Closed Bug 1285525 Opened 8 years ago Closed 8 years ago

Crash in mozilla::AudioStream::Init

Categories

(Core :: Security: Process Sandboxing, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla50
Tracking Status
firefox50 --- fixed

People

(Reporter: ato, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

Attachments

(1 file)

Nightly crashes on attempting to initialise mozilla::AudioStream, which calls alsa_stream_init in libasound.so.2.0.0:

    https://crash-stats.mozilla.com/report/index/bd62f279-187a-42f0-b656-8fa032160708

This seems likely to be a fallout from bug 742434.
Summary: Crash on in mozilla::AudioStream::Init → Crash in mozilla::AudioStream::Init
Blocks: 1280415
This can be reproduced by being pinged on IRCCloud when the tab isn’t in the foreground.
Depends on: sb-audio
Comment on attachment 8769272 [details]
1285525 - Add sys_semget to seccomp-bpf whitelist.

https://reviewboard.mozilla.org/r/63236/#review60198

::: security/sandbox/linux/SandboxFilter.cpp:637
(Diff revision 1)
>          .Else(InvalidSyscall());
>      }
> +
> +    case __NR_semget:
> +      return Allow();
>  #endif
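Review bot: the new `case __NR_semget:` is placed inside an existing `#ifdef` block (the `#endif` on the following context line closes it), so it is only compiled when that unrelated guard holds and is silently missing otherwise; move the case out of that block and give it its own `#ifdef __NR_semget` / `#endif`, since `sys_semget` does not appear in syscall_32.tbl and the symbol will be undefined on 32-bit x86.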

Is there a reason for this to be added within the __NR_rt_tsigqueueinfo ifdef?

I can't find sys_semget in syscall_32.tbl (x86 system call table); it probably needs its own ifdef if it is not defined on x86.
Attachment #8769272 - Flags: review?(julian.r.hector) → review-
:gcp what do you think of whitelisting the other system calls related to System V semaphores (all defined on x86_64, arm, arm64):

sys_semctl
sys_semget
sys_semop
sys_semtimedop

If sys_semget is used, the others are probably used as well. But we could also wait for crash reports to come in so we only whitelist the ones actually used.
Flags: needinfo?(gpascutto)
Comment on attachment 8769272 [details]
1285525 - Add sys_semget to seccomp-bpf whitelist.

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/63236/diff/1-2/
Attachment #8769272 - Attachment description: Bug 1285525 - Add sys_semget to seccomp-bpf whitelist. → 1285525 - Add sys_semget to seccomp-bpf whitelist.
Attachment #8769272 - Flags: review- → review?(julian.r.hector)
(In reply to Julian Hector [:tedd] [:jhector] from comment #5)
> But we could also wait for crash reports to come in so we only whitelist the ones
> actually used.

I'd rather whitelist what we need. We can better keep track of the underlying callers that way.
Flags: needinfo?(gpascutto)
Comment on attachment 8769272 [details]
1285525 - Add sys_semget to seccomp-bpf whitelist.

https://reviewboard.mozilla.org/r/63236/#review60282

lgtm
Attachment #8769272 - Flags: review?(julian.r.hector) → review+
https://hg.mozilla.org/mozilla-central/rev/4b46c6dcd1ea
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
https://reviewboard.mozilla.org/r/63236/#review60370

::: security/sandbox/linux/SandboxFilter.cpp:642
(Diff revision 2)
>          .Else(InvalidSyscall());
>      }
>  #endif
>  
> +#ifdef __NR_semget
> +    case __NR_semget:
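Review bot: `#ifdef __NR_semget` stops the build from breaking where the symbol is undefined, but it also means 32-bit x86 still gets no semget policy at all, because that architecture has no direct `__NR_semget` and reaches the kernel through the `ipc(2)` multiplexer; the allow rule belongs in `EvaluateIpcCall()` as a `SEMGET` case (SandboxFilterUtil.cpp), which covers both dispatch paths with one rule. Since the follow-up for `sys_semctl` (bug 1286033) is already open, it is worth landing the `SEMGET` and `SEMCTL` cases together so the IPC dispatch is handled once.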

This doesn't fix 32-bit x86; it should be checking for SEMGET in EvaluateIpcCall().
Thanks Jed, I just checked dxr:
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilterUtil.cpp#100

It seems that __NR_semget is dispatched anyway, so just checking SEMGET in EvaluateIpcCall() should fix both architectures. Sorry :gcp, I forgot that we dispatch those calls as well.
I will fix this with the patch for Bug 1286033 (adding sys_semctl).
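The thread's point is that a seccomp-bpf allow rule keyed on `__NR_semget` only reaches architectures that have a direct semget syscall, while 32-bit x86 multiplexes all System V IPC through `ipc(2)` and encodes the operation in the first argument. The following is an added illustration, not Mozilla's sandbox code: it models the filter's decision in user space so the two dispatch paths can be compared. `PolicyDirectOnly`, `PolicyWithIpcDispatch`, `EvaluateIpcCall` and `SyscallRequest` are hypothetical names; the syscall numbers, audit-arch values and `ipc(2)` subcall codes are the real values from the Linux kernel's syscall tables and `uapi/linux/ipc.h`, reproduced as constants so the example compiles on any platform.

```cpp
#include <cstdint>
#include <cstdio>

// Values copied from the Linux kernel headers so the example needs no Linux
// includes: AUDIT_ARCH_* from linux/audit.h, syscall numbers from
// arch/x86/entry/syscalls/syscall_{64,32}.tbl, subcalls from uapi/linux/ipc.h.
constexpr uint32_t kAuditArchX86_64 = 0xc000003e;
constexpr uint32_t kAuditArchI386   = 0x40000003;
constexpr int kNrSemgetX86_64 = 64;   // direct syscall on x86_64
constexpr int kNrIpcI386      = 117;  // i386 has no semget; it uses ipc(2)
constexpr int kIpcSemop = 1, kIpcSemget = 2, kIpcSemctl = 3, kIpcSemtimedop = 4;

enum class Verdict { Allow, Kill };

// What the BPF filter gets to look at (mirrors struct seccomp_data).
struct SyscallRequest {
  uint32_t arch;
  int nr;
  uint64_t args[6];
};

// "Before": whitelist only the direct syscall number, as the first patch
// revision did. Correct on x86_64, a no-op on i386.
Verdict PolicyDirectOnly(const SyscallRequest& r) {
  if (r.arch == kAuditArchX86_64 && r.nr == kNrSemgetX86_64) {
    return Verdict::Allow;
  }
  return Verdict::Kill;
}

// Hypothetical stand-in for EvaluateIpcCall(): decides on the ipc(2) subcall.
// Only SEMGET is allowed here; semctl/semop are left for the follow-up bug.
Verdict EvaluateIpcCall(int call) {
  switch (call) {
    case kIpcSemget:
      return Verdict::Allow;
    default:
      return Verdict::Kill;
  }
}

// "After": the direct syscall on x86_64 and the ipc(2) multiplexer on i386 are
// routed to the same subcall decision. On i386 the first argument is
// IPCCALL(version, op) = (version << 16) | op, so only the low 16 bits matter.
Verdict PolicyWithIpcDispatch(const SyscallRequest& r) {
  switch (r.arch) {
    case kAuditArchX86_64:
      return r.nr == kNrSemgetX86_64 ? EvaluateIpcCall(kIpcSemget) : Verdict::Kill;
    case kAuditArchI386:
      if (r.nr == kNrIpcI386) {
        return EvaluateIpcCall(static_cast<int>(r.args[0] & 0xffff));
      }
      return Verdict::Kill;
    default:
      return Verdict::Kill;
  }
}

// Constructed sample requests: semget on both architectures, plus semctl on
// i386 to show the subcall check does not widen the policy.
SyscallRequest SemgetX86_64() { return {kAuditArchX86_64, kNrSemgetX86_64, {0, 0, 0, 0, 0, 0}}; }
SyscallRequest SemgetI386()   { return {kAuditArchI386, kNrIpcI386, {kIpcSemget, 0, 0, 0, 0, 0}}; }
SyscallRequest SemctlI386()   { return {kAuditArchI386, kNrIpcI386, {kIpcSemctl, 0, 0, 0, 0, 0}}; }

const char* Name(Verdict v) { return v == Verdict::Allow ? "allow" : "kill"; }

int main() {
  std::printf("x86_64 semget  direct-only=%s  with-ipc-dispatch=%s\n",
              Name(PolicyDirectOnly(SemgetX86_64())), Name(PolicyWithIpcDispatch(SemgetX86_64())));
  std::printf("i386   semget  direct-only=%s  with-ipc-dispatch=%s\n",
              Name(PolicyDirectOnly(SemgetI386())), Name(PolicyWithIpcDispatch(SemgetI386())));
  std::printf("i386   semctl  direct-only=%s  with-ipc-dispatch=%s\n",
              Name(PolicyDirectOnly(SemctlI386())), Name(PolicyWithIpcDispatch(SemctlI386())));
  return 0;
}
```

The direct-only policy kills the i386 semget request while the dispatching policy allows it, which is exactly the gap the second review comment describes; keeping the subcall decision in one place also means the later semctl whitelist only needs a new case in `EvaluateIpcCall`, with no per-architecture duplication.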
Crash Signature: [@ libc-2.23.so@0xe8f17 ] [@ libc-2.22.so@0xea6a7 ] [@ libc-2.22.so@0xead57 ] [@ libc-2.19.so@0xfbdb7 ] [@ libc-2.23.so@0xe94d7 ] [@ libc-2.23.so@0x1083b7 ] [@ libc-2.22.so@0xed2c7 ] [@ libc-2.23.so@0xeb447 ] [@ libc-2.19.so@0xe7857 ] [@ libc-2.23.so@0x10…
Blocks: sb-audio
No longer depends on: sb-audio