Closed Bug 1701942 (CVE-2021-23997) Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free at gfxFont.h GetUnicodeRangeMap in RefPtr.h get

Categories

(Core :: Graphics: Text, defect)

Tracking

VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- wontfix
firefox88 + fixed
firefox89 + fixed

People

(Reporter: sourc7, Assigned: emilio)

References

(Regression)

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main88+])

Attachments

(7 files)

Attached file testcase.html

After opening the testcase and then closing the tab, the tab crashes with SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get.

I'm currently able to reproduce this on Firefox ASan Nightly 89.0a1 (2021-03-30) (64-bit) from fuzzfetch m-c-20210330035059-fuzzing-asan-opt.

Steps to reproduce:

  1. Open Firefox ASan Nightly from a terminal (to view the ASan output)
  2. Visit the testcase.html
  3. Close the tab
  4. On the console, ASan will show output "AddressSanitizer: heap-use-after-free"

ASan output:

=================================================================
==1163767==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400055a288 at pc 0x7f639ce90178 bp 0x7ffcb518b280 sp 0x7ffcb518b278
READ of size 8 at 0x61400055a288 thread T0 (file:// Content)
    #0 0x7f639ce90177 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f639ce90177 in GetUnicodeRangeMap /builds/worker/workspace/obj-build/dist/include/gfxFont.h:1764:29
    #2 0x7f639ce90177 in gfxFontCache::HashEntry::KeyEquals(gfxFontCache::Key const*) const /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:220:55
    #3 0x7f639a05767c in SearchTable<PLDHashTable::ForSearchOrRemove, (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:500:7), (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:501:7)> /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:375:11
    #4 0x7f639a05767c in PLDHashTable::Search(void const*) const /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:498:10
    #5 0x7f639ce90f70 in GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:289:16
    #6 0x7f639ce90f70 in gfxFontCache::DestroyFont(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:282:29
    #7 0x7f639ce90e22 in gfxFontCache::NotifyReleased(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:264:5
    #8 0x7f639cfd3eb7 in NotifyReleased /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.h:1440:14
    #9 0x7f639cfd3eb7 in Release /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.h:1415:7
    #10 0x7f639cfd3eb7 in gfxFontGroup::FamilyFace::~FamilyFace() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.h:1230:9
    #11 0x7f639cfff5e7 in Destruct /builds/worker/workspace/obj-build/dist/include/nsTArray.h:645:45
    #12 0x7f639cfff5e7 in nsTArray_Impl<gfxFontGroup::FamilyFace, nsTArrayInfallibleAllocator>::DestructRange(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2404:7
    #13 0x7f639cfd27df in ClearAndRetainStorage /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1482:5
    #14 0x7f639cfd27df in nsTArray_Impl<gfxFontGroup::FamilyFace, nsTArrayInfallibleAllocator>::~nsTArray_Impl() /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1037:7
    #15 0x7f639cfd26e6 in gfxFontGroup::~gfxFontGroup() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:1859:1
    #16 0x7f639cfd286d in gfxFontGroup::~gfxFontGroup() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:1856:31
    #17 0x7f639c785303 in Release /builds/worker/workspace/obj-build/dist/include/gfxFont.h:588:3
    #18 0x7f639c785303 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #19 0x7f639c785303 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #20 0x7f639c785303 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #21 0x7f639c785303 in nsFontMetrics::~nsFontMetrics() /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.cpp:145:1
    #22 0x7f639c7694c5 in Release /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.h:74:3
    #23 0x7f639c7694c5 in nsFontCache::Flush(int) /builds/worker/checkouts/gecko/gfx/src/nsDeviceContext.cpp:229:5
    #24 0x7f639c76a7d2 in nsDeviceContext::~nsDeviceContext() /builds/worker/checkouts/gecko/gfx/src/nsDeviceContext.cpp:254:17
    #25 0x7f63a21fb7cc in Release /builds/worker/workspace/obj-build/dist/include/nsDeviceContext.h:43:3
    #26 0x7f63a21fb7cc in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #27 0x7f63a21fb7cc in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #28 0x7f63a21fb7cc in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #29 0x7f63a21fb7cc in nsPresContext::~nsPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:308:1
    #30 0x7f63a22128f7 in ~nsRootPresContext /builds/worker/checkouts/gecko/layout/base/nsPresContext.h:1366:7
    #31 0x7f63a22128f7 in nsRootPresContext::~nsRootPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.h:1366:7
    #32 0x7f6399ffe702 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2421:7
    #33 0x7f6399ffdb66 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2611:3
    #34 0x7f639a005719 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3592:3
    #35 0x7f639a004e0e in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3415:9
    #36 0x7f639a004925 in nsCycleCollector::ShutdownCollect() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3358:20
    #37 0x7f639a006976 in nsCycleCollector::Shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3653:5
    #38 0x7f639a008503 in nsCycleCollector_shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3968:18
    #39 0x7f639a227f3a in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:706:3
    #40 0x7f63a568c85c in XRE_TermEmbedding() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:212:3
    #41 0x7f639b406304 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #42 0x7f63a568d3b3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:16
    #43 0x557a2acdbc8d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #44 0x557a2acdc0b1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #45 0x7f63ba8f9b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #46 0x557a2ac2f629 in _start (/tmp/m-c-20210330035059-fuzzing-asan-opt/firefox+0x5a629)

0x61400055a288 is located 72 bytes inside of 400-byte region [0x61400055a240,0x61400055a3d0)
freed by thread T0 (file:// Content) here:
    #0 0x557a2aca923d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f639ce90fcd in gfxFontCache::DestroyFont(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:288:3
    #2 0x7f639ce90e22 in gfxFontCache::NotifyReleased(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:264:5
    #3 0x7f639cfd3eb7 in NotifyReleased /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.h:1440:14
    #4 0x7f639cfd3eb7 in Release /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.h:1415:7
    #5 0x7f639cfd3eb7 in gfxFontGroup::FamilyFace::~FamilyFace() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.h:1230:9
    #6 0x7f639cfff5e7 in Destruct /builds/worker/workspace/obj-build/dist/include/nsTArray.h:645:45
    #7 0x7f639cfff5e7 in nsTArray_Impl<gfxFontGroup::FamilyFace, nsTArrayInfallibleAllocator>::DestructRange(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2404:7
    #8 0x7f639cfd27df in ClearAndRetainStorage /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1482:5
    #9 0x7f639cfd27df in nsTArray_Impl<gfxFontGroup::FamilyFace, nsTArrayInfallibleAllocator>::~nsTArray_Impl() /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1037:7
    #10 0x7f639cfd26e6 in gfxFontGroup::~gfxFontGroup() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:1859:1
    #11 0x7f639cfd286d in gfxFontGroup::~gfxFontGroup() /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:1856:31
    #12 0x7f639c785303 in Release /builds/worker/workspace/obj-build/dist/include/gfxFont.h:588:3
    #13 0x7f639c785303 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #14 0x7f639c785303 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #15 0x7f639c785303 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #16 0x7f639c785303 in nsFontMetrics::~nsFontMetrics() /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.cpp:145:1
    #17 0x7f639c7694c5 in Release /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.h:74:3
    #18 0x7f639c7694c5 in nsFontCache::Flush(int) /builds/worker/checkouts/gecko/gfx/src/nsDeviceContext.cpp:229:5
    #19 0x7f639c76a7d2 in nsDeviceContext::~nsDeviceContext() /builds/worker/checkouts/gecko/gfx/src/nsDeviceContext.cpp:254:17
    #20 0x7f63a21fb7cc in Release /builds/worker/workspace/obj-build/dist/include/nsDeviceContext.h:43:3
    #21 0x7f63a21fb7cc in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #22 0x7f63a21fb7cc in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #23 0x7f63a21fb7cc in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #24 0x7f63a21fb7cc in nsPresContext::~nsPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:308:1
    #25 0x7f63a22128f7 in ~nsRootPresContext /builds/worker/checkouts/gecko/layout/base/nsPresContext.h:1366:7
    #26 0x7f63a22128f7 in nsRootPresContext::~nsRootPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.h:1366:7
    #27 0x7f6399ffe702 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2421:7
    #28 0x7f6399ffdb66 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2611:3
    #29 0x7f639a005719 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3592:3
    #30 0x7f639a004e0e in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3415:9
    #31 0x7f639a004925 in nsCycleCollector::ShutdownCollect() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3358:20
    #32 0x7f639a006976 in nsCycleCollector::Shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3653:5
    #33 0x7f639a008503 in nsCycleCollector_shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3968:18
    #34 0x7f639a227f3a in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:706:3
    #35 0x7f63a568c85c in XRE_TermEmbedding() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:212:3
    #36 0x7f639b406304 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #37 0x7f63a568d3b3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:16
    #38 0x557a2acdbc8d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #39 0x557a2acdc0b1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #40 0x7f63ba8f9b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

previously allocated by thread T0 (file:// Content) here:
    #0 0x557a2aca94bd in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x557a2ace2e4d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f639ce19443 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f639ce19443 in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFcPlatformFontList.cpp:873:22
    #4 0x7f639ce6a183 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:281:24
    #5 0x7f639cfd44ad in gfxFontGroup::GetFontAt(int, unsigned int, bool*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2058:16
    #6 0x7f639cfd5ca2 in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::StyleGenericFontFamily*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2280:12
    #7 0x7f639c78630a in GetMetrics(nsFontMetrics*, nsFontMetrics::FontOrientation) /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.cpp:155:46
    #8 0x7f639c785f2d in GetMetrics /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.cpp:160:10
    #9 0x7f639c785f2d in nsFontMetrics::MaxAscent() /builds/worker/checkouts/gecko/gfx/src/nsFontMetrics.cpp:234:10
    #10 0x7f63a21d26de in nsLayoutUtils::GetCenteredFontBaseline(nsFontMetrics*, int, bool) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:5674:64
    #11 0x7f63a24a8730 in nsLineLayout::VerticalAlignFrames(nsLineLayout::PerSpanData*) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:2284:31
    #12 0x7f63a24aa175 in nsLineLayout::VerticalAlignLine() /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:1506:3
    #13 0x7f63a229954b in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4867:15
    #14 0x7f63a2297f12 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4461:12
    #15 0x7f63a2290dae in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4219:9
    #16 0x7f63a228a6b9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3199:5
    #17 0x7f63a22824a0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2733:7
    #18 0x7f63a227ccff in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1375:3
    #19 0x7f63a26935d9 in mozilla::SVGTextFrame::DoReflow() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:5118:8
    #20 0x7f63a26835de in mozilla::SVGTextFrame::MaybeReflowAnonymousBlockChild() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:5059:5
    #21 0x7f63a265f6b8 in mozilla::SVGTextFrame::ReflowSVG() /builds/worker/checkouts/gecko/layout/svg/SVGTextFrame.cpp:3294:3
    #22 0x7f63a262a3cf in mozilla::SVGDisplayContainerFrame::ReflowSVG() /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:320:17
    #23 0x7f63a26964ed in mozilla::SVGUseFrame::ReflowSVG() /builds/worker/checkouts/gecko/layout/svg/SVGUseFrame.cpp:114:14
    #24 0x7f63a262a3cf in mozilla::SVGDisplayContainerFrame::ReflowSVG() /builds/worker/checkouts/gecko/layout/svg/SVGContainerFrame.cpp:320:17
    #25 0x7f63a266ad5e in mozilla::SVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/svg/SVGOuterSVGFrame.cpp:453:14
    #26 0x7f63a20b4389 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9630:11
    #27 0x7f63a20c6037 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9801:24
    #28 0x7f63a20c4769 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4277:11
    #29 0x7f63a20549e7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1409:5
    #30 0x7f63a20549e7 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2221:20
    #31 0x7f63a2060c75 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:347:13
    #32 0x7f63a2060c75 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:325:7
    #33 0x7f63a20609dd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:341:5

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
  0x0c28800a3400: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c28800a3410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800a3420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800a3430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c28800a3440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c28800a3450: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800a3460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800a3470: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c28800a3480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c28800a3490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800a34a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1163767==ABORTING
Flags: sec-bounty?
Attached file asan.txt
Group: firefox-core-security → gfx-core-security
Component: Security → Graphics: Text
Product: Firefox → Core

After performing interactions with the page (e.g. zooming in and out), the tab also crashes on Firefox Nightly 89.0a1 (2021-03-30) (64-bit) and Firefox Release 87.0 (64-bit).

Are we modifying the hashtable while we're iterating over it? Taking a stab at sec-moderate because there doesn't appear to be any chance for a user-controlled allocation between the free and the reuse, if that assumption holds.

Regressed by: 1646224
Has Regression Range: --- → yes
Keywords: regression

A Pernosco session is available here: https://pernos.co/debug/atTqtEtIvRZJWtQOyzMIig/index.html

Type: task → defect
Flags: in-testsuite?
Keywords: testcase
Assignee: nobody → emilio

Bug 1646224 made font sizes floats, which caused the conversion to nscoord
not to happen. Style fonts should never have NaN, but in this case a
massive SVG transform matrix ends up causing a NaN font inflation
factor.

This in turn caused the scaled size to be NaN, and to get stuck on the
font variations array here:

https://searchfox.org/mozilla-central/rev/4fa18c26fa907f38d56b599571b9846af1506f3c/gfx/src/nsFont.cpp#283

That NaN in turn caused the font variations to have a NaN, and font
styles comparing unequal, which prevents the font from getting removed
from the cache, causing the issue.

This should prevent it, but I have a more in-depth patch incoming.

Just like we do for font sizes / size-adjust in gfxFontStyle.

Depends on D110518
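The two commit messages above describe the mechanism: a NaN scaled size leaks into the font variation values, a NaN never compares equal to itself, so the font's style never matches its own cache entry and the entry is not removed when the font is destroyed, which leaves a freed pointer in gfxFontCache. The fix in attachment 9213031 is titled "Use bitwise equality for font variation value comparisons". The following C++ program is an added example, not Gecko code: it reproduces that failure mode in a toy cache keyed by floats and shows the bitwise comparison finding and removing the NaN entry. The Variation, FontKey and FontCache types, the 'wght' tag and the NaN inputs are all constructed for the illustration.

```cpp
// Added example, not Gecko code: a toy font cache keyed by floats. With
// float ==, a NaN in the key can never match, so Remove() fails and the cache
// keeps a pointer to a key that is about to be freed. Comparing the float's
// bits instead lets the NaN entry be found and removed.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
// Hypothetical variation setting (OpenType tag + value), our own stand-in.
struct Variation {
  uint32_t tag;
  float value;
};

// Key for a scaled font instance; size may become NaN if an upstream
// computation (such as a font inflation factor) produced NaN.
struct FontKey {
  float size;
  std::vector<Variation> variations;
};

static uint32_t FloatBits(float f) { uint32_t u; std::memcpy(&u, &f, sizeof u); return u; }

// Bit-identical floats compare equal, NaN included. Trade-off: +0.0f and
// -0.0f now differ, which for a cache key only costs a miss, never a UAF.
static bool BitwiseEqual(float a, float b) { return FloatBits(a) == FloatBits(b); }
enum class EqualityMode { FloatCompare, Bitwise };

// Hash the bits so the hash agrees with both equality modes.
static size_t HashKey(const FontKey& k) {
  size_t h = FloatBits(k.size);
  for (const Variation& v : k.variations) {
    h = h * 31u + (v.tag ^ FloatBits(v.value));
  }
  return h;
}

static bool KeysEqual(const FontKey& a, const FontKey& b, EqualityMode mode) {
  auto eq = [mode](float x, float y) {
    return mode == EqualityMode::Bitwise ? BitwiseEqual(x, y) : x == y;
  };
  if (!eq(a.size, b.size) || a.variations.size() != b.variations.size()) {
    return false;
  }
  for (size_t i = 0; i < a.variations.size(); ++i) {
    if (a.variations[i].tag != b.variations[i].tag ||
        !eq(a.variations[i].value, b.variations[i].value)) {
      return false;
    }
  }
  return true;
}

// Minimal cache of raw pointers; the owner must Remove() a key before
// freeing it, as gfxFontCache::DestroyFont is expected to do.
class FontCache {
 public:
  explicit FontCache(EqualityMode mode) : mMode(mode) {}
  void Insert(const FontKey* k) { mEntries.push_back({HashKey(*k), k}); }
  // Returns false when no entry matches; the stale pointer then stays.
  bool Remove(const FontKey* k) {
    size_t h = HashKey(*k);
    for (auto it = mEntries.begin(); it != mEntries.end(); ++it) {
      if (it->hash == h && KeysEqual(*it->key, *k, mMode)) {
        mEntries.erase(it);
        return true;
      }
    }
    return false;
  }

 private:
  struct Entry { size_t hash; const FontKey* key; };
  EqualityMode mMode;
  std::vector<Entry> mEntries;
};

// One insert/remove cycle with a constructed NaN-carrying key. Returns true
// when the cache still holds the entry after the owner is done with the key.
static bool LeavesStaleEntry(EqualityMode mode) {
  FontCache cache(mode);
  FontKey key{std::nanf(""), {Variation{0x77676874u /* 'wght' */, std::nanf("")}}};
  cache.Insert(&key);
  bool removed = cache.Remove(&key);
  return !removed;  // key goes out of scope next; a kept entry now dangles
}

int main() {
  std::printf("float ==: stale entry left? %s\n",
              LeavesStaleEntry(EqualityMode::FloatCompare) ? "yes" : "no");
  std::printf("bitwise : stale entry left? %s\n",
              LeavesStaleEntry(EqualityMode::Bitwise) ? "yes" : "no");
}
```

Two points the toy makes explicit: the hash must be computed over the same representation the equality uses (hashing the bits here), otherwise a NaN key may not even reach the comparison; and a cache that owns nothing but must be told about destruction should treat a failed Remove() as a bug, not a no-op. An assertion or a counter on that miss would have surfaced this dangling entry long before ASan did.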

(In reply to Daniel Veditz [:dveditz] from comment #4)
> Are we modifying the hashtable while we're iterating over it? Taking a stab at sec-moderate because there doesn't appear to be any chance for a user-controlled allocation between the free and the reuse, if that assumption holds.

This is not the case. We're leaving a stale font entry in the cache (we then crash when trying to compare against it). Not sure if that changes the sec rating or not?

Flags: needinfo?(dveditz)

How stale? Is it all part of the same control flow (so the only chance for re-allocating the memory used by the old font is a race condition) or arbitrarily long ago that would give an attacker a chance to run some of their own script in between? The racy version we can leave sec-moderate, but the second one should be sec-high.

Flags: needinfo?(dveditz) → needinfo?(emilio)

I'm not the most familiar with the font cache, but I don't see anything that would guarantee that the freed pointer is cleaned up before returning to the event loop etc.

Flags: needinfo?(emilio)

Comment on attachment 9213031 [details]
Bug 1701942 - Use bitwise equality for font variation value comparisons. r=jfkthame

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably not super easily.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all except ESR
  • If not all supported branches, which bug introduced the flaw?: Bug 1646224
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should apply cleanly-ish, fix is simple.
  • How likely is this patch to cause regressions; how much testing does it need?: not much, handling floating point edge cases...
Attachment #9213031 - Flags: sec-approval?
Attachment #9213030 - Flags: sec-approval?
Attachment #9213030 - Flags: sec-approval?
Attachment #9213030 - Flags: sec-approval+
Attachment #9213030 - Flags: approval-mozilla-beta+
Attachment #9213031 - Flags: sec-approval?
Attachment #9213031 - Flags: sec-approval+
Attachment #9213031 - Flags: approval-mozilla-beta+
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
Regressions: 1702873
No longer regressions: 1702873

When I ran the PoC under GDB, I found that by adding random web source code (e.g. https://developer.mozilla.org/en-US/docs/Web/CSS/font-family) to the PoC, I was able to change aTable=0xe5e5e5e5 to another hex value (i.e. aTable=0x640065, aTable=0x41900000).

Original PoC:

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax   : 0xe5e5e5e5  →  0x00000000
$ebx   : 0xf0d2e8f0  →  0x0a3c09c4
$ecx   : 0x59ef4600
$edx   : 0x12      
$esp   : 0xffffb560  →  0xf7900010  →  0x00000000
$ebp   : 0xffffb578  →  0xffffb5b8  →  0xffffb5f8  →  0xffffb6a8  →  0xffffb718  →  0xffffbb88  →  0xffffbd58  →  0xffffbd98
$esi   : 0xffffb590  →  0xe5e5e5e5  →  0x00000000
$edi   : 0xf4877788  →  0x00000000
$eip   : 0xe9e5c12d  →  <PLDHashTable::Iterator::Iterator(PLDHashTable*)+29> mov edx, DWORD PTR [eax+0x4]
$eflags: [zero carry PARITY ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 IDENTIFICATION]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffb560│+0x0000: 0xf7900010  →  0x00000000    ← $esp
0xffffb564│+0x0004: 0xbe29a000  →  0x384adf93
0xffffb568│+0x0008: 0xf7900094  →  0xbe29a000  →  0x384adf93
0xffffb56c│+0x000c: 0xffffb590  →  0xe5e5e5e5  →  0x00000000
0xffffb570│+0x0010: 0xf4877788  →  0x00000000
0xffffb574│+0x0014: 0xf0d2e8f0  →  0x0a3c09c4
0xffffb578│+0x0018: 0xffffb5b8  →  0xffffb5f8  →  0xffffb6a8  →  0xffffb718  →  0xffffbb88  →  0xffffbd58  →  0xffffbd98    ← $ebp
0xffffb57c│+0x001c: 0xeb017f27  →  <gfxFont::AgeCachedWords()+55> jmp 0xeb017f40 <gfxFont::AgeCachedWords()+80>
─────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
   0xe9e5c124 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+20> pop    ebx
   0xe9e5c125 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+21> add    ebx, 0x6ed27cc
   0xe9e5c12b <PLDHashTable::Iterator::Iterator(PLDHashTable*)+27> mov    DWORD PTR [esi], eax
 → 0xe9e5c12d <PLDHashTable::Iterator::Iterator(PLDHashTable*)+29> mov    edx, DWORD PTR [eax+0x4]
   0xe9e5c130 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+32> test   edx, edx
   0xe9e5c132 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+34> je     0xe9e5c142 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+50>
   0xe9e5c134 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+36> xor    ecx, ecx
   0xe9e5c136 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+38> mov    edi, 0x4
   0xe9e5c13b <PLDHashTable::Iterator::Iterator(PLDHashTable*)+43> sub    cl, BYTE PTR [eax+0xa]
───────────────────────────────────────────────────────────────────────────────────── source:/home/sourc7/gi[...].h+325 ────
    320        free(mEntryStore);
    321        mEntryStore = nullptr;
    322      }
    323  
    324      char* Get() const { return mEntryStore; }
 →  325      bool IsAllocated() const { return !!mEntryStore; }
    326  
    327      Slot SlotForIndex(uint32_t aIndex, uint32_t aEntrySize,
    328                        uint32_t aCapacity) const {
    329        char* entries = Entries(aCapacity);
    330        auto entry =
─────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "firefox", stopped 0xe9e5c12d in PLDHashTable::Iterator::Iterator (), reason: SIGSEGV
[#1] Id 3, Name: "IPC I/O Parent", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#2] Id 4, Name: "Timer", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#3] Id 5, Name: "Netlink Monitor", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#4] Id 6, Name: "Socket Thread", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#5] Id 7, Name: "Permission", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#6] Id 9, Name: "BHMgr Monitor", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#7] Id 10, Name: "BHMgr Processor", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#8] Id 12, Name: "JS Watchdog", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#9] Id 13, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#10] Id 14, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#11] Id 15, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#12] Id 16, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#13] Id 17, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#14] Id 18, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#15] Id 19, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#16] Id 20, Name: "JS Helper", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#17] Id 22, Name: "Softwar~cThread", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#18] Id 23, Name: "Renderer", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#19] Id 24, Name: "WRWorker#0", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#20] Id 25, Name: "WRWorker#1", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#21] Id 26, Name: "WRWorker#2", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#22] Id 27, Name: "WRWorker#3", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#23] Id 28, Name: "WRWorker#4", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#24] Id 29, Name: "WRWorker#5", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#25] Id 30, Name: "WRWorker#6", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#26] Id 31, Name: "WRWorker#7", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#27] Id 32, Name: "WRWorkerLP#0", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#28] Id 33, Name: "WRWorkerLP#1", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#29] Id 34, Name: "WRWorkerLP#2", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
[#30] Id 35, Name: "WRWorkerLP#3", stopped 0xf7fc9549 in __kernel_vsyscall (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xe9e5c12d → PLDHashTable::Iterator::Iterator(this=0xffffb590, aTable=0xe5e5e5e5)
[#1] 0xeb017f27 → nsTHashtable<gfxFont::CacheHashEntry>::Iterator::Iterator(this=0xffffb590, aTable=0xe5e5e5e5)
[#2] 0xeb017f27 → nsTHashtable<gfxFont::CacheHashEntry>::Iter(this=0xe5e5e5e5)
[#3] 0xeb017f27 → gfxFont::AgeCachedWords(this=0xcc0349c0)
[#4] 0xeb017a15 → gfxFontCache::WordCacheExpirationTimerCallback(aTimer=<optimized out>, aCache=0xf78cb290)
[#5] 0xe9ed51ad → nsTimerImpl::Fire(this=0xf4877760, aGeneration=0x1)
[#6] 0xe9ed4dd9 → nsTimerEvent::Run(this=0xd53da1a0)
[#7] 0xe9ecf434 → mozilla::RunnableTask::Run(this=0xc7e0b650)
[#8] 0xe9ecbf4e → mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(this=0xf7812e30, aProofOfLock=@0xffffbdc0)
[#9] 0xe9ecaef0 → mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(this=0xf7812e30, aProofOfLock=@0xffffbdc0)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  p $_siginfo._sifields._sigfault.si_addr
$1 = (void *) 0xe5e5e5e9
gef➤  q

Modified PoC:

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax   : 0x41900000
$ebx   : 0xf0d2e8f0  →  0x0a3c09c4
$ecx   : 0x895dba00
$edx   : 0x400     
$esp   : 0xffffb560  →  0x00020000
$ebp   : 0xffffb578  →  0xffffb5b8  →  0xffffb5f8  →  0xffffb6a8  →  0xffffb718  →  0xffffbb88  →  0xffffbd58  →  0xffffbd98
$esi   : 0xffffb590  →  0x41900000
$edi   : 0xf4853ae8  →  0x00000000
$eip   : 0xe9e5c12d  →  <PLDHashTable::Iterator::Iterator(PLDHashTable*)+29> mov edx, DWORD PTR [eax+0x4]
$eflags: [zero carry PARITY ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 IDENTIFICATION]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffb560│+0x0000: 0x00020000   ← $esp
0xffffb564│+0x0004: 0xf0d2e8f0  →  0x0a3c09c4
0xffffb568│+0x0008: 0xf7ffcfe0  →  0x00031f18
0xffffb56c│+0x000c: 0xffffb590  →  0x41900000
0xffffb570│+0x0010: 0xf4853ae8  →  0x00000000
0xffffb574│+0x0014: 0xf0d2e8f0  →  0x0a3c09c4
0xffffb578│+0x0018: 0xffffb5b8  →  0xffffb5f8  →  0xffffb6a8  →  0xffffb718  →  0xffffbb88  →  0xffffbd58  →  0xffffbd98    ← $ebp
0xffffb57c│+0x001c: 0xeb017f27  →  <gfxFont::AgeCachedWords()+55> jmp 0xeb017f40 <gfxFont::AgeCachedWords()+80>
─────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
   0xe9e5c124 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+20> pop    ebx
   0xe9e5c125 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+21> add    ebx, 0x6ed27cc
   0xe9e5c12b <PLDHashTable::Iterator::Iterator(PLDHashTable*)+27> mov    DWORD PTR [esi], eax
 → 0xe9e5c12d <PLDHashTable::Iterator::Iterator(PLDHashTable*)+29> mov    edx, DWORD PTR [eax+0x4]
   0xe9e5c130 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+32> test   edx, edx
   0xe9e5c132 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+34> je     0xe9e5c142 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+50>
   0xe9e5c134 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+36> xor    ecx, ecx
   0xe9e5c136 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+38> mov    edi, 0x4
   0xe9e5c13b <PLDHashTable::Iterator::Iterator(PLDHashTable*)+43> sub    cl, BYTE PTR [eax+0xa]
───────────────────────────────────────────────────────────────────────────────────── source:/home/sourc7/gi[...].h+325 ────
    320        free(mEntryStore);
    321        mEntryStore = nullptr;
    322      }
    323  
    324      char* Get() const { return mEntryStore; }
 →  325      bool IsAllocated() const { return !!mEntryStore; }
    326  
    327      Slot SlotForIndex(uint32_t aIndex, uint32_t aEntrySize,
    328                        uint32_t aCapacity) const {
    329        char* entries = Entries(aCapacity);
    330        auto entry =
─────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "firefox", stopped 0xe9e5c12d in PLDHashTable::Iterator::Iterator (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xe9e5c12d → PLDHashTable::Iterator::Iterator(this=0xffffb590, aTable=0x41900000)
[#1] 0xeb017f27 → nsTHashtable<gfxFont::CacheHashEntry>::Iterator::Iterator(this=0xffffb590, aTable=0x41900000)
[#2] 0xeb017f27 → nsTHashtable<gfxFont::CacheHashEntry>::Iter(this=0x41900000)
[#3] 0xeb017f27 → gfxFont::AgeCachedWords(this=0xc8e9dfc0)
[#4] 0xeb017a15 → gfxFontCache::WordCacheExpirationTimerCallback(aTimer=<optimized out>, aCache=0xf78cb740)
[#5] 0xe9ed51ad → nsTimerImpl::Fire(this=0xf4853ac0, aGeneration=0x1)
[#6] 0xe9ed4dd9 → nsTimerEvent::Run(this=0xdcf8b290)
[#7] 0xe9ecf434 → mozilla::RunnableTask::Run(this=0x9ce82470)
[#8] 0xe9ecbf4e → mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(this=0xf7813420, aProofOfLock=@0xffffbdc0)
[#9] 0xe9ecaef0 → mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(this=0xf7813420, aProofOfLock=@0xffffbdc0)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  p $_siginfo._sifields._sigfault.si_addr
$1 = (void *) 0x41900004
gef➤  

Here is my crash report, reproduced on Firefox 87.0 32-bit (Windows 10), showing EXCEPTION_ACCESS_VIOLATION_READ at address 0x212885bc: https://crash-stats.mozilla.org/report/index/147c0de8-0314-4fb2-b40d-268cc0210405.

After a few tries on Firefox 64-bit (Arch Linux) with the launch command --debugger="gdb" --disable-e10s, I was also able to see the aTable address change from 0xe5e5e5e5e5e5e5e5 to other addresses (e.g. 0x4747415347435743, 0xcae9a0001cc9a239, and more):

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0xe33ff84806ab1500
$rbx   : 0x00007fffffffc2b8  →  0xcae9a0001cc9a239
$rcx   : 0x00007fffaf7d8400  →  0x00007fffa9dd4bb0  →  0x00007ffff4abc9a0  →  0x00007fffef29c000  →  <gfxFontconfigFont::~gfxFontconfigFont()+0> push rbp
$rdx   : 0x100             
$rsp   : 0x00007fffffffc290  →  0x00007fffffffc328  →  0x00007fffc75990d8  →  0x00007ffff4abe788  →  0x00007fffef2f0860  →  <nsTHashtable<gfxFontCache::HashEntry>::s_HashKey(void+0> push rbp
$rbp   : 0x00007fffffffc2a0  →  0x00007fffffffc2f0  →  0x00007fffffffc360  →  0x00007fffffffc3f0  →  0x00007fffffffc420  →  0x00007fffffffc8a0  →  0x00007fffffffca70  →  0x00007fffffffcab0
$rsi   : 0xcae9a0001cc9a239
$rdi   : 0x00007fffffffc2b8  →  0xcae9a0001cc9a239
$rip   : 0x00007fffee255dcd  →  <PLDHashTable::Iterator::Iterator(PLDHashTable*)+13> mov rax, QWORD PTR [rsi+0x8]
$r8    : 0x00007fffaf7d80dc  →  0x3880c54116c79f93
$r9    : 0x00007fffffffc4c0  →  0x0000000000000000
$r10   : 0x00007ffff7fc6080  →  0x00007ffff7fc6080
$r11   : 0x00007ffff7fc6090  →  0x00007ffff7fc6090
$r12   : 0x16c39c728a4e    
$r13   : 0x00007fffe9fa50d0  →  0x0000000000000002
$r14   : 0x00007fffe9fa5108  →  0x0000000000000000
$r15   : 0x7fffffffffffffff
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffc290│+0x0000: 0x00007fffffffc328  →  0x00007fffc75990d8  →  0x00007ffff4abe788  →  0x00007fffef2f0860  →  <nsTHashtable<gfxFontCache::HashEntry>::s_HashKey(void+0> push rbp   ← $rsp
0x00007fffffffc298│+0x0008: 0x00007fffe9fa5108  →  0x0000000000000000
0x00007fffffffc2a0│+0x0010: 0x00007fffffffc2f0  →  0x00007fffffffc360  →  0x00007fffffffc3f0  →  0x00007fffffffc420  →  0x00007fffffffc8a0  →  0x00007fffffffca70  →  0x00007fffffffcab0     ← $rbp
0x00007fffffffc2a8│+0x0018: 0x00007fffef2c4ed8  →  <gfxFont::AgeCachedWords()+40> mov eax, DWORD PTR [rbp-0x20]
0x00007fffffffc2b0│+0x0020: 0x00007fffffffc310  →  0x00007fffaf7d8000  →  0x00000000004d1686
0x00007fffffffc2b8│+0x0028: 0xcae9a0001cc9a239   ← $rbx, $rdi
0x00007fffffffc2c0│+0x0030: 0x00007fffa43daaf0  →  0x00007fffaf775420  →  0x00007ffff4abe3e8  →  0x00007fffef2df020  →  <gfxShapedWord::~gfxShapedWord()+0> push rbp
0x00007fffffffc2c8│+0x0038: 0x00007fffa43da8f8  →  0x00000000f8d3e914
─────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7fffee255dc6 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+6> push   rbx
   0x7fffee255dc7 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+7> mov    rbx, rdi
   0x7fffee255dca <PLDHashTable::Iterator::Iterator(PLDHashTable*)+10> mov    QWORD PTR [rdi], rsi
 → 0x7fffee255dcd <PLDHashTable::Iterator::Iterator(PLDHashTable*)+13> mov    rax, QWORD PTR [rsi+0x8]
   0x7fffee255dd1 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+17> test   rax, rax
   0x7fffee255dd4 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+20> je     0x7fffee255de8 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+40>
   0x7fffee255dd6 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+22> xor    ecx, ecx
   0x7fffee255dd8 <PLDHashTable::Iterator::Iterator(PLDHashTable*)+24> sub    cl, BYTE PTR [rsi+0x12]
   0x7fffee255ddb <PLDHashTable::Iterator::Iterator(PLDHashTable*)+27> mov    edx, 0x1
───────────────────────────────────────────────────────────────────────────────────── source:/home/sourc7/gi[...].h+325 ────
    320        free(mEntryStore);
    321        mEntryStore = nullptr;
    322      }
    323  
    324      char* Get() const { return mEntryStore; }
 →  325      bool IsAllocated() const { return !!mEntryStore; }
    326  
    327      Slot SlotForIndex(uint32_t aIndex, uint32_t aEntrySize,
    328                        uint32_t aCapacity) const {
    329        char* entries = Entries(aCapacity);
    330        auto entry =
─────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "firefox", stopped 0x7fffee255dcd in PLDHashTable::Iterator::Iterator (), reason: SIGSEGV
[#75] Id 82, Name: "firefox", stopped 0x7ffff7fb65ad in recvmsg (), reason: SIGSEGV
[#76] Id 83, Name: "IPC Launch", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#77] Id 84, Name: "TRR Background", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#78] Id 85, Name: "Cache2 I/O", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#79] Id 86, Name: "Cookie", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#80] Id 87, Name: "StreamTrans #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#81] Id 89, Name: "StreamTrans #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#82] Id 90, Name: "StreamTrans #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#83] Id 91, Name: "Worker Launcher", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#84] Id 92, Name: "threaded-ml", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#85] Id 93, Name: "ImageBridgeChld", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#86] Id 94, Name: "firefox:gdrv0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#87] Id 95, Name: "WRScene~ilder#1", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#88] Id 96, Name: "WRScene~derLP#1", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#89] Id 97, Name: "WRRende~ckend#1", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#90] Id 98, Name: "FS Broker 25823", stopped 0x7ffff7fb65ad in recvmsg (), reason: SIGSEGV
[#91] Id 99, Name: "QuotaManager IO", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#92] Id 100, Name: "IndexedDB #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#93] Id 101, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#94] Id 102, Name: "StreamTrans #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#95] Id 103, Name: "StyleThread#0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#96] Id 104, Name: "StyleThread#1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#97] Id 105, Name: "StyleThread#2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#98] Id 106, Name: "StyleThread#3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#99] Id 107, Name: "StyleThread#4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#100] Id 108, Name: "StyleThread#5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#101] Id 109, Name: "TaskCon~read #0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#102] Id 110, Name: "TaskCon~read #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#103] Id 111, Name: "TaskCon~read #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#104] Id 112, Name: "TaskCon~read #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#105] Id 113, Name: "TaskCon~read #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#106] Id 114, Name: "TaskCon~read #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#107] Id 115, Name: "TaskCon~read #6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#108] Id 116, Name: "TaskCon~read #7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#109] Id 117, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#110] Id 119, Name: "dconf worker", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#111] Id 120, Name: "DNS Resolver #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#112] Id 121, Name: "gdbus", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#113] Id 122, Name: "Cache I/O", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#114] Id 123, Name: "mozStorage #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#115] Id 124, Name: "mozStorage #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#116] Id 125, Name: "URL Classifier", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#117] Id 126, Name: "BgIOThr~Pool #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#118] Id 127, Name: "mozStorage #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#119] Id 128, Name: "DNS Resolver #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#120] Id 129, Name: "DNS Resolver #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#121] Id 130, Name: "DNS Resolver #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#122] Id 131, Name: "mozStorage #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#123] Id 134, Name: "HTML5 Parser", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#124] Id 135, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#125] Id 136, Name: "firefox:gdrv0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#126] Id 137, Name: "WRScene~ilder#2", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#127] Id 138, Name: "WRScene~derLP#2", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#128] Id 139, Name: "WRRende~ckend#2", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#129] Id 144, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#130] Id 146, Name: "glean.dispatche", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#131] Id 150, Name: "RemoteLzyStream", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#132] Id 151, Name: "LS Thread", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#133] Id 153, Name: "IndexedDB #8", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#134] Id 154, Name: "SSL Cert #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#135] Id 157, Name: "mozStorage #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#136] Id 158, Name: "Backgro~Pool #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#137] Id 159, Name: "DOMCacheThread", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#138] Id 161, Name: "mozStorage #6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#139] Id 162, Name: "mozStorage #7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#140] Id 163, Name: "MediaDe~hine #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#141] Id 164, Name: "MediaSu~isor #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#142] Id 165, Name: "MediaSu~isor #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#143] Id 166, Name: "MediaTimer #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#144] Id 167, Name: "MediaPD~oder #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#145] Id 168, Name: "MediaPD~oder #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#146] Id 169, Name: "MediaSu~isor #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#147] Id 170, Name: "MediaPD~oder #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#148] Id 173, Name: "MediaPD~oder #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#149] Id 176, Name: "MediaSu~isor #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#150] Id 179, Name: "AudioIPC Callba", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#151] Id 180, Name: "AudioIPC Server", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#152] Id 181, Name: "AudioIP~ent RPC", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#153] Id 182, Name: "threaded-ml", stopped 0x7ffff7b8737f in poll (), reason: SIGSEGV
[#154] Id 183, Name: "AudioIPC0", stopped 0x7ffff7b8ca9d in syscall (), reason: SIGSEGV
[#155] Id 184, Name: "IndexedDB #9", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
[#156] Id 185, Name: "mozStorage #8", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7fffee255dcd → PLDHashTable::Iterator::Iterator(this=0x7fffffffc2b8, aTable=0xcae9a0001cc9a239)
[#1] 0x7fffef2c4ed8 → nsTHashtable<gfxFont::CacheHashEntry>::ConstIterator::ConstIterator(this=0x7fffffffc2b8, aTable=0xcae9a0001cc9a239)
[#2] 0x7fffef2c4ed8 → nsTHashtable<gfxFont::CacheHashEntry>::Iterator::ConstIterator(this=0x7fffffffc2b8)
[#3] 0x7fffef2c4ed8 → nsTHashtable<gfxFont::CacheHashEntry>::Iter(this=0xcae9a0001cc9a239)
[#4] 0x7fffef2c4ed8 → gfxFont::AgeCachedWords(this=<optimized out>)
[#5] 0x7fffef2c49dc → gfxFontCache::WordCacheExpirationTimerCallback(aTimer=<optimized out>, aCache=<optimized out>)
[#6] 0x7fffee2c6bd6 → nsTimerImpl::Fire(this=0x7fffe9fa50d0, aGeneration=0x1)
[#7] 0x7fffee2c68d5 → nsTimerEvent::Run(this=0x7fffb0cf4608)
[#8] 0x7fffee2c1574 → mozilla::RunnableTask::Run(this=0x7fff92675680)
[#9] 0x7fffee2bea1a → mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(this=<optimized out>, aProofOfLock=<optimized out>)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Here is my crash report, reproduced on Firefox 87.0 64-bit (Windows 10), showing an AV at address 0x900000008: https://crash-stats.mozilla.org/report/index/24952e1e-d0b5-4822-bdc0-86b1a0210406#tab-details.

Irvan, it is expected this would still reproduce in Fx87 because the fix will be going out with the Fx88 release. You should be able to verify on current Beta or Nightly builds that the crash no longer occurs there. Thanks again for the report!

(In reply to Ryan VanderMeulen [:RyanVM] from comment #19)

Irvan, it is expected this would still reproduce in Fx87 because the fix will be going out with the Fx88 release. You should be able to verify on current Beta or Nightly builds that the crash no longer occurs there. Thanks again for the report!

I'm sorry Ryan, I forgot to mention: as additional information for the UAF, an allocation is able to happen between the free and the reuse, so the 0xe5e5e5 (freed) pattern is able to be filled with another address (e.g. 0x640065, 0x41900000, 0x212885bc).

Yes, I verified that the fix works on Firefox 89.0a1 (2021/04/06) (64-bit). Sorry for the confusion :)

Status: RESOLVED → VERIFIED

Irvan: can you attach any of the testcases where you reproduced this with a non-UAF crashing address? It would be interesting to see what kinds of conditions did that.

Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(susah.yak)
Keywords: sec-moderate → sec-high

(In reply to Daniel Veditz [:dveditz] from comment #21)

Irvan: can you attach any of the testcases where you reproduced this with a non-UAF crashing address? It would be interesting to see what kinds of conditions did that.

Thanks Dan for bumping this to sec-high (based on the comments above) (sorry for the late information).

I observe that in order to crash at a non-UAF crashing address it also needs a few interactions with the page (e.g. reloading, zoom-in, zoom-out). I think I can still automate the interaction with JavaScript, so it easily and reliably crashes at a non-UAF address (just by visiting the page). I'll attach it after I improve the modified testcase.

(In reply to Daniel Veditz [:dveditz] from comment #21)

Irvan: can you attach any of the testcases where you reproduced this with a non-UAF crashing address? It would be interesting to see what kinds of conditions did that.

Here I attach the modified testcase that often crashes at a non-UAF crashing address. After visiting the page, the page will reload itself every ~2 seconds until the tab crashes.

On 32-bit it more often crashes at a non-UAF address; on 64-bit it occasionally crashes at the UAF crashing address or at unmapped addresses (so crash stats show 0xFFFFFFFF), with a fair chance to crash at a non-UAF address.

Flags: needinfo?(susah.yak)
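The comments above triage crashes by the shape of the faulting address: a 0xe5e5e5...-derived address means the stale pointer still saw jemalloc's free-fill, while an address with no poison bytes (or the garbage `aTable` value in the trace) means the freed block was reallocated before the dangling pointer was used. The following is an added triage helper, not code from the bug or from Firefox; the 0xe5 fill byte is Mozilla jemalloc's poison value, and the near-null threshold is an assumption.

```python
import re

POISON_BYTE = 0xE5  # Firefox's jemalloc fills freed memory with 0xe5
# Matches 'name=0x...' arguments in a debugger frame line (assumed gdb/GEF style).
_ARG = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")


def classify_fault_address(addr, width_bytes=8, near_null=0x10000):
    """Classify a faulting address as 'unmapped-top', 'null-page', 'poison-fill',
    'non-canonical' (64-bit only) or 'plain'.

    'plain' is a well-formed address with no recognisable pattern: either a live
    pointer or, for a dangling one, a freed block that has already been reused."""
    mask = (1 << (8 * width_bytes)) - 1
    addr &= mask
    if addr == mask:
        return "unmapped-top"          # e.g. 0xFFFFFFFF in a 32-bit crash report
    if addr < near_null:               # near_null is an assumed threshold
        return "null-page"
    poison_bytes = sum(1 for b in addr.to_bytes(width_bytes, "little")
                       if b == POISON_BYTE)
    # poison + a field offset only disturbs the low byte(s); a majority of 0xe5
    # bytes means the stale pointer still pointed at freed, not-yet-reused memory.
    if poison_bytes * 2 >= width_bytes:
        return "poison-fill"
    if width_bytes == 8:
        top = addr >> 47               # bits 47..63 must all equal bit 47 on x86-64
        if top not in (0, (1 << 17) - 1):
            return "non-canonical"
    return "plain"


def classify_trace_args(frame_line, width_bytes=8):
    """Classify every 'name=0x...' argument in one debugger frame line, so a
    garbage 'this'/'aTable' stands out next to valid stack and heap pointers."""
    return [(name, ptr, classify_fault_address(int(ptr, 16), width_bytes))
            for name, ptr in _ARG.findall(frame_line)]


# Frame #0 of the trace quoted above in this bug, used as the sample input.
SAMPLE_FRAME = ("[#0] 0x7fffee255dcd → PLDHashTable::Iterator::Iterator("
                "this=0x7fffffffc2b8, aTable=0xcae9a0001cc9a239)")

if __name__ == "__main__":
    for name, ptr, kind in classify_trace_args(SAMPLE_FRAME):
        print(f"{name}={ptr}: {kind}")
    for a, w in ((0xE5E5E5ED, 4), (0xFFFFFFFF, 4), (0x900000008, 8), (0x640065, 4)):
        print(f"{a:#x} ({w * 8}-bit): {classify_fault_address(a, w)}")
```

Run against the trace line, the stack pointer in `this` is reported as plain while `aTable` is flagged non-canonical, which is the "freed block reused with non-pointer data" case the reporter describes.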

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(emilio)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]
Flags: needinfo?(emilio)
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main88+]
Alias: CVE-2021-23997

Can I land the test now?

Flags: needinfo?(tom)

We fixed this in 88. Should be fine to land.
AFAIU we usually wait until that release has gone live, and then at least 4 weeks.

Flags: needinfo?(tom)
Flags: in-testsuite? → in-testsuite+
Group: core-security-release