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ffa4260af20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap righ redzone: fb
> Freed Heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> ASan internal: fe
>Stats: 564M malloced (457M for red zones) by 577792 calls
>Stats: 53M realloced by 30247 calls
>Stats: 518M freed by 442226 calls
>Stats: 475M really freed by 416400 calls
>Stats: 319M (319M-0M) mmaped; 590 maps, 0 unmaps
> mmaps by size class: 8:165807; 9:21483; 10:6643; 11:7905; 12:1664; 13:2432; 14:2368; 15:256; 16:776; 17:460; 18:36; 19:36; 20:33; 21:4;
> mallocs by size class: 8:454528; 9:53836; 10:13671; 11:26416; 12:3999; 13:9684; 14:10353; 15:755; 16:2638; 17:1636; 18:111; 19:47; 20:114; 21:4;
> frees by size class: 8:338453; 9:43056; 10:9572; 11:24217; 12:2825; 13:9276; 14:9827; 15:613; 16:2534; 17:1614; 18:92; 19:44; 20:100; 21:3;
> rfrees by size class: 8:319051; 9:40842; 10:8940; 11:23374; 12:2613; 13:8183; 14:8642; 15:584; 16:2360; 17:1596; 18:85; 19:43; 20:84; 21:3;
>Stats: malloc large: 5305 small slow: 14753
>==2645== ABORTING
>
|
Reporter | |
Comment 1•12 years ago
|
||
Splitting archive because of 4 MB attachment limit
|
|
Reporter | |
Comment 2•12 years ago
|
||
Component: General → Video/Audio
Product: Firefox → Core
|
||
Updated•12 years ago
|
Whiteboard: [asan]
|
||
Comment 3•12 years ago
|
||
Guessing sec-critical. Hoping Chris can take a look.
Assignee: nobody → cpearce
Keywords: csec-uaf,
sec-critical
|
||
Comment 5•12 years ago
|
||
Roc: is this bug on old branches as well or in new code?
status-firefox21:
--- → affected
tracking-firefox21:
--- → +
Flags: needinfo?(roc)
Keywords: regressionwindow-wanted
|
Assignee | |
Comment 6•12 years ago
|
||
Goes back to 19 at least.
I couldn't reproduce on a regular Windows build. I need to try it in a Linux ASAN build.
Flags: needinfo?(roc)
|
|
Reporter | |
Comment 7•12 years ago
|
||
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #6)
> Goes back to 19 at least.
>
> I couldn't reproduce on a regular Windows build. I need to try it in a Linux
> ASAN build.
Just checked, it reproduces on trunk easily with linux asan build.
|
|
||
Comment 8•12 years ago
|
||
Matt agreed to try to find a regression window here. Tacking a needinfo on.
Flags: needinfo?(mwobensmith)
|
|
||
Updated•12 years ago
|
status-firefox19:
--- → affected
status-firefox20:
--- → affected
tracking-firefox19:
--- → -
tracking-firefox20:
--- → +
|
||
Comment 9•12 years ago
|
||
This crash happens even on a non-ASan build (Mac) with 17.0.2 ESR and 18.0.1 release.
Happy to run on ASan builds of the above, but I think we can confirm comment 5 and comment 6 with this information.
Flags: needinfo?(mwobensmith)
|
|
||
Updated•12 years ago
|
status-firefox18:
--- → wontfix
status-firefox-esr17:
--- → affected
|
||
Comment 10•12 years ago
|
||
Too late for 19b6, we'll keep tracking for 20.
|
|
Assignee | |
Comment 11•12 years ago
|
||
I cannot reproduce this on trunk with a Linux ASAN build.
|
|
Reporter | |
Comment 12•12 years ago
|
||
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #11)
> I cannot reproduce this on trunk with a Linux ASAN build.
Verified that it does not reproduce anymore on trunk. Previously it did however reproduce reliably, also confirmed by Matt in c#9.
|
|
||
Comment 13•12 years ago
|
||
Matt, please figure out which releases are still affected (20, 21?).
Flags: needinfo?(mwobensmith)
|
|
||
Comment 14•12 years ago
|
||
Haven't tried Linux, but on Mac, today's builds:
- ASan m-c 22.0a1 - assertion/errors - no crash
- Aurora 21.0a2 debug - no crash
- Beta 20.0 debug - crash
We don't have ASan builds for every release, but I hope this is helpful. I'm happy to do more of a deep dive on any release if need be.
