Bug 966636 (Closed)
Opened 11 years ago; closed 11 years ago
Heap-buffer-overflow in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling
Categories: Core :: Web Audio, defect, P1
Status: VERIFIED FIXED
Target milestone: mozilla30
Branch | Tracking | Status
---|---|---
firefox27 | --- | unaffected
firefox28 | + | verified
firefox29 | + | verified
firefox30 | + | verified
firefox-esr24 | --- | unaffected
b2g18 | --- | unaffected
b2g-v1.1hd | --- | unaffected
b2g-v1.2 | --- | unaffected
b2g-v1.3 | --- | fixed
b2g-v1.3T | --- | fixed
b2g-v1.4 | --- | fixed
People: Reporter: attekett; Assigned: karlt
Details: 5 keywords
Attachments (2 files):
- 1.19 KB, text/html
- 6.49 KB, patch; padenot: review+; abillings: approval-mozilla-aurora+, approval-mozilla-beta+, sec-approval+
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1391177067/
ASAN-report:
==13712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f426b940c7c at pc 0x7f42a49d0734 bp 0x7f4276c7fb30 sp 0x7f4276c7fb28
READ of size 4 at 0x7f426b940c7c thread T35 (MediaStreamGrph)
#0 0x7f42a49d0733 in speex_resampler_process_float /builds/slave/m-cen-l64-asan-000000000000000/build/media/libspeex_resampler/src/resample.c:897:0
#1 0x7f42a274c10f in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBufferWithResampling(mozilla::AudioNodeStream*, mozilla::AudioChunk*, unsigned int, unsigned long, unsigned long, unsigned int, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:215:0
#2 0x7f42a274b640 in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromBuffer(mozilla::AudioNodeStream*, mozilla::AudioChunk*, unsigned int, unsigned int*, long*, unsigned int, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:333:0
#3 0x7f42a274a243 in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock(mozilla::AudioNodeStream*, mozilla::AudioChunk const&, mozilla::AudioChunk*, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/webaudio/AudioBufferSourceNode.cpp:424:0
#4 0x7f42a26455e7 in mozilla::AudioNodeStream::ProduceOutput(long, long, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/AudioNodeStream.cpp:439:0
#5 0x7f42a26bfc91 in ProduceDataForStreamsBlockByBlock /builds/slave/m-cen-l64-asan-000000000000000/build/content/media/MediaStreamGraph.cpp:1098:0
.
.
.
Updated•11 years ago
Severity: normal → critical
Updated•11 years ago
Version: unspecified → Trunk
Updated•11 years ago
Assignee: nobody → karlt
Status: NEW → ASSIGNED
Comment 1•11 years ago
Regression from https://hg.mozilla.org/mozilla-central/rev/9b1da46deff2
Read of up to 512 bytes with offset from allocation and allocation size controlled
by content.
Blocks: 937057
status-firefox27: --- → unaffected
status-firefox28: --- → affected
status-firefox29: --- → affected
Keywords: sec-critical → sec-high
Comment 2•11 years ago
Attachment #8369868 - Flags: review?(paul)
Updated•11 years ago
Priority: -- → P1
Updated•11 years ago
Attachment #8369868 - Flags: review?(paul) → review+
Comment 3•11 years ago
Comment on attachment 8369868 [details] [diff] [review]
rename resampling copy variables consistently and test remaining input better
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
This would require some effort to work out, but it is not too hard.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The patch points to where the overflow happens, but not how to generate the overflow (switch buffers while processing latent samples from the resampler).
Which older supported branches are affected by this flaw?
28
If not all supported branches, which bug introduced the flaw?
bug 937057
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Patch applies to 28 cleanly.
How likely is this patch to cause regressions; how much testing does it need?
Nothing complicated in the patch, so unlikely to regress. There are several existing automated tests.
Attachment #8369868 - Flags: sec-approval?
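An added defensive sketch, not the bug's patch and not Mozilla's code: comment 1 notes that both the read offset and the allocation size are controlled by content, and comment 3 describes the trigger as switching buffers while the resampler still holds latent samples from earlier input. The model below, with invented names (`source_t`, `source_take`, `source_set_buffer`), keeps a read position across a buffer swap and shows the kind of "remaining input" check the patch title refers to: each copy is clamped to the frames actually left, and a position already beyond the new, shorter buffer yields zero frames instead of a read past the allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an audio source that feeds a resampler
 * from a content-supplied buffer. Names are invented for this example; they
 * are not the names used in AudioBufferSourceNode.cpp. */
typedef struct {
    const float *buf;   /* content-controlled allocation */
    size_t len;         /* its length in frames (content-controlled) */
    size_t pos;         /* read position carried across calls */
} source_t;

/* Remaining readable frames, or 0 when the position is already past the end
 * (possible after the buffer was switched for a shorter one while the
 * resampler still owed output for input it had already consumed). */
static size_t source_remaining(const source_t *s)
{
    return s->pos < s->len ? s->len - s->pos : 0;
}

/* Copy up to `want` frames into `dst`, never reading past `len`.
 * Returns the number of frames actually copied; a caller that asked for
 * more must pad with silence rather than assume the request was filled. */
static size_t source_take(source_t *s, float *dst, size_t want)
{
    size_t avail = source_remaining(s);
    size_t n = want < avail ? want : avail;
    if (n > 0) {
        memcpy(dst, s->buf + s->pos, n * sizeof(float));
        s->pos += n;
    }
    return n;
}

/* Content swaps the buffer mid-stream. The read position is deliberately
 * left alone: that is the state the bug description calls out, and the
 * check in source_take has to cope with it. */
static void source_set_buffer(source_t *s, const float *buf, size_t len)
{
    s->buf = buf;
    s->len = len;
}

/* Constructed scenario: a block request that only partially fits.
 * 8-frame buffer, take 6, then ask for 8 more: returns 2, not 8. */
size_t demo_partial_block(void)
{
    static const float long_buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    float out[8];
    source_t s = { long_buf, 8, 0 };

    source_take(&s, out, 6);
    return source_take(&s, out, 8);
}

/* Constructed scenario from the bug: consume part of a long buffer, switch
 * to a shorter one, then ask for another block. Returns the frames obtained
 * from the second buffer: 0, because position 6 is past its length 4. */
size_t demo_switch_buffers(void)
{
    static const float long_buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    static const float short_buf[4] = {9, 10, 11, 12};
    float out[8];
    source_t s = { long_buf, 8, 0 };

    source_take(&s, out, 6);              /* pos == 6 */
    source_set_buffer(&s, short_buf, 4);  /* pos 6 > len 4 */
    return source_take(&s, out, 8);       /* nothing readable */
}

int main(void)
{
    printf("partial block copied %zu frames\n", demo_partial_block());
    printf("after buffer switch copied %zu frames\n", demo_switch_buffers());
    return 0;
}
```

The point of the model is that a stored position is only meaningful relative to the buffer it was computed against; once content can replace the buffer, every copy has to re-derive "remaining" from the current length rather than trusting that the position is still in range.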
Comment 4•11 years ago
29 is also affected and patch applies.
Comment 5•11 years ago
Is 29 Aurora now with Trunk being 30?
Updated•11 years ago
status-firefox30: --- → affected
tracking-firefox28: --- → +
tracking-firefox29: --- → +
tracking-firefox30: --- → +
Comment 6•11 years ago
Comment on attachment 8369868 [details] [diff] [review]
rename resampling copy variables consistently and test remaining input better
sec-approval+ for trunk. Please nominate patch(es) for 29 and 28 after it goes in.
Attachment #8369868 - Flags: sec-approval? → sec-approval+
Comment 7•11 years ago
Comment 8•11 years ago
landed on central as https://hg.mozilla.org/mozilla-central/rev/ba2c4b5ff7d8
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Comment 9•11 years ago
Comment on attachment 8369868 [details] [diff] [review]
rename resampling copy variables consistently and test remaining input better
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 937057
User impact if declined: sec-high, comment 1
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky):
Nothing complicated in the patch, so unlikely to regress. There are several existing automated tests.
String or IDL/UUID changes made by this patch: none
Attachment #8369868 - Flags: approval-mozilla-beta?
Attachment #8369868 - Flags: approval-mozilla-b2g28?
Attachment #8369868 - Flags: approval-mozilla-aurora?
Updated•11 years ago
Attachment #8369868 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8369868 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 10•11 years ago
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → fixed
status-b2g-v1.4: --- → fixed
Comment 11•11 years ago
This was landed on mozilla-beta by karlt and then automatically merged to b2g28. Apparently the bug wasn't marked after landing on mozilla-beta.
https://hg.mozilla.org/releases/mozilla-beta/rev/de63d702095e
Comment 12•11 years ago
Updated•11 years ago
Attachment #8369868 - Flags: approval-mozilla-b2g28?
Updated•11 years ago
status-firefox-esr24: --- → unaffected
Updated•11 years ago
Flags: sec-bounty?
Updated•11 years ago
Flags: sec-bounty? → sec-bounty+
Updated•11 years ago
status-b2g-v1.3T: --- → fixed
Comment 14•11 years ago
Confirmed crash on ASan build of Fx29, 2013-12-19.
Verified fixed on ASan builds of Fx29, 30 and 31, 2014-04-17.
Status: RESOLVED → VERIFIED
Comment 16•11 years ago
Flags: in-testsuite? → in-testsuite+
Comment 17•11 years ago
Updated•10 years ago
Group: core-security
Updated•9 months ago
Keywords: reporter-external