1093893 - pthread_kill is broken on ICS B2G because the sandbox rejects tkill

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

On ICS B2G(/Android) and older, pthread_kill() uses tkill(tid, sig) instead of tgkill(getpid(), tid, sig); the latter is allowed by the current sandbox policy, but not the former.  It's simple enough to “polyfill” this by having the SIGSYS handler check for __NR_tkill and do the corresponding tgkill instead.

In principle this affects all earlier B2G branches with seccomp sandboxing, but I don't think this needs to be uplifted unless it's blocking something upliftable.

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Attachment: bug1093893-ics-tkill-hg0.diff

Passes try on top of Luke's patches from bug 1091916: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=5a5d048ae730

Fails try without this patch: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=066f76915a23 (i.e., proves that applying those other patches on top of m-c and doing mochitests is sufficient to reproduce the bug)

Comment 2

[Luke Wagner [:luke]]

Thank you so much!

Comment 3

[Luke Wagner [:luke]]

(Unrelated to this bug) looking at your patch, you #ifdef on "ANDROID_VERSION < 16".  I had guess (hopefully wrongly) that we compiled a single binary for Android and thus we'd have to do a dynamic query on the Android version.  Is that not the case?  Do we compile for several major Android versions and upload the lot of them to the Play store?

Comment 4

[Luke Wagner [:luke]]

n/m question in comment 3; I was confusing Android version with NDK version.

Comment 5

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

(In reply to Luke Wagner [:luke] from comment #3)
> (Unrelated to this bug) looking at your patch, you #ifdef on
> "ANDROID_VERSION < 16".  I had guess (hopefully wrongly) that we compiled a
> single binary for Android and thus we'd have to do a dynamic query on the
> Android version.  Is that not the case?  Do we compile for several major
> Android versions and upload the lot of them to the Play store?

That might need an a comment.   As I understand it, ANDROID_VERSION is the SDK version and thus the lowest version of Android the compiled code will run on.

Maybe more importantly, this isn't used on Firefox for Android (yet); we don't have sandboxable child processes there (yet), and we don't have seccomp-bpf support there (yet; Chrome for Android might have plans for it).  B2G has seccomp-bpf support because we convinced hardware manufacturers to take kernel patches.

B2G, as I understand it, always has ANDROID_VERSION equal to (rather than ≤) the base version for the device.

Comment 6

[Guillaume Destuynder [:kang] [this account is no longer active]]

Comment on attachment 8517653 [details] [diff] [review]
bug1093893-ics-tkill-hg0.diff

Review of attachment 8517653 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/sandbox/linux/Sandbox.cpp
@@ +137,5 @@
>    args[3] = SECCOMP_PARM4(ctx);
>    args[4] = SECCOMP_PARM5(ctx);
>    args[5] = SECCOMP_PARM6(ctx);
>  
> +#if defined(ANDROID) && ANDROID_VERSION < 16

nit: would be good to have something that indicates which "human readable" version is android 16 (like "4.3") - eventually in this bug, not necessarily in the code

Comment 7

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Attachment: bug1093893-ics-tkill-hg1.diff

Updated with improved comment (API level 16 = Android JB 4.1; https://en.wikipedia.org/wiki/Android_version_history is a useful resource); carrying over r+.

Comment 8

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Try runs in comment #1 should be sufficient.

Comment 9

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/2881d59c61f2

Comment 10

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/2881d59c61f2