Closed Bug 1285507 Opened 4 years ago Closed 4 years ago

Attempting to use WebGL with Intel graphics under Linux results in crash

Categories

(Core :: Security: Process Sandboxing, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla50
Tracking Status
firefox50 --- fixed

People

(Reporter: wgianopoulos, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Crash Data

Attachments

(2 files)

Visiting either http://html5test.com or https://www.khronos.org/registry/webgl/sdk/tests/webgl-conformance-tests.html results in a sandbox violation and browser crash during the test for WebGL capability.

I verified bug 742434 as the culprit via backout.
Blocks: 1280415
This only seems to happen on my laptop with Intel graphics; those with AMD graphics do NOT crash.
Summary: Attempting to use WebGL under Linux results in crash → Attempting to use WebGL with Intel graphics under Linux results in crash
Here is the output showing the sandbox errors:

libGL error: MESA-LOADER: could not create udev device for fd 38
libGL error: MESA-LOADER: could not create udev device for fd 38
ATTENTION: default value of option force_s3tc_enable overridden by environment.
Sandbox: seccomp sandbox violation: pid 18323, syscall 319, args 139999292218373 3 0 0 139998546444288 7883677795399066671.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: syscall[/lib64/libc.so.6 +0xfcff9]
Sandbox: frame #02: xshmfence_alloc_shm[/lib64/libxshmfence.so.1 +0xa6d]
Sandbox: frame #03: ???[/lib64/libGL.so.1 +0x4e214]
Sandbox: frame #04: ???[/usr/lib64/dri/i965_dri.so +0x378498]
Sandbox: frame #05: ???[/usr/lib64/dri/i965_dri.so +0x378811]
Sandbox: frame #06: ???[/usr/lib64/dri/i965_dri.so +0x378900]
Sandbox: frame #07: ???[/usr/lib64/dri/i965_dri.so +0x327a56]
Sandbox: frame #08: ???[/lib64/libGL.so.1 +0x4886a]
Sandbox: frame #09: glXMakeCurrentReadSGI[/lib64/libGL.so.1 +0x1be95]
Sandbox: frame #10: ???[/home/wag/wg9s_64/libxul.so +0x129afe9]
Sandbox: frame #11: ???[/home/wag/wg9s_64/libxul.so +0x12b9caf]
Sandbox: frame #12: ???[/home/wag/wg9s_64/libxul.so +0x12bb002]
Sandbox: frame #13: ???[/home/wag/wg9s_64/libxul.so +0x129a4ae]
Sandbox: frame #14: ???[/home/wag/wg9s_64/libxul.so +0x129ba70]
Sandbox: frame #15: ???[/home/wag/wg9s_64/libxul.so +0x129c057]
Sandbox: frame #16: ???[/home/wag/wg9s_64/libxul.so +0x129c0cc]
Sandbox: frame #17: ???[/home/wag/wg9s_64/libxul.so +0x129bd14]
Sandbox: frame #18: ???[/home/wag/wg9s_64/libxul.so +0x129c028]
Sandbox: frame #19: ???[/home/wag/wg9s_64/libxul.so +0x129c257]
Sandbox: frame #20: ???[/home/wag/wg9s_64/libxul.so +0x1a9b8b9]
Sandbox: frame #21: ???[/home/wag/wg9s_64/libxul.so +0x1a9cff2]
Sandbox: frame #22: ???[/home/wag/wg9s_64/libxul.so +0x1a9d334]
Sandbox: frame #23: ???[/home/wag/wg9s_64/libxul.so +0x1a9d748]
Sandbox: frame #24: ???[/home/wag/wg9s_64/libxul.so +0x1a67065]
Sandbox: frame #25: ???[/home/wag/wg9s_64/libxul.so +0x1a7668e]
Sandbox: frame #26: ???[/home/wag/wg9s_64/libxul.so +0x1b4c5d0]
Sandbox: frame #27: ???[/home/wag/wg9s_64/libxul.so +0x19e525a]
Sandbox: frame #28: ???[/home/wag/wg9s_64/libxul.so +0x1a3fb45]
Sandbox: frame #29: ???[/home/wag/wg9s_64/libxul.so +0x2e30fa2]
Sandbox: frame #30: ???[/home/wag/wg9s_64/libxul.so +0x2e2b896]
Sandbox: frame #31: ???[/home/wag/wg9s_64/libxul.so +0x2e30bd8]
Sandbox: frame #32: ???[/home/wag/wg9s_64/libxul.so +0x2e30df3]
Sandbox: frame #33: ???[/home/wag/wg9s_64/libxul.so +0x2e31740]
Sandbox: frame #34: ???[/home/wag/wg9s_64/libxul.so +0x2ae12d4]
Sandbox: frame #35: ??? (???:???)
Sandbox: end of stack.
Sandbox: JS frame 0: testWebGL.prototype.initialize http://html5test.com/scripts/6/engine.js line 2962
Sandbox: JS frame 1: testWebGL http://html5test.com/scripts/6/engine.js line 2948
Sandbox: JS frame 2: test.prototype.initialize http://html5test.com/scripts/6/engine.js line 3831
Sandbox: JS frame 3: test http://html5test.com/scripts/6/engine.js line 3747
Sandbox: JS frame 4: start http://html5test.com/ line 257
Sandbox: JS frame 5: (anonymous) http://html5test.com/ line 252
Sandbox: JS frame 6: wait http://html5test.com/ line 211
[Parent 18273] WARNING: pipe error (68): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
[Parent 18273] WARNING: pipe error (60): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
[Parent 18273] WARNING: pipe error (57): Connection reset by peer: file /home/wag/mozilla/mozilla2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320

###!!! [Parent][MessageChannel] Error: (msgtype=0x2C007D,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
Crash Signature: [@ libc-2.23.so@0xfcff9 ]
Duplicate of this bug: 1285497
Yes, I just had a crash at 123greetings.com trying to send a birthday card. Perhaps it is just Intel graphics related.
(In reply to Bill Gianopoulos [:WG9s] from comment #6)
> Yes I just had a crash at 123greetings.com trying to send a Birthday card. 
> Perhaps it is just intel graphics related.

What version of Linux are you using?
(In reply to Ludovic Hirlimann [:Usul] from comment #7)
> (In reply to Bill Gianopoulos [:WG9s] from comment #6)
> > Yes I just had a crash at 123greetings.com trying to send a Birthday card. 
> > Perhaps it is just intel graphics related.
> 
> what version of linux are you using ?

Fedora 24
Just wanted to confirm that with seccomp-bpf enabled for content, everything works fine for me with the Nvidia proprietary driver on a 4.4.14 kernel, no crashes.
Video, audio, WebGL1, WebGL2, MathML, canvas: no problems so far.

Seccomp-BPF (System Call Filtering)	true
Seccomp Thread Synchronization	true
User Namespaces	false
Content Process Sandboxing	true
Media Plugin Sandboxing	true

Device ID	GeForce GTX 650 Ti BOOST/PCIe/SSE2
Driver Version	4.5.0 NVIDIA 364.19

User Agent 	Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
OS 	Linux 4.4.14-3-MANJARO
Build ID 	20160707083343
OK, so it definitely seems to be Intel only.
In any event, just go to about:config and set security.sandbox.content.level to 0, then restart the browser and all should be well again.
We'll need to whitelist memfd_create. Luckily, that doesn't look like a potentially evil system call.
Reading the manpage, this syscall appears to be pretty innocent
and in fact used to protect shmem users against exploits.

MozReview-Commit-ID: 7UE6hyDiC6H
Attachment #8769214 - Flags: review?(julian.r.hector)
Comment on attachment 8769214 [details] [diff] [review]
Whitelist memfd_create (used for Sealed Files IPC)

Review of attachment 8769214 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm
Attachment #8769214 - Flags: review?(julian.r.hector) → review+
Duplicate of this bug: 1285296
No longer blocks: desktop-seccomp
(In reply to Gian-Carlo Pascutto [:gcp] from comment #14)
> Reading the manpage, this syscall appears to be pretty innocent
> and in fact used to protect shmem users against exploits.

It's also much easier for sandboxing to allow it (as seen here) than the classical open+unlink, so we'd like to *encourage* its use, if anything.  (See also: bug 1146416 and https://crbug.com/415681#c48.)  Unfortunately, it's still relatively new, so its availability can't be assumed.
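The sealed-file IPC that the commit message and the reply above refer to, as an added example that is not from the bug or the Firefox patch: a producer creates a memfd, fills it and seals it, and the consumer verifies the seals before trusting the mapping. The payload is constructed data, and the ENOSYS/EPERM branch stands for the "availability can't be assumed" caveat (an old kernel, or a seccomp filter that has not yet allowed the call).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

long syscall(long, ...); /* glibc's own prototype, in case _GNU_SOURCE was set too late */
#ifndef MFD_CLOEXEC      /* fallbacks for older headers; values are the kernel's own */
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#define F_SEAL_WRITE 0x0008
#endif

/* Returns 0 when the sealed memfd behaves as described, 1 when memfd_create is
 * unavailable (ENOSYS on an old kernel, EPERM from a seccomp filter such as the
 * one in this bug: fall back to open+unlink under /dev/shm), negative otherwise. */
int sealed_shm_demo(void) {
  const char payload[] = "constructed sample page"; /* constructed data */
  /* memfd_create is syscall 319 on x86_64, the number seccomp reported above. */
  int fd = syscall(SYS_memfd_create, "sealed-ipc", MFD_CLOEXEC | MFD_ALLOW_SEALING);
  if (fd < 0) return (errno == ENOSYS || errno == EPERM) ? 1 : -1;
  /* Producer: size and fill the file, then seal it. A consumer can trust a
   * sealed mapping: no shrink (which would make its reads SIGBUS) and no
   * writes after it has validated the contents. */
  if (ftruncate(fd, 4096) < 0) return -2;
  if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) return -3;
  if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) < 0) return -4;
  /* Consumer (the fd would arrive over a UNIX socket): verify the seals before
   * trusting anything, then map read-only. */
  int seals = fcntl(fd, F_GET_SEALS);
  if (seals < 0 || (seals & (F_SEAL_SHRINK | F_SEAL_WRITE)) != (F_SEAL_SHRINK | F_SEAL_WRITE))
    return -5;
  /* Later tampering by the producer is refused with EPERM. */
  if (ftruncate(fd, 0) == 0 || errno != EPERM) return -6;
  if (write(fd, "x", 1) != -1 || errno != EPERM) return -7;
  char *map = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
  if (map == MAP_FAILED) return -8;
  int intact = memcmp(map, payload, sizeof payload) == 0;
  munmap(map, 4096);
  close(fd);
  return intact ? 0 : -9;
}
```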
(In reply to Gian-Carlo Pascutto [:gcp] from comment #17)
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=ef1fcbf9e2ae

Thanks for coming up with a fix so quickly.  Unfortunately I am at my weekend place so won't be able to do extensive testing on the system with Intel graphics until Monday.
(In reply to Bill Gianopoulos [:WG9s] from comment #19)
> (In reply to Gian-Carlo Pascutto [:gcp] from comment #17)
> > https://treeherder.mozilla.org/#/jobs?repo=try&revision=ef1fcbf9e2ae
> 
> Thanks for coming up with a fix so quickly.  Unfortunately I am at my
> weekend place so wont be able to do extensive testing on the system with
> Intel graphics until Monday.

Came home early because of inclement weather, so I was able to test today.  I was able to run html5test.com as well as the WebGL conformance tests and browse cards on 123greetings.com, all of which crash without this patch.

This patch seems to fix all the issues I had seen before.
Duplicate of this bug: 1285604
Duplicate of this bug: 1285788
Duplicate of this bug: 1285920
https://hg.mozilla.org/mozilla-central/rev/a22656e76df7
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Crash Signature: [@ libc-2.23.so@0xfcff9 ] → [@ libc-2.23.so@0xfcff9 ] [@ libc-2.23.so@0xe3269 ] [@ libc-2.22.so@0xfc7a9 ] [@ libc-2.22.so@0xe4a59 ] [@ libc-2.23.so@0xe36c9 ] [@ libc-2.23.so@0x100fa9 ] [@ libc-2.23.so@0xe38f9 ] [@ libc-2.23.so@0xe5599 ] [@ libc-2.22.so@0xe4e49 ] [@ libc-2.23.so@0x10…
Some of these signatures are still active on Fx50, although in low volume. The following is based on the last ~3 months of crash data, after the fix landed on 2016-07-11.

  +-----------------------+----------------------------+--------------------+-------------+
  | SIGNATURE             | CRASH STATS                | OVERVIEW           | LAST CRASH  |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xfcff9  | http://tinyurl.com/h47djjc | 52.0a1: 0 crashes  | 2016-07-18  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 29 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b: 0 crashes   |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe3269  | http://tinyurl.com/hnjqyw5 | 52.0a1: 0 crashes  | 2016-09-29  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 49 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b3: 0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.22.so@0xfc7a9  | http://tinyurl.com/zff8j5b | 52.0a1: 0 crashes  | 2016-07-12  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 17 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.22.so@0xe4a59  | http://tinyurl.com/zgckqp6 | 52.0a1: 0 crashes  | 2016-07-12  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 7 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe36c9  | http://tinyurl.com/hutkky6 | 52.0a1: 0 crashes  | n/a         |
  |                       |                            | 51.0a1: 0 crashes  |             |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 0 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0x100fa9 | http://tinyurl.com/zv7wrrd | 52.0a1: 0 crashes  | n/a         |
  |                       |                            | 51.0a1: 0 crashes  |             |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 0 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe38f9  | http://tinyurl.com/z8eaufs | 52.0a1: 0 crashes  | 2016-07-13  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 3 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0xe5599  | http://tinyurl.com/hcgs2rl | 52.0a1: 0 crashes  | 2016-07-11  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 7 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.22.so@0xe4e49  | http://tinyurl.com/jsuyuxf | 52.0a1: 0 crashes  | 2016-07-11  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 5 crashes  |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
  | libc-2.23.so@0x100c19 | http://tinyurl.com/zffp4fv | 52.0a1: 0 crashes  | 2016-07-23  |
  |                       |                            | 51.0a1: 0 crashes  | (on 50.0a1) |
  |                       |                            | 51.0a2: 0 crashes  |             |
  |                       |                            | 50.0a1: 12 crashes |             |
  |                       |                            | 50.0a2: 0 crashes  |             |
  |                       |                            | 50.0b:  0 crashes  |             |
  +-----------------------+----------------------------+--------------------+-------------+
Crash Signature: libc-2.23.so@0x100c19 ] → libc-2.23.so@0x100c19 ] [@ libc-2.24.so@0xe3f19 ]