Closed Bug 1679560 Opened 4 years ago Closed 4 years ago

heap-use-after-free in [@ gfxFontCache::HashEntry::KeyEquals]

Categories

(Core :: Graphics: Text, defect)

defect

Tracking

()

VERIFIED FIXED
87 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fixed
firefox87 --- verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][sec-survey][adv-main86+r])

Attachments

(1 file)

No test case available at the moment. Prefs gfx.webrender.all=true and gfx.webrender.software=true were set.

==3258==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400019c488 at pc 0x7f9e3ac6bc38 bp 0x7ffeb651b130 sp 0x7ffeb651b128
READ of size 8 at 0x61400019c488 thread T0 (Web Content)
    #0 0x7f9e3ac6bc37 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f9e3ac6bc37 in GetUnicodeRangeMap /builds/worker/workspace/obj-build/dist/include/gfxFont.h:1756:29
    #2 0x7f9e3ac6bc37 in gfxFontCache::HashEntry::KeyEquals(gfxFontCache::Key const*) const /gecko/gfx/thebes/gfxFont.cpp:220:55
    #3 0x7f9e37c1e94e in SearchTable<PLDHashTable::ForSearchOrRemove, (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:498:7), (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:499:7)> /gecko/xpcom/ds/PLDHashTable.cpp:373:11
    #4 0x7f9e37c1e94e in PLDHashTable::Search(void const*) const /gecko/xpcom/ds/PLDHashTable.cpp:496:10
    #5 0x7f9e3ac6ca50 in GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:211:16
    #6 0x7f9e3ac6ca50 in gfxFontCache::DestroyFont(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:282:29
    #7 0x7f9e3ac6c7ab in gfxFontCache::NotifyExpired(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:276:3
    #8 0x7f9e3ac2ff37 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:261:7
    #9 0x7f9e3acb2c56 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::HandleTimeout() /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:442:7
    #10 0x7f9e37d6aad2 in nsTimerImpl::Fire(int) /gecko/xpcom/threads/nsTimerImpl.cpp:562:7
    #11 0x7f9e37d6a39d in nsTimerEvent::Run() /gecko/xpcom/threads/TimerThread.cpp:251:11
    #12 0x7f9e37d55069 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:452:16
    #13 0x7f9e37d51b27 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:722:26
    #14 0x7f9e37d4fa67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:581:15
    #15 0x7f9e37d4febd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:375:36
    #16 0x7f9e37d5cb84 in operator() /gecko/xpcom/threads/TaskController.cpp:125:37
    #17 0x7f9e37d5cb84 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:485:5
    #18 0x7f9e37d7d58b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1196:14
    #19 0x7f9e37d887ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #20 0x7f9e3907d8d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #21 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #22 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #23 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #24 0x7f9e3fdc8117 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #25 0x7f9e43ae929f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #26 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #27 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #28 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #29 0x7f9e43ae883c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:732:34
    #30 0x5589d1fa07fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #31 0x5589d1fa0c37 in main /gecko/browser/app/nsBrowserApp.cpp:305:18
    #32 0x7f9e541b00b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #33 0x5589d1ef4199 in _start (/home/worker/builds/m-c-20201126212448-fuzzing-asan-opt/firefox+0x5b199)

0x61400019c488 is located 72 bytes inside of 400-byte region [0x61400019c440,0x61400019c5d0)
freed by thread T0 (Web Content) here:
    #0 0x5589d1f6ddad in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f9e3ac6caad in gfxFontCache::DestroyFont(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:288:3
    #2 0x7f9e3ac6c7ab in gfxFontCache::NotifyExpired(gfxFont*) /gecko/gfx/thebes/gfxFont.cpp:276:3
    #3 0x7f9e3ac2ff37 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:261:7
    #4 0x7f9e3acb2c56 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::HandleTimeout() /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:442:7
    #5 0x7f9e37d6aad2 in nsTimerImpl::Fire(int) /gecko/xpcom/threads/nsTimerImpl.cpp:562:7
    #6 0x7f9e37d6a39d in nsTimerEvent::Run() /gecko/xpcom/threads/TimerThread.cpp:251:11
    #7 0x7f9e37d55069 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:452:16
    #8 0x7f9e37d51b27 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:722:26
    #9 0x7f9e37d4fa67 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:581:15
    #10 0x7f9e37d4febd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:375:36
    #11 0x7f9e37d5cb84 in operator() /gecko/xpcom/threads/TaskController.cpp:125:37
    #12 0x7f9e37d5cb84 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:485:5
    #13 0x7f9e37d7d58b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1196:14
    #14 0x7f9e37d887ac in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #15 0x7f9e3907d8d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #16 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #17 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #18 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #19 0x7f9e3fdc8117 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #20 0x7f9e43ae929f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #21 0x7f9e38f757f1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #22 0x7f9e38f757f1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #23 0x7f9e38f757f1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #24 0x7f9e43ae883c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:732:34

