Bug 1289500 - Sandbox violation by __NR_vfork when using uim-mozc
Status: Closed, RESOLVED FIXED
Opened 8 years ago, closed 8 years ago
Categories: Core :: Security: Process Sandboxing, defect
Target milestone: mozilla50
Tracking | Status
---|---
firefox50 | fixed
People: Reporter: m_kato, Assigned: m_kato
Keywords: crash, inputmethod
Attachments: 1 file
This bug was filed from the Socorro interface and is report bp-b84b0784-d151-40b4-9aab-4643c2160726.
=============================================================
Although we don't use the gtk_im_* APIs on the content process, GTK APIs might call gtk_im_* APIs internally (e.g. setting the cursor position inside GTK internal code).
I think that we shouldn't load the GTK IM module on the content process if possible. But GTK doesn't provide good APIs for this usage...
- Steps
1. Set up uim-mozc
2. Run Firefox with e10s + content sandbox
- Result
Crash by sandbox violation
Comment 1 • 8 years ago
#4 vfork () at ../sysdeps/unix/sysv/linux/x86_64/vfork.S:52
#5 0x00007fe30a105215 in __spawni (pid=0x7ffc77fa862c,
file=0x7fe2ddabefe0 "/usr/lib/mozc/mozc_server", file_actions=0x0,
attrp=0x0, argv=0x7fe2ddae2bd0, envp=0x7ffc77faa670, xflags=0)
at ../sysdeps/posix/spawni.c:106
#6 0x00007fe30a104f5b in __posix_spawn (pid=<optimized out>,
path=<optimized out>, file_actions=<optimized out>, attrp=<optimized out>,
argv=<optimized out>, envp=<optimized out>) at spawn.c:30
#7 0x00007fe2dd7c43a8 in mozc::Process::SpawnProcess(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long*) () from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#8 0x00007fe2dd77b9f0 in mozc::client::ServerLauncher::StartServer(mozc::client::ClientInterface*) () from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#9 0x00007fe2dd779cc5 in mozc::client::Client::EnsureConnection() ()
from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#10 0x00007fe2dd77870a in ?? ()
from /usr/lib/x86_64-linux-gnu/uim/plugin/libuim-mozc.so
#11 0x00007fe2de5c5f9f in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#12 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#13 0x00007fe2de5d2047 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#14 0x00007fe2de5c5f74 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#15 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#16 0x00007fe2de5d2047 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#17 0x00007fe2de5c5f74 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#18 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#19 0x00007fe2de5d2047 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#20 0x00007fe2de5c5f74 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#21 0x00007fe2de5c6279 in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#22 0x00007fe2de5c6b3c in ?? () from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#23 0x00007fe2de1a0cbd in GCROOTS_call_with_gc_ready_stack ()
from /usr/lib/x86_64-linux-gnu/libgcroots.so.0
#24 0x00007fe2de5d7b33 in uim_scm_callf ()
from /usr/lib/x86_64-linux-gnu/libuim-scm.so.0
#25 0x00007fe2de3ac040 in uim_create_context ()
from /usr/lib/x86_64-linux-gnu/libuim.so.8
#26 0x00007fe2de7f001a in im_module_create ()
from /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-uim.so
#27 0x00007fe3028111b6 in _gtk_im_module_create (context_id=<optimized out>)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimmodule.c:793
#28 0x00007fe302811c4b in gtk_im_multicontext_get_slave (
multicontext=0x7fe2ef2d8690)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimmulticontext.c:275
#29 0x00007fe302811f82 in gtk_im_multicontext_get_preedit_string (
context=<optimized out>, str=0x7ffc77fa8f40, attrs=0x7ffc77fa8f48,
cursor_pos=0x0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimmulticontext.c:337
#30 0x00007fe30280e11c in gtk_im_context_get_preedit_string (
context=0x7fe2ef2d8690, str=0x7ffc77fa8f40, attrs=0x7ffc77fa8f48,
cursor_pos=0x0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkimcontext.c:490
#31 0x00007fe3027ac04a in gtk_entry_create_layout (include_preedit=1,
entry=0x7fe2ef2e45d0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6213
#32 gtk_entry_ensure_layout (entry=0x7fe2ef2e45d0,
include_preedit=include_preedit@entry=1)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6305
#33 0x00007fe3027ad297 in gtk_entry_get_cursor_locations (
entry=entry@entry=0x7fe2ef2e45d0, strong_x=strong_x@entry=0x7ffc77fa9024,
weak_x=weak_x@entry=0x0, type=CURSOR_STANDARD)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6736
#34 0x00007fe3027adaca in update_im_cursor_location (entry=0x7fe2ef2e45d0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6102
#35 gtk_entry_recompute (entry=0x7fe2ef2e45d0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:6133
#36 0x00007fe3027abaea in get_buffer (entry=entry@entry=0x7fe2ef2e45d0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:7416
#37 0x00007fe3027ae612 in gtk_entry_real_set_position (
editable=0x7fe2ef2e45d0, position=0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:5106
#38 0x00007fe3027aba6d in gtk_entry_set_buffer (entry=0x7fe2ef2e45d0,
buffer=0x0) at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:7491
#39 0x00007fe30534d6a3 in ?? ()
from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#40 0x00007fe30534ec01 in g_object_newv ()
from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#41 0x00007fe30534f534 in g_object_new ()
from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#42 0x00007fe3027ab7f9 in gtk_entry_new ()
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkentry.c:7387
#43 0x00007fe3027641f5 in gtk_combo_box_create_child (combo_box=0x7fe2ef2ee2a0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkcombobox.c:1652
#44 0x00007fe302766966 in gtk_combo_box_constructed (object=0x7fe2ef2ee2a0)
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkcombobox.c:4408
#45 0x00007fe30534d897 in ?? ()
from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#46 0x00007fe30534f1b5 in g_object_new_valist ()
from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#47 0x00007fe30534f521 in g_object_new ()
from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#48 0x00007fe302766345 in gtk_combo_box_new_with_entry ()
at /build/gtk+3.0-MFQuqz/gtk+3.0-3.20.6/./gtk/gtkcombobox.c:3628
#49 0x00007fe30d7e847f in nsLookAndFeel::Init (this=0x7fe2fa51ca80)
at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/widget/gtk/nsLookAndFeel.cpp:1201
#50 0x00007fe30d7be9a3 in nsXPLookAndFeel::GetInstance ()
at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/widget/nsXPLookAndFeel.cpp:265
#51 0x00007fe30d7c177b in mozilla::LookAndFeel::GetColor (
aID=aID@entry=mozilla::LookAndFeel::eColorID_WindowBackground,
aResult=aResult@entry=0x7fe2fd218340)
at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/widget/nsXPLookAndFeel.cpp:906
#52 0x00007fe30dddef0f in nsWebBrowser::Create (this=0x7fe2fd218240)
at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/embedding/browser/nsWebBrowser.cpp:1199
#53 0x00007fe30d5b955b in mozilla::dom::TabChild::Init (this=0x7fe2ef2d1400)
at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/dom/ipc/TabChild.cpp:803
#54 0x00007fe30d5be4e5 in mozilla::dom::TabChild::Create (
aManager=aManager@entry=0x7fe2fdd819d8, aTabId=..., aContext=...,
aChromeFlags=<optimized out>)
...
#77 0x00007fe30e03f3a7 in XRE_InitChildProcess (aArgc=<optimized out>,
aArgv=aArgv@entry=0x7ffc77faa638,
aChildData=aChildData@entry=0x7ffc77faa510)
at /home/makoto/Development/hg.mozilla.org/mozilla-inbound/toolkit/xre/nsEmbedFunctions.cpp:681
#78 0x000000000040939d in content_process_main (argc=<optimized out>,
argv=0x7ffc77faa638)
Updated • 8 years ago
Assignee: nobody → m_kato
Comment 2 • 8 years ago
Set GTK_IM_MODULE to gtk-im-context-simple on the content process...
Comment 3 • 8 years ago
We can also make vfork() fail with EPERM instead of crashing; this is already the case for fork() and any other non-pthread_create uses of clone(), in bug 1286324. Also, from the stack it looks like this would affect anything using posix_spawn (at least with a similar libc), so we might want to do that just to make posix_spawn consistent with fork+exec.
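One way to express the policy Jed describes above, as an added example that is not Gecko's sandbox code (bug 1286324's real filter is not reproduced here): a seccomp-bpf filter that answers vfork, fork and non-thread clone with EPERM instead of a kill, which also covers glibc's posix_spawn because its clone(CLONE_VM|CLONE_VFORK) carries no CLONE_THREAD, plus a small evaluator so the verdicts can be checked before the filter is installed. It assumes x86_64 syscall numbers and little-endian argument layout, matching the stack in comment 1; the names `decide` and `install_fork_policy` are mine.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define LOAD(f)       BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))
#define RET(v)        BPF_STMT(BPF_RET | BPF_K, (v))
#define JEQ(v, t, f)  BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (t), (f))
#define JSET(v, t, f) BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, (v), (t), (f))
#define ERRNO_EPERM   (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
/* Process creation fails with EPERM instead of killing the sandboxed process;
   clone(CLONE_THREAD) from pthread_create is still allowed. glibc's posix_spawn
   uses clone(CLONE_VM|CLONE_VFORK) without CLONE_THREAD, so it gets EPERM too. */
static struct sock_filter fork_policy[] = {
    LOAD(arch), JEQ(AUDIT_ARCH_X86_64, 1, 0), RET(SECCOMP_RET_KILL), LOAD(nr),
    JEQ(__NR_vfork, 5, 0),        /* vfork          -> EPERM (jump to last RET) */
    JEQ(__NR_fork, 4, 0),         /* fork           -> EPERM */
    JEQ(__NR_clone, 0, 2),        /* other syscalls -> allow */
    LOAD(args[0]),                /* clone flags: low 32 bits of args[0], little-endian */
    JSET(CLONE_THREAD, 0, 1),     /* thread clone   -> allow, otherwise EPERM */
    RET(SECCOMP_RET_ALLOW),
    RET(ERRNO_EPERM),
};
/* Interpreter for the four opcodes above: checks verdicts without installing. */
static unsigned int evaluate(const struct seccomp_data *d) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < sizeof fork_policy / sizeof *fork_policy; pc++) {
        const struct sock_filter *i = &fork_policy[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (const char *)d + i->k, 4);
        else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (acc == i->k) ? i->jt : i->jf;
        else if (i->code == (BPF_JMP | BPF_JSET | BPF_K)) pc += (acc & i->k) ? i->jt : i->jf;
        else return i->k;                                  /* BPF_RET */
    }
    return SECCOMP_RET_KILL;                               /* ran off the end */
}
/* Verdict for syscall nr on x86_64; clone_flags only matters for __NR_clone. */
unsigned int decide(int nr, unsigned long long clone_flags) {
    struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64, .args = { clone_flags } };
    return evaluate(&d);
}
int install_fork_policy(void) {   /* for real use; irreversible for this process */
    struct sock_fprog prog = { sizeof fork_policy / sizeof *fork_policy, fork_policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

After install_fork_policy() a library that calls posix_spawn, as uim-mozc does in the stack above, sees an EPERM return instead of the sandbox killing the content process.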
Comment 4 • 8 years ago
(In reply to Jed Davis [:jld] [⏰PDT; UTC-7] from comment #3)
> We can also make vfork() fail with EPERM instead of crashing; this is
> already the case for fork() and any other non-pthread_create uses of
> clone(), in bug 1286324. Also, from the stack it looks like this would
> affect anything using posix_spawn (at least with a similar libc), so we
> might want to do that just to make posix_spawn consistent with fork+exec.
Thanks. Even if we allow it or return EPERM, uim-mozc won't be able to communicate with the mozc server (IM engine) process... (I haven't debugged it yet). So we shouldn't load the IM module on the content process, because we don't use the gtk_im APIs on the content process. GTK_IM_MODULE=gtk-im-context-simple will be able to disallow the external IM module.
Comment 5 • 8 years ago
Now the content sandbox process is enabled. Since uim-mozc uses vfork, it causes a sandbox violation. It is unnecessary to load the IM module on the content process because we don't use the GTK IM APIs on the content process.
Review commit: https://reviewboard.mozilla.org/r/67326/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/67326/
Attachment #8774980 - Flags: review?(masayuki)
Comment 6 • 8 years ago
Comment on attachment 8774980 [details]
Bug 1289500 - Don't load GTK IM module on content process.
https://reviewboard.mozilla.org/r/67326/#review64360
If my following worries are wrong, r=masayuki.
::: ipc/glue/GeckoChildProcessHost.cpp:736
(Diff revision 1)
> + // disable IM module to avoid sandbox violation
> + newEnvVars["GTK_IM_MODULE"] = "gtk-im-context-simple";
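Review bot: the comment on the first added line, "disable IM module to avoid sandbox violation", should say which violation and why this exact value. The crash in comment 1 is uim-mozc's posix_spawn/vfork of mozc_server from inside GTK's IM module, and comment 8 notes that an empty or unknown GTK_IM_MODULE makes GTK fall back to the gtk-im-module xsettings value and still load the external module, so only the built-in context id works. Suggest something like `// Force GTK's builtin simple IM context; empty/unknown values fall back to xsettings and may load an external module that vfork()s (bug 1289500)`.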
I worry about something:
1. Whether "gtk-im-context-simple" is a valid value in every environment Gecko is available on.
2. If "gtk-im-context-simple" isn't available, which IM module will be used?
3. Could we get an alternative IM module name from a pref for odd environments?
Attachment #8774980 - Flags: review?(masayuki) → review+
Comment 7 • 8 years ago
https://reviewboard.mozilla.org/r/67326/#review64360
> I worry about something:
>
> 1. Whether "gtk-im-context-simple" is valid value in any environments which Gecko is available on.
> 2. If "gtk-im-context-simple" isn't available, which IM module will be used?
> 3. Could we get the alternative IM module name from pref for odd environment?
Um, I found this document:
https://wiki.archlinux.org/index.php/Internationalization#Disabling_GTK_IM_modules_.28without_uninstalling.29
> To prevent GTK+ from loading any IM modules
>
> set GTK_IM_MODULE to the empty string
> set GTK_IM_MODULE to "gtk-im-context-simple"
Setting an empty string might be safer? (up to you!)
Comment 8 • 8 years ago
(In reply to Masayuki Nakano [:masayuki] (Mozilla Japan) from comment #6)
> Comment on attachment 8774980 [details]
> Bug 1289500 - Don't load GTK IM module on content process.
>
> https://reviewboard.mozilla.org/r/67326/#review64360
>
> If my following worries are wrong, r=masayuki.
>
> ::: ipc/glue/GeckoChildProcessHost.cpp:736
> (Diff revision 1)
> > + // disable IM module to avoid sandbox violation
> > + newEnvVars["GTK_IM_MODULE"] = "gtk-im-context-simple";
>
> I worry about something:
>
> 1. Whether "gtk-im-context-simple" is valid value in any environments which
> Gecko is available on.
> 2. If "gtk-im-context-simple" isn't available, which IM module will be used?
gtk-im-context-simple is GTK's internal context id. gtk-im-context-simple means that GTK doesn't load an external IM module; if the GTK module is this one, the GtkIMContext is created by gtk_im_context_simple_new() for the builtin IM class.
> 3. Could we get the alternative IM module name from pref for odd environment?
Even if we clear GTK_IM_MODULE, or GTK_IM_MODULE has an unknown module name, GTK will get gtk-im-module from xsettings. To detect the current IM module, we have to check both values, check whether it can be loaded, and then check whether the im_module->create call succeeds. (I requested an API from them, but they have rejected it for now; see https://bugzilla.gnome.org/show_bug.cgi?id=764568.)
(In reply to Masayuki Nakano [:masayuki] (Mozilla Japan) from comment #7)
> https://reviewboard.mozilla.org/r/67326/#review64360
>
> > I worry about something:
> >
> > 1. Whether "gtk-im-context-simple" is valid value in any environments which Gecko is available on.
> > 2. If "gtk-im-context-simple" isn't available, which IM module will be used?
> > 3. Could we get the alternative IM module name from pref for odd environment?
>
> Um, I found this document:
> https://wiki.archlinux.org/index.php/Internationalization#Disabling_GTK_IM_modules_.28without_uninstalling.29
>
> > To prevent GTK+ from loading any IM modules
> >
> > set GTK_IM_MODULE to the empty string
> > set GTK_IM_MODULE to "gtk-im-context-simple"
>
> Setting empty string might be safer? (up to you!)
Empty doesn't work well. If GTK_IM_MODULE is empty or invalid, GTK reads xsettings.
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/635ffb6c4ccf
Don't load GTK IM module on content process. r=masayuki
Comment 10 • 8 years ago
bugherder
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 11 • 8 years ago
Thanks!