1297934 - (CVE-2016-5272) Bad cast in nsImageGeometryMixin

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Abhishek Arya]

Attachment: Testcase

1. Load testcase and press Tab to trigger.
2. Looks like a bad cast / type confusion issue.

auto lastGeometry =
      static_cast<T*>(mozilla::FrameLayerBuilder::GetMostRecentGeometry(aItem));
    if (lastGeometry) {
      mLastDrawResult = lastGeometry->mLastDrawResult; // crashing here.

==6679==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0004e5028 at pc 0x7f0c222bbb93 bp 0x7fffba9ec040 sp 0x7fffba9ec038
READ of size 1 at 0x60b0004e5028 thread T0 (Web Content)
    #0 0x7f0c222bbb92 in nsImageGeometryMixin layout/base/nsDisplayListInvalidation.h:101:39
    #1 0x7f0c222bbb92 in nsDisplayItemGenericImageGeometry layout/base/nsDisplayListInvalidation.h:163
    #2 0x7f0c222bbb92 in nsDisplayRangeFocusRing::AllocateGeometry(nsDisplayListBuilder*) layout/forms/nsRangeFrame.cpp:202
    #3 0x7f0c21c3d579 in mozilla::FrameLayerBuilder::ComputeGeometryChangeForItem(mozilla::FrameLayerBuilder::DisplayItemData*) layout/base/FrameLayerBuilder.cpp:4366:22
    #4 0x7f0c21c3c5ce in mozilla::FrameLayerBuilder::WillEndTransaction() layout/base/FrameLayerBuilder.cpp:1901:7
    #5 0x7f0c21dcbc5f in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1894:17
    #6 0x7f0c21e7cd99 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) layout/base/nsLayoutUtils.cpp:3603:10
    #7 0x7f0c21f05989 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6640:5
    #8 0x7f0c214bda0c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:484:19
    #9 0x7f0c214bc6ae in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:415:33
    #10 0x7f0c214c051d in nsViewManager::ProcessPendingUpdates() view/nsViewManager.cpp:1118:5
    #11 0x7f0c21bf3b99 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1898:9
    #12 0x7f0c21bfeccd in TickDriver layout/base/nsRefreshDriver.cpp:275:13
    #13 0x7f0c21bfeccd in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:247
    #14 0x7f0c21bfe929 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:266:5
    #15 0x7f0c21c00934 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:426:9
    #16 0x7f0c2259ae74 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:64:16
    #17 0x7f0c1be65f39 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PVsyncChild.cpp:240:20
    #18 0x7f0c1b8b1151 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PBackgroundChild.cpp:2048:28
    #19 0x7f0c1b7da134 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:1662:25
    #20 0x7f0c1b7d68f7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:1600:17
    #21 0x7f0c1b7c3bff in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() ipc/glue/MessageChannel.cpp:1567:5
    #22 0x7f0c1b7f4a62 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:729:12
    #23 0x7f0c1b7f4a62 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:735
    #24 0x7f0c1b7f4a62 in mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:764
    #25 0x7f0c1b7f42ef in Run objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:545:29
    #26 0x7f0c1b7f42ef in mozilla::ipc::MessageChannel::DequeueTask::Run() objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:564
    #27 0x7f0c1aa15a1e in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1058:14
    #28 0x7f0c1aa965e8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #29 0x7f0c1b7e17a1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #30 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #31 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #32 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #33 0x7f0c2153565f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #34 0x7f0c236e7697 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:846:22
    #35 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #36 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #37 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #38 0x7f0c236e6d58 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:676:34
    #39 0x511ab3 in content_process_main ipc/contentproc/plugin-container.cpp:197:19
    #40 0x511ab3 in main browser/app/nsBrowserApp.cpp:369
    #41 0x7f0c348e9f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
0x60b0004e5028 is located 0 bytes to the right of 40-byte region [0x60b0004e5000,0x60b0004e5028)
allocated by thread T0 (Web Content) here:
    #0 0x4d5cc8 in malloc _asan_rtl_
    #1 0x51296d in moz_xmalloc memory/mozalloc/mozalloc.cpp:110:17
    #2 0x7f0c21f3009e in operator new objdir-ff-asan/dist/include/mozilla/mozalloc.h:193:12
    #3 0x7f0c21f3009e in nsDisplayItem::AllocateGeometry(nsDisplayListBuilder*) layout/base/nsDisplayList.h:1484
    #4 0x7f0c21c3d579 in mozilla::FrameLayerBuilder::ComputeGeometryChangeForItem(mozilla::FrameLayerBuilder::DisplayItemData*) layout/base/FrameLayerBuilder.cpp:4366:22
    #5 0x7f0c21c3c5ce in mozilla::FrameLayerBuilder::WillEndTransaction() layout/base/FrameLayerBuilder.cpp:1901:7
    #6 0x7f0c21dcbc5f in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1894:17
    #7 0x7f0c21e7cd99 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) layout/base/nsLayoutUtils.cpp:3603:10
    #8 0x7f0c21f05989 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6640:5
    #9 0x7f0c214bda0c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:484:19
    #10 0x7f0c214bc6ae in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:415:33
    #11 0x7f0c214c051d in nsViewManager::ProcessPendingUpdates() view/nsViewManager.cpp:1118:5
    #12 0x7f0c21bf3b99 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1898:9
    #13 0x7f0c21bfeccd in TickDriver layout/base/nsRefreshDriver.cpp:275:13
    #14 0x7f0c21bfeccd in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:247
    #15 0x7f0c21bfe929 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:266:5
    #16 0x7f0c21c00934 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:426:9
    #17 0x7f0c2259ae74 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:64:16
    #18 0x7f0c1be65f39 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PVsyncChild.cpp:240:20
    #19 0x7f0c1b8b1151 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PBackgroundChild.cpp:2048:28
    #20 0x7f0c1b7da134 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:1662:25
    #21 0x7f0c1b7d68f7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:1600:17
    #22 0x7f0c1b7c3bff in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() ipc/glue/MessageChannel.cpp:1567:5
    #23 0x7f0c1b7f4a62 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:729:12
    #24 0x7f0c1b7f4a62 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:735
    #25 0x7f0c1b7f4a62 in mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:764
    #26 0x7f0c1b7f42ef in Run objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:545:29
    #27 0x7f0c1b7f42ef in mozilla::ipc::MessageChannel::DequeueTask::Run() objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:564
    #28 0x7f0c1aa15a1e in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1058:14
    #29 0x7f0c1aa965e8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #30 0x7f0c1b7e17a1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #31 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #32 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #33 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #34 0x7f0c2153565f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #35 0x7f0c236e7697 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:846:22
    #36 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #37 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #38 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/linux_asan_firefox/custom/firefox/libxul.so+0x9805b92)
Shadow bytes around the buggy address:
  0x0c16800949b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x0c16800949c0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800949d0: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c16800949e0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
  0x0c16800949f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1680094a00: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c1680094a10: fa fa fa fa fa fa 00 00 00 00 00 fa fa fa fa fa
  0x0c1680094a20: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1680094a30: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680094a40: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1680094a50: fa fa fa fa fa fa fa fa fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6679==ABORTING

Comment 1

[Timothy Nikkel (:tnikkel)]

I think this is because nsDisplayFocusRing uses display item type TYPE_OUTLINE, which is also used by nsDisplayOutline. Each display item needs it's own type.

This was added in https://hg.mozilla.org/mozilla-central/rev/bb2b0d8fdfd3 from bug 864120, so it was probably just overlooked when implementing the new display item type.

Comment 2

[Timothy Nikkel (:tnikkel)]

Attachment: patch

Comment 3

[Timothy Nikkel (:tnikkel)]

I haven't tested that the patch fixes the problem, but I'm guessing it will.

Comment 4

[Timothy Nikkel (:tnikkel)]

Getting something automated that checks the invariant that every different display item class gets a different display item type would be good.

Comment 5

[Timothy Nikkel (:tnikkel)]

Comment on attachment 8785020 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

see below

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

the patch points to <input type="range"> as the source of the issue, knowing that it might not be too hard to run a fuzzer with ASAN builds to find this heap overflow

Which older supported branches are affected by this flaw?

all of them

If not all supported branches, which bug introduced the flaw?

bug 864120

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

trivial

How likely is this patch to cause regressions; how much testing does it need?

very unlikely, no extra testing required

Comment 6

[Al Billings [:abillings - ex-MoCo]]

sec-approval+ for trunk. Please nominate aurora, beta, and ESR45 patches as we're running out of time.

Release Management, this is a TWO line change so it should be pretty safe everywhere.

Comment 7

[Timothy Nikkel (:tnikkel)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/ff8a0cac29b2dc7634531b03133f97e1c1460818

Comment 8

[Timothy Nikkel (:tnikkel)]

Comment on attachment 8785020 [details] [diff] [review]
patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: hasn't been rated yet, but heap overflows are usually sec-crit
User impact if declined: security issue
Fix Landed on Version: 51
Risk to taking this patch (and alternatives if risky): safe
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Approval Request Comment
[Feature/regressing bug #]: bug 864120
[User impact if declined]: security issue
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: safe
[String/UUID change made/needed]: none

Comment 9

[Liz Henry (:lizzard) (relman/hg->git project)]

No security rating here. Dan can you help out? 
tnikkel can you request sec-approval, assuming this may turn out to be sec-critical? 
We will likely go to build Monday morning, so if this misses beta 8 we can still consider it for beta 9 later in the week.

Comment 10

[Timothy Nikkel (:tnikkel)]

(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #9)
> tnikkel can you request sec-approval, assuming this may turn out to be
> sec-critical? 

sec-approval has already been requested and granted, see comment 6.

Comment 11

[Timothy Nikkel (:tnikkel)]

Would you mind confirming that the patch fixed the issue for you?

Comment 12

[Abhishek Arya]

(In reply to Timothy Nikkel (:tnikkel) from comment #11)
> Would you mind confirming that the patch fixed the issue for you?

Verified that the patch fixes the bad cast.

Comment 13

[Liz Henry (:lizzard) (relman/hg->git project)]

I missed that. Thanks.

Comment 14

[Liz Henry (:lizzard) (relman/hg->git project)]

Comment on attachment 8785020 [details] [diff] [review]
patch

Likely sec-critical, fix verified in comment 12, let's uplift this for the beta 8 build.

Comment 15

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8785020 [details] [diff] [review]
patch

Taking to esr45 too.

Comment 16

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/ff8a0cac29b2

Comment 17

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/350ef810694c
https://hg.mozilla.org/releases/mozilla-beta/rev/748b8f8c0c98
https://hg.mozilla.org/releases/mozilla-esr45/rev/6e43a01fee3c

Comment 18

[Paul Silaghi, QA [:pauly]]

Reproduced on 50.0a1 (2016-06-15) asan build, Ubuntu 14.04.
Verified fixed FX 49.0, 50.0a2 (2016-09-07), 45.4.0 ESR asan builds.
Any idea why there are no recent asan builds on http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/ ?

Comment 19

[Timothy Nikkel (:tnikkel)]

(In reply to Paul Silaghi, QA [:pauly] from comment #18)
> Any idea why there are no recent asan builds on
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-
> linux64-asan/ ?

That's a question for someone else, but I'm not sure who would know.

Comment 20

[Al Billings [:abillings - ex-MoCo]]

(In reply to Paul Silaghi, QA [:pauly] from comment #18)
> Any idea why there are no recent asan builds on
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-
> linux64-asan/ ?

Those builds aren't made by Tinderbox anymore. They moved to Task Cluster by release engineering (don't ask me why). My team documented how to get current builds:

Manual browsing:

1. Go to
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt

2. On the right side, you will see the most recent build (the browser is
in "public/build/target.tar.bz2").


Automated downloading:

There is a JSON API for accessing the index and the artifacts of a task,
so you would have to:

1. Fetch
https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt

2. Extract the taskId from the response.

3. Fetch https://queue.taskcluster.net/v1/task/<TASKID>/artifacts
(replace <TASKID> with the id from the previous response).

4. Extract list of desired files and fetch them by appending them to the
previous URL, e.g. the browser will be at:
https://queue.taskcluster.net/v1/task/<TASKID>/artifacts/public/build/target.tar.bz2

Comment 21

[Daniel Holbert [:dholbert]]

I think the question here is "how do I get an ASAN build for a particular day in recent history, e.g. the day when this bug was filed". I'm not sure Comment 20 answers that.

From talking to catlee, I think the answer is:
 https://tools.taskcluster.net/index/#gecko.v2.mozilla-central.pushdate/gecko.v2.mozilla-central.pushdate

(The "pushdate" category is important there -- if you go up one level, you *could* choose "nightly" instead, BUT don't do that -- then you won't find any ASAN builds because you'll just be filtering for Nightlies, and we're not making ASAN nightlies right now for some reason. *shrug*  So use "pushdate")

Comment 22

[Paul Silaghi, QA [:pauly]]

Thanks for clarifying.
Verified fixed FX 51.0a1 (2016-09-08) asan, Ubuntu 14.04.

Comment 23

[Paul Silaghi, QA [:pauly]]

(In reply to Daniel Holbert [:dholbert] from comment #21)
> From talking to catlee, I think the answer is:
>  https://tools.taskcluster.net/index/#gecko.v2.mozilla-central.pushdate/
> gecko.v2.mozilla-central.pushdate
How do I download a build from there?
Let's say: https://tools.taskcluster.net/index/#gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox/gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox.linux64-asan-opt

Comment 24

[Daniel Holbert [:dholbert]]

Currently you'd need to jump through 3 more hoops from that page (yes, this sucks):
 - Click the "TaskId" link
 - Click "Run 0"
 - Under "Artifacts", click "public/build/target.tar.bz2"

That'll give you the firefox build.

(catlee says that these extra hoops are arguably a bug in taskcluster, and I've brought it up in #taskcluster. Hopefully the URL from comment 23 will just have an easy link to the build, at some point in the future.)

Comment 25

[Daniel Holbert [:dholbert]]

OK, better steps: use the "artifact" view on taskcluster, which has a similar folder structure to my link in comment 21, but actually shows you download links on the right.

You can start navigating (by year, month, etc) from here:
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.pushdate/gecko.v2.mozilla-central.pushdate
...and you'll end up at a page like this:
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox/gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox.linux64-asan-opt
...and target.tar.bz2 (linked on the right) is the file you're looking for.

Comment 26

[Christian Holler (:decoder)]

If you are just looking for the latest build, there is an easy way. Just use this direct URL for downloading:

https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt/artifacts/public/build/target.tar.bz2

Comment 27

[Daniel Holbert [:dholbert]]

(Yup, abillings already gave a version of that link, in comment 20.)

Comment 28

[Paul Silaghi, QA [:pauly]]

Thank you for your explanations!