More details below.
ASan m-c 22.0a1 2013-02-28:
WARNING: Load group requested for media element in inactive document.: file /builds/slave/try-osx64-double-000000000000000000/build/content/html/content/src/nsHTMLMediaElement.cpp, line 3365
WARNING: have unconstrained width; this should only result from very large sizes, not attempts at intrinsic width calculation: '(mFrameType == NS_CSS_FRAME_TYPE_INLINE && !frame->IsFrameOfType(nsIFrame::eReplaced)) || type == nsGkAtoms::textFrame || mComputedWidth != NS_UNCONSTRAINEDSIZE', file /builds/slave/try-osx64-double-000000000000000000/build/layout/generic/nsHTMLReflowState.cpp, line 377
###!!! ASSERTION: Our containing block must not have unconstrained width!: 'aCBSize.width != NS_UNCONSTRAINEDSIZE', file /builds/slave/try-osx64-double-000000000000000000/build/layout/base/nsLayoutUtils.cpp, line 3174
nsLineLayout: HTMLVideo(video)(0)@0x142942940 metrics=1073741824,60!
WARNING: Overflowed nscoord_MAX in conversion to nscoord width: file ../../dist/include/nsRect.h, line 131
Aurora 21.0a2 debug 2013-02-28:
No crash.
Beta 20.0 debug 2013-02-28:
Crash:
https://crash-stats.mozilla.com/report/index/2c88b193-5be3-4512-90f2-d14a52130228
Flags: needinfo?(mwobensmith)
|
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 15•12 years ago
|
||
I guess one of our other fixes fixed this.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
|
||
Comment 16•12 years ago
|
||
sometime between 20 and 21 this got fixed. We need to identify that fix if we can and see if it's appropriate to backport to ESR-17 and the b2g18 branch.
Flags: needinfo?(mwobensmith)
Keywords: regressionwindow-wanted
Whiteboard: [asan] → [asan][fix-window-wanted]
|
|
||
Comment 17•12 years ago
|
||
I'm still working on this, but an update.
This crash is intermittent and can be hard to reproduce. It often takes a few tries on a given build to see a crash - anywhere between 30 seconds and 10 minutes until the crash occurs. Or, sometimes not at all.
All builds of 19 appear to be affected - including current release - as well as 20.
I'm still spending time on 21/22 to see if they are affected. Currently they seem not to be, but will update once I've gotten sufficient coverage.
Flags: needinfo?(mwobensmith)
|
|
||
Updated•12 years ago
|
|
||
Comment 18•12 years ago
|
||
If a fix-window proves to be too difficult to find, we'll likely wontfix entirely for ESR.
|
|
||
Comment 19•12 years ago
|
||
Well, in summary, it appears that all builds of 19/20 are affected, and no builds of 21/22 appear to be.
I'm not sure that makes sense to me, but after spending a lot of time on it, that's all I can come up with.
|
|
||
Comment 20•12 years ago
|
||
dveditz - do you agree with wontfixing for ESR17 based upon comment 18 and comment 19? Presumably we wouldn't open this bug up until ESR24 in that case.
Flags: needinfo?(dveditz)
|
|
||
Comment 21•12 years ago
|
||
That approach troubles me. Not so much about ESR given the lack of use, but if we don't know what fixed it there may not, in fact, be a fix. This particular testcase could just be masked.
I guess we just have to hope that if it's still lurking the fuzzers will pop it out on another testcase.
Jesse: does your fuzzer exercise MediaInputPort?
Flags: sec-bounty-
Flags: needinfo?(jruderman)
Flags: needinfo?(dveditz)
|
||
Comment 22•12 years ago
|
||
I don't know. Might improve when cdiehl and I merge his code into my DOM fuzzer.
Flags: needinfo?(jruderman)
|
||
Comment 23•12 years ago
|
||
Dropping QAWANTED since we've been unable to find a fix range narrower than what's indicated in comment 19 after considerable effort. Matt is still free to work on this bug as he chooses but I don't see much benefit in keeping this bug on QA's release tracking queue.
Keywords: qawanted
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•