Closed Bug 1444086 (CVE-2018-5180) Opened 2 years ago Closed 2 years ago

heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced

Categories

(Core :: Canvas: WebGL, defect, P1)

60 Branch
defect

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- wontfix
firefox60 + fixed
firefox61 + fixed

People

(Reporter: nils, Assigned: jgilbert, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, regression, sec-low, Whiteboard: [gfx-noted][adv-main60+])

Attachments

(3 files)

The following testcase crashes the latest ASAN build of Firefox 60.0a1 (SourceStamp=a6a32fb286fa9e5d5f6d5b3b77423ab6b96c9502).

crash.html:
<script>
	o935=document.createElementNS('http://www.w3.org/1999/xhtml','canvas');
	o935.getContext('webgl2',{depth: true,stencil: true,antialias: true,premultipliedAlpha: false,preserveDrawingBuffer: true,failIfMajorPerformanceCaveat: false,});
	o935.setAttribute('height','3');
	o2819=o935.getContext('webgl2',{stencil: false,preserveDrawingBuffer: true,failIfMajorPerformanceCaveat: true,});
	o3250=o2819.createBuffer();
	o2819.bindBuffer(o2819.PIXEL_UNPACK_BUFFER,o3250);
	o3623=o2819.createTexture();
	o2819.bindTexture(o2819.TEXTURE_2D,o3623);
	o2819.copyTexImage2D(o2819.TEXTURE_2D,2,o2819.RGBA,1,4,8,7,0);
	o935.setAttribute('height','9');
	o2819.drawElements(o2819.LINE_STRIP,0,o2819.UNSIGNED_BYTE,10);
</script>

ASAN output:
=================================================================
==21389==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e0000504a9 at pc 0x7fc1d0dec464 bp 0x7fff6f759b50 sp 0x7fff6f759b48
WRITE of size 1 at 0x61e0000504a9 thread T0 (file:// Content)
    #0 0x7fc1d0dec463 in ~TlsScope /builds/worker/workspace/build/src/gfx/gl/GLContext.h:216:35
    #1 0x7fc1d0dec463 in mozilla::WebGLContext::DrawElementsInstanced(unsigned int, int, unsigned int, long, int, char const*) /builds/worker/workspace/build/src/dom/canvas/WebGLContextDraw.cpp:721
    #2 0x7fc1cfccc036 in DrawElements /builds/worker/workspace/build/src/dom/canvas/WebGLContext.h:1329:9
    #3 0x7fc1cfccc036 in mozilla::dom::WebGL2RenderingContextBinding::drawElements(JSContext*, JS::Handle<JSObject*>, mozilla::WebGL2Context*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WebGL2RenderingContextBinding.cpp:10939
    #4 0x7fc1d0bf92b1 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
    #5 0x7fc1d76e46c8 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #6 0x7fc1d76e46c8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #7 0x7fc1d76ca2f9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #8 0x7fc1d76ca2f9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #9 0x7fc1d76b638a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #10 0x7fc1d76e76c4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:700:15
    #11 0x7fc1d76e7e4f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:732:12
    #12 0x7fc1d81d7129 in ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4748:12
    #13 0x7fc1ce4b6836 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #14 0x7fc1d2d14a74 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2321:25
    #15 0x7fc1d2d0e4b9 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1950:10
    #16 0x7fc1d2d0b8e7 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1591:10
    #17 0x7fc1d2ceea7e in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1310:10
    #18 0x7fc1d2cedb99 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
    #19 0x7fc1cd26a87b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
    #20 0x7fc1cd26a87b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736
    #21 0x7fc1cd263d74 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:540:7
    #22 0x7fc1cd26fc6b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:131:20
    #23 0x7fc1cb2fd320 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #24 0x7fc1cb326ae6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #25 0x7fc1cb342080 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #26 0x7fc1cc1f552a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #27 0x7fc1cc147389 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #28 0x7fc1cc147389 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #29 0x7fc1cc147389 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #30 0x7fc1d2f5811a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #31 0x7fc1d7415bfb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #32 0x7fc1cc147389 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #33 0x7fc1cc147389 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #34 0x7fc1cc147389 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #35 0x7fc1d74155da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #36 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #37 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #38 0x7fc1ea9c182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #39 0x420f48 in _start (/fuzzer3/firefox/firefox+0x420f48)

