Closed Bug 876273 Opened 11 years ago Closed 11 years ago

WebAudio use-after-free crash [@mozilla::::MediaStreamGraphShutDownRunnable::Run]

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox22 --- disabled
firefox23 - disabled
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ehsan.akhgari)

References

Details

(Keywords: crash, csectype-uaf, sec-critical, Whiteboard: [adv-main24-])

Attachments

(2 files)

callstack
7.76 KB, text/plain
Details
Patch (v1)
1.46 KB, patch
roc
: review+
Details | Diff | Splinter Review
Attached file callstack 
This crash is very similar to bug 875221 but it happened while processing different Audio node objects - see frame #6 in the stack of alloc and free. The re-use condition differs here too.


alloc: ./content/media/webaudio/AudioDestinationNode.cpp:188

AudioDestinationNode::AudioDestinationNode(AudioContext* aContext,
                                           bool aIsOffline,
                                           uint32_t aNumberOfChannels,
                                           uint32_t aLength,
                                           float aSampleRate)
[...]
  MediaStreamGraph* graph = aIsOffline ?
*                           MediaStreamGraph::CreateNonRealtimeInstance() :
                            MediaStreamGraph::GetInstance();


free: ./content/media/MediaStreamGraph.cpp:1525

void
MediaStream::Destroy()
{
[...]
*  GraphImpl()->AppendMessage(new Message(this));
[...]
}


re-use: ./content/media/MediaStreamGraph.cpp:1199

class MediaStreamGraphShutDownRunnable : public nsRunnable {
public:
  MediaStreamGraphShutDownRunnable(MediaStreamGraphImpl* aGraph) : mGraph(aGraph) {}
  NS_IMETHOD Run()
  {
    NS_ASSERTION(mGraph->mDetectedNotRunning,
                 "We should know the graph thread control loop isn't running!");

*   mGraph->ShutdownThreads();
[...]


Tested with m-i changeset: 132982:ce25da24ba1c
I have a dollar here which says this is a dupe of bug 875221.  :-)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
The fuzzer is still hitting this crash.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
I owe you a dollar then.  :-)
Keywords: testcase-wanted
So this crash is caused because we start to use the code in MediaStreamGraphShutDownRunnable to delete the graph, but then we end up in the case where the last media stream is deleted and so we delete the graph, and later on when we get to run MediaStreamGraphShutDownRunnable the graph is already deleted.

roc, what is the reliable condition to check for if I want to know which one of the shutdown paths will be taken by the graph?
Flags: needinfo?(roc)
I think in MediaStreamGraphImpl::AppendMessage, the check for IsEmpty() should also check mLifecycleState >= LIFECYCLE_WAITING_FOR_STREAM_DESTRUCTION before deleting the graph.
Flags: needinfo?(roc)
Attached patch Patch (v1)Splinter Review 
You're right!
Assignee: nobody → ehsan
Status: REOPENED → ASSIGNED
Attachment #756092 - Flags: review?(roc)
https://hg.mozilla.org/mozilla-central/rev/08523c04d61a
Status: ASSIGNED → RESOLVED
Closed: 11 years ago11 years ago
status-firefox24: affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
No longer tracking for FF23
tracking-firefox23: +-
Whiteboard: [adv-main24-]
Group: core-security
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: