1798494 - AddressSanitizer: heap-use-after-free [@ gfxFontFaceSrc::LoadPrincipal] with READ of size 8

Reporter

Description

•

2 years ago

Found while fuzzing mozilla-central rev d0fd41bff926 (built with: --enable-address-sanitizer --enable-fuzzing).

I don't currently have a reproducible test case at the moment.

AddressSanitizer: heap-use-after-free [@ gfxFontFaceSrc::LoadPrincipal] with READ of size 8

    =================================================================
    ==964==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001dd1c8 at pc 0x7fcb107c31ec bp 0x7ffedc4cc740 sp 0x7ffedc4cc738
    READ of size 8 at 0x6120001dd1c8 thread T0 (Isolated Web Co)
        #0 0x7fcb107c31eb in gfxFontFaceSrc::LoadPrincipal(gfxUserFontSet const&) const /gecko/gfx/thebes/gfxUserFontSet.cpp:265:19
        #1 0x7fcb107c4093 in gfxUserFontEntry::DoLoadNextSrc(bool) /gecko/gfx/thebes/gfxUserFontSet.cpp:513:30
        #2 0x7fcb16d6efcf in operator() /gecko/layout/style/FontFaceImpl.cpp:349:53
        #3 0x7fcb16d6efcf in mozilla::detail::RunnableFunction<mozilla::dom::FontFaceImpl::DoLoad()::$_9>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #4 0x7fcb0dcdf1e2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
        #5 0x7fcb0dcd6147 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
        #6 0x7fcb0dcd33d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
        #7 0x7fcb0dcd3b00 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
        #8 0x7fcb0dce57c4 in operator() /gecko/xpcom/threads/TaskController.cpp:190:37
        #9 0x7fcb0dce57c4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #10 0x7fcb0dd08b68 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1204:16
        #11 0x7fcb0dd13614 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #12 0x7fcb15a0dcdd in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_9>(nsTSubstring<char> const&, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_9&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #13 0x7fcb15a0a5f1 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /gecko/dom/ipc/ContentChild.cpp:1270:5
        #14 0x7fcb15a707c5 in mozilla::dom::BrowserChild::ProvideWindow(nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /gecko/dom/ipc/BrowserChild.cpp:807:14
        #15 0x7fcb1b9d0ac7 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:924:24
        #16 0x7fcb1b9d55b8 in nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsISupports*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:388:10
        #17 0x7fcb10dde186 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsGlobalWindowOuter::PrintKind, mozilla::dom::BrowsingContext**) /gecko/dom/base/nsGlobalWindowOuter.cpp:7015:21
        #18 0x7fcb10de4817 in nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) /gecko/dom/base/nsGlobalWindowOuter.cpp:5642:10
        #19 0x7fcb10de4270 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowOuter.cpp:5606:17
        #20 0x7fcb10d74dbf in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowInner.cpp:4147:3
        #21 0x7fcb1281d031 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3111:59
        #22 0x7fcb13071ac0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3287:13
        #23 0x7fcb1bef41d3 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
        #24 0x7fcb1bef41d3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:547:12
        #25 0x7fcb1bee2b07 in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #26 0x7fcb1bee2b07 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:619:10
        #27 0x7fcb1bee2b07 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3375:16
        #28 0x7fcb1bec807e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
        #29 0x7fcb1bef42f5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
        #30 0x7fcb1bef5e7e in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #31 0x7fcb1bef5e7e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
        #32 0x7fcb1bffdea5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
        #33 0x7fcb12d87a67 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
        #34 0x7fcb1124d1d1 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #35 0x7fcb1124cdba in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /gecko/dom/base/TimeoutHandler.cpp:167:29
        #36 0x7fcb10d8a3fa in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /gecko/dom/base/nsGlobalWindowInner.cpp:6479:38
        #37 0x7fcb11261787 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /gecko/dom/base/TimeoutManager.cpp:903:44
        #38 0x7fcb112496d5 in mozilla::dom::TimeoutExecutor::MaybeExecute() /gecko/dom/base/TimeoutExecutor.cpp:179:11
        #39 0x7fcb1124a27c in Notify /gecko/dom/base/TimeoutExecutor.cpp:246:5
        #40 0x7fcb1124a27c in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /gecko/dom/base/TimeoutExecutor.cpp
        #41 0x7fcb0dcf3eae in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:658:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:662:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #42 0x7fcb0dcf3eae in nsTimerImpl::Fire(int) /gecko/xpcom/threads/nsTimerImpl.cpp:655:22
        #43 0x7fcb0dcf34dc in nsTimerEvent::Run() /gecko/xpcom/threads/TimerThread.cpp:365:11
        #44 0x7fcb0dd311f2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
        #45 0x7fcb0dd27a6f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
        #46 0x7fcb0dcdf1e2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
        #47 0x7fcb0dcd6147 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
        #48 0x7fcb0dcd33d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
        #49 0x7fcb0dcd3b00 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
        #50 0x7fcb0dce5791 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
        #51 0x7fcb0dce5791 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #52 0x7fcb0dd08b68 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1204:16
        #53 0x7fcb0dd13614 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #54 0x7fcb0f4e074f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
        #55 0x7fcb0f35cb51 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #56 0x7fcb0f35cb51 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #57 0x7fcb0f35cb51 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #58 0x7fcb16888eb7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
        #59 0x7fcb1bad4257 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
        #60 0x7fcb0f35cb51 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #61 0x7fcb0f35cb51 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #62 0x7fcb0f35cb51 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #63 0x7fcb1bad3223 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
        #64 0x5582c5f19465 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #65 0x5582c5f198b7 in main /gecko/browser/app/nsBrowserApp.cpp:357:18
        #66 0x7fcb312e1082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #67 0x5582c5e59768 in _start (/home/worker/builds/m-c-20221101093931-fuzzing-asan-opt/firefox+0xfa768) (BuildId: 1e48fd2ef8e0614d0a5d02861678d5d24775ee78)
    
