Bug 1215734 - seccomp sandbox violation in dom/media/test/test_eme_canvas_blocked.html with Clang 3.7 ASan
Status: RESOLVED FIXED (opened 10 years ago, closed 10 years ago)
Categories: Core :: Security: Process Sandboxing, defect, P2
Target milestone: mozilla44; tracking: firefox44 fixed
People: Reporter mccr8, Assignee jld
Attachments (1 file): patch, 1.71 KB, review+ from kang
Description (comment 0, by mccr8):
In a clang 3.7 ASan run, this test fails in a weird way. I'm not sure what this means exactly:
11:43:27 INFO - 43884 INFO TEST-START | dom/media/test/test_eme_canvas_blocked.html
11:43:28 INFO - file=[xpconnect wrapped nsILocalFile]
11:43:29 INFO - file=[xpconnect wrapped nsILocalFile]
11:43:29 INFO - Sandbox: seccomp sandbox violation: pid 10351, syscall 28, args 17460533698560 1044480 16 16434 18446744073709551615 0. Killing process.
11:43:29 INFO - Sandbox: crash reporter is disabled (or failed); trying stack trace:
11:43:29 INFO - Sandbox: frame #01: madvise[/lib/x86_64-linux-gnu/libc.so.6 +0xf0787]
11:43:29 INFO - Sandbox: frame #02: ???[/builds/slave/test/build/application/firefox/plugin-container +0xbc90b]
11:43:29 INFO - Sandbox: frame #03: ???[/builds/slave/test/build/application/firefox/plugin-container +0xbca86]
11:43:29 INFO - Sandbox: frame #04: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x7e9a]
11:43:29 INFO - Sandbox: frame #05: clone[/lib/x86_64-linux-gnu/libc.so.6 +0xf42ed]
11:43:29 INFO - Sandbox: end of stack.
11:43:29 INFO - ###!!! [Parent][MessageChannel] Error: (msgtype=0x700005,name=PGMPStorage::Msg_Shutdown) Channel error: cannot send/recv
11:43:29 INFO - ###!!! [Parent][MessageChannel] Error: (msgtype=0x6C000F,name=PGMP::Msg_CloseActive) Channel error: cannot send/recv
11:43:30 INFO - [9454] WARNING: pipe error (71): Connection reset by peer: file /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459
There are a total of six of these messages in M2:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0cfedd968806
Maybe LSan is trying to run when we shut down the EME process, and tries to execute a symbolicator or something?
In the current clang we're running, the test looks like this:
14:58:27 INFO - 43884 INFO TEST-START | dom/media/test/test_eme_canvas_blocked.html
14:58:28 INFO - file=[xpconnect wrapped nsILocalFile]
14:58:28 INFO - file=[xpconnect wrapped nsILocalFile]
14:58:29 INFO - file=[xpconnect wrapped nsILocalFile]
14:58:29 INFO - file=[xpconnect wrapped nsILocalFile]
14:58:29 INFO - file=[xpconnect wrapped nsILocalFile]
14:58:29 INFO - file=[xpconnect wrapped nsILocalFile]
14:58:38 INFO - MEMORY STAT | vsize 20973301MB | residentFast 862MB
14:58:38 INFO - 43885 INFO TEST-OK | dom/media/test/test_eme_canvas_blocked.html | took 11743ms
There are then a bunch of other failures in the directory, maybe because somehow we ended up not cleaning up things properly:
11:43:32 INFO - 43948 INFO TEST-UNEXPECTED-FAIL | dom/media/test/test_eme_canvas_blocked.html | video-only with 2 keys, CORS-1 MediaKeySession update failed; InvalidStateError: Promise still outstanding at MediaKeys shutdown
11:43:32 INFO - bail/<@dom/media/test/eme.js:20:5
11:43:32 INFO - UpdateSessionFunc/</<@dom/media/test/eme.js:143:7
11:43:32 INFO - promise callback*UpdateSessionFunc/<@dom/media/test/eme.js:139:1
11:43:32 INFO - EventListener.handleEvent*SetupEME/processInitDataQueue/<@dom/media/test/eme.js:330:1
11:43:32 INFO - processInitDataQueue@dom/media/test/eme.js:329:12
11:43:32 INFO - promise callback*SetupEME/<@dom/media/test/eme.js:381:7
11:43:32 INFO - EventListener.handleEvent*SetupEME@dom/media/test/eme.js:357:3
11:43:32 INFO - promise callback*LoadTestWithManagedLoadToken@dom/media/test/eme.js:265:1
11:43:32 INFO - Async*MediaTestManager/this.runTests@dom/media/test/manifest.js:1430:1
11:43:32 INFO - beginTest@dom/media/test/test_eme_canvas_blocked.html:46:3
11:43:32 INFO - Async*SetupEMEPref@dom/media/test/eme.js:430:3
11:43:32 INFO - @dom/media/test/test_eme_canvas_blocked.html:51:3
Comment 2 (Assignee, jld) • 10 years ago
(In reply to Andrew McCreight [:mccr8] from comment #0)
> 11:43:29 INFO - Sandbox: seccomp sandbox violation: pid 10351, syscall
> 28, args 17460533698560 1044480 16 16434 18446744073709551615 0. Killing
> process.
The stack trace shows that this is madvise(), as does looking up 28 in /usr/include/asm/unistd_64.h. As for the third argument, /usr/include/bits/mman-linux.h says:
    # define MADV_DONTDUMP 16
The relevant part of the policy, from security/sandbox/linux/SandboxFilter.cpp:
    case __NR_madvise: {
      Arg<int> advice(2);  // the third syscall argument is the advice value
      return If(advice == MADV_DONTNEED, Allow())
          .Else(InvalidSyscall());
    }
So this is a 3-line fix to add an ElseIf for that, including the ifdefs.
> 11:43:29 INFO - Sandbox: frame #02:
> ???[/builds/slave/test/build/application/firefox/plugin-container +0xbc90b]
> 11:43:29 INFO - Sandbox: frame #03:
> ???[/builds/slave/test/build/application/firefox/plugin-container +0xbca86]
These, if symbolicated, would show where that call is coming from, but I'd guess it's something in the sanitizer runtime that has a reason for doing that.
> 11:43:29 INFO - ###!!! [Parent][MessageChannel] Error:
> (msgtype=0x700005,name=PGMPStorage::Msg_Shutdown) Channel error: cannot
> send/recv
> 11:43:29 INFO - ###!!! [Parent][MessageChannel] Error:
> (msgtype=0x6C000F,name=PGMP::Msg_CloseActive) Channel error: cannot send/recv
> 11:43:30 INFO - [9454] WARNING: pipe error (71): Connection reset by
> peer: file
> /builds/slave/try-l64-asan-00000000000000000/build/src/ipc/chromium/src/
> chrome/common/ipc_channel_posix.cc, line 459
This is the parent noticing that the child exited as a result of the sandbox violation.
Assignee: nobody → jld
Flags: needinfo?(jld)
Updated (10 years ago): Priority: -- → P2
Comment 3 (Reporter, mccr8) • 10 years ago
Thanks. I also had to add MADV_NOHUGEPAGE to get this test to work locally.
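As an added example, not code from Firefox's SandboxFilter.cpp or from this bug's patch: the decoding jld does by hand in comment 2 (syscall 28 is madvise on x86_64, the third argument 16 is MADV_DONTDUMP) and the madvise rule before and after the fix, written as plain C++. It assumes x86_64 syscall numbers, and it assumes the final policy allows MADV_DONTNEED, MADV_DONTDUMP and the MADV_NOHUGEPAGE value from comment 3. The Violation struct, SyscallName table and Verdict enum are this example's own, not the bpf_dsl types SandboxFilter.cpp uses; the second log line in main() is constructed.

```cpp
// Added example (not Firefox's SandboxFilter.cpp): decode a "seccomp sandbox
// violation" log line the way comment 2 does by hand, then evaluate the
// madvise() rule before and after the ElseIf branches this bug adds.
#include <cstdio>
#include <string>
#include <sys/mman.h>

// Older glibc headers lack these two constants (comment 5's try build failed
// on them), so fall back to the values from bits/mman-linux.h.
#ifndef MADV_NOHUGEPAGE
#define MADV_NOHUGEPAGE 15
#endif
#ifndef MADV_DONTDUMP
#define MADV_DONTDUMP 16
#endif

struct Violation {
  int pid;
  long syscallNr;
  unsigned long long args[6];  // the six raw syscall arguments as logged
};

// Parses "Sandbox: seccomp sandbox violation: pid N, syscall N, args A B C D E F."
// Returns false for any other line, so it can be run over a whole test log.
bool ParseViolation(const std::string& line, Violation* v) {
  size_t pos = line.find("seccomp sandbox violation: pid ");
  if (pos == std::string::npos) return false;
  int n = std::sscanf(line.c_str() + pos,
                      "seccomp sandbox violation: pid %d, syscall %ld, "
                      "args %llu %llu %llu %llu %llu %llu.",
                      &v->pid, &v->syscallNr, &v->args[0], &v->args[1],
                      &v->args[2], &v->args[3], &v->args[4], &v->args[5]);
  return n == 8;
}

// x86_64 numbers from /usr/include/asm/unistd_64.h (the table jld consulted);
// only the memory-management calls a sandbox policy commonly special-cases.
std::string SyscallName(long nr) {
  switch (nr) {
    case 9:  return "mmap";
    case 10: return "mprotect";
    case 11: return "munmap";
    case 12: return "brk";
    case 28: return "madvise";
    default: return "syscall#" + std::to_string(nr);
  }
}

// madvise() advice values from bits/mman-linux.h.
std::string AdviceName(int advice) {
  switch (advice) {
    case MADV_DONTNEED:   return "MADV_DONTNEED";
    case MADV_NOHUGEPAGE: return "MADV_NOHUGEPAGE";
    case MADV_DONTDUMP:   return "MADV_DONTDUMP";
    default:              return "advice#" + std::to_string(advice);
  }
}

enum class Verdict { Allow, InvalidSyscall };

// The rule quoted in comment 2, reduced to plain C++: only MADV_DONTNEED
// passes; any other advice value is reported as an invalid syscall.
Verdict MadviseRuleBefore(int advice) {
  return advice == MADV_DONTNEED ? Verdict::Allow : Verdict::InvalidSyscall;
}

// The rule with the ElseIf branches this bug adds (assumed to cover both
// MADV_DONTDUMP from comment 2 and MADV_NOHUGEPAGE from comment 3).
Verdict MadviseRuleAfter(int advice) {
  if (advice == MADV_DONTNEED || advice == MADV_DONTDUMP ||
      advice == MADV_NOHUGEPAGE) {
    return Verdict::Allow;
  }
  return Verdict::InvalidSyscall;
}

// One-line summary of a violation, e.g.
// "pid 10351: madvise(advice=MADV_DONTDUMP) before: InvalidSyscall, after: Allow".
std::string Explain(const Violation& v) {
  std::string out = "pid " + std::to_string(v.pid) + ": " + SyscallName(v.syscallNr);
  if (v.syscallNr != 28) return out + " (not covered by this example)";
  int advice = static_cast<int>(v.args[2]);  // third argument = advice
  auto name = [](Verdict d) { return d == Verdict::Allow ? "Allow" : "InvalidSyscall"; };
  return out + "(advice=" + AdviceName(advice) + ") before: " +
         name(MadviseRuleBefore(advice)) + ", after: " + name(MadviseRuleAfter(advice));
}

int main() {
  // The violation line from comment 0, plus one constructed line for the
  // MADV_NOHUGEPAGE case mccr8 hit locally (comment 3), and a non-violation line.
  const char* lines[] = {
      "11:43:29 INFO - Sandbox: seccomp sandbox violation: pid 10351, syscall 28, "
      "args 17460533698560 1044480 16 16434 18446744073709551615 0. Killing process.",
      "Sandbox: seccomp sandbox violation: pid 4242, syscall 28, "
      "args 140000000000 2097152 15 0 0 0. Killing process.",  // constructed
      "11:43:29 INFO - Sandbox: end of stack.",
  };
  for (const char* line : lines) {
    Violation v;
    if (ParseViolation(line, &v)) std::printf("%s\n", Explain(v).c_str());
  }
  return 0;
}
```

Running it over a whole mochitest log prints one line per violation; the "before" verdict reproduces what killed the GMP child here, and the "after" verdict is what the added ElseIf branches give. Any advice value outside the three listed ones still comes back as InvalidSyscall, which is the behaviour a seccomp allowlist should keep by default.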
Comment 4 (Assignee, jld) • 10 years ago
Interestingly, https://treeherder.mozilla.org/#/jobs?repo=try&revision=be3c57c8d653 passed without adding MADV_HUGEPAGE. Maybe it probed for MADV_HUGEPAGE support earlier (or at compile time?) and didn't find it on the test machines.
Comment 5 (Reporter, mccr8) • 10 years ago
You have to push some other stuff in order to get it to use 3.7.
Oddly, while I was able to build locally, it didn't build on try, complaining about the two MADV_ constants being undefined:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=75ae82bd345e
Comment 6 (Reporter, mccr8) • 10 years ago
Oh, I see you defined it in there. I'll try that.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f2ddf89075d0
Comment 7 (Assignee, jld) • 10 years ago
(In reply to Andrew McCreight [:mccr8] from comment #6)
> Oh, I see you defined it in there. I'll try that.
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=f2ddf89075d0
That patch looks oddly similar to https://treeherder.mozilla.org/#/jobs?repo=try&revision=c19aa1e397f6 (-:
Comment 8 (Reporter, mccr8) • 10 years ago
That try run looks fine. The failures are all unrelated things. (For future reference, it sounds like Chrome disables the built-in symbolizer because it doesn't work with their sandboxing. So we may have to do that at some point.)
Comment 9 (Assignee, jld) • 10 years ago
Attachment #8676353 - Flags: review?(gdestuynder)
Updated (Assignee, 10 years ago): Component: Audio/Video → Security: Process Sandboxing
Attachment #8676353 - Flags: review?(gdestuynder) → review+
Comment 10 (Assignee, jld) • 10 years ago
(checkin-needed note: see comment #7 and comment #8 for Try run)
Keywords: checkin-needed
Updated (Reporter, 10 years ago): Keywords: checkin-needed
Comment 11 • 10 years ago
Comment 12 • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44