1025329 - PR_GetNumberOfProcessors opens /sys/devices/system/cpu/present in content processes

Status: NEW

(Core :: Security: Process Sandboxing, defect, P3)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

In nsprpub/pr/src/misc/prsystem.c:

    221     const char *cpu_present = "/sys/devices/system/cpu/present";
    224     fin = fopen(cpu_present, "r");

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Bionic also opens this file for sysconf(_SC_NPROCESSORS_CONF) and sysconf(_SC_NPROCESSORS_ONLN).

Comment 2

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Move process sandboxing bugs to the new Bugzilla component.

(Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)

Comment 3

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Sorry for the bugspam; filter on 086f2ac3-ac15-4299-889b-009181af5029.

Comment 4

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Sorry for the bugspam; filter on 086f2ac3-ac15-4299-889b-009181af5029.

Comment 5

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

From the code referenced in comment #0, this could also affect desktop Linux (once we can get to a default-deny read policy and start pruning what's left).

Comment 6

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Further notes: NSPR will fall back to sysconf(_SC_NPROCESSORS_CONF) if it gets an error from opening the sysfs file, but that just moves the problem down a layer.  glibc tries readdir() on /sys/devices/system/cpu, then falls back to parsing /proc/cpuinfo if that fails, then just returns 1 if that fails.  musl libc calls sched_getaffinity (and returns how many CPUs the process can actually use, rather than how many the hardware has); we currently allow that syscall for content processes, and it's not that dangerous.