Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Categories: Core :: Graphics: Layers, defect, P2
People: Reporter: aryx, Assigned: sotaro
References: Blocks 1 open bug
Keywords: csectype-uaf, intermittent-failure, sec-high
Whiteboard: [post-critsmash-triage]
Attachments (1 file): (deleted), text/x-phabricator-request; abillings: sec-approval+
Comment 8•6 years ago
Timothy, would you be able to help determine if this bug is actionable?
Comment 9•6 years ago
I don't know anything about getUserMedia and I'm not really familiar with any of the code in the stack trace. There's probably a better person than me to look into this. Perhaps Sotaro can help or redirect to someone who can?
Comment 10•6 years ago (Assignee)
MediaEngineTabVideoSource::Draw() allocates a buffer with "MakeUniqueFallible<unsigned char[]>(mDataSize)" and the buffer is held as UniquePtr<unsigned char[]> in MediaEngineTabVideoSource. It seems to cause the problem. The lifetime of the buffer is limited to MediaEngineTabVideoSource, but SourceSurfaceImage could live longer than the MediaEngineTabVideoSource.
Comment 13•6 years ago (Assignee)
Snapshot() does not always allocate a new buffer for the SourceSurface. That seemed to cause the problem.
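The lifetime mismatch described in comment 10, together with the aliasing behind comment 13 (Snapshot() handing back a surface over the existing buffer instead of a fresh copy), reduced to a self-contained C++ model. This is an added example, not code from Gecko or from the patch: BuggyTabVideoSource, FixedTabVideoSource, BorrowedSurface, SharedSurface, TrackedBuffer and CopyOut are hypothetical stand-ins, and the LiveHeap registry only approximates what ASan's shadow memory does at the __asan_memcpy interceptor, so the stale read is reported rather than executed. The fixed variant models the ownership shape of the SharedRGBImage approach (buffer lifetime tied to every holder), not its TextureClient details.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>

namespace {

// Live allocations, base address -> length. A stand-in for ASan's shadow
// memory so a stale read can be reported instead of performed (assumption:
// real ASan checks every byte of the access, not a registry lookup).
std::map<const unsigned char*, size_t>& LiveHeap() {
    static std::map<const unsigned char*, size_t> live;
    return live;
}

// Pixel buffer that registers itself while alive, like a tracked heap block.
struct TrackedBuffer {
    explicit TrackedBuffer(size_t n) : size(n), bytes(new unsigned char[n]) {
        std::memset(bytes, 0x42, n);  // constructed sample pixel data
        LiveHeap()[bytes] = n;
    }
    ~TrackedBuffer() {
        LiveHeap().erase(bytes);
        delete[] bytes;
    }
    TrackedBuffer(const TrackedBuffer&) = delete;
    TrackedBuffer& operator=(const TrackedBuffer&) = delete;
    size_t size;
    unsigned char* bytes;
};

// True only if [p, p + len) lies entirely inside a live tracked allocation.
bool IsLive(const unsigned char* p, size_t len) {
    const uintptr_t lo = reinterpret_cast<uintptr_t>(p);
    for (const auto& kv : LiveHeap()) {
        const uintptr_t base = reinterpret_cast<uintptr_t>(kv.first);
        if (lo >= base && lo + len <= base + kv.second) return true;
    }
    return false;
}

}  // namespace

// Non-owning view: the shape of a surface wrapped around a raw data pointer
// (what Snapshot() returns when it does not copy).
struct BorrowedSurface {
    const unsigned char* data;
    size_t size;
};

// Buggy layout: the source owns the buffer, the surface only borrows it.
class BuggyTabVideoSource {
public:
    explicit BuggyTabVideoSource(size_t n) : mData(std::make_unique<TrackedBuffer>(n)) {}
    BorrowedSurface Draw() const { return BorrowedSurface{mData->bytes, mData->size}; }
private:
    std::unique_ptr<TrackedBuffer> mData;  // freed together with the source
};

// Fixed layout: the surface shares ownership, so the buffer outlives the
// source for as long as any consumer still holds the surface.
struct SharedSurface {
    std::shared_ptr<TrackedBuffer> buf;
    const unsigned char* data() const { return buf->bytes; }
    size_t size() const { return buf->size; }
};

class FixedTabVideoSource {
public:
    explicit FixedTabVideoSource(size_t n) : mData(std::make_shared<TrackedBuffer>(n)) {}
    SharedSurface Draw() const { return SharedSurface{mData}; }
private:
    std::shared_ptr<TrackedBuffer> mData;
};

// Simulated memcpy into the compositor: copies only if the source range is
// still live; returns false where ASan would report heap-use-after-free.
bool CopyOut(const unsigned char* src, size_t len, unsigned char* dst) {
    if (!IsLive(src, len)) return false;
    std::memcpy(dst, src, len);
    return true;
}

// Scenario 1: the surface outlives the buggy source, so the copy is stale.
bool BuggyScenarioDetectsUAF() {
    BorrowedSurface surf{};
    {
        BuggyTabVideoSource source(64);
        surf = source.Draw();
    }  // source and its buffer are destroyed here; surf.data now dangles
    unsigned char out[64];
    return !CopyOut(surf.data, surf.size, out);
}

// Scenario 2: shared ownership keeps the buffer alive past the source.
bool FixedScenarioCopiesSafely() {
    SharedSurface surf;
    {
        FixedTabVideoSource source(64);
        surf = source.Draw();
    }  // source destroyed; surf still owns a reference to the buffer
    unsigned char out[64];
    const bool ok = CopyOut(surf.data(), surf.size(), out);
    return ok && out[0] == 0x42 && out[63] == 0x42;
}
```

The buggy scenario never dereferences the dangling pointer; it only checks the address against the registry, which is the same decision ASan makes before the real memcpy proceeds. Under a real ASan build the equivalent stale copy is what produces the __asan_memcpy report in the bug summary.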
Comment 14•6 years ago (Assignee)
Bug 1530928 was created for handling TextureClient recycling in SharedRGBImage.
Comment 16•6 years ago (Assignee)
Comment on attachment 9046617 [details]
Bug 1440038 - Use SharedRGBImage in MediaEngineTabVideoSource
Security Approval Request
- How easily could an exploit be constructed based on the patch?: It does not seem easy. We do not know the specific STR to reproduce the problem. By default it is not exposed at the moment, for security and UI reasons.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: Firefox 31
- If not all supported branches, which bug introduced the flaw?: Bug 960524
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: It is easy to create a patch. It does not seem risky.
- How likely is this patch to cause regressions; how much testing does it need?: It does not seem likely to cause a regression; the patch is relatively simple. test_getUserMedia_basicTabshare.html already tests MediaEngineTabVideoSource.
Comment 17•6 years ago
Thanks for fixing this Sotaro!
Comment 18•6 years ago
Sec-approval+ for trunk. I marked other branches as "disabled" since it is behind a pref by default but we should consider patching this on ESR60 and Beta.
Comment 21•6 years ago
Doesn't seem worth uplifting if it requires a non-default pref to be set. Feel free to nominate the patch for approval if you feel strongly otherwise, however.