Closed Bug 883938 Opened 8 years ago Closed 8 years ago

ASAN heap-use-after-free in mozilla::StreamBuffer::FindTrack

Categories

(Core :: Web Audio, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 883591

People

(Reporter: nils, Unassigned)

Details

(4 keywords, Whiteboard: [asan][sg:dupe 883591][blocking-webaudio-])

Attachments

(1 file)

The attached testcase crashes Firefox nightly with the following ASAN output:

=================================================================
==52600== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f98c4117860 at pc 0x7f98e1d674e4 bp 0x7f98cd3ca240 sp 0x7f98cd3ca238
READ of size 8 at 0x7f98c4117860 thread T22
    #0 0x7f98e1d674e3 in nsTArray_base<nsTArrayInfallibleAllocator>::Length() const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsTArray.h:363:0
    #1 0x7f98e1d674e3 in mozilla::StreamBuffer::FindTrack(int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/StreamBuffer.cpp:54:0
    #2 0x7f98e1db515d in mozilla::dom::MediaStreamDestinationEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/webaudio/MediaStreamAudioDestinationNode.cpp:45:0
0x7f98c4117860 is located 32 bytes inside of 368-byte region [0x7f98c4117840,0x7f98c41179b0)
freed by thread T22 here:
    #0 0x441570 in __interceptor_free ??:?
    #1 0x7f98e1d5db49 in mozilla::MediaStream::Release() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.h:262:0
    #2 0x7f98e1d5db49 in ~nsRefPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsAutoPtr.h:880:0
    #3 0x7f98e1d5db49 in ~nsRefPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsAutoPtr.h:878:0
    #4 0x7f98e1d5db49 in nsTArrayElementTraits<nsRefPtr<mozilla::MediaStream> >::Destruct(nsRefPtr<mozilla::MediaStream>*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsTArray.h:526:0
    #5 0x7f98e1d5db49 in nsTArray_Impl<nsRefPtr<mozilla::MediaStream>, nsTArrayInfallibleAllocator>::DestructRange(unsigned int, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsTArray.h:1393:0
    #6 0x7f98e1d5db49 in nsTArray_Impl<nsRefPtr<mozilla::MediaStream>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsTArray.h:1110:0
previously allocated by thread T0 here:
    #0 0x441630 in malloc ??:?
    #1 0x7f98e90813a8 in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/memory/mozalloc/mozalloc.cpp:54:0
Thread T22 created by T0 here:
    #0 0x43d834 in __interceptor_pthread_create ??:?
    #1 0x7f98eaa6cc13 in _PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/nsprpub/pr/src/pthreads/ptthread.c:444:0
    #2 0x7f98eaa6c6e7 in PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/nsprpub/pr/src/pthreads/ptthread.c:527:0
Shadow byte and word:
  0x1ff318822f0c: fd
  0x1ff318822f08: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff318822ee8: fa fa fa fa fa fa fa fa
  0x1ff318822ef0: fa fa fa fa fa fa fa fa
  0x1ff318822ef8: fa fa fa fa fa fa fa fa
  0x1ff318822f00: fa fa fa fa fa fa fa fa
=>0x1ff318822f08: fd fd fd fd fd fd fd fd
  0x1ff318822f10: fd fd fd fd fd fd fd fd
  0x1ff318822f18: fd fd fd fd fd fd fd fd
  0x1ff318822f20: fd fd fd fd fd fd fd fd
  0x1ff318822f28: fd fd fd fd fd fd fd fd
Stats: 669M malloced (622M for red zones) by 1647305 calls
Stats: 110M realloced by 172786 calls
Stats: 629M freed by 1436803 calls
Stats: 593M really freed by 1342673 calls
Stats: 250M (64157 full pages) mmaped in 492 calls
  mmaps   by size class: 7:257985; 8:128961; 9:31713; 10:11242; 11:7140; 12:2944; 13:2880; 14:704; 15:496; 16:672; 17:212; 18:28; 19:8; 20:4; 21:1;
  mallocs by size class: 7:882003; 8:486267; 9:116492; 10:60848; 11:47682; 12:19408; 13:21786; 14:5730; 15:2438; 16:2558; 17:2013; 18:53; 19:17; 20:9; 21:1;
  frees   by size class: 7:750499; 8:435578; 9:98916; 10:55368; 11:44842; 12:18281; 13:21019; 14:5537; 15:2250; 16:2446; 17:2003; 18:45; 19:13; 20:9;
  rfrees  by size class: 7:707172; 8:402585; 9:88776; 10:52163; 11:42596; 12:17541; 13:20244; 14:5257; 15:2033; 16:2340; 17:1909; 18:40; 19:9; 20:8;
Stats: malloc large: 7089 small slow: 26778
==52600== ABORTING
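As an added triage helper, not part of this bug or of Mozilla's tooling: a small Python parser that pulls the facts a security triager reads first out of an ASAN heap-use-after-free report like the one above (bad access and its size, the frames that performed it, where the object was freed and allocated, and whether those happened on the same thread). The sample input is a constructed, trimmed copy of this bug's report with the `/builds/slave/...` prefixes shortened to `/builds/...` and free-stack frames #2-#5 omitted; the class and function names are my own, not anything from the Firefox tree.

```python
"""Triage helper for AddressSanitizer heap-use-after-free reports (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the report in this bug. Build paths are
# shortened to /builds/... and free-stack frames #2-#5 are left out.
SAMPLE_REPORT = """\
==52600== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f98c4117860 at pc 0x7f98e1d674e4 bp 0x7f98cd3ca240 sp 0x7f98cd3ca238
READ of size 8 at 0x7f98c4117860 thread T22
    #0 0x7f98e1d674e3 in nsTArray_base<nsTArrayInfallibleAllocator>::Length() const /builds/.../nsTArray.h:363:0
    #1 0x7f98e1d674e3 in mozilla::StreamBuffer::FindTrack(int) /builds/.../StreamBuffer.cpp:54:0
    #2 0x7f98e1db515d in mozilla::dom::MediaStreamDestinationEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/.../MediaStreamAudioDestinationNode.cpp:45:0
0x7f98c4117860 is located 32 bytes inside of 368-byte region [0x7f98c4117840,0x7f98c41179b0)
freed by thread T22 here:
    #0 0x441570 in __interceptor_free ??:?
    #1 0x7f98e1d5db49 in mozilla::MediaStream::Release() /builds/.../MediaStreamGraph.h:262:0
    #6 0x7f98e1d5db49 in nsTArray_Impl<nsRefPtr<mozilla::MediaStream>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) /builds/.../nsTArray.h:1110:0
previously allocated by thread T0 here:
    #0 0x441630 in malloc ??:?
    #1 0x7f98e90813a8 in moz_xmalloc /builds/.../mozalloc.cpp:54:0
Thread T22 created by T0 here:
    #0 0x43d834 in __interceptor_pthread_create ??:?
==52600== ABORTING
"""

@dataclass
class Frame:
    index: int
    function: str
    location: str

@dataclass
class AsanReport:
    error_kind: str = ""
    address: str = ""
    access: str = ""          # READ or WRITE
    access_size: int = 0
    access_thread: str = ""
    free_thread: str = ""
    alloc_thread: str = ""
    offset_in_region: Optional[int] = None
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

_HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
_REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
_FREED = re.compile(r"^freed by thread (T\d+) here:")
_ALLOC = re.compile(r"^previously allocated by thread (T\d+) here:")
_END = re.compile(r"^(Thread T\d+ created by|Shadow byte|More shadow|Stats:|==\d+== ABORTING)")
# Function names contain spaces ("Length() const", argument lists), but the
# location is always the final whitespace-free token, so match the name lazily.
_FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")

def parse_asan_report(text: str) -> AsanReport:
    """Parse one report; each frame line is attached to the section currently open."""
    rep = AsanReport()
    current: Optional[List[Frame]] = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := _HEADER.search(line):
            rep.error_kind, rep.address = m.group(1), m.group(2)
        elif m := _ACCESS.match(line):
            rep.access, rep.access_size, rep.access_thread = m.group(1), int(m.group(2)), m.group(3)
            current = rep.access_stack
        elif m := _REGION.search(line):
            rep.offset_in_region, rep.region_size = int(m.group(1)), int(m.group(2))
            current = None
        elif m := _FREED.match(line):
            rep.free_thread, current = m.group(1), rep.free_stack
        elif m := _ALLOC.match(line):
            rep.alloc_thread, current = m.group(1), rep.alloc_stack
        elif _END.match(line):
            current = None
        elif (m := _FRAME.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep

_PLUMBING = ("__interceptor_", "malloc", "free", "moz_xmalloc", "operator new", "operator delete")

def first_product_frame(stack: List[Frame]) -> Optional[Frame]:
    """Skip allocator/interceptor frames; they never say whose object it was."""
    for f in stack:
        if not f.function.startswith(_PLUMBING):
            return f
    return stack[0] if stack else None

def summarize(rep: AsanReport) -> dict:
    """The facts worth putting in the first triage comment."""
    freed = first_product_frame(rep.free_stack)
    return {
        "kind": rep.error_kind,
        "access": f"{rep.access} of {rep.access_size} bytes at offset {rep.offset_in_region} "
                  f"in a {rep.region_size}-byte object",
        "use_chain": [f.function for f in rep.access_stack[:3]],
        "free_site": freed.function if freed else None,
        # Free and use on one thread points at a lifetime bug on that thread,
        # not a cross-thread race; allocation elsewhere shows who handed it over.
        "same_thread_free_and_use": rep.free_thread == rep.access_thread,
        "cross_thread_lifetime": rep.alloc_thread != rep.access_thread,
    }

SAMPLE_PARSED = parse_asan_report(SAMPLE_REPORT)
SAMPLE_SUMMARY = summarize(SAMPLE_PARSED)
```

Run on the sample, `SAMPLE_SUMMARY` reports a READ of 8 bytes 32 bytes into a 368-byte object, used from `StreamBuffer::FindTrack` under `MediaStreamDestinationEngine::ProduceAudioBlock`, freed through `MediaStream::Release()` on the same thread (T22) that performed the read, and allocated on T0; that thread split between allocation and use is the first thing to check against the graph's ownership rules when reading a report like this.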
I cannot reproduce it with hg.mozilla.org/integration/mozilla-inbound/rev/f0db2c84b4d1
Do you have an ASAN build? I tested on 64-bit Linux.
Keywords: crash, testcase
Whiteboard: [asan]
We have about a month's worth of nightly ASAN builds at
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/, although Christoph probably uses his own builds. If so, it could be an opt-vs-debug ASAN build difference.

We have debug asan builds at
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/
(In reply to Nils from comment #4)
> Just reproduced with the latest debug build from:
> 
> https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1371217208/

createMediaStreamDestination() was not yet implemented in this build:
line 6: o116.createMediaStreamDestination is not a function


I can reproduce with:

https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1371463872/firefox-24.0a1.en-US.linux-x86_64-asan.tar.bz2


This is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=883591
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 883591
Group: core-security
Whiteboard: [asan] → [asan][sg:dupe 883591]
Whiteboard: [asan][sg:dupe 883591] → [asan][sg:dupe 883591][blocking-webaudio-]