Open Bug 1292249 Opened 7 years ago Updated 6 months ago

nsFileChannel::OpenContentStream leads to sys call access(mimehandler, X_OK) checks in content

Categories

(Core :: Security: Process Sandboxing, defect, P3)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox51 --- affected

People

(Reporter: gcp, Unassigned)

References

Details

(Whiteboard: sblc5) 

This isn't directly a problem, but nsGIOService::GetAppForMimeType probably shouldn't run in content as its functionality will be impaired by seccomp-bpf.

Sandbox: SandboxBroker: denied op=1 rflags=1 perms=15 path=/usr/local/bin/kate for pid=2798 permissive=1 error="No such file or directory"
Sandbox: seccomp sandbox violation: pid 2798, syscall 21, args 139915271711700 1 14 32 0 64.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: __GI_access (/build/glibc-uPj9cH/glibc-2.19/io/../sysdeps/unix/syscall-template.S:81)
Sandbox: frame #02: g_file_test (/build/glib2.0-ETetDu/glib2.0-2.48.0/./glib/gfileutils.c:412 (discriminator 1))
Sandbox: frame #03: g_find_program_in_path (/build/glib2.0-ETetDu/glib2.0-2.48.0/./glib/gutils.c:459)
Sandbox: frame #04: g_desktop_app_info_load_from_keyfile (/build/glib2.0-ETetDu/glib2.0-2.48.0/./gio/gdesktopappinfo.c:1709)
Sandbox: frame #05: g_desktop_app_info_load_file (/build/glib2.0-ETetDu/glib2.0-2.48.0/./gio/gdesktopappinfo.c:1824)
Sandbox: frame #06: g_app_info_get_default_for_type (/build/glib2.0-ETetDu/glib2.0-2.48.0/./gio/gdesktopappinfo.c:4049)
Sandbox: frame #07: nsGIOService::GetAppForMimeType(nsACString_internal const&, nsIGIOMimeApp**) (/home/morbo/hg/firefox/toolkit/system/gnome/nsGIOService.cpp:295)
Sandbox: frame #08: nsGNOMERegistry::GetFromType(nsACString_internal const&) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsGNOMERegistry.cpp:97)
Sandbox: frame #09: already_AddRefed<nsMIMEInfoBase>::take() (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/AlreadyAddRefed.h:116)
Sandbox: frame #10: already_AddRefed<nsMIMEInfoBase>::take() (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/AlreadyAddRefed.h:116)
Sandbox: frame #11: already_AddRefed<nsMIMEInfoBase>::take() (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/AlreadyAddRefed.h:116)
Sandbox: frame #12: already_AddRefed<nsIMIMEInfo>::take() (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/AlreadyAddRefed.h:116)
Sandbox: frame #13: nsExternalHelperAppService::GetTypeFromFile(nsIFile*, nsACString_internal&) (/home/morbo/hg/firefox/uriloader/exthandler/nsExternalHelperAppService.cpp:2891)
Sandbox: frame #14: ~nsCOMPtr (/home/morbo/hg/firefox/objdir-desktop/dist/include/nsCOMPtr.h:402)
Sandbox: frame #15: nsFileChannel::OpenContentStream(bool, nsIInputStream**, nsIChannel**) (/home/morbo/hg/firefox/netwerk/protocol/file/nsFileChannel.cpp:403)
Sandbox: frame #16: nsBaseChannel::Open(nsIInputStream**) (/home/morbo/hg/firefox/netwerk/base/nsBaseChannel.cpp:610)
Sandbox: frame #17: nsBaseChannel::Open2(nsIInputStream**) (/home/morbo/hg/firefox/netwerk/base/nsBaseChannel.cpp:634)
Sandbox: frame #18: nsMessageManagerScriptExecutor::TryCacheLoadAndCompileScript(nsAString_internal const&, bool, bool, JS::MutableHandle<JSScript*>) (/home/morbo/hg/firefox/dom/base/nsFrameMessageManager.cpp:1783)
Sandbox: frame #19: nsCOMPtr<nsIXPConnectJSObjectHolder>::operator->() const (/home/morbo/hg/firefox/objdir-desktop/dist/include/nsCOMPtr.h:746)
Sandbox: frame #20: mozilla::dom::TabChild::RecvLoadRemoteScript(nsString const&, bool const&) (/home/morbo/hg/firefox/dom/ipc/TabChild.cpp:2367)
Sandbox: frame #21: mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) (/home/morbo/hg/firefox/objdir-desktop/ipc/ipdl/PBrowserChild.cpp:4423)
Sandbox: frame #22: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) (/home/morbo/hg/firefox/objdir-desktop/ipc/ipdl/PContentChild.cpp:7396)
Sandbox: frame #23: ~AutoSetValue (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/ipc/MessageChannel.h:626)
Sandbox: frame #24: mozilla::WeakPtr<mozilla::ipc::MessageListener>::operator->() const (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/WeakPtr.h:196)
Sandbox: frame #25: mozilla::Monitor::Unlock() (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/Monitor.h:36)
Sandbox: frame #26: mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() (/home/morbo/hg/firefox/objdir-desktop/dist/include/nsThreadUtils.h:767)
Sandbox: frame #27: mozilla::ipc::MessageChannel::DequeueTask::Run() (/home/morbo/hg/firefox/objdir-desktop/dist/include/mozilla/ipc/MessageChannel.h:572)
Sandbox: frame #28: nsThread::ProcessNextEvent(bool, bool*) (/home/morbo/hg/firefox/xpcom/threads/nsThread.cpp:1047)
Sandbox: frame #29: NS_ProcessNextEvent(nsIThread*, bool) (/home/morbo/hg/firefox/xpcom/glue/nsThreadUtils.cpp:290)
Sandbox: frame #30: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:100)
Sandbox: frame #31: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:317)
Sandbox: frame #32: MessageLoop::RunInternal() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:233)
Sandbox: frame #33: ~AutoRunState (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:490)
Sandbox: frame #34: nsBaseAppShell::Run() (/home/morbo/hg/firefox/widget/nsBaseAppShell.cpp:158)
Sandbox: frame #35: XRE_RunAppShell (/home/morbo/hg/firefox/toolkit/xre/nsEmbedFunctions.cpp:851)
Sandbox: frame #36: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:285)
Sandbox: frame #37: MessageLoop::RunInternal() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:233)
Sandbox: frame #38: ~AutoRunState (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:490)
Sandbox: frame #39: XRE_InitChildProcess (/home/morbo/hg/firefox/toolkit/xre/nsEmbedFunctions.cpp:685)
Sandbox: frame #40: content_process_main(int, char**) (/home/morbo/hg/firefox/ipc/app/../contentproc/plugin-container.cpp:227)
Sandbox: frame #41: main (/home/morbo/hg/firefox/ipc/app/MozillaRuntimeMain.cpp:19)
Sandbox: frame #42: __libc_start_main (/build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:321)
Sandbox: frame #43: _start (/home/morbo/hg/firefox/objdir-desktop/dist/bin/plugin-container)
Sandbox: frame #44: ??? (???:???)
Sandbox: end of stack.
Whiteboard: sb?
Whiteboard: sb? → sblc2
Whiteboard: sblc2 → sblc4
Summary: nsFileChannel::OpenContentStream leads to access(mimehandler, X_OK) checks in content → nsFileChannel::OpenContentStream leads to sys call access(mimehandler, X_OK) checks in content
Whiteboard: sblc4 → sblc5
OS: Unspecified → Linux
Priority: -- → P3
See Also: → 1382323
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.