Heap-buffer-overflow in mozilla::dom::OfflineDestinationNodeEngine::ProduceAudioBlock

RESOLVED FIXED in Firefox 24

Status

Core
Web Audio
--
critical
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: Atte Kettunen, Assigned: Away for a while)

Tracking

(4 keywords)

Version: unspecified
Target Milestone: mozilla24
Hardware: x86_64
OS: All
Keywords: crash, csectype-bounds, sec-critical, testcase
Points:
---
Bug Flags:
sec-bounty +
in-testsuite +

Firefox Tracking Flags

(firefox21 unaffected, firefox22 disabled, firefox23+ disabled, firefox24 fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [asan][adv-main24-])

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Created attachment 755290 [details]
Repro-file

Tested on:

OS: Ubuntu 12.04

Firefox:

ASAN opt-build https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369790612/

ASAN debug-build https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1369811142/

ASAN-report: (opt-build)

==31180== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f5b0d2405d0 at pc 0x7f5b27169492 bp 0x7f5b017a1330 sp 0x7f5b017a1328
READ of size 8 at 0x7f5b0d2405d0 thread T67
    #0 0x7f5b27169491 in mozilla::dom::OfflineDestinationNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/webaudio/AudioDestinationNode.cpp:67
0x7f5b0d2405d0 is located 0 bytes to the right of 16-byte region [0x7f5b0d2405c0,0x7f5b0d2405d0)
allocated by thread T67 here:
    #0 0x441520 in __interceptor_malloc ??:0
    #1 0x7f5b2e38d3a8 in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/memory/mozalloc/mozalloc.cpp:54
.
.
.

ASAN-report: (debug-build)

Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:734
ASAN:SIGSEGV
=================================================================
==31638== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe6a24dec7e sp 0x7fe673fe7d40 bp 0x7fe673fe7d50 T26)
AddressSanitizer can not provide additional info.
    #0 0x7fe6a24dec7d in nsTArray_Impl<void const*, nsTArrayInfallibleAllocator>::ElementAt(unsigned int) const /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/nsTArray.h:734
    #1 0x7fe6a256f05d in mozilla::dom::OfflineDestinationNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/webaudio/AudioDestinationNode.cpp:67
    #2 0x7fe6a24da4c8 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:425
    #3 0x7fe6a2541222 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, int, long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:937
    #4 0x7fe6a2541c6a in mozilla::MediaStreamGraphImpl::RunThread() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1038
    #5 0x7fe6a2550748 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1184
.
.
.
This is not reproducible anymore.

Tested with m-i changeset: 133183:1c67a51e0fe5
Oh, pardon. This one is still reproducible with m-i changeset: 133183:1c67a51e0fe5
Blocks: 779297
Severity: normal → critical
Keywords: crash, testcase
OS: Linux → All
Could you look at this, Ehsan?  Thanks.
Assignee: nobody → ehsan
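The shape of the report above (an 8-byte READ 0 bytes past a 16-byte region, and nsTArray's `i < Length()` assertion on an array of pointers) is what a per-channel loop produces when it trusts a configured channel count that is larger than the number of channel pointers the input chunk actually holds. The C++ below is a constructed model added here to illustrate that class of defect and a bounds-respecting copy; it is not Gecko's code and not the patch in attachment 755546, and the names `Chunk`, `StereoChunk`, `WouldReadPastInput` and `CopyBlock` are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <vector>

// Constructed model (not Gecko's code): a block of kBlockSize samples per
// channel, with a chunk holding one pointer per channel, standing in for
// the nsTArray<const void*> the report's ElementAt() frame refers to.
constexpr size_t kBlockSize = 128;

struct Chunk {
    std::vector<const float*> channelData;  // one entry per input channel
};

// Constructed sample input: a stereo chunk, i.e. two channel pointers
// (16 bytes of pointers on a 64-bit build, like the region in the report).
static float gLeft[kBlockSize] = {0.5f};
static float gRight[kBlockSize] = {-0.25f};
Chunk StereoChunk() { return Chunk{{gLeft, gRight}}; }

// True if the unchecked pattern  for (i = 0; i < configured; ++i)
// use(input.channelData[i])  would index past the end of the array.
// With two entries and configured == 3 the first bad index is 2: an
// 8-byte read starting 0 bytes past the region.
bool WouldReadPastInput(const Chunk& input, size_t configuredChannels) {
    return configuredChannels > input.channelData.size();
}

// Bounds-respecting copy: only channels the chunk actually carries are
// read; any configured channel the input lacks is emitted as silence
// instead of being read from a pointer slot that does not exist.
std::vector<std::vector<float>> CopyBlock(const Chunk& input,
                                          size_t configuredChannels) {
    std::vector<std::vector<float>> out(
        configuredChannels, std::vector<float>(kBlockSize, 0.0f));
    const size_t present =
        std::min(configuredChannels, input.channelData.size());
    for (size_t i = 0; i < present; ++i) {
        if (input.channelData[i] != nullptr) {  // null channel == silence
            std::memcpy(out[i].data(), input.channelData[i],
                        kBlockSize * sizeof(float));
        }
    }
    return out;
}
```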
(Assignee)

Updated

4 years ago
Attachment #755290 - Attachment mime type: text/plain → text/html
(Assignee)

Comment 4

4 years ago
Created attachment 755546 [details] [diff] [review]
Patch (v1)

I don't think there is any point in checking the testcase itself in.
Attachment #755546 - Flags: review?(roc)
Attachment #755546 - Flags: review?(roc) → review+
(Assignee)

Comment 5

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/06889c22f8c6
https://hg.mozilla.org/mozilla-central/rev/06889c22f8c6
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox24: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
(Reporter)

Comment 7

4 years ago
Did this bug have any security impact?
(In reply to Atte Kettunen from comment #7)
> Did this bug have any security impact?

Yes it did - I only forgot to set the necessary keywords here. Give it a day or two so that the right people can look into it. ;-)
Keywords: csec-bounds, sec-critical
(Assignee)

Comment 9

4 years ago
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
Flags: sec-bounty?
(In reply to Christoph Diehl [:cdiehl] from comment #8)
> (In reply to Atte Kettunen from comment #7)
> > Did this bug have any security impact?
> 
> Yes it did - I only forgot to set the necessary keywords here. Give it a day
> or two so that the right people can look into it. ;-)

Not much to do other than maybe port to Aurora. It is fixed on trunk.
status-firefox21: --- → unaffected
status-firefox22: --- → disabled
status-firefox23: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox23: --- → ?
Whiteboard: [asan]
Flags: sec-bounty? → sec-bounty+
Please nominate for uplift to aurora.
tracking-firefox23: ? → +
(Assignee)

Comment 13

4 years ago
Christoph, can you please check whether the bug is reproducible on Aurora?
Flags: needinfo?(cdiehl)
Yes, will do.
Flags: needinfo?(cdiehl)
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #13)
> Christoph, can you please check whether the bug is reproducible on Aurora?

I couldn't reproduce it against http://hg.mozilla.org/releases/mozilla-aurora/rev/7c1737dc2232
(Assignee)

Comment 16

4 years ago
Thanks!
status-firefox23: affected → unaffected
status-firefox23: unaffected → disabled
Whiteboard: [asan] → [asan][adv-main24-]
status-b2g18: --- → unaffected
Group: core-security