0x61e0000504a9 is located 41 bytes inside of 2744-byte region [0x61e000050480,0x61e000050f38)
freed by thread T0 (file:// Content) here:
    #0 0x4c1952 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fc1d0dcf5f9 in ForceLoseContext /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1883:5
    #2 0x7fc1d0dcf5f9 in mozilla::WebGLContext::EnsureDefaultFB(char const*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:785
    #3 0x7fc1d0daed2e in ValidateAndInitFB /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1983:10
    #4 0x7fc1d0daed2e in mozilla::WebGLContext::BindCurFBForDraw(char const*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:2009
    #5 0x7fc1d0de939b in mozilla::ScopedDrawHelper::ScopedDrawHelper(mozilla::WebGLContext*, char const*, unsigned int, mozilla::Maybe<unsigned int> const&, unsigned int, bool*) /builds/worker/workspace/build/src/dom/canvas/WebGLContextDraw.cpp:246:22
    #6 0x7fc1d0deb960 in mozilla::WebGLContext::DrawElementsInstanced(unsigned int, int, unsigned int, long, int, char const*) /builds/worker/workspace/build/src/dom/canvas/WebGLContextDraw.cpp:683:28
    #7 0x7fc1cfccc036 in DrawElements /builds/worker/workspace/build/src/dom/canvas/WebGLContext.h:1329:9
    #8 0x7fc1cfccc036 in mozilla::dom::WebGL2RenderingContextBinding::drawElements(JSContext*, JS::Handle<JSObject*>, mozilla::WebGL2Context*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WebGL2RenderingContextBinding.cpp:10939
    #9 0x7fc1d0bf92b1 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
    #10 0x7fc1d76e46c8 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #11 0x7fc1d76e46c8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #12 0x7fc1d76ca2f9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #13 0x7fc1d76ca2f9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #14 0x7fc1d76b638a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #15 0x7fc1d76e76c4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:700:15
    #16 0x7fc1d76e7e4f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:732:12
    #17 0x7fc1d81d7129 in ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4748:12
    #18 0x7fc1ce4b6836 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #19 0x7fc1d2d14a74 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2321:25
    #20 0x7fc1d2d0e4b9 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1950:10
    #21 0x7fc1d2d0b8e7 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1591:10
    #22 0x7fc1d2ceea7e in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1310:10
    #23 0x7fc1d2cedb99 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
    #24 0x7fc1cd26a87b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
    #25 0x7fc1cd26a87b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736
    #26 0x7fc1cd263d74 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:540:7
    #27 0x7fc1cd26fc6b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:131:20
    #28 0x7fc1cb2fd320 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #29 0x7fc1cb326ae6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #30 0x7fc1cb342080 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #31 0x7fc1cc1f552a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #32 0x7fc1cc147389 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #33 0x7fc1cc147389 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #34 0x7fc1cc147389 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #35 0x7fc1d2f5811a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #36 0x7fc1d7415bfb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #37 0x7fc1cc147389 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #38 0x7fc1cc147389 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #39 0x7fc1cc147389 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f26fd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7fc1cd4e0ca0 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7fc1cd4e0ca0 in mozilla::gl::GLContextGLX::CreateGLContext(mozilla::gl::CreateContextFlags, mozilla::gl::SurfaceCaps const&, bool, _XDisplay*, unsigned long, __GLXFBConfigRec*, bool, gfxXlibSurface*) /builds/worker/workspace/build/src/gfx/gl/GLContextProviderGLX.cpp:546
    #4 0x7fc1cd4e3732 in mozilla::gl::CreateOffscreenPixmapContext(mozilla::gl::CreateContextFlags, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gl::SurfaceCaps const&, nsTSubstring<char>*) /builds/worker/workspace/build/src/gfx/gl/GLContextProviderGLX.cpp:1007:12
    #5 0x7fc1cd4e3abd in mozilla::gl::GLContextProviderGLX::CreateOffscreen(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, nsTSubstring<char>*) /builds/worker/workspace/build/src/gfx/gl/GLContextProviderGLX.cpp:1034:10
    #6 0x7fc1d0dce6d5 in mozilla::CreateGLWithDefault(mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, mozilla::WebGLContext*, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:565:28
    #7 0x7fc1d0dcac7f in mozilla::WebGLContext::CreateAndInitGLWith(already_AddRefed<mozilla::gl::GLContext> (*)(mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, mozilla::WebGLContext*, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*), mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:597:23
    #8 0x7fc1d0dcced4 in mozilla::WebGLContext::CreateAndInitGL(bool, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:724:13
    #9 0x7fc1d0dd0d32 in mozilla::WebGLContext::SetDimensions(int, int) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:961:10
    #10 0x7fc1d0d1aa0e in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:243:24
    #11 0x7fc1d0d1a4ba in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:197:19
    #12 0x7fc1d15241d0 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:1016:40
    #13 0x7fc1d0646a50 in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:275:49
    #14 0x7fc1d0bf92b1 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
    #15 0x7fc1d76e46c8 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #16 0x7fc1d76e46c8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #17 0x7fc1d76ca2f9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #18 0x7fc1d76ca2f9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #19 0x7fc1d76b638a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #20 0x7fc1d76e76c4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:700:15
    #21 0x7fc1d76e7e4f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:732:12
    #22 0x7fc1d81d7129 in ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4748:12
    #23 0x7fc1ce4b6836 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #24 0x7fc1d2d14a74 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2321:25
    #25 0x7fc1d2d0e4b9 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1950:10
    #26 0x7fc1d2d0b8e7 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1591:10
    #27 0x7fc1d2ceea7e in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1310:10
    #28 0x7fc1d2cedb99 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
    #29 0x7fc1cd26a87b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
    #30 0x7fc1cd26a87b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736
    #31 0x7fc1cd263d74 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:540:7
    #32 0x7fc1cd26fc6b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:131:20
    #33 0x7fc1cb2fd320 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/gfx/gl/GLContext.h:216:35 in ~TlsScope
Shadow bytes around the buggy address:
  0x0c3c80002040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80002050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80002060: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c3c80002070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80002080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c80002090: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c3c800020a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800020b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800020c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800020d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800020e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21389==ABORTING
Attached file ASAN output
Group: core-security → gfx-core-security
Priority: -- → P1
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
Whiteboard: [gfx-noted]
This is on the benign side of UAFs because the UAF is hit while unwinding the same callstack that it was freed in, so there's not really an opportunity to do much with it.
Flags: needinfo?(jgilbert)
Attachment #8958603 - Flags: review?(jmuizelaar) → review+
Comment on attachment 8958603 [details] [diff] [review]
0001-Bug-1444086-TlsScope-should-use-WeakPtr.-r-jrmuizel.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Very hard. Something new would have to be allocated over the memory of the freed object between when it's freed (further up the stack) and when we unwind past this RAII class's dtor. That's a very narrow window.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Switching a bare pointer to a WeakPtr does point to UAF protection, but it's not obvious how to trigger it.

