Closed Bug 894348 Opened 12 years ago Closed 12 years ago

MediaRecorder use-after-free crash [@mozilla::MediaStream::GraphImpl]

Categories

(Core :: Audio/Video: Recording, defect)

Product:
Core
Component:
Audio/Video: Recording
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla25
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 --- unaffected
firefox24 --- unaffected
firefox25 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected
b2g-v1.1hd --- unaffected

People

(Reporter: posidron, Assigned: rlin)

References

Details

(4 keywords)

Attachments

(3 files, 3 obsolete files)

testcase
430 bytes, text/html
Details
callstack
11.35 KB, text/plain
Details
check-in.patch
3.98 KB, patch
Details | Diff | Splinter Review
Attached file testcase
alloc & free: dom/bindings/MediaRecorderBinding.cpp:356 static bool start(JSContext* cx, JS::Handle<JSObject*> obj, mozilla::dom::MediaRecorder* self, const JSJitMethodCallArgs& args) { Optional<int32_t > arg0; if (0 < args.length()) { arg0.Construct(); if (!ValueToPrimitive<int32_t, eDefault>(cx, args.handleAt(0), &arg0.Value())) { return false; } } ErrorResult rv; * self->Start(Constify(arg0), rv); [...] re-use: content/media/MediaStreamGraph.cpp:1495 MediaStream::GraphImpl() { * return mGraph; } Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/860f92c88a13
Attached file callstack
Keywords: sec-critical
Hi Christoph, It seems like a F5 reload stress test, right?
Attached patch patch v1 with test case (obsolete) — Splinter Review
oh, wrong usage of poniter.... BTW, Do you know how to test this behavior with mochitest?
Attachment #777631 - Flags: feedback?(roc)
(In reply to Randy Lin [:rlin] from comment #3) > BTW, Do you know how to test this behavior with mochitest? Not really, let's Cc Jason Smith.
(In reply to Randy Lin [:rlin] from comment #2) > Hi Christoph, > It seems like a F5 reload stress test, right? In my tries, only one reload was necessary.
Comment on attachment 777631 [details] [diff] [review] patch v1 with test case Review of attachment 777631 [details] [diff] [review]: ----------------------------------------------------------------- The code change is correct (ew!) but the test doesn't work since it will constantly reload. You could try making the reference to the MediaRecorder be a local variable in a function that you call once. After the function is called, do SpecialPowers.gc() and that should destroy the ProcessedMediaStream too early. Hopefully that would make us crash most of the time.
Attachment #777631 - Flags: feedback?(roc) → feedback+
Blocks: 803414
Blocks: 894413
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #6) > Comment on attachment 777631 [details] [diff] [review] > patch v1 with test case > > Review of attachment 777631 [details] [diff] [review]: > ----------------------------------------------------------------- > > The code change is correct (ew!) but the test doesn't work since it will > constantly reload. > > You could try making the reference to the MediaRecorder be a local variable > in a function that you call once. After the function is called, do > SpecialPowers.gc() and that should destroy the ProcessedMediaStream too > early. Hopefully that would make us crash most of the time. Another idea I have would be to do this with a crash test and local storage to re-run the same crashtest a few times on each reload. See http://hg.mozilla.org/mozilla-central/file/16375716cc69/dom/media/tests/crashtests/801227.html as an example of a crashtest that demonstrated a way to do this.
Nice work. Does this affect any branches?
(In reply to David Bolter [:davidb] from comment #8) > Nice work. Does this affect any branches? Should only be affecting trunk. The Media Recorder API landed in the Firefox 25 timeframe.
Attached patch patvh v2 (obsolete) — Splinter Review
Use for loop and force gc to capture this crash.
Attachment #777631 - Attachment is obsolete: true
Attachment #778248 - Flags: review?(roc)
Comment on attachment 778248 [details] [diff] [review] patvh v2 Review of attachment 778248 [details] [diff] [review]: ----------------------------------------------------------------- Can kick off a try run with this? This is the first time we are checking in a MediaRecorder test into the tree, so there potentially could be other failures we might see on try. ::: content/media/test/test-MediaRecorder-reload.html @@ +28,5 @@ > + try { o1 = o0.mozCaptureStreamUntilEnded(); } catch(e) { } > + try { o2 = new MediaRecorder(o1) } catch(e) { } > + try { o2.start(2048) } catch(e) { } > + try { o2.start(0) } catch(e) { } > + SpecialPowers.gc(); Did you confirm this test invokes the crash without your fix applied? @@ +30,5 @@ > + try { o2.start(2048) } catch(e) { } > + try { o2.start(0) } catch(e) { } > + SpecialPowers.gc(); > + } > + ok(true, "pass the crash test"); If you are intending to do a crashtest, why not actually use the framework here?
Attachment #778248 - Flags: review+ → review?(roc)
Comment on attachment 778248 [details] [diff] [review] patvh v2 Ack. Bugzilla conflict. Sorry about that.
Attachment #778248 - Flags: review?(roc) → review+
(In reply to Jason Smith [:jsmith] from comment #11) > Comment on attachment 778248 [details] [diff] [review] > patvh v2 > > Review of attachment 778248 [details] [diff] [review]: > ----------------------------------------------------------------- > > Can kick off a try run with this? This is the first time we are checking in > a MediaRecorder test into the tree, so there potentially could be other > failures we might see on try. > > ::: content/media/test/test-MediaRecorder-reload.html > @@ +28,5 @@ > > + try { o1 = o0.mozCaptureStreamUntilEnded(); } catch(e) { } > > + try { o2 = new MediaRecorder(o1) } catch(e) { } > > + try { o2.start(2048) } catch(e) { } > > + try { o2.start(0) } catch(e) { } > > + SpecialPowers.gc(); > > Did you confirm this test invokes the crash without your fix applied? > > @@ +30,5 @@ > > + try { o2.start(2048) } catch(e) { } > > + try { o2.start(0) } catch(e) { } > > + SpecialPowers.gc(); > > + } > > + ok(true, "pass the crash test"); > > If you are intending to do a crashtest, why not actually use the framework > here? I have tested this before apply the fix and can capture this crash.
Oh, more crash was found after run test case on different platform, I will fix it also. https://tbpl.mozilla.org/?tree=Try&rev=919b234f6115
Thanks for doing that try run - good to see we found more crashes. Crash info from try run: PROCESS-CRASH | Shutdown | application crashed [@ nsTArray_Impl<nsAutoPtr<mozilla::DOMMediaStream::OnTracksAvailableCallback>, nsTArrayInfallibleAllocator>::Clear()] 03:52:59 WARNING - PROCESS-CRASH | Shutdown | application crashed [@ mozilla::DOMMediaStream::NotifyMediaStreamGraphShutdown()] 04:13:36 WARNING - PROCESS-CRASH | Shutdown | application crashed [@ nsAutoPtr<mozilla::DOMMediaStream::OnTracksAvailableCallback>::`scalar deleting destructor'(unsigned int) + 0xc] 03:19:18 WARNING - PROCESS-CRASH | Shutdown | application crashed [@ 0x7b68404a] 03:50:37 WARNING - PROCESS-CRASH | Shutdown | application crashed [@ nsTArray_Impl<nsAutoPtr<mozilla::DOMMediaStream::OnTracksAvailableCallback>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int)]
Attached patch patch v3 (obsolete) — Splinter Review
Fix crash, also fix memory leaks problem. try result. https://tbpl.mozilla.org/?tree=Try&rev=9a3bea311de9
Attachment #778248 - Attachment is obsolete: true
Attachment #778862 - Flags: review?(roc)
Comment on attachment 778862 [details] [diff] [review] patch v3 Review of attachment 778862 [details] [diff] [review]: ----------------------------------------------------------------- ::: content/media/MediaRecorder.cpp @@ +115,5 @@ > > MediaRecorder::~MediaRecorder() > { > + if (mTrackUnionStream) > + mTrackUnionStream->Destroy(); {}
Attachment #778862 - Flags: review?(roc) → review+
Attached patch check-in.patchSplinter Review
carry reviewer, fix nits.
Attachment #778862 - Attachment is obsolete: true
This needs sec-approval, no?
Keywords: checkin-needed
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #19) > This needs sec-approval, no? MediaRecorder currently only exists on trunk. According to my understanding of <https://wiki.mozilla.org/Security/Bug_Approval_Process>, that means it does not need sec-approval. I'll leave it up to rlin if he wants to ask for it anyway.
status-b2g18: --- → unaffected
status-b2g18-v1.0.0: --- → unaffected
status-b2g18-v1.0.1: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-firefox22: --- → unaffected
status-firefox23: --- → unaffected
status-firefox24: --- → unaffected
status-firefox25: --- → affected
status-firefox-esr17: --- → unaffected
Confirmed that with dveditz. I'll land next time I get a chance.
Keywords: checkin-needed
Thanks Timothy, The mediaRecorder only affect the trunk right now.
No longer blocks: 803414
https://hg.mozilla.org/mozilla-central/rev/2e6ca2dc655e
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox25: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Verified via mochitest on landing.
Status: RESOLVED → VERIFIED
Component: Video/Audio → Video/Audio: Recording
No longer blocks: MediaRecording
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: