Closed Bug 1978492 Opened 9 months ago Closed 9 months ago

AddressSanitizer: heap-use-after-free [@ get_relaxed] with READ of size 1

Categories

(Core :: Layout: Text and Fonts, defect)

Tracking

RESOLVED DUPLICATE of bug 1976782

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, pernosco-wanted, sec-high)

Attachments

(2 files)

Found with m-c 20250719-2d7acdf37ce4 (--enable-address-sanitizer)

This was found by visiting a live website with an ASan build. I've been unable to reproduce this issue reliably. The top harfbuzz frames look similar to bug 1976782 but the calls into it don't. Maybe a dupe?

==1691211==ERROR: AddressSanitizer: heap-use-after-free on address 0x504000be8d54 at pc 0x7fffdf278c1e bp 0x7fffb3dcf3e0 sp 0x7fffb3dcf3d8
READ of size 1 at 0x504000be8d54 thread T38
    #0 0x7fffdf278c1d in get_relaxed /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-atomic.hh:174:35
    #1 0x7fffdf278c1d in operator bool /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-atomic.hh:170:32
    #2 0x7fffdf278c1d in hb_object_is_immutable<hb_blob_t> /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-object.hh:267:11
    #3 0x7fffdf278c1d in hb_blob_get_data_writable /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-blob.cc:402:7
    #4 0x7fffdf278c1d in hb_blob_t* hb_sanitize_context_t::sanitize_blob<OT::BASE>(hb_blob_t*) /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-sanitize.hh:467:10
    #5 0x7fffdf277f18 in create /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:301:14
    #6 0x7fffdf277f18 in hb_blob_t* hb_data_wrapper_t<hb_face_t, 27u>::call_create<hb_blob_t, hb_table_lazy_loader_t<OT::BASE, 27u, true>>() const /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:158:42
    #7 0x7fffdf0666e6 in get_stored /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:221:26
    #8 0x7fffdf0666e6 in get /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:245:58
    #9 0x7fffdf0666e6 in operator-> /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:205:50
    #10 0x7fffdf0666e6 in hb_ot_layout_get_baseline /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-ot-layout.cc:2305:10
    #11 0x7fffdf42af83 in gfxFont::GetBaselines(nsFontMetrics::FontOrientation) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:4454:7
    #12 0x7fffe20c7026 in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5192:30
    ...

0x504000be8d54 is located 4 bytes inside of 48-byte region [0x504000be8d50,0x504000be8d80)
freed by thread T39 here:
    #0 0x5555556af486 in __interceptor_free _asan_rtl_:3
    #1 0x7fffdf047bed in destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:303:40
    #2 0x7fffdf047bed in do_destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:202:7
    #3 0x7fffdf047bed in fini /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:188:19
    #4 0x7fffdf047bed in hb_ot_face_t::fini() /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-ot-face-table-list.hh:122:1
    #5 0x7fffdf046c14 in hb_face_destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-face.cc:593:15
    #6 0x7fffdf054067 in hb_font_destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-font.cc:2097:3
    #7 0x7fffdf42b16f in gfxFont::GetBaselines(nsFontMetrics::FontOrientation) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:4472:3
    #8 0x7fffe20c7026 in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5192:30
    #9 0x7fffe20c7ff9 in mozilla::dom::CanvasRenderingContext2D::MeasureText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4619:10
    #10 0x7fffe0c05dd3 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::measureText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./OffscreenCanvasRenderingContext2DBinding.cpp:4128:78
    ...

previously allocated by thread T39 here:
    #0 0x5555556af839 in ___interceptor_calloc _asan_rtl_:3
    #1 0x7fffdf03c4db in hb_calloc /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-common.cc:1245:53
    #2 0x7fffdf03c4db in hb_object_create<hb_blob_t> /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-object.hh:240:24
    #3 0x7fffdf03c4db in hb_blob_create_or_fail /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-blob.cc:116:16
    #4 0x7fffdf03c41b in hb_blob_create /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-blob.cc:82:21
    #5 0x7fffdf431678 in gfxFontEntry::FontTableHashEntry::ShareTableAndGetBlob(nsTArray<unsigned char>&&, gfxFontEntry*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:474:11
    #6 0x7fffdf431c45 in gfxFontEntry::ShareFontTableAndGetBlob(unsigned int, nsTArray<unsigned char>*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:550:17
    #7 0x7fffdf432194 in gfxFontEntry::GetFontTable(unsigned int) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:571:10
    #8 0x7fffdf278049 in reference_table /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-face.hh:83:12
    #9 0x7fffdf278049 in hb_face_reference_table /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-face.cc:701:16
    #10 0x7fffdf278049 in hb_blob_t* hb_sanitize_context_t::reference_table<OT::BASE>(hb_face_t const*, unsigned int) /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-sanitize.hh:500:33
    #11 0x7fffdf277f18 in create /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:301:14
    #12 0x7fffdf277f18 in hb_blob_t* hb_data_wrapper_t<hb_face_t, 27u>::call_create<hb_blob_t, hb_table_lazy_loader_t<OT::BASE, 27u, true>>() const /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:158:42
    #13 0x7fffdf0666e6 in get_stored /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:221:26
    #14 0x7fffdf0666e6 in get /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:245:58
    ...

Thread T38 created by T0 (Web Content) here:
    #0 0x555555694f61 in ___interceptor_pthread_create _asan_rtl_:3
    #1 0x7ffff73dc419 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:429:10
    #2 0x7ffff73ca65e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:496:10
    #3 0x7fffdc988421 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:20
    #4 0x7fffe5acef03 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:97:7
    #5 0x7fffe5a3f3e7 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1408:37
    #6 0x7fffe5a3e0dd in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1291:19
    #7 0x7fffe5a98df4 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&, mozilla::ipc::Endpoint<mozilla::dom::PRemoteWorkerNonLifeCycleOpControllerChild>&&) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3134:24
    #8 0x7fffe5a57b67 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::TrustedScriptURLOrUSVString const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:80:41
    #9 0x7fffe174da06 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./WorkerBinding.cpp:1084:52
    #10 0x7fffe85d4705 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
    ...

Thread T39 created by T0 (Web Content) here:
    #0 0x555555694f61 in ___interceptor_pthread_create _asan_rtl_:3
    #1 0x7ffff73dc419 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:429:10
    #2 0x7ffff73ca65e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:496:10
    #3 0x7fffdc988421 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:20
    #4 0x7fffe5acef03 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:97:7
    #5 0x7fffe5a3f3e7 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1408:37
    #6 0x7fffe5a3e0dd in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1291:19
    #7 0x7fffe5a98df4 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&, mozilla::ipc::Endpoint<mozilla::dom::PRemoteWorkerNonLifeCycleOpControllerChild>&&) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3134:24
    #8 0x7fffe5a57b67 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::TrustedScriptURLOrUSVString const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:80:41
    #9 0x7fffe174da06 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./WorkerBinding.cpp:1084:52
    #10 0x7fffe85d4705 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:501:13
    ...
Attached file asan_log.txt

Jonathan, another text-based report I'd appreciate your insights on. :)

Flags: needinfo?(jfkthame)
Attached file asan_log_2.txt

Another similar looking report.

My hunch is that this may be the same root issue as bug 1976782, where I've posted a patch to fix a race condition managing the table cache in gfxFontEntry.

Flags: needinfo?(jfkthame)
Component: Graphics: Text → Layout: Text and Fonts
Group: gfx-core-security → layout-core-security

(In reply to Tyson Smith [:tsmith] from comment #0)

> This was found by visiting a live website with an ASan build. I've been unable to reproduce this issue reliably.

Maybe hard to confirm whether it was a dupe if it wasn't reliable.

Given comment 4, seems like we can dupe with reasonable confidence, and we can always open a new one (or reopen this) if it turns up again.

Status: NEW → RESOLVED
Closed: 9 months ago
Duplicate of bug: 1976782
Resolution: --- → DUPLICATE
Group: layout-core-security → core-security-release
Group: core-security-release