Bug 1285525 - Crash in mozilla::AudioStream::Init
Status: Closed (opened 8 years ago, closed 8 years ago)
Category: Core :: Security: Process Sandboxing (defect)
Tracking
Resolution: RESOLVED FIXED
Target milestone: mozilla50

Flag | Tracking | Status
---|---|---
firefox50 | --- | fixed
People: Reporter ato; assignee unassigned
References: Blocks 1 open bug
Attachments: 1 file

Description
Nightly crashes on attempting to initialise mozilla::AudioStream, which calls alsa_stream_init in libasound.so.2.0.0: https://crash-stats.mozilla.com/report/index/bd62f279-187a-42f0-b656-8fa032160708
This seems likely to be fallout from bug 742434.
Updated 8 years ago (reporter)
Summary: Crash on in mozilla::AudioStream::Init → Crash in mozilla::AudioStream::Init
Comment 1 (reporter, 8 years ago)
This can be reproduced by being pinged on IRCCloud when the tab isn't in the foreground.
Comment 3 (8 years ago)
Review commit: https://reviewboard.mozilla.org/r/63236/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/63236/
Attachment #8769272 - Flags: review?(julian.r.hector)
Comment 4 (8 years ago)
Comment on attachment 8769272 [details] 1285525 - Add sys_semget to seccomp-bpf whitelist. https://reviewboard.mozilla.org/r/63236/#review60198 ::: security/sandbox/linux/SandboxFilter.cpp:637 (Diff revision 1) > .Else(InvalidSyscall()); > } > + > + case __NR_semget: > + return Allow(); > #endif Is there a reason for this to be added within the __NR_rt_tsigqueueinfo ifdef? I can't find sys_semget in syscall_32.tbl (x86 system call table), it probably needs its own ifdef if it is not defined on x86.
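Review bot: the new `case __NR_semget:` / `return Allow();` pair is inserted directly before the `#endif` of a conditional block that belongs to a different syscall, so whether semget is whitelisted depends on that other syscall's number being defined rather than on `__NR_semget` itself; give the case its own `#ifdef __NR_semget` guard, and because 32-bit x86 has no direct semget entry in syscall_32.tbl, the allow decision for that ABI has to be made where the multiplexed ipc() call is dispatched, keyed on SEMGET, or the crash persists there.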
Attachment #8769272 - Flags: review?(julian.r.hector) → review-
Comment 5 (8 years ago)
:gcp, what do you think of whitelisting the other system calls related to System V semaphores (all defined on x86_64, arm, arm64): sys_semctl, sys_semget, sys_semop, sys_semtimedop? If sys_semget is used, the others are probably used as well. But we could also wait for crash reports to come in so we only whitelist the ones actually used.
Flags: needinfo?(gpascutto)
Comment 6 (8 years ago)
Comment on attachment 8769272 [details] 1285525 - Add sys_semget to seccomp-bpf whitelist.
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/63236/diff/1-2/
Attachment #8769272 - Attachment description: Bug 1285525 - Add sys_semget to seccomp-bpf whitelist. → 1285525 - Add sys_semget to seccomp-bpf whitelist.
Attachment #8769272 - Flags: review- → review?(julian.r.hector)
Comment 7 (8 years ago)
(In reply to Julian Hector [:tedd] [:jhector] from comment #5)
> But we could also wait for crash reports to come in so we only whitelist the ones
> actually used.

I'd rather whitelist what we need. We can better keep track of the underlying callers that way.
Flags: needinfo?(gpascutto)
Comment 8 (8 years ago)
Comment on attachment 8769272 [details] 1285525 - Add sys_semget to seccomp-bpf whitelist.
https://reviewboard.mozilla.org/r/63236/#review60282
lgtm
Attachment #8769272 - Flags: review?(julian.r.hector) → review+
Comment 9 (8 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b46c6dcd1ea8bc355da21bf19bf212a9a7842e0
Bug 1285525 - Add sys_semget to seccomp-bpf whitelist. r=tedd
Comment 10 (bugherder, 8 years ago)
https://hg.mozilla.org/mozilla-central/rev/4b46c6dcd1ea
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 11 (8 years ago)
https://reviewboard.mozilla.org/r/63236/#review60370 ::: security/sandbox/linux/SandboxFilter.cpp:642 (Diff revision 2) > .Else(InvalidSyscall()); > } > #endif > > +#ifdef __NR_semget > + case __NR_semget: This doesn't fix 32-bit x86; it should be checking for SEMGET in EvaluateIpcCall().
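Review bot: the `#ifdef __NR_semget` guard on the new case compiles the whitelist entry away on 32-bit x86, where no `__NR_semget` exists and semget arrives as the multiplexed ipc() syscall with SEMGET as its first argument, so diff revision 2 still leaves that ABI crashing; add a SEMGET case in EvaluateIpcCall(), where the multiplexed IPC calls are dispatched, and keep the direct `__NR_semget` case for the ABIs that have the number.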
Comment 12 (8 years ago)
Thanks Jed, I just checked dxr: https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilterUtil.cpp#100
It seems that __NR_semget is dispatched anyways, so just checking SEMGET in EvaluateIpcCall() should fix both architectures. Sorry :gcp, I forgot that we dispatch those calls as well.
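The 32-bit dispatch problem raised in comments 4, 11 and 12, shown as an added example that is not Firefox's SandboxFilter.cpp code: a minimal seccomp-bpf allow-list that admits semget on x86_64 by its direct syscall number and on 32-bit x86 only as ipc() with SEMGET in the first argument, evaluated by a small classic-BPF interpreter over constructed seccomp_data records so it runs without installing a filter. The names `policy`, `run_policy`, `decide`, `NR_SEMGET_X86_64` and `NR_IPC_I386` are this example's own; it assumes the pinned syscall numbers (64 for x86_64 semget, 117 for i386 ipc), a little-endian host for reading the low 32 bits of args[0], and uses ERRNO(ENOSYS) as a stand-in deny action where the real filter's InvalidSyscall() traps instead.

```c
/* Added example; not code from Firefox's SandboxFilter.cpp. Builds a minimal
 * seccomp-bpf allow-list for semget(2) with an explicit architecture check and
 * evaluates it offline with a small classic-BPF interpreter, so the policy can
 * be exercised on constructed seccomp_data records without being installed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/ipc.h>
#include <linux/seccomp.h>

/* Syscall numbers pinned per ABI (assumption: a host whose kernel tables match):
 * semget is 64 on x86_64, while 32-bit x86 of this era has no direct semget
 * number and reaches it through ipc(2), number 117, with SEMGET as argument 0. */
#define NR_SEMGET_X86_64 64u
#define NR_IPC_I386      117u

/* Absolute 32-bit load of one seccomp_data field into the accumulator. */
#define LOAD(field) \
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
/* Stand-in deny action; the real filter's InvalidSyscall() traps instead. */
#define DENY (SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA))

static const struct sock_filter policy[] = {
    /*  0 */ LOAD(arch),
    /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 4), /* else -> 6 */
    /*  2 */ LOAD(nr),
    /*  3 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_SEMGET_X86_64, 0, 1),
    /*  4 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /*  5 */ BPF_STMT(BPF_RET | BPF_K, DENY),
    /*  6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 0, 6),   /* else -> 13 */
    /*  7 */ LOAD(nr),
    /*  8 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IPC_I386, 0, 3),      /* else -> 12 */
    /*  9 */ LOAD(args), /* low 32 bits of args[0]; assumes a little-endian host */
    /* 10 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEMGET, 0, 1),
    /* 11 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 12 */ BPF_STMT(BPF_RET | BPF_K, DENY),
    /* 13 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* unknown ABI: fail closed */
};

/* Evaluate the filter the way the kernel's classic-BPF interpreter does, for
 * the three opcodes this policy uses; anything unexpected fails closed. */
static uint32_t run_policy(const struct seccomp_data *data)
{
    const unsigned char *mem = (const unsigned char *)data;
    size_t len = sizeof policy / sizeof policy[0];
    uint32_t acc = 0;

    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &policy[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *data)
                return SECCOMP_RET_KILL;
            memcpy(&acc, mem + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            /* the loop already steps past this instruction; jt/jf add to that */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end of the program */
}

/* Build the record the kernel would hand to the filter and evaluate it. */
static uint32_t decide(uint32_t arch, uint32_t nr, uint64_t arg0)
{
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = (int)nr;
    data.arch = arch;
    data.args[0] = arg0;
    return run_policy(&data);
}

int main(void)
{
    /* Constructed probes: the same number means different things per ABI. */
    struct { const char *what; uint32_t arch, nr; uint64_t arg0; } probes[] = {
        { "x86_64 semget (nr 64)",        AUDIT_ARCH_X86_64, NR_SEMGET_X86_64, 0 },
        { "x86_64 nr 117 (not ipc)",      AUDIT_ARCH_X86_64, NR_IPC_I386, 0 },
        { "i386 ipc(SEMGET)",             AUDIT_ARCH_I386, NR_IPC_I386, SEMGET },
        { "i386 ipc(SHMGET)",             AUDIT_ARCH_I386, NR_IPC_I386, SHMGET },
        { "i386 nr 64 (not semget)",      AUDIT_ARCH_I386, NR_SEMGET_X86_64, 0 },
        { "arm nr 64 (no arm branch)",    AUDIT_ARCH_ARM, NR_SEMGET_X86_64, 0 },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-30s -> 0x%08x\n", probes[i].what,
               decide(probes[i].arch, probes[i].nr, probes[i].arg0));
    return 0;
}
```

Build with `cc -Wall example.c` on a Linux host with kernel headers. The i386 probes are the point of comments 11 and 12: a filter keyed only on `__NR_semget` never sees number 64 as semget on that ABI, and the semget request only becomes visible by inspecting args[0] of ipc(), which is what checking SEMGET in EvaluateIpcCall() does in the real sandbox.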
Comment 13 (8 years ago)
I will fix this with the patch for Bug 1286033 (adding sys_semctl).
Updated 8 years ago
Crash Signature: [@ libc-2.23.so@0xe8f17 ] [@ libc-2.22.so@0xea6a7 ] [@ libc-2.22.so@0xead57 ] [@ libc-2.19.so@0xfbdb7 ] [@ libc-2.23.so@0xe94d7 ] [@ libc-2.23.so@0x1083b7 ] [@ libc-2.22.so@0xed2c7 ] [@ libc-2.23.so@0xeb447 ] [@ libc-2.19.so@0xe7857 ] [@ libc-2.23.so@0x10…
Updated 7 years ago