Closed Bug 1124289 Opened 9 years ago Closed 6 years ago

xpcshell tests that use run_test_in_child violate the sandbox with getcwd

Categories

(Core :: Security: Process Sandboxing, defect)

ARM
Linux
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: keeler, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: sb+)

In adding an xpcshell test that uses run_test_in_child, I encountered the following on b2g (ICS emulator): 

13:38:01     INFO -  TEST-START | security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
13:38:09     INFO -  TEST-PASS | security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js | took 8304ms
13:38:11     INFO -  mozcrash Downloading symbols from: http://pvtbuilds.pvt.build.mozilla.org/pub/mozilla.org/b2g/try-builds/dkeeler@mozilla.com-9b8f5473650e/try-emulator/b2g-38.0a1.en-US.android-arm.crashreporter-symbols.zip
13:38:32  WARNING -  PROCESS-CRASH | security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js | application crashed [@ __getcwd + 0xc]
13:38:32     INFO -  Crash dump filename: /tmp/tmp8EirNp/0b075522-8cd9-2a5e-29f657aa-30248ce4.dmp
13:38:32     INFO -  Operating system: Android
13:38:32     INFO -                    0.0.0 Linux 2.6.29-g41a03df #22 Thu Jun 26 10:59:09 CST 2014 armv7l Android/full/generic:4.0.4.0.4.0.4/OPENMASTER/eng.cltbld.20150116.151345:eng/test-keys
13:38:32     INFO -  CPU: arm
13:38:32     INFO -       0 CPUs
13:38:32     INFO -  Crash reason:  SIGSYS
13:38:32     INFO -  Crash address: 0xb7
13:38:32     INFO -  Thread 0 (crashed)
13:38:32     INFO -   0  libc.so!__getcwd + 0xc
13:38:32     INFO -       r4 = 0xbee83fd8    r5 = 0x00000004    r6 = 0xbee85080    r7 = 0x000000b7
13:38:32     INFO -       r8 = 0x00000001    r9 = 0x40201bb0   r10 = 0xfffffffc    fp = 0xbee85078
13:38:32     INFO -       sp = 0xbee83fa8    lr = 0x40076101    pc = 0x4006ab54
13:38:32     INFO -      Found by: given as instruction pointer in context
13:38:32     INFO -   1  libc.so!getcwd [getcwd.c : 34 + 0x3]
13:38:32     INFO -       r4 = 0xbee83fd8    r5 = 0x00000004    r6 = 0xbee85080    r7 = 0xbee85004
13:38:32     INFO -       r8 = 0x00000001    r9 = 0x40201bb0   r10 = 0xfffffffc    fp = 0xbee85078
13:38:32     INFO -       sp = 0xbee83fb0    pc = 0x40076101
13:38:32     INFO -      Found by: call frame info
13:38:32     INFO -   2  libxul.so!GetSpecialSystemDirectory [SpecialSystemDirectory.cpp:9b8f5473650e : 498 + 0xb]
13:38:32     INFO -       r4 = 0xbee83fd8    r5 = 0x00000004    r6 = 0xbee85080    r7 = 0xbee85004
13:38:32     INFO -       r8 = 0x00000001    r9 = 0x40201bb0   r10 = 0xfffffffc    fp = 0xbee85078
13:38:32     INFO -       sp = 0xbee83fb8    pc = 0x407be853
13:38:32     INFO -      Found by: call frame info
13:38:32     INFO -   3  libxul.so!nsDirectoryService::GetFile [nsDirectoryService.cpp:9b8f5473650e : 753 + 0x11]
13:38:32     INFO -       r4 = 0xbee85004    r5 = 0xbee8500c    r6 = 0xbee85080    r7 = 0xbee8507c
13:38:32     INFO -       r8 = 0x00000001    r9 = 0x40201bb0   r10 = 0xfffffffc    fp = 0xbee85078
13:38:32     INFO -       sp = 0xbee85000    pc = 0x407c0b1d
13:38:32     INFO -      Found by: call frame info
13:38:32     INFO -   4  libxul.so!FindProviderFile [nsDirectoryService.cpp:9b8f5473650e : 347 + 0xf]
13:38:32     INFO -       r4 = 0xbee85078    r5 = 0x407c0c79    r6 = 0x40201bb8    r7 = 0x43e56360
13:38:32     INFO -       r8 = 0xbee8506c    r9 = 0xbee85220   r10 = 0xfffffffc    fp = 0xbee85078
13:38:32     INFO -       sp = 0xbee85030    pc = 0x407bd7bd
13:38:32     INFO -      Found by: call frame info
13:38:32     INFO -   5  libxul.so!nsDirectoryService::Get [nsDirectoryService.cpp:9b8f5473650e : 390 + 0x9]
13:38:32     INFO -       r4 = 0x40201bb0    r5 = 0xffffffff    r6 = 0x43e56370    r7 = 0x43e56360
13:38:32     INFO -       r8 = 0xbee8506c    r9 = 0xbee85220   r10 = 0xfffffffc    fp = 0xbee85078
13:38:32     INFO -       sp = 0xbee85060    pc = 0x407bfd57
13:38:32     INFO -      Found by: call frame info
13:38:32     INFO -   6  libxul.so!NS_InvokeByIndex [xptcinvoke_arm.cpp:9b8f5473650e : 163 + 0x9]
13:38:32     INFO -       r4 = 0x407bfda9    r5 = 0xbee85240    r6 = 0x00000003    r7 = 0xbee850d0
13:38:32     INFO -       r8 = 0x00000003    r9 = 0x00000003   r10 = 0xbee85304    fp = 0xbee8517c
13:38:32     INFO -       sp = 0xbee850b0    pc = 0x407d2339
13:38:32     INFO -      Found by: call frame info

All other similar tests that use run_test_in_child are skipped on that platform:

13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_head_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_head_wrap.js | took 1ms
13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_headers_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_headers_wrap.js | took 0ms
13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_httpsuspend_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_httpsuspend_wrap.js | took 1ms
13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_post_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_post_wrap.js | took 0ms
13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_progress_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_progress_wrap.js | took 1ms
13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_redirect-caching_canceled_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_redirect-caching_canceled_wrap.js | took 0ms
13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_redirect-caching_failure_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_redirect-caching_failure_wrap.js | took 1ms
13:37:48     INFO -  TEST-START | netwerk/test/unit_ipc/test_redirect-caching_passing_wrap.js
13:37:48     INFO -  TEST-SKIP | netwerk/test/unit_ipc/test_redirect-caching_passing_wrap.js | took 0ms

etc.

Here's a link to the log for as long as it lasts: http://ftp.mozilla.org/pub/mozilla.org/b2g/try-builds/dkeeler@mozilla.com-9b8f5473650e/try-emulator/try_ubuntu64_vm-b2g-emulator_test-xpcshell-bm118-tests1-linux64-build757.txt.gz
E/Sandbox ( 4716): JS frame 0: do_get_file /data/local/tests/xpcshell/head.js line 964
E/Sandbox ( 4716): JS frame 1: do_get_cwd /data/local/tests/xpcshell/head.js line 997
E/Sandbox ( 4716): JS frame 2: _register_protocol_handlers /data/local/tests/xpcshell/head.js line 325
E/Sandbox ( 4716): JS frame 3: _execute_test /data/local/tests/xpcshell/head.js line 468
E/Sandbox ( 4716): JS frame 4: (anonymous) typein line 0

Which looks like this: https://dxr.mozilla.org/mozilla-central/source/testing/xpcshell/head.js#316

    316 // Map resource://test/ to current working directory and
    317 // resource://testing-common/ to the shared test modules directory.

Do we need this in a child process, or could it just be made conditional on process type?
Blocks: sb-test
OS: Gonk (Firefox OS) → Linux
Whiteboard: sb+
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
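
A triage helper for the kind of crash log quoted above, as an added example (not part of the bug thread or of Mozilla's tooling): it finds SIGSYS crashes in mozcrash-style output and maps the crash address to a syscall name. It assumes the crash address of a SIGSYS crash carries the syscall number, which matches this log, where it equals r7 of frame 0 (the ARM EABI syscall-number register); the syscall table is partial and `triage_sigsys` is a name chosen here.

```python
import re

# Partial ARM EABI syscall table; only a handful of entries for this example.
ARM_EABI_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close", 183: "getcwd"}

# Sample input: lines taken from the crash log in this bug, trimmed to what is parsed.
SAMPLE_LOG = """\
13:38:32  WARNING -  PROCESS-CRASH | security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js | application crashed [@ __getcwd + 0xc]
13:38:32     INFO -  Crash reason:  SIGSYS
13:38:32     INFO -  Crash address: 0xb7
13:38:32     INFO -  Thread 0 (crashed)
13:38:32     INFO -   0  libc.so!__getcwd + 0xc
13:38:32     INFO -       r4 = 0xbee83fd8    r5 = 0x00000004    r6 = 0xbee85080    r7 = 0x000000b7
"""

CRASH_RE = re.compile(r"PROCESS-CRASH \| (\S+) \| application crashed \[@ (.+?)\]")
REASON_RE = re.compile(r"Crash reason:\s+(\S+)")
ADDR_RE = re.compile(r"Crash address:\s+0x([0-9a-fA-F]+)")
R7_RE = re.compile(r"\br7 = 0x([0-9a-fA-F]+)")


def triage_sigsys(log_text):
    """Return one finding per crash whose reason is SIGSYS (seccomp violation)."""
    crashes, cur = [], None
    for line in log_text.splitlines():
        m = CRASH_RE.search(line)
        if m:  # a new crash record starts here
            cur = {"test": m.group(1), "signature": m.group(2)}
            crashes.append(cur)
            continue
        if cur is None:
            continue
        if (m := REASON_RE.search(line)):
            cur["reason"] = m.group(1)
        elif (m := ADDR_RE.search(line)):
            cur["address"] = int(m.group(1), 16)
        elif (m := R7_RE.search(line)) and "r7" not in cur:
            cur["r7"] = int(m.group(1), 16)  # first r7 seen is frame 0's
    findings = []
    for c in crashes:
        if c.get("reason") != "SIGSYS" or "address" not in c:
            continue  # not a sandbox violation, or record incomplete
        nr = c["address"]  # assumption: crash address carries the syscall number
        findings.append({
            "test": c["test"],
            "syscall_nr": nr,
            "syscall": ARM_EABI_SYSCALLS.get(nr, "unknown"),
            "r7_matches": c.get("r7") == nr,  # ARM EABI passes the number in r7
        })
    return findings
```
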