New issue
Advanced search Search tips

Issue 820341 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use of an invalid mutex in media::AudioOutputDevice::NotifyRenderCallbackOfError

Project Member Reported by ClusterFuzz, Mar 9 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4614405673975808

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Use of an invalid mutex
Crash Address: 
Crash State:
  media::AudioOutputDevice::NotifyRenderCallbackOfError
  media::AudioOutputDevice::OnDeviceAuthorized
  media::AudioOutputDevice::OnDeviceAuthorized
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=541800:541801

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4614405673975808

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 9 2018

Components: Blink>Media>Audio Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Mar 9 2018

Labels: Test-Predator-Auto-Owner
Owner: maxmorin@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a7c1c1850928f3560844ae85f2ea23803134e257 (Fix yet another AudioOutputDevice crash.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 3 by bugdroid1@chromium.org, Mar 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b305c700239b4010b25408f40e8359d82c9709d5

commit b305c700239b4010b25408f40e8359d82c9709d5
Author: Max Morin <maxmorin@chromium.org>
Date: Fri Mar 09 09:16:23 2018

Revert "Fix yet another AudioOutputDevice crash."

This reverts commit a7c1c1850928f3560844ae85f2ea23803134e257.

Reason for revert: Clusterfuzz reports...

Original change's description:
> Fix yet another AudioOutputDevice crash.
> 
> Bug is identical to the last :/. No idea why it's much more frequent with mojo,
> possibly a race is likely to happen when destroying a frame: |callback_| is
> destroyed due to frame being destroyed, and authorization is failed for the
> same reason. With the per process message filter, authorization wouldn't fail
> due to the frame being destructed.
> 
> Bug: 819277
> Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
> Change-Id: Ic17dc96d2c83a08732b43094bac2f2c3fa7035ad
> Reviewed-on: https://chromium-review.googlesource.com/951774
> Commit-Queue: Max Morin <maxmorin@chromium.org>
> Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#541801}

TBR=dalecurtis@chromium.org,maxmorin@chromium.org

Change-Id: I9bf3d357bd09ebd1fa60b4324d204da44b23b72a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 819277, 820276 , 820341 
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Reviewed-on: https://chromium-review.googlesource.com/957042
Reviewed-by: Max Morin <maxmorin@chromium.org>
Commit-Queue: Max Morin <maxmorin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542065}
[modify] https://crrev.com/b305c700239b4010b25408f40e8359d82c9709d5/media/audio/audio_output_device.cc
[modify] https://crrev.com/b305c700239b4010b25408f40e8359d82c9709d5/media/audio/audio_output_device.h
[modify] https://crrev.com/b305c700239b4010b25408f40e8359d82c9709d5/media/audio/audio_output_device_unittest.cc

Project Member

Comment 4 by sheriffbot@chromium.org, Mar 9 2018

Labels: M-66
Project Member

Comment 5 by sheriffbot@chromium.org, Mar 9 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Mar 9 2018

Labels: Pri-1
Project Member

Comment 7 by ClusterFuzz, Mar 9 2018

ClusterFuzz has detected this issue as fixed in range 542064:542065.

Detailed report: https://clusterfuzz.com/testcase?key=4614405673975808

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Use of an invalid mutex
Crash Address: 
Crash State:
  media::AudioOutputDevice::NotifyRenderCallbackOfError
  media::AudioOutputDevice::OnDeviceAuthorized
  media::AudioOutputDevice::OnDeviceAuthorized
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=541800:541801
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=542064:542065

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4614405673975808

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Mar 9 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4614405673975808 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 10 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 10 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -ReleaseBlock-Stable -M-66 M-67
Project Member

Comment 12 by sheriffbot@chromium.org, Apr 27 2018

Labels: Merge-Request-67
Project Member

Comment 13 by sheriffbot@chromium.org, Apr 27 2018

Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ for M67 merge review. 
Is ClusterFuzz still reproing this? Revert in comment 3 landed in time for M67.
Labels: -Merge-Review-67
Yeah, agree. Removing "Merge-Review-67" label per comment #15.
Project Member

Comment 17 by sheriffbot@chromium.org, Jun 16 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment