Closed
Bug 1342385
Opened 7 years ago
Closed 7 years ago
Allow mremap in linux32 for wasm resizing features
Categories
(Core :: Security: Process Sandboxing, defect)
Tracking
RESOLVED
FIXED
mozilla54
| | Tracking | Status |
|---|---|---|
| firefox54 | --- | fixed |
People
(Reporter: bbouvier, Assigned: bbouvier)
Attachments
(1 file, 1 obsolete file)
1.89 KB, patch | jld: review+
After landing the wasm WPT test cases, we've hit this: https://treeherder.mozilla.org/logviewer.html#?job_id=79928041&repo=mozilla-inbound&lineNumber=3672

The stack trace shows the content process gets killed because of a sandbox violation:

[task 2017-02-24T11:41:47.528494Z] 11:41:47 INFO - PROCESS | 5086 | Sandbox: seccomp sandbox violation: pid 5140, tid 5140, syscall 163, args 3944837120 65536 131072 0 4116342032 4291377480. Killing process.
[task 2017-02-24T11:41:47.657522Z] 11:41:47 INFO - PROCESS | 5086 | Sandbox: JS frame 0: call http://web-platform.test:8000/_mozilla/wasm/js/harness/index.js line 211
[task 2017-02-24T11:41:47.658322Z] 11:41:47 INFO - PROCESS | 5086 | Sandbox: JS frame 1: (anonymous) http://web-platform.test:8000/_mozilla/wasm/js/resizing.wast.js line 21
[task 2017-02-24T11:41:47.658452Z] 11:41:47 INFO - PROCESS | 5086 | Sandbox: JS frame 2: assert_return http://web-platform.test:8000/_mozilla/wasm/js/harness/index.js line 314
[task 2017-02-24T11:41:47.659428Z] 11:41:47 INFO - PROCESS | 5086 | Sandbox: JS frame 3: (anonymous) http://web-platform.test:8000/_mozilla/wasm/js/resizing.wast.js line 21
[task 2017-02-24T11:41:47.774484Z] 11:41:47 INFO - PROCESS | 5086 | [Parent 5086] WARNING: 'NS_FAILED(rv)', file /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp, line 1999

Looking up in the Linux32 syscall table: http://searchfox.org/mozilla-central/source/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h#665

We find that the offending syscall 163 is mremap, which is used by the wasm memory resizing feature on linux32: http://searchfox.org/mozilla-central/source/js/src/vm/ArrayBufferObject.cpp#597

So I think we should allow it more broadly.

cc'ing sheriffs, because this might be a source of intermittent errors in some web platform test cases for wasm, **linux32 only**: nop.wast.js.html and resizing.wast.js.html.
Comment 1 • 7 years ago (Assignee)
See explanation in comment 0.
Attachment #8840835 - Flags: review?(jld)
Comment 2 • 7 years ago (Assignee)
The tests were actually permafailing, not intermittent, so I've disabled them. This updated patch also re-enables them.
Attachment #8840835 - Attachment is obsolete: true
Attachment #8840835 - Flags: review?(jld)
Attachment #8840839 - Flags: review?(jld)
Updated • 7 years ago
Attachment #8840839 - Flags: review?(jld) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a9b07064c28
Allow mremap on linux32 for wasm; r=jld
Comment 4 • 7 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/7a9b07064c28
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54