previously allocated by thread T0 (Web Content) here:
    #0 0x5589d1f6e02d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x5589d1fb290d in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f9e3abf1397 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f9e3abf1397 in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*) /gecko/gfx/thebes/gfxFcPlatformFontList.cpp:870:22
    #4 0x7f9e3ac428e3 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) /gecko/gfx/thebes/gfxFontEntry.cpp:280:24
    #5 0x7f9e3adc7bd0 in gfxFontGroup::GetFontAt(int, unsigned int, bool*) /gecko/gfx/thebes/gfxTextRun.cpp:2055:16
    #6 0x7f9e3adc9412 in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::StyleGenericFontFamily*) /gecko/gfx/thebes/gfxTextRun.cpp:2277:12
    #7 0x7f9e401d2f5e in Gecko_GetFontMetrics /gecko/layout/style/GeckoBindings.cpp:1457:33
    #8 0x7f9e469b92cd in _$LT$style..gecko..wrapper..GeckoFontMetricsProvider$u20$as$u20$style..font_metrics..FontMetricsProvider$GT$::query::h3759fbc4866cf298 /gecko/servo/components/style/gecko/wrapper.rs:986:13
    #9 0x7f9e465c7c5c in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::query_font_metrics::hc67792483aee53f0 /gecko/servo/components/style/values/specified/length.rs:158:13
    #10 0x7f9e465c7c5c in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::h806342036867de5a /gecko/servo/components/style/values/specified/length.rs:188:21
    #11 0x7f9e465c7c5c in style::values::specified::length::FontRelativeLength::to_computed_value::ha2a083094b5d0646 /gecko/servo/components/style/values/specified/length.rs:137:40
    #12 0x7f9e465c580d in style::values::computed::length::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..NoCalcLength$GT$::to_computed_value::h0ecd15cd2647c96b /gecko/servo/components/style/values/computed/length.rs:36:17
    #13 0x7f9e465bb7f2 in style::values::computed::length_percentage::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..LengthPercentage$GT$::to_computed_value::h217b42dd8a766ef3 /gecko/servo/components/style/values/computed/length_percentage.rs:502:46
    #14 0x7f9e465bb7f2 in _$LT$style..values..generics..NonNegative$LT$T$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::hfffe814fa0c780b0 /gecko/servo/components/style/values/generics/mod.rs:159:5
    #15 0x7f9e465bb7f2 in _$LT$style..values..generics..size..Size2D$LT$L$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h475e1a5d578fecb3 /gecko/servo/components/style/values/generics/size.rs:26:5
    #16 0x7f9e465bb7f2 in _$LT$style..values..generics..border..GenericBorderCornerRadius$LT$L$GT$$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h2d6f73396932981c /gecko/servo/components/style/values/generics/border.rs:88:5
    #17 0x7f9e465bb7f2 in style::properties::longhands::border_top_right_radius::cascade_property::hf774be0c6c78eadc /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-b92d20914194d20b/out/longhands/border.rs:2908:32
    #18 0x7f9e45b7c1f6 in style::properties::cascade::Cascade::apply_declaration::hd80bc4a262944ad0 /gecko/servo/components/style/properties/cascade.rs:556:9
    #19 0x7f9e45b7c1f6 in style::properties::cascade::Cascade::apply_properties::h97dc347fdfb66d00 /gecko/servo/components/style/properties/cascade.rs:673:13
    #20 0x7f9e45b7f34d in style::properties::cascade::apply_declarations::h79e76a38ef3dd397 /gecko/servo/components/style/properties/cascade.rs:349:9
    #21 0x7f9e45b7f34d in style::properties::cascade::cascade_rules::h6cd7581f7454481d /gecko/servo/components/style/properties/cascade.rs:210:5
    #22 0x7f9e45b99988 in style::properties::cascade::cascade::h095b70487531cd61 /gecko/servo/components/style/properties/cascade.rs:93:5
    #23 0x7f9e45b99988 in style::stylist::Stylist::cascade_style_and_visited::hb2060cc5018908d1 /gecko/servo/components/style/stylist.rs:905:9
    #24 0x7f9e45ba42b4 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::h0e5aa1193cfc8070 /gecko/servo/components/style/style_resolver.rs:346:22
    #25 0x7f9e45ba391e in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h09ed4087b003e7eb /gecko/servo/components/style/style_resolver.rs:243:20
    #26 0x7f9e45b9f1cc in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_primary_style::h910ea45f7d136d0c /gecko/servo/components/style/style_resolver.rs:203:9
    #27 0x7f9e45b9edf9 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::hbafcad99a6c1d8ad /gecko/servo/components/style/style_resolver.rs:259:29
    #28 0x7f9e45b9a68a in style::traversal::resolve_style::hfcb3b409f24f1892 /gecko/servo/components/style/traversal.rs:367:5
    #29 0x7f9e45b9a68a in Servo_ResolveStyleLazily /gecko/servo/ports/geckolib/glue.rs:5502:18
    #30 0x7f9e402266aa in mozilla::ServoStyleSet::ResolveStyleLazily(mozilla::dom::Element&, mozilla::PseudoStyleType, mozilla::StyleRuleInclusion) /gecko/layout/style/ServoStyleSet.cpp:1140:10