    0x6120001dd1c8 is located 8 bytes inside of 280-byte region [0x6120001dd1c0,0x6120001dd2d8)
    freed by thread T64 (DOM Worker) here:
        #0 0x5582c5edb9d2 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7fcb16d5b206 in mozilla::dom::FontFaceSetImpl::Release() /gecko/layout/style/FontFaceSetImpl.cpp:67:1
        #2 0x7fcb16d50799 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
        #3 0x7fcb16d50799 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
        #4 0x7fcb16d50799 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
        #5 0x7fcb16d50799 in mozilla::dom::FontFaceImpl::~FontFaceImpl() /gecko/layout/style/FontFaceImpl.cpp:75:1
        #6 0x7fcb16d4d4d6 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FontFaceImpl.h:39:3
        #7 0x7fcb16d4d4d6 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
        #8 0x7fcb16d4d4d6 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
        #9 0x7fcb16d4d4d6 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
        #10 0x7fcb16d4d4d6 in mozilla::dom::FontFace::~FontFace() /gecko/layout/style/FontFace.cpp:83:1
        #11 0x7fcb16d6a060 in DeleteCycleCollectable /gecko/layout/style/FontFace.cpp:73:1
        #12 0x7fcb16d6a060 in mozilla::dom::FontFace::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FontFace.h:44:3
        #13 0x7fcb0db1c1e2 in SnowWhiteKiller::~SnowWhiteKiller() /gecko/xpcom/base/nsCycleCollector.cpp:2434:7
        #14 0x7fcb0db1b77e in nsCycleCollector::FreeSnowWhite(bool) /gecko/xpcom/base/nsCycleCollector.cpp:2624:3
        #15 0x7fcb0db23734 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3613:3
        #16 0x7fcb0db22d5c in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3440:9
        #17 0x7fcb0db226cb in nsCycleCollector::ShutdownCollect() /gecko/xpcom/base/nsCycleCollector.cpp:3379:20
        #18 0x7fcb0db24bb6 in nsCycleCollector::Shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3675:5
        #19 0x7fcb0db26b12 in nsCycleCollector_shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3999:18
        #20 0x7fcb15f59673 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2089:7
        #21 0x7fcb0dd0938e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
        #22 0x7fcb0dd13614 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #23 0x7fcb0f4e1df5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
        #24 0x7fcb0f35cb51 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #25 0x7fcb0f35cb51 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #26 0x7fcb0f35cb51 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #27 0x7fcb0dd004e8 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:383:10
        #28 0x7fcb30be53ee in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
        #29 0x7fcb31815608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    
    previously allocated by thread T64 (DOM Worker) here:
        #0 0x5582c5edbc7e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x5582c5f207e5 in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7fcb16d572c8 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7fcb16d572c8 in mozilla::dom::FontFaceSet::CreateForWorker(nsIGlobalObject*, mozilla::dom::WorkerPrivate*) /gecko/layout/style/FontFaceSet.cpp:130:40
        #4 0x7fcb15fa0149 in mozilla::dom::WorkerGlobalScope::Fonts() /gecko/dom/workers/WorkerScope.cpp:490:20
        #5 0x7fcb16d4de91 in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /gecko/layout/style/FontFace.cpp:109:30
        #6 0x7fcb12db3d1e in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2268:54
        #7 0x7fcb1bef6ba7 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
        #8 0x7fcb1bef6ba7 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:475:8
        #9 0x7fcb1bef6ba7 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:694:10
        #10 0x7fcb1bee2aac in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3360:16
        #11 0x7fcb1bec807e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
        #12 0x7fcb1bef42f5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
        #13 0x7fcb1bef5e7e in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #14 0x7fcb1bef5e7e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
        #15 0x7fcb1bffdea5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
        #16 0x7fcb12c62c1f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
        #17 0x7fcb13b4a3e3 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
        #18 0x7fcb13b48958 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
        #19 0x7fcb13b0e438 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1316:22
        #20 0x7fcb13b0f9a2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1506:17
        #21 0x7fcb13afda4e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
        #22 0x7fcb13afc2b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
        #23 0x7fcb13b00495 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1119:11
        #24 0x7fcb13b05ea1 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
        #25 0x7fcb13aaef6d in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/events/DOMEventTargetHelper.cpp:176:17
        #26 0x7fcb13b1cd43 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /gecko/dom/events/EventTarget.cpp:180:13
        #27 0x7fcb15f2eafc in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /gecko/dom/workers/MessageEventRunnable.cpp:104:12
        #28 0x7fcb15f9ab7e in mozilla::dom::WorkerRunnable::Run() /gecko/dom/workers/WorkerRunnable.cpp:377:12
        #29 0x7fcb0dd0938e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
        #30 0x7fcb0dd13614 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #31 0x7fcb15f82d4c in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /gecko/dom/workers/WorkerPrivate.cpp:3205:7
        #32 0x7fcb15f5959e in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2042:42
        #33 0x7fcb0dd0938e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
    
    Thread T64 (DOM Worker) created by T0 (Isolated Web Co) here:
        #0 0x5582c5ec51dc in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7fcb30bd549c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fcb30bc683e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fcb0dd03455 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:617:18
        #4 0x7fcb15fa94ba in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
        #5 0x7fcb15f33805 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1323:37
        #6 0x7fcb15f3288b in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1205:19
        #7 0x7fcb15f7d1b7 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2588:24
        #8 0x7fcb15f43805 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /gecko/dom/workers/Worker.cpp:43:41
        #9 0x7fcb128a85b4 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52
        #10 0x7fcb1bef6ba7 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
        #11 0x7fcb1bef6ba7 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:475:8
        #12 0x7fcb1bef6ba7 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:694:10
        #13 0x7fcb1bee2aac in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3360:16
        #14 0x7fcb1bec807e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
        #15 0x7fcb1bef42f5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
        #16 0x7fcb1bef5e7e in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #17 0x7fcb1bef5e7e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
        #18 0x7fcb1bffdea5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
        #19 0x7fcb12c67a09 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #20 0x7fcb13b0e8e4 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #21 0x7fcb13b0e3a0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1310:43
        #22 0x7fcb13b0f95b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1506:17
        #23 0x7fcb13afda4e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
        #24 0x7fcb13afc2b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
        #25 0x7fcb13b00495 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1119:11
        #26 0x7fcb16fc3aa4 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1079:7
        #27 0x7fcb1ab5a8ca in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6434:20
        #28 0x7fcb1ab59934 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5827:7
        #29 0x7fcb1ab5bf77 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
        #30 0x7fcb0fa46430 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1380:3
        #31 0x7fcb0fa44e34 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:978:14
        #32 0x7fcb0fa41782 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:797:9
        #33 0x7fcb0fa437f1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:680:5
        #34 0x7fcb1aba2d8d in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13841:23
        #35 0x7fcb0e099ace in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:628:22
        #36 0x7fcb0e09c4d4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:532:10
        #37 0x7fcb11008344 in mozilla::dom::Document::DoUnblockOnload() /gecko/dom/base/Document.cpp:11488:18
        #38 0x7fcb10fb5e80 in mozilla::dom::Document::UnblockOnload(bool) /gecko/dom/base/Document.cpp:11426:9
        #39 0x7fcb10fdebbd in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:7953:3
        #40 0x7fcb110d965d in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #41 0x7fcb110d965d in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #42 0x7fcb110d965d in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #43 0x7fcb0dccb5df in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:140:20
        #44 0x7fcb0dcdf1e2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
        #45 0x7fcb0dcd6147 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
        #46 0x7fcb0dcd33d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
        #47 0x7fcb0dcd3b00 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
        #48 0x7fcb0dce5791 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
        #49 0x7fcb0dce5791 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #50 0x7fcb0dd08b68 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1204:16
        #51 0x7fcb0dd13614 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #52 0x7fcb0f4e074f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
        #53 0x7fcb0f35cb51 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #54 0x7fcb0f35cb51 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #55 0x7fcb0f35cb51 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #56 0x7fcb16888eb7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
        #57 0x7fcb1bad4257 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
        #58 0x7fcb0f35cb51 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #59 0x7fcb0f35cb51 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #60 0x7fcb0f35cb51 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #61 0x7fcb1bad3223 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
        #62 0x5582c5f19465 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #63 0x5582c5f198b7 in main /gecko/browser/app/nsBrowserApp.cpp:357:18
        #64 0x7fcb312e1082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /gecko/gfx/thebes/gfxUserFontSet.cpp:265:19 in gfxFontFaceSrc::LoadPrincipal(gfxUserFontSet const&) const
    Shadow bytes around the buggy address:
      0x0c24800339e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c24800339f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
      0x0c2480033a00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c2480033a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2480033a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
    =>0x0c2480033a30: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
      0x0c2480033a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2480033a50: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c2480033a60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c2480033a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2480033a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==964==ABORTING

Jason Kratzer [:jkratzer]

Reporter

Updated

•

2 years ago

Group: core-security

Comment hidden (obsolete)

Andrew McCreight [:mccr8]

Updated

•

2 years ago

Keywords: testcase → csectype-uaf, sec-high, testcase-wanted

Tyson Smith [:tsmith]

Updated

•

2 years ago

Group: core-security → gfx-core-security

status-firefox108: --- → affected

Brad Werth [:bradwerth]

Updated

•

2 years ago

Severity: -- → S2

Priority: -- → P2

Bob Hood [:bhood]

Comment 2

•

2 years ago

Andrew, this seems to be in the FontFaceSet work you did with Jonathan. Could you have a look, please?

Flags: needinfo?(aosmond)

Jim Mathies [:jimm]

Updated

•

2 years ago

Assignee: nobody → aosmond

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 3

•

2 years ago

We need to control access to gfxUserFontEntry::mFontSet to be threadsafe for FontFaceImpl::Entry objects and properly clear it when FontFaceSetImpl is cleared.

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 4

•

2 years ago

I think this was an existing bug, although possibly not exploitable without workers. The lifetime of the gfxUserFontSet and the corresponding "owning" FontFaceSet before the refactoring lacked guarantees, although perhaps the single threadedness and ordering saved us by accident (or undocumented design).

Flags: needinfo?(aosmond)

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 5

•

2 years ago

Attached file Bug 1798494. — Details

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 6

•

2 years ago

Attached file Bug 1798494. (obsolete) — Details

Phabricator Automation

Updated

•

2 years ago

Attachment #9304640 - Attachment is obsolete: true

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 7

•

2 years ago

Comment on attachment 9304557 [details]
Bug 1798494.

Security Approval Request

How easily could an exploit be constructed based on the patch?: It should be obvious that we have a lifetime management issue with a raw pointer in gfxUserFontEntry, it is related to threading given I put a mutex around it, and that one may be able to craft something based on loading user fonts. I don't have an obvious STR myself as to how to cause this.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: All
If not all supported branches, which bug introduced the flaw?: None
Do you have backports for the affected branches?: No
If not, how different, hard to create, and risky will they be?: Should apply cleanly
How likely is this patch to cause regressions; how much testing does it need?: We are a lot more explicit in handling the lifetimes, so the main risk would be that we clear our reference sooner than necessary, and now a particular user font is unusable (instead of crashing). In the typical use case, I don't believe this is likely.
Is Android affected?: Yes

Attachment #9304557 - Flags: sec-approval?

Tom Ritter [:tjr] (OOTO until mid-August)

Comment 8

•

2 years ago

Comment on attachment 9304557 [details]
Bug 1798494.

Approved to land and request uplift

Attachment #9304557 - Flags: sec-approval? → sec-approval+

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 9

•

2 years ago

r=jfkthame
https://hg.mozilla.org/integration/autoland/rev/f15750a6990f4c66528609d4047ba725f99c21cf
https://hg.mozilla.org/mozilla-central/rev/f15750a6990f

Group: gfx-core-security → core-security-release

Status: NEW → RESOLVED

Closed: 2 years ago

status-firefox109: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 109 Branch

BugBot [:suhaib / :marco/ :calixte]

Comment 10

•

2 years ago

The patch landed in nightly and beta is affected.
:aosmond, is this bug important enough to require an uplift?

If yes, please nominate the patch for beta approval.
If no, please set status-firefox108 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(aosmond)

Andrew Osmond [:aosmond] (he/him)

Assignee

Updated

•

2 years ago

Crash Signature: [@ gfxUserFontEntry::DoLoadNextSrc ]

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 11

•

2 years ago

Comment on attachment 9304557 [details]
Bug 1798494.

Beta/Release Uplift Approval Request

User impact if declined: Sec issue will go unfixed, may crash
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): We've let this soak in nightly for the past week, without identifying any new crashes. Low risk because we just protect an additional field with an existing mutex. The worst case is we would get a null pointer sooner, but we now check for that and fail gracefully.
String changes made/needed:
Is Android affected?: Yes

Flags: needinfo?(aosmond)

Attachment #9304557 - Flags: approval-mozilla-beta?

Ryan VanderMeulen [:RyanVM]

Comment 12

•

2 years ago

If this affects all branches, we'll also need a rebased patch for ESR102 and an approval request when you get a chance.

status-firefox107: --- → wontfix

status-firefox-esr102: --- → ?

Flags: needinfo?(aosmond)

Dianna Smith [:diannaS] - on Leave, back on August 9th

Comment 13

•

2 years ago

Comment on attachment 9304557 [details]
Bug 1798494.

Approved for 108.0b8

Attachment #9304557 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Dianna Smith [:diannaS] - on Leave, back on August 9th

Comment 14

•

2 years ago

uplift

https://hg.mozilla.org/releases/mozilla-beta/rev/aad364962b82

status-firefox108: affected → fixed

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 15

•

2 years ago

I looked at what it would take to uplift this, and I don't think it is worth it. It should not be exploitable without workers and that is disabled in 102. I would need to either rewrite parts of it, or take it a lot more uplifts than we should (there has been a lot of churn in the font code).

Flags: needinfo?(aosmond)

Andrew McCreight [:mccr8]

Updated

•

2 years ago

status-firefox-esr102: ? → disabled

Brindusa Tot, Desktop QA

Updated

•

2 years ago

Flags: qe-verify-

Whiteboard: [bugmon:confirm] → [bugmon:confirm][post-critsmash-triage]

Tom Ritter [:tjr] (OOTO until mid-August)

Updated

•

2 years ago

Whiteboard: [bugmon:confirm][post-critsmash-triage] → [bugmon:confirm][post-critsmash-triage][adv-main108+r]

Daniel Veditz [:dveditz]

Updated

•

1 year ago

Group: core-security-release

Bug 1798494. 2 years ago Andrew Osmond [:aosmond] (he/him) 48 bytes, text/x-phabricator-request	diannaS : approval-mozilla-beta+ tjr : sec-approval+	Details \| Review
Bug 1798494. 2 years ago Andrew Osmond [:aosmond] (he/him) 48 bytes, text/x-phabricator-request		Details \| Review