Which older supported branches are affected by this flaw?
59+, so Release and Beta.

If not all supported branches, which bug introduced the flaw?
Bug 1428898

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Trivial backports.

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely.
Attachment #8958603 - Flags: sec-approval?
Depends on: 1428898
Sec-approval for March 27, two weeks into the new release cycle. Please don't check it into trunk before then.

At that point, we'll want patches for other affected branches nominated as well.
Whiteboard: [gfx-noted] → [gfx-noted][checkin on 3/27]
Attachment #8958603 - Flags: sec-approval? → sec-approval+
Please request Beta approval on this when you get a chance. It grafts cleanly as-landed.
Flags: needinfo?(jgilbert)
Comment on attachment 8958603 [details] [diff] [review]
0001-Bug-1444086-TlsScope-should-use-WeakPtr.-r-jrmuizel.patch

Approval Request Comment
[Feature/Bug causing the regression]: bug 1428898
[User impact if declined]: sec-high
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: no
[Needs manual test from QE? If yes, steps to reproduce]: testcase provided
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: low risk
[Why is the change risky/not risky?]: easy-to-understand fix
[String changes made/needed]: none
Flags: needinfo?(jgilbert)
Attachment #8958603 - Flags: approval-mozilla-beta?
Comment on attachment 8958603 [details] [diff] [review]
0001-Bug-1444086-TlsScope-should-use-WeakPtr.-r-jrmuizel.patch

Approved for 60.0b8.
Attachment #8958603 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/6de32df4f0ca
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Group: gfx-core-security → core-security-release
Flags: qe-verify+
I didn't manage to reproduce the issue using the ASAN build of Firefox 60.0a1 from 2018-03-08 (when the bug was reported), using the provided testcase on Ubuntu 16.04 x64 and Ubuntu 14.04 x86. I also have to mention that the most recent ASAN builds of 61.0a1 and 60.0b8 have the same behaviour as the affected one. 
Can you please confirm the fix on your affected environment?
Flags: needinfo?(nils)
Flags: sec-bounty?
Agreeing with Jeff's comment 2, we are not awarding a bounty for this bug.
Blocks: 1428898
No longer depends on: 1428898
Flags: sec-bounty? → sec-bounty-
Keywords: sec-highregression, sec-low
Whiteboard: [gfx-noted] → [gfx-noted][adv-main60+]
Alias: CVE-2018-5180
Group: core-security-release
Flags: qe-verify+ → qe-verify-
You need to log in before you can comment on or make changes to this bug.