Closed Bug 1285507
Opened 8 years ago, closed 8 years ago
Attempting to use WebGL with Intel graphics under Linux results in crash
Categories: Core :: Security: Process Sandboxing, defect
Status: RESOLVED FIXED, target milestone mozilla50

Tracking | Status | |
---|---|---|
firefox50 | --- | fixed |

People: Reporter: wgianopoulos, Unassigned
Keywords: regression
Attachments (2 files): 58 bytes, text/x-review-board-request; 1.04 KB, patch (tedd: review+)
Visiting either http://html5test.com or https://www.khronos.org/registry/webgl/sdk/tests/webgl-conformance-tests.html results in a sandbox violation and browser crash during the test for WebGL capability. I verified bug 742434 as the culprit via backout.
Comment 1•8 years ago (Reporter)
Some crash dumps are: bp-1ca79095-750f-4612-8f9a-b8c662160707 bp-27c86afd-b95e-4900-bde4-bea7c2160707 bp-80602b67-0720-46b6-9edf-08eed2160707 bp-45f71216-f2a1-4d6e-b0d8-18ec72160707
Comment 2•8 years ago (Reporter)
This only seems to happen on my laptop with Intel graphics; those with AMD graphics do NOT crash.
Summary: Attempting to use WebGL under Linux results in crash → Attempting to use WebGL with Intel graphics under Linux results in crash
Comment 3•8 years ago (Reporter)
Here is the output showing the sandbox errors:

libGL error: MESA-LOADER: could not create udev device for fd 38
libGL error: MESA-LOADER: could not create udev device for fd 38
ATTENTION: default value of option force_s3tc_enable overridden by environment.
Sandbox: seccomp sandbox violation: pid 18323, syscall 319, args 139999292218373 3 0 0 139998546444288 7883677795399066671. Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: syscall[/lib64/libc.so.6 +0xfcff9]
Sandbox: frame #02: xshmfence_alloc_shm[/lib64/libxshmfence.so.1 +0xa6d]
Sandbox: frame #03: ???[/lib64/libGL.so.1 +0x4e214]
Sandbox: frame #04: ???[/usr/lib64/dri/i965_dri.so +0x378498]
Sandbox: frame #05: ???[/usr/lib64/dri/i965_dri.so +0x378811]
Sandbox: frame #06: ???[/usr/lib64/dri/i965_dri.so +0x378900]
Sandbox: frame #07: ???[/usr/lib64/dri/i965_dri.so +0x327a56]
Sandbox: frame #08: ???[/lib64/libGL.so.1 +0x4886a]
Sandbox: frame #09: glXMakeCurrentReadSGI[/lib64/libGL.so.1 +0x1be95]
Sandbox: frame #10: ???[/home/wag/wg9s_64/libxul.so +0x129afe9]
Sandbox: frame #11: ???[/home/wag/wg9s_64/libxul.so +0x12b9caf]
Sandbox: frame #12: ???[/home/wag/wg9s_64/libxul.so +0x12bb002]
Sandbox: frame #13: ???[/home/wag/wg9s_64/libxul.so +0x129a4ae]
Sandbox: frame #14: ???[/home/wag/wg9s_64/libxul.so +0x129ba70]
Sandbox: frame #15: ???[/home/wag/wg9s_64/libxul.so +0x129c057]
Sandbox: frame #16: ???[/home/wag/wg9s_64/libxul.so +0x129c0cc]
Sandbox: frame #17: ???[/home/wag/wg9s_64/libxul.so +0x129bd14]
Sandbox: frame #18: ???[/home/wag/wg9s_64/libxul.so +0x129c028]
Sandbox: frame #19: ???[/home/wag/wg9s_64/libxul.so +0x129c257]
Sandbox: frame #20: ???[/home/wag/wg9s_64/libxul.so +0x1a9b8b9]
Sandbox: frame #21: ???[/home/wag/wg9s_64/libxul.so +0x1a9cff2]
Sandbox: frame #22: ???[/home/wag/wg9s_64/libxul.so +0x1a9d334]
Sandbox: frame #23: ???[/home/wag/wg9s_64/libxul.so +0x1a9d748]
Sandbox: frame #24: ???[/home/wag/wg9s_64/libxul.so +0x1a67065]
Sandbox: frame #25: ???[/home/wag/wg9s_64/libxul.so +0x1a7668e]
Sandbox: frame #26: ???[/home/wag/wg9s_64/libxul.so +0x1b4c5d0]
Sandbox: frame #27: ???[/home/wag/wg9s_64/libxul.so +0x19e525a]
Sandbox: frame #28: ???[/home/wag/wg9s_64/libxul.so +0x1a3fb45]
Sandbox: frame #29: ???[/home/wag/wg9s_64/libxul.so +0x2e30fa2]
Sandbox: frame #30: ???[/home/wag/wg9s_64/libxul.so +0x2e2b896]
Sandbox: frame #31: ???[/home/wag/wg9s_64/libxul.so +0x2e30bd8]
Sandbox: frame #32: ???[/home/wag/wg9s_64/libxul.so +0x2e30df3]
Sandbox: frame #33: ???[/home/wag/wg9s_64/libxul.so +0x2e31740]
Sandbox: frame #34: ???[/home/wag/wg9s_64/libxul.so +0x2ae12d4]
Sandbox: frame #35: ??? (???:???)
Sandbox: end of stack.
Sandbox: JS frame 0: testWebGL.prototype.initialize http://html5test.com/scripts/6/engine.js line 2962
Sandbox: JS frame 1: testWebGL http://html5test.com/scripts/6/engine.js line 2948
Sandbox: JS frame 2: test.prototype.initialize http://html5test.com/scripts/6/engine.js line 3831
Sandbox: JS frame 3: test http://html5test.com/scripts/6/engine.js line 3747
Sandbox: JS frame 4: start http://html5test.com/ line 257
Sandbox: JS frame 5: (anonymous) http://html5test.com/ line 252
Sandbox: JS frame 6: wait http://html5test.com/ line 211
[Parent 18273] WARNING: pipe error (68): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
[Parent 18273] WARNING: pipe error (60): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
[Parent 18273] WARNING: pipe error (57): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
###!!! [Parent][MessageChannel] Error: (msgtype=0x2C007D,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
Updated•8 years ago (Reporter)
Crash Signature: [@ libc-2.23.so@0xfcff9 ]
Comment 5•8 years ago
URLs where I crash, and I don't think it's WebGL related:
http://www.miniwargaming.com/content/Quick-Tip-Airbrush-Primer
http://www.dell.com/us/p/xps-8900-desktop/pd
Comment 6•8 years ago (Reporter)
Yes, I just had a crash at 123greetings.com trying to send a birthday card. Perhaps it is just Intel graphics related.
Comment 7•8 years ago
(In reply to Bill Gianopoulos [:WG9s] from comment #6)
> Yes I just had a crash at 123greetings.com trying to send a Birthday card.
> Perhaps it is just intel graphics related.

What version of Linux are you using?
Comment 8•8 years ago (Reporter)
(In reply to Ludovic Hirlimann [:Usul] from comment #7)
> (In reply to Bill Gianopoulos [:WG9s] from comment #6)
> > Yes I just had a crash at 123greetings.com trying to send a Birthday card.
> > Perhaps it is just intel graphics related.
>
> what version of linux are you using ?

Fedora 24
Just wanted to confirm that with seccomp-bpf enabled for content, everything works fine for me with the Nvidia proprietary driver on a 4.4.14 kernel, no crashes. Video, audio, WebGL1, WebGL2, MathML, canvas, no problems so far.

Seccomp-BPF (System Call Filtering): true
Seccomp Thread Synchronization: true
User Namespaces: false
Content Process Sandboxing: true
Media Plugin Sandboxing: true
Device ID: GeForce GTX 650 Ti BOOST/PCIe/SSE2
Driver Version: 4.5.0 NVIDIA 364.19
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
OS: Linux 4.4.14-3-MANJARO
Build ID: 20160707083343
Comment 10•8 years ago (Reporter)
OK, so it definitely seems to be Intel only.
Comment 11•8 years ago (Reporter)
In any event, just go to about:config and set security.sandbox.content.level to 0, then restart the browser and all should be well again.
Comment 12•8 years ago
We'll need to whitelist memfd_create. Luckily, that doesn't look like a potentially evil system call.
Updated•8 years ago
Blocks: ogl-linux-beta
Comment 13•8 years ago
Review commit: https://reviewboard.mozilla.org/r/63176/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/63176/
Comment 14•8 years ago
Reading the manpage, this syscall appears to be pretty innocent and in fact used to protect shmem users against exploits.

MozReview-Commit-ID: 7UE6hyDiC6H
Attachment #8769214 - Flags: review?(julian.r.hector)
Comment 15•8 years ago
Comment on attachment 8769214 [details] [diff] [review]
Whitelist memfd_create (used for Sealed Files IPC)

Review of attachment 8769214 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm
Attachment #8769214 - Flags: review?(julian.r.hector) → review+
Updated•8 years ago
No longer blocks: desktop-seccomp
Comment 18•8 years ago
(In reply to Gian-Carlo Pascutto [:gcp] from comment #14)
> Reading the manpage, this syscall appears to be pretty innocent
> and in fact used to protect shmem users against exploits.

It's also much easier for sandboxing to allow it (as seen here) than the classical open+unlink, so we'd like to *encourage* its use, if anything. (See also: bug 1146416 and https://crbug.com/415681#c48.) Unfortunately, it's still relatively new, so its availability can't be assumed.
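The fix discussed in comments 12, 14 and 18 comes down to adding one more syscall number to the content process's seccomp-bpf allow-list. The example below is added here and is not Firefox's sandbox code or the patch attached to this bug: it builds such a filter in classic BPF, includes memfd_create (syscall 319 on x86_64, the number in the violation log in comment 3), and evaluates the filter in user space against constructed seccomp_data records so a policy change can be checked before it is ever installed in a process. The allowed[] list, the STMT/JUMP wrappers, the seccomp_eval() interpreter and the memfd_create_available() probe are all assumptions of this example, not anything from the page.

```c
/* Added example (not Firefox's sandbox code): a seccomp-bpf allow-list that
 * includes memfd_create, plus a user-space evaluator for unit-testing it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319 /* x86_64 value; only used if the headers lack it */
#endif

/* BPF_STMT/BPF_JUMP expand to brace initializers; wrap them as compound
 * literals so they can be assigned into an array at runtime. */
#define STMT(code, k)         ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))

/* Hypothetical content-process allow-list; the point is the last entry. */
static const int allowed[] = { __NR_read, __NR_write, __NR_mmap, __NR_memfd_create };
#define N_ALLOWED (sizeof(allowed) / sizeof(allowed[0]))
#define PROG_LEN  (6 + N_ALLOWED)

static struct sock_filter prog[PROG_LEN];

/* Layout: check the architecture first (a syscall number means nothing
 * without it), then compare the number against each allowed entry, jumping
 * to the final ALLOW on a match. Anything else gets TRAP, i.e. SIGSYS, which
 * is what produced the "seccomp sandbox violation ... Killing process" line. */
static void build_filter(void)
{
    size_t i = 0, k;
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (k = 0; k < N_ALLOWED; k++)
        /* jt skips the remaining comparisons and the TRAP, landing on ALLOW */
        prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[k],
                         (uint8_t)(N_ALLOWED - k), 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
}

/* Minimal interpreter for the three classic-BPF instruction forms used above.
 * Anything it does not understand, or a fall-off-the-end, fails closed. */
static uint32_t seccomp_eval(const struct sock_filter *f, size_t len,
                             const struct seccomp_data *d)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *d)
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const uint8_t *)d + ins->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == ins->k ? ins->jt : ins->jf);
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Run the policy against a constructed seccomp_data record. */
static uint32_t decide(uint32_t arch, int nr)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    build_filter();
    return seccomp_eval(prog, PROG_LEN, &d);
}

/* Comment 18's caveat: memfd_create cannot be assumed to exist. Probe it.
 * Returns 1 if it works, 0 if the kernel lacks it (ENOSYS), -1 if it exists
 * but was refused (for example by an already-installed sandbox policy). */
static int memfd_create_available(void)
{
    long fd = syscall(__NR_memfd_create, "probe", 0);
    if (fd >= 0) { close(fd); return 1; }
    return errno == ENOSYS ? 0 : -1;
}

int main(void)
{
    printf("memfd_create on x86_64: %s\n",
           decide(AUDIT_ARCH_X86_64, __NR_memfd_create) == SECCOMP_RET_ALLOW ? "allow" : "trap");
    printf("ptrace on x86_64: %s\n",
           decide(AUDIT_ARCH_X86_64, __NR_ptrace) == SECCOMP_RET_ALLOW ? "allow" : "trap");
    printf("read from an i386 caller: %s\n",
           decide(AUDIT_ARCH_I386, __NR_read) == SECCOMP_RET_KILL ? "kill" : "other");
    printf("memfd_create available on this kernel: %d\n", memfd_create_available());
    return 0;
}
```

Installing the filter for real is prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) with a struct sock_fprog wrapping prog; a list this short would kill any real process the moment libc touched another syscall, so the user-space evaluator is the useful part here. The architecture check comes first because the same number means different syscalls on x86_64 and i386, and the probe is the runtime check comment 18 implies for kernels older than 3.17, where memfd_create does not exist.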
Comment 19•8 years ago (Reporter)
(In reply to Gian-Carlo Pascutto [:gcp] from comment #17)
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=ef1fcbf9e2ae

Thanks for coming up with a fix so quickly. Unfortunately I am at my weekend place so won't be able to do extensive testing on the system with Intel graphics until Monday.
Comment 20•8 years ago (Reporter)
(In reply to Bill Gianopoulos [:WG9s] from comment #19)
> (In reply to Gian-Carlo Pascutto [:gcp] from comment #17)
> > https://treeherder.mozilla.org/#/jobs?repo=try&revision=ef1fcbf9e2ae
>
> Thanks for coming up with a fix so quickly. Unfortunately I am at my
> weekend place so won't be able to do extensive testing on the system with
> Intel graphics until Monday.

Came home early because of inclement weather so was able to test today. I was able to run html5test.com as well as the WebGL conformance tests and browser cards on 123greetings.com, all of which crash without this patch. This patch seems to fix all the issues I had seen before.
Comment 23•8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a22656e76df720def44b182a645f9ba78dc085d6
Bug 1285507 - Whitelist memfd_create (used for Sealed Files IPC). r=jhector
Comment 25•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/a22656e76df7
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Updated•8 years ago
Crash Signature: [@ libc-2.23.so@0xfcff9 ] → [@ libc-2.23.so@0xfcff9 ] [@ libc-2.23.so@0xe3269 ] [@ libc-2.22.so@0xfc7a9 ] [@ libc-2.22.so@0xe4a59 ] [@ libc-2.23.so@0xe36c9 ] [@ libc-2.23.so@0x100fa9 ] [@ libc-2.23.so@0xe38f9 ] [@ libc-2.23.so@0xe5599 ] [@ libc-2.22.so@0xe4e49 ] [@ libc-2.23.so@0x10…
Comment 26•8 years ago
Some of these signatures are still active on Fx50, although in low volume. The following is based on the last ~3 months of crash data, after the fix landed on 2016-07-11.

SIGNATURE | CRASH STATS | OVERVIEW | LAST CRASH
---|---|---|---
libc-2.23.so@0xfcff9 | http://tinyurl.com/h47djjc | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 29, 50.0a2: 0, 50.0b: 0 | 2016-07-18 (on 50.0a1)
libc-2.23.so@0xe3269 | http://tinyurl.com/hnjqyw5 | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 49, 50.0a2: 0, 50.0b3: 0 | 2016-09-29 (on 50.0a1)
libc-2.22.so@0xfc7a9 | http://tinyurl.com/zff8j5b | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 17, 50.0a2: 0, 50.0b: 0 | 2016-07-12 (on 50.0a1)
libc-2.22.so@0xe4a59 | http://tinyurl.com/zgckqp6 | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 7, 50.0a2: 0, 50.0b: 0 | 2016-07-12 (on 50.0a1)
libc-2.23.so@0xe36c9 | http://tinyurl.com/hutkky6 | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 0, 50.0a2: 0, 50.0b: 0 | n/a
libc-2.23.so@0x100fa9 | http://tinyurl.com/zv7wrrd | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 0, 50.0a2: 0, 50.0b: 0 | n/a
libc-2.23.so@0xe38f9 | http://tinyurl.com/z8eaufs | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 3, 50.0a2: 0, 50.0b: 0 | 2016-07-13 (on 50.0a1)
libc-2.23.so@0xe5599 | http://tinyurl.com/hcgs2rl | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 7, 50.0a2: 0, 50.0b: 0 | 2016-07-11 (on 50.0a1)
libc-2.22.so@0xe4e49 | http://tinyurl.com/jsuyuxf | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 5, 50.0a2: 0, 50.0b: 0 | 2016-07-11 (on 50.0a1)
libc-2.23.so@0x100c19 | http://tinyurl.com/zffp4fv | 52.0a1: 0, 51.0a1: 0, 51.0a2: 0, 50.0a1: 12, 50.0a2: 0, 50.0b: 0 | 2016-07-23 (on 50.0a1)
Comment 27•8 years ago
Note the distribution of build IDs — looks like it's all from people still running old Nightly builds: https://crash-stats.mozilla.com/search/?date=%3E2016-07-11&reason=%3DSIGSYS&cpu_arch=amd64&address=%3D0x13f&_facets=build_id&_facets=version#facet-build_id
Updated•8 years ago
Crash Signature: libc-2.23.so@0x100c19 ] → libc-2.23.so@0x100c19 ] [@ libc-2.24.so@0xe3f19 ]