Johnathan, if you have a testcase that reproduces this (from the dup'd report in bug 1679936), I'd be interested to see it, as it's not immediately clear to me how this arises. Thanks!

Flags: needinfo?(simonjohnathan)
Blocks: domino
Attached file testcase.zip

(In reply to Jonathan Kew (:jfkthame) from comment #2)

Johnathan, if you have a testcase that reproduces this (from the dup'd report in bug 1679936), I'd be interested to see it, as it's not immediately clear to me how this arises. Thanks!

I've attached a reduced testcase for this issue. Please let me know if you have any issues reproducing it.

Flags: needinfo?(simonjohnathan)
Flags: needinfo?(jfkthame)

Jason, does this still reproduce? It looks to me like it may have been triggered by the same underlying issue as bug 1684497.

Flags: needinfo?(jfkthame) → needinfo?(jkratzer)
Flags: needinfo?(jkratzer)
Keywords: bugmon

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210120161357-171064b937f6.
The bug appears to have been introduced in the following build range:

Start: bf21f044ae70855a7407d7ac247b915dd65ae7a4 (20200622093556)
End: 7a13c77442451fdb9fd1032f605f1322a218702b (20200622094618)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bf21f044ae70855a7407d7ac247b915dd65ae7a4&tochange=7a13c77442451fdb9fd1032f605f1322a218702b

Whiteboard: [bugmon:bisected,confirmed]
Has Regression Range: --- → yes
Assignee: nobody → emilio

I couldn't repro this one, but I could repro bug 1682607 and I'm ~sure it's the same underlying issue. Jason, can you confirm bug 1682607 fixes this when it lands?

Flags: needinfo?(emilio) → needinfo?(jkratzer)
Flags: needinfo?(jkratzer)
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirm]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #8)

I couldn't repro this one, but I could repro bug 1682607 and I'm ~sure it's the same underlying issue. Jason, can you confirm bug 1682607 fixes this when it lands?

:emilio, I can confirm that this bug no longer reproduces using the patch in bug 1682607.

Whiteboard: [bugmon:bisected,confirm] → [bugmon:bisected,confirmed]

Should we uplift bug 1682607 to 86?

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Depends on: 1682607
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210211154112-160b47b7163e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(emilio)

I had requested uplift for that bug already.

Flags: needinfo?(emilio)

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(emilio)
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][sec-survey]
Flags: needinfo?(emilio)
Whiteboard: [bugmon:bisected,confirmed][sec-survey] → [bugmon:bisected,confirmed][sec-survey][adv-main86+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: