Closed Bug 1297934 (CVE-2016-5272) Opened 3 years ago Closed 3 years ago

Bad cast in nsImageGeometryMixin

Categories

(Core :: Layout, defect)

defect
Not set

Tracking

()

VERIFIED FIXED
mozilla51
Tracking Status
firefox48 --- wontfix
firefox49 + verified
firefox-esr45 49+ verified
firefox50 + verified
firefox51 + verified

People

(Reporter: inferno, Assigned: tnikkel)

References

Details

(Keywords: csectype-other, regression, sec-high, Whiteboard: [adv-main49+][adv-esr45.4+])

Attachments

(2 files)

Attached file Testcase
1. Load testcase and press Tab to trigger.
2. Looks like a bad cast / type confusion issue.

auto lastGeometry =
      static_cast<T*>(mozilla::FrameLayerBuilder::GetMostRecentGeometry(aItem));
    if (lastGeometry) {
      mLastDrawResult = lastGeometry->mLastDrawResult; // crashing here.

==6679==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0004e5028 at pc 0x7f0c222bbb93 bp 0x7fffba9ec040 sp 0x7fffba9ec038
READ of size 1 at 0x60b0004e5028 thread T0 (Web Content)
    #0 0x7f0c222bbb92 in nsImageGeometryMixin layout/base/nsDisplayListInvalidation.h:101:39
    #1 0x7f0c222bbb92 in nsDisplayItemGenericImageGeometry layout/base/nsDisplayListInvalidation.h:163
    #2 0x7f0c222bbb92 in nsDisplayRangeFocusRing::AllocateGeometry(nsDisplayListBuilder*) layout/forms/nsRangeFrame.cpp:202
    #3 0x7f0c21c3d579 in mozilla::FrameLayerBuilder::ComputeGeometryChangeForItem(mozilla::FrameLayerBuilder::DisplayItemData*) layout/base/FrameLayerBuilder.cpp:4366:22
    #4 0x7f0c21c3c5ce in mozilla::FrameLayerBuilder::WillEndTransaction() layout/base/FrameLayerBuilder.cpp:1901:7
    #5 0x7f0c21dcbc5f in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1894:17
    #6 0x7f0c21e7cd99 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) layout/base/nsLayoutUtils.cpp:3603:10
    #7 0x7f0c21f05989 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6640:5
    #8 0x7f0c214bda0c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:484:19
    #9 0x7f0c214bc6ae in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:415:33
    #10 0x7f0c214c051d in nsViewManager::ProcessPendingUpdates() view/nsViewManager.cpp:1118:5
    #11 0x7f0c21bf3b99 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1898:9
    #12 0x7f0c21bfeccd in TickDriver layout/base/nsRefreshDriver.cpp:275:13
    #13 0x7f0c21bfeccd in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:247
    #14 0x7f0c21bfe929 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:266:5
    #15 0x7f0c21c00934 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:426:9
    #16 0x7f0c2259ae74 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:64:16
    #17 0x7f0c1be65f39 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PVsyncChild.cpp:240:20
    #18 0x7f0c1b8b1151 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PBackgroundChild.cpp:2048:28
    #19 0x7f0c1b7da134 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:1662:25
    #20 0x7f0c1b7d68f7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:1600:17
    #21 0x7f0c1b7c3bff in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() ipc/glue/MessageChannel.cpp:1567:5
    #22 0x7f0c1b7f4a62 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:729:12
    #23 0x7f0c1b7f4a62 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:735
    #24 0x7f0c1b7f4a62 in mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:764
    #25 0x7f0c1b7f42ef in Run objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:545:29
    #26 0x7f0c1b7f42ef in mozilla::ipc::MessageChannel::DequeueTask::Run() objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:564
    #27 0x7f0c1aa15a1e in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1058:14
    #28 0x7f0c1aa965e8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #29 0x7f0c1b7e17a1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #30 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #31 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #32 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #33 0x7f0c2153565f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #34 0x7f0c236e7697 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:846:22
    #35 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #36 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #37 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #38 0x7f0c236e6d58 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:676:34
    #39 0x511ab3 in content_process_main ipc/contentproc/plugin-container.cpp:197:19
    #40 0x511ab3 in main browser/app/nsBrowserApp.cpp:369
    #41 0x7f0c348e9f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
0x60b0004e5028 is located 0 bytes to the right of 40-byte region [0x60b0004e5000,0x60b0004e5028)
allocated by thread T0 (Web Content) here:
    #0 0x4d5cc8 in malloc _asan_rtl_
    #1 0x51296d in moz_xmalloc memory/mozalloc/mozalloc.cpp:110:17
    #2 0x7f0c21f3009e in operator new objdir-ff-asan/dist/include/mozilla/mozalloc.h:193:12
    #3 0x7f0c21f3009e in nsDisplayItem::AllocateGeometry(nsDisplayListBuilder*) layout/base/nsDisplayList.h:1484
    #4 0x7f0c21c3d579 in mozilla::FrameLayerBuilder::ComputeGeometryChangeForItem(mozilla::FrameLayerBuilder::DisplayItemData*) layout/base/FrameLayerBuilder.cpp:4366:22
    #5 0x7f0c21c3c5ce in mozilla::FrameLayerBuilder::WillEndTransaction() layout/base/FrameLayerBuilder.cpp:1901:7
    #6 0x7f0c21dcbc5f in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1894:17
    #7 0x7f0c21e7cd99 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) layout/base/nsLayoutUtils.cpp:3603:10
    #8 0x7f0c21f05989 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6640:5
    #9 0x7f0c214bda0c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:484:19
    #10 0x7f0c214bc6ae in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:415:33
    #11 0x7f0c214c051d in nsViewManager::ProcessPendingUpdates() view/nsViewManager.cpp:1118:5
    #12 0x7f0c21bf3b99 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1898:9
    #13 0x7f0c21bfeccd in TickDriver layout/base/nsRefreshDriver.cpp:275:13
    #14 0x7f0c21bfeccd in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:247
    #15 0x7f0c21bfe929 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:266:5
    #16 0x7f0c21c00934 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:426:9
    #17 0x7f0c2259ae74 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:64:16
    #18 0x7f0c1be65f39 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PVsyncChild.cpp:240:20
    #19 0x7f0c1b8b1151 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PBackgroundChild.cpp:2048:28
    #20 0x7f0c1b7da134 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:1662:25
    #21 0x7f0c1b7d68f7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) ipc/glue/MessageChannel.cpp:1600:17
    #22 0x7f0c1b7c3bff in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() ipc/glue/MessageChannel.cpp:1567:5
    #23 0x7f0c1b7f4a62 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:729:12
    #24 0x7f0c1b7f4a62 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:735
    #25 0x7f0c1b7f4a62 in mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:764
    #26 0x7f0c1b7f42ef in Run objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:545:29
    #27 0x7f0c1b7f42ef in mozilla::ipc::MessageChannel::DequeueTask::Run() objdir-ff-asan/dist/include/mozilla/ipc/MessageChannel.h:564
    #28 0x7f0c1aa15a1e in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1058:14
    #29 0x7f0c1aa965e8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #30 0x7f0c1b7e17a1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #31 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #32 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #33 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #34 0x7f0c2153565f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #35 0x7f0c236e7697 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:846:22
    #36 0x7f0c1b754ad0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #37 0x7f0c1b754ad0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #38 0x7f0c1b754ad0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/linux_asan_firefox/custom/firefox/libxul.so+0x9805b92)
Shadow bytes around the buggy address:
  0x0c16800949b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x0c16800949c0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800949d0: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c16800949e0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
  0x0c16800949f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1680094a00: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c1680094a10: fa fa fa fa fa fa 00 00 00 00 00 fa fa fa fa fa
  0x0c1680094a20: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1680094a30: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680094a40: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1680094a50: fa fa fa fa fa fa fa fa fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6679==ABORTING
Component: DOM → Layout
I think this is because nsDisplayFocusRing uses display item type TYPE_OUTLINE, which is also used by nsDisplayOutline. Each display item needs it's own type.

This was added in https://hg.mozilla.org/mozilla-central/rev/bb2b0d8fdfd3 from bug 864120, so it was probably just overlooked when implementing the new display item type.
Blocks: 864120
Attached patch patchSplinter Review
Assignee: nobody → tnikkel
Attachment #8785020 - Flags: review?(matt.woodrow)
I haven't tested that the patch fixes the problem, but I'm guessing it will.
Getting something automated that checks the invariant that every different display item class gets a different display item type would be good.
Attachment #8785020 - Flags: review?(matt.woodrow) → review+
Comment on attachment 8785020 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

see below

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

the patch points to <input type="range"> as the source of the issue, knowing that it might not be too hard to run a fuzzer with ASAN builds to find this heap overflow

Which older supported branches are affected by this flaw?

all of them

If not all supported branches, which bug introduced the flaw?

bug 864120

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

trivial

How likely is this patch to cause regressions; how much testing does it need?

very unlikely, no extra testing required
Attachment #8785020 - Flags: sec-approval?
sec-approval+ for trunk. Please nominate aurora, beta, and ESR45 patches as we're running out of time.

Release Management, this is a TWO line change so it should be pretty safe everywhere.
Attachment #8785020 - Flags: sec-approval? → sec-approval+
Comment on attachment 8785020 [details] [diff] [review]
patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: hasn't been rated yet, but heap overflows are usually sec-crit
User impact if declined: security issue
Fix Landed on Version: 51
Risk to taking this patch (and alternatives if risky): safe
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Approval Request Comment
[Feature/regressing bug #]: bug 864120
[User impact if declined]: security issue
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: safe
[String/UUID change made/needed]: none
Attachment #8785020 - Flags: approval-mozilla-esr45?
Attachment #8785020 - Flags: approval-mozilla-beta?
Attachment #8785020 - Flags: approval-mozilla-aurora?
No security rating here. Dan can you help out? 
tnikkel can you request sec-approval, assuming this may turn out to be sec-critical? 
We will likely go to build Monday morning, so if this misses beta 8 we can still consider it for beta 9 later in the week.
Flags: needinfo?(tnikkel)
Flags: needinfo?(dveditz)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #9)
> tnikkel can you request sec-approval, assuming this may turn out to be
> sec-critical? 

sec-approval has already been requested and granted, see comment 6.
Flags: needinfo?(tnikkel)
Would you mind confirming that the patch fixed the issue for you?
Flags: needinfo?(inferno)
(In reply to Timothy Nikkel (:tnikkel) from comment #11)
> Would you mind confirming that the patch fixed the issue for you?

Verified that the patch fixes the bad cast.
Flags: needinfo?(inferno)
I missed that. Thanks.
Comment on attachment 8785020 [details] [diff] [review]
patch

Likely sec-critical, fix verified in comment 12, let's uplift this for the beta 8 build.
Attachment #8785020 - Flags: approval-mozilla-beta?
Attachment #8785020 - Flags: approval-mozilla-beta+
Attachment #8785020 - Flags: approval-mozilla-aurora?
Attachment #8785020 - Flags: approval-mozilla-aurora+
Comment on attachment 8785020 [details] [diff] [review]
patch

Taking to esr45 too.
Attachment #8785020 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
https://hg.mozilla.org/mozilla-central/rev/ff8a0cac29b2
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dveditz) → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Flags: sec-bounty?
Group: core-security → core-security-release
Flags: qe-verify+
Whiteboard: [adv-main49+][adv-esr45.4+]
Reproduced on 50.0a1 (2016-06-15) asan build, Ubuntu 14.04.
Verified fixed FX 49.0, 50.0a2 (2016-09-07), 45.4.0 ESR asan builds.
Any idea why there are no recent asan builds on http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/ ?
(In reply to Paul Silaghi, QA [:pauly] from comment #18)
> Any idea why there are no recent asan builds on
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-
> linux64-asan/ ?

That's a question for someone else, but I'm not sure who would know.
Flags: needinfo?(tnikkel)
(In reply to Paul Silaghi, QA [:pauly] from comment #18)
> Any idea why there are no recent asan builds on
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-
> linux64-asan/ ?

Those builds aren't made by Tinderbox anymore. They moved to Task Cluster by release engineering (don't ask me why). My team documented how to get current builds:

Manual browsing:

1. Go to
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt

2. On the right side, you will see the most recent build (the browser is
in "public/build/target.tar.bz2").


Automated downloading:

There is a JSON API for accessing the index and the artifacts of a task,
so you would have to:

1. Fetch
https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt

2. Extract the taskId from the response.

3. Fetch https://queue.taskcluster.net/v1/task/<TASKID>/artifacts
(replace <TASKID> with the id from the previous response).

4. Extract list of desired files and fetch them by appending them to the
previous URL, e.g. the browser will be at:
https://queue.taskcluster.net/v1/task/<TASKID>/artifacts/public/build/target.tar.bz2
Alias: CVE-2016-5272
Thanks for clarifying.
Verified fixed FX 51.0a1 (2016-09-08) asan, Ubuntu 14.04.
Status: RESOLVED → VERIFIED
(In reply to Daniel Holbert [:dholbert] from comment #21)
> From talking to catlee, I think the answer is:
>  https://tools.taskcluster.net/index/#gecko.v2.mozilla-central.pushdate/
> gecko.v2.mozilla-central.pushdate
How do I download a build from there?
Let's say: https://tools.taskcluster.net/index/#gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox/gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox.linux64-asan-opt
Flags: needinfo?(dholbert)
Currently you'd need to jump through 3 more hoops from that page (yes, this sucks):
 - Click the "TaskId" link
 - Click "Run 0"
 - Under "Artifacts", click "public/build/target.tar.bz2"

That'll give you the firefox build.

(catlee says that these extra hoops are arguably a bug in taskcluster, and I've brought it up in #taskcluster. Hopefully the URL from comment 23 will just have an easy link to the build, at some point in the future.)
Flags: needinfo?(dholbert)
OK, better steps: use the "artifact" view on taskcluster, which has a similar folder structure to my link in comment 21, but actually shows you download links on the right.

You can start navigating (by year, month, etc) from here:
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.pushdate/gecko.v2.mozilla-central.pushdate
...and you'll end up at a page like this:
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox/gecko.v2.mozilla-central.pushdate.2016.09.01.20160901001112.firefox.linux64-asan-opt
...and target.tar.bz2 (linked on the right) is the file you're looking for.
If you are just looking for the latest build, there is an easy way. Just use this direct URL for downloading:

https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt/artifacts/public/build/target.tar.bz2
Thank you for your explanations!
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.