UAF detected in media::WebmMuxer::~WebmMuxer by Dr. Memory
Issue description

Found in build: https://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Content%20Browser%20%28DrMemory%20full%29%20%283%29/builds/7729

UNADDRESSABLE ACCESS of freed memory: reading 0x0361c6e0-0x0361c6e4 4 byte(s)
# 0 media.dll!mkvmuxer::Segment::WriteFramesAll [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3799]
# 1 media.dll!mkvmuxer::Segment::Finalize [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:2984]
# 2 media.dll!media::WebmMuxer::~WebmMuxer [media\muxers\webm_muxer.cc:122]
# 3 content.dll!media::WebmMuxer::`scalar deleting destructor'
# 4 content.dll!content::MediaRecorderHandler::~MediaRecorderHandler [content\renderer\media\media_recorder_handler.cc:65]
# 5 content.dll!content::MediaRecorderHandler::`vector deleting destructor'
# 6 modules.dll!blink::MediaRecorder::stop [third_party\webkit\source\modules\mediarecorder\mediarecorder.cpp:283]
# 7 webcore_shared.dll!blink::ContextLifecycleNotifier::notifyStoppingActiveDOMObjects [third_party\webkit\source\core\dom\contextlifecyclenotifier.cpp:97]
# 8 webcore_shared.dll!blink::Document::detach [third_party\webkit\source\core\dom\document.cpp:2158]
# 9 webcore_shared.dll!blink::LocalFrame::detach [third_party\webkit\source\core\frame\localframe.cpp:332]
#10 webcore_shared.dll!blink::Page::willBeDestroyed [third_party\webkit\source\core\page\page.cpp:544]
#11 blink_web.dll!blink::WebViewImpl::close [third_party\webkit\source\web\webviewimpl.cpp:1785]
#12 content.dll!content::RenderWidget::Close [content\renderer\render_widget.cc:1421]
#13 base.dll!base::debug::TaskAnnotator::RunTask [base\debug\task_annotator.cc:51]
#14 scheduler.dll!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue [components\scheduler\base\task_queue_manager.cc:289]
#15 scheduler.dll!scheduler::TaskQueueManager::DoWork [components\scheduler\base\task_queue_manager.cc:201]
#16 scheduler.dll!base::internal::Invoker<>::Run [base\bind_internal.h:364]
#17 base.dll!base::debug::TaskAnnotator::RunTask [base\debug\task_annotator.cc:51]
#18 base.dll!base::MessageLoop::RunTask [base\message_loop\message_loop.cc:475]
#19 base.dll!base::MessageLoop::DeferOrRunPendingTask [base\message_loop\message_loop.cc:484]
#20 base.dll!base::MessageLoop::DoDelayedWork [base\message_loop\message_loop.cc:639]
#21 base.dll!base::MessagePumpDefault::Run [base\message_loop\message_pump_default.cc:37]
#22 base.dll!base::MessageLoop::RunHandler [base\message_loop\message_loop.cc:439]
#23 base.dll!base::MessageLoop::Run [base\message_loop\message_loop.cc:294]
#24 content.dll!content::RendererMain [content\renderer\renderer_main.cc:199]
#25 content.dll!content::RunNamedProcessTypeMain [content\app\content_main_runner.cc:420]
#26 content.dll!content::ContentMainRunnerImpl::Run [content\app\content_main_runner.cc:787]
#27 content.dll!content::ContentMain [content\app\content_main.cc:20]
#28 content::LaunchTests [content\public\test\test_launcher.cc:523]
#29 main [content\test\content_test_launcher.cc:131]
Note: @0:02:17.146 in thread 836
Note: next higher malloc: 0x0361c740-0x0361c770
Note: prev lower malloc: 0x0361c420-0x0361c4f0
Note: 0x0361c6e0-0x0361c6e4 overlaps memory 0x0361c698-0x0361c6e4 that was freed here:
Note: # 0 replace_operator_delete_nothrow [d:\drmemory_package\common\alloc_replace.c:2974]
Note: # 1 ipc_mojo.dll!std::_Deallocate [c:\b\depot_tools\win_toolchain\vs_files\95ddda401ec5678f15eeed01d2bee08fcbc5ee97\vc\include\xmemory0:132]
Note: # 2 ipc_mojo.dll!IPC::mojom::ChannelProxy::Receive [out\release\gen\ipc\mojo\ipc.mojom.cc:570]
Note: # 3 ipc_mojo.dll!IPC::internal::MessagePipeReader::Send [ipc\mojo\ipc_message_pipe_reader.cc:104]
Note: # 4 ipc_mojo.dll!IPC::ChannelMojo::Send [ipc\mojo\ipc_channel_mojo.cc:342]
Note: # 5 ipc.dll!IPC::ChannelProxy::Context::OnSendMessage [ipc\ipc_channel_proxy.cc:197]
Note: instruction: mov 0x48(%ecx) -> %eax

The report came from the `WebRtcMediaRecorderTest.MediaRecorderResumeAndDataAvailable/3` test.
Jun 6 2016

Jun 6 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d88b1f23de9cf8fca50f288d85126d6691c2a67c

commit d88b1f23de9cf8fca50f288d85126d6691c2a67c
Author: Reilly Grant <reillyg@chromium.org>
Date: Mon Jun 06 20:08:04 2016

Add suppressions for Dr. Memory failures.

BUG=617740
TBR=miu@chromium.org,mcasas@chromium.org

Review URL: https://codereview.chromium.org/2040963006 .

Cr-Commit-Position: refs/heads/master@{#398106}

[modify] https://crrev.com/d88b1f23de9cf8fca50f288d85126d6691c2a67c/tools/valgrind/drmemory/suppressions_full.txt
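For readers who have not worked with the file that commit modifies: a Dr. Memory suppression is a plain-text record whose first line is the error type, followed by an optional name= line and then the call-stack frames to match, where a line containing only "..." matches any number of intervening frames and "#" starts a comment. The entry below is an illustrative example added to this page, written from the report above; it is not the text that the commit actually added to suppressions_full.txt, and the name line is an assumption.

```text
# Illustrative Dr. Memory suppression for the report in this bug.
# Added as an example; not the entry committed in d88b1f23.
UNADDRESSABLE ACCESS
name=bug_617740
media.dll!mkvmuxer::Segment::WriteFramesAll
media.dll!mkvmuxer::Segment::Finalize
media.dll!media::WebmMuxer::~WebmMuxer
...
```

A suppression of this kind silences the report on the bot; it does not change the access itself. Matching is on the reported frames, so the entry stops applying as soon as any listed frame is renamed or inlined away, and it should be removed once the underlying report is resolved or, as here, the bug is closed.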
Jun 20 2016
tomfinegan@ can you have a look at the callstack plz? Maybe WebmMuxer should follow a different destruction sequence...? See https://cs.chromium.org/chromium/src/media/muxers/webm_muxer.cc?q=~WebmMuxer&sq=package:chromium&l=118&dr=CSs :

WebmMuxer::~WebmMuxer() {
  // No need to segment_.Finalize() since is not Seekable(), i.e. a live
  // stream, but is a good practice.
  DCHECK(thread_checker_.CalledOnValidThread());
  segment_.Finalize();
}
Jun 21 2016
> tomfinegan@ can you have a look at the callstack plz? Maybe WebmMuxer should follow a different destruction sequence...?

I don't think there's anything WebmMuxer can do here. It looks like this test is tickling a new bug in mkvmuxer. I'll file a bug upstream for this, and try to repro once my windows box is alive again (mid re-image).
Jun 21 2016
#5 JIC note that monorail supports other monorail projects in the "Blocked on" field, sth like webrtc:496 or libyuv:496 ;) cheers
Jun 21 2016

Jan 18 2017

Jan 18 2017
Bulk move Blink>MediaStream>Recording ---> Blink>MediaRecording
Jan 18 2017
Note that DrMemory bots are not supported anymore [1] in favour of ASAN/MSAN.

[1] https://groups.google.com/a/chromium.org/forum/m/#!topic/chromium-dev/mwH45z-KGks
Jan 18 2017
WontFix, see #10
Comment 1 by reillyg@chromium.org, Jun 6 2016