Closed Bug 1215734 Opened 4 years ago Closed 4 years ago

seccomp sandbox violation in dom/media/test/test_eme_canvas_blocked.html with Clang 3.7 ASan

Categories

(Core :: Security: Process Sandboxing, defect, P2)

defect

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: mccr8, Assigned: jld)

References

Details

Attachments

(1 file)

In a clang 3.7 ASan run, this test fails in a weird way. I'm not sure what this means exactly:

11:43:27     INFO -  43884 INFO TEST-START | dom/media/test/test_eme_canvas_blocked.html
11:43:28     INFO -  file=[xpconnect wrapped nsILocalFile]
11:43:29     INFO -  file=[xpconnect wrapped nsILocalFile]
11:43:29     INFO -  Sandbox: seccomp sandbox violation: pid 10351, syscall 28, args 17460533698560 1044480 16 16434 18446744073709551615 0.  Killing process.
11:43:29     INFO -  Sandbox: crash reporter is disabled (or failed); trying stack trace:
11:43:29     INFO -  Sandbox: frame #01: madvise[/lib/x86_64-linux-gnu/libc.so.6 +0xf0787]
11:43:29     INFO -  Sandbox: frame #02: ???[/builds/slave/test/build/application/firefox/plugin-container +0xbc90b]
11:43:29     INFO -  Sandbox: frame #03: ???[/builds/slave/test/build/application/firefox/plugin-container +0xbca86]
11:43:29     INFO -  Sandbox: frame #04: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x7e9a]
11:43:29     INFO -  Sandbox: frame #05: clone[/lib/x86_64-linux-gnu/libc.so.6 +0xf42ed]
11:43:29     INFO -  Sandbox: end of stack.
11:43:29     INFO -  ###!!! [Parent][MessageChannel] Error: (msgtype=0x700005,name=PGMPStorage::Msg_Shutdown) Channel error: cannot send/recv
11:43:29     INFO -  ###!!! [Parent][MessageChannel] Error: (msgtype=0x6C000F,name=PGMP::Msg_CloseActive) Channel error: cannot send/recv
11:43:30     INFO -  [9454] WARNING: pipe error (71): Connection reset by peer: file /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459

There are a total of six of these messages in M2:
  https://treeherder.mozilla.org/#/jobs?repo=try&revision=0cfedd968806

Maybe LSan is trying to run when we shut down the EME process, and tries to execute a symbolicator or something?

In the current clang we're running, the test looks like this:

14:58:27     INFO -  43884 INFO TEST-START | dom/media/test/test_eme_canvas_blocked.html
14:58:28     INFO -  file=[xpconnect wrapped nsILocalFile]
14:58:28     INFO -  file=[xpconnect wrapped nsILocalFile]
14:58:29     INFO -  file=[xpconnect wrapped nsILocalFile]
14:58:29     INFO -  file=[xpconnect wrapped nsILocalFile]
14:58:29     INFO -  file=[xpconnect wrapped nsILocalFile]
14:58:29     INFO -  file=[xpconnect wrapped nsILocalFile]
14:58:38     INFO -  MEMORY STAT | vsize 20973301MB | residentFast 862MB
14:58:38     INFO -  43885 INFO TEST-OK | dom/media/test/test_eme_canvas_blocked.html | took 11743ms

There are then a bunch of other failures in the directory, maybe because somehow we ended up not cleaning up things properly:

11:43:32     INFO -  43948 INFO TEST-UNEXPECTED-FAIL | dom/media/test/test_eme_canvas_blocked.html | video-only with 2 keys, CORS-1 MediaKeySession update failed; InvalidStateError: Promise still outstanding at MediaKeys shutdown
11:43:32     INFO -      bail/<@dom/media/test/eme.js:20:5
11:43:32     INFO -      UpdateSessionFunc/</<@dom/media/test/eme.js:143:7
11:43:32     INFO -      promise callback*UpdateSessionFunc/<@dom/media/test/eme.js:139:1
11:43:32     INFO -      EventListener.handleEvent*SetupEME/processInitDataQueue/<@dom/media/test/eme.js:330:1
11:43:32     INFO -      processInitDataQueue@dom/media/test/eme.js:329:12
11:43:32     INFO -      promise callback*SetupEME/<@dom/media/test/eme.js:381:7
11:43:32     INFO -      EventListener.handleEvent*SetupEME@dom/media/test/eme.js:357:3
11:43:32     INFO -      promise callback*LoadTestWithManagedLoadToken@dom/media/test/eme.js:265:1
11:43:32     INFO -      Async*MediaTestManager/this.runTests@dom/media/test/manifest.js:1430:1
11:43:32     INFO -      beginTest@dom/media/test/test_eme_canvas_blocked.html:46:3
11:43:32     INFO -      Async*SetupEMEPref@dom/media/test/eme.js:430:3
11:43:32     INFO -      @dom/media/test/test_eme_canvas_blocked.html:51:3
Have any ideas, Jed? Thanks.
Flags: needinfo?(jld)
(In reply to Andrew McCreight [:mccr8] from comment #0)
> 11:43:29     INFO -  Sandbox: seccomp sandbox violation: pid 10351, syscall
> 28, args 17460533698560 1044480 16 16434 18446744073709551615 0.  Killing
> process.

The stack trace shows that this is madvise(), as does looking up 28 in /usr/include/asm/unistd_64.h.  As for the third argument, /usr/include/bits/mman-linux.h says:

# define MADV_DONTDUMP    16

The relevant part of the policy, from security/sandbox/linux/SandboxFilter.cpp:

    case __NR_madvise: {
      Arg<int> advice(2);
      return If(advice == MADV_DONTNEED, Allow())
        .Else(InvalidSyscall());
    }

So this is a 3-line fix to add an ElseIf for that, including the ifdefs.

> 11:43:29     INFO -  Sandbox: frame #02:
> ???[/builds/slave/test/build/application/firefox/plugin-container +0xbc90b]
> 11:43:29     INFO -  Sandbox: frame #03:
> ???[/builds/slave/test/build/application/firefox/plugin-container +0xbca86]

These, if symbolicated, would show where that call is coming from, but I'd guess it's something in the sanitizer runtime that has a reason for doing that.

> 11:43:29     INFO -  ###!!! [Parent][MessageChannel] Error:
> (msgtype=0x700005,name=PGMPStorage::Msg_Shutdown) Channel error: cannot
> send/recv
> 11:43:29     INFO -  ###!!! [Parent][MessageChannel] Error:
> (msgtype=0x6C000F,name=PGMP::Msg_CloseActive) Channel error: cannot send/recv
> 11:43:30     INFO -  [9454] WARNING: pipe error (71): Connection reset by
> peer: file
> /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/
> chrome/common/ipc_channel_posix.cc, line 459

This is the parent noticing that the child exited as a result of the sandbox violation.
Assignee: nobody → jld
Flags: needinfo?(jld)
Priority: -- → P2
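To make the argument-filtering idea in the policy excerpt above concrete, here is an added, stand-alone seccomp-bpf example. It is not Firefox's SandboxFilter.cpp and not the patch that landed: it hand-writes the classic BPF that the `Arg<int> advice(2)` / `If(advice == ...)` DSL generates, with MADV_DONTDUMP and MADV_NOHUGEPAGE added next to MADV_DONTNEED as the discussion proposes, and it substitutes `SECCOMP_RET_ERRNO` (EPERM) for the real sandbox's kill so the effect can be observed from the same process. The `#ifndef` fallbacks for the two MADV_ constants are the same workaround the Try failure required when the build headers lacked them. Everything else (function names, the x32 rejection, the arch list) is this example's own assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example: a minimal madvise() argument policy, not Firefox's code. */

/* Older headers (as on the Try builders in this bug) lack these; values from
 * bits/mman-linux.h. */
#ifndef MADV_NOHUGEPAGE
#  define MADV_NOHUGEPAGE 15
#endif
#ifndef MADV_DONTDUMP
#  define MADV_DONTDUMP 16
#endif

/* A filter must pin the architecture, otherwise syscall numbers are meaningless. */
#if defined(__x86_64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* On x86_64, x32 syscall numbers are the normal ones with bit 30 set; reject them
 * so an x32 madvise cannot sidestep the argument check. Harmless on other archs. */
#define X32_BIT 0x40000000u

/* Hard denial: prefer killing the whole process where the kernel supports it. */
#ifdef SECCOMP_RET_KILL_PROCESS
#  define DENY_HARD SECCOMP_RET_KILL_PROCESS
#else
#  define DENY_HARD SECCOMP_RET_KILL
#endif

/* Low 32 bits of syscall argument i (little-endian; true for both archs above). */
#define ARG_LO32(i) (offsetof(struct seccomp_data, args) + (i) * sizeof(__u64))

/* Install: allow every syscall except madvise(), which is allowed only with
 * MADV_DONTNEED, MADV_DONTDUMP or MADV_NOHUGEPAGE; any other advice gets EPERM.
 * Returns 0 on success, -1 with errno set otherwise. */
int install_madvise_policy(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), /* ok: skip kill */
        BPF_STMT(BPF_RET | BPF_K, DENY_HARD),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_BIT, 0, 1),            /* x32 -> kill */
        BPF_STMT(BPF_RET | BPF_K, DENY_HARD),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_madvise, 0, 5),       /* other syscalls -> ALLOW */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO32(2)),               /* advice argument */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MADV_DONTNEED, 3, 0),      /* -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MADV_DONTDUMP, 2, 0),      /* -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MADV_NOHUGEPAGE, 1, 0),    /* -> ALLOW */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call madvise(advice) on a fresh anonymous page: 0 on success, else -errno.
 * With the policy installed, a denied advice value yields -EPERM. */
int probe_madvise(int advice)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -errno;
    int rc = madvise(p, pagesz, advice) == 0 ? 0 : -errno;
    munmap(p, pagesz);
    return rc;
}

int main(void)
{
    if (install_madvise_policy() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("MADV_DONTNEED   -> %d\n", probe_madvise(MADV_DONTNEED));
    printf("MADV_DONTDUMP   -> %d\n", probe_madvise(MADV_DONTDUMP));
    printf("MADV_NOHUGEPAGE -> %d\n", probe_madvise(MADV_NOHUGEPAGE));
    printf("MADV_RANDOM     -> %d (EPERM is %d)\n", probe_madvise(MADV_RANDOM), -EPERM);
    return 0;
}
```

Two points worth checking when you extend a rule like this: only the low 32 bits of the argument are compared here, which is fine for an `int` advice value but not for pointer or size arguments, where both halves must be tested; and a sanitizer or allocator runtime may issue madvise() calls the application never wrote, which is exactly how the MADV_DONTDUMP violation in this bug arose.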
Thanks. I also had to add MADV_NOHUGEPAGE to get this test to work locally.
Interestingly, https://treeherder.mozilla.org/#/jobs?repo=try&revision=be3c57c8d653 passed without adding MADV_HUGEPAGE.  Maybe it probed for MADV_HUGEPAGE support earlier (or at compile time?) and didn't find it on the test machines.
You have to push some other stuff in order to get it to use 3.7.

Oddly, while I was able to build locally, it didn't build on try, complaining about the two MADV_ constants being undefined:
  https://treeherder.mozilla.org/#/jobs?repo=try&revision=75ae82bd345e
Oh, I see you defined it in there. I'll try that.
  https://treeherder.mozilla.org/#/jobs?repo=try&revision=f2ddf89075d0
(In reply to Andrew McCreight [:mccr8] from comment #6)
> Oh, I see you defined it in there. I'll try that.
>   https://treeherder.mozilla.org/#/jobs?repo=try&revision=f2ddf89075d0

That patch looks oddly similar to https://treeherder.mozilla.org/#/jobs?repo=try&revision=c19aa1e397f6 (-:
That try run looks fine. The failures are all unrelated things. (For future reference, it sounds like Chrome disables the built-in symbolizer because it doesn't work with their sandboxing. So we may have to do that at some point.)
Component: Audio/Video → Security: Process Sandboxing
(checkin-needed note: see comment #7 and comment #8 for Try run)
Keywords: checkin-needed
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/a96ed2b2a641
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44