Closed Bug 1367560 Opened 8 years ago Closed 8 years ago

dom/filesystem/tests/test_basic.html ASSERT failure on OS X with level 3 due to /Volumes restriction

Categories

(Core :: Security: Process Sandboxing, defect)

Product:
Core
Component:
Security: Process Sandboxing
Version:
55 Branch
Platform:
Unspecified
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: haik, Assigned: Alex_Gaynor)

References

Details

(Whiteboard: sbmc2)

Attachments

(1 file)

Bug 1367560 - Remove an assertion from the Directory constructor that the directory exists on disk from DEBUG builds;
59 bytes, text/x-review-board-request
baku
: review+
Details
On OS X, with a debug build, with security.sandbox.content.level=3, the test dom/filesystem/tests/test_basic.html triggers an ASSERT failure in the content process. This appears to be triggered by the /Volumes restriction added in bug 1363179. I tried running the test with '(allow file-read* (literal "/Volumes"))' added to the rules and that let the test pass. Whether or not that's the right fix needs more thought. Process 44710 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) frame #0 XUL`mozilla::dom::Directory::Create() at Directory.cpp:92 89 #ifdef DEBUG 90 bool isDir; 91 nsresult rv = aFile->IsDirectory(&isDir); -> 92 MOZ_ASSERT(NS_SUCCEEDED(rv) && isDir); 93 #endif 94 95 RefPtr<Directory> directory = new Directory(aParent, aFile, aFileSystem); (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0 XUL`mozilla::dom::Directory::Create() at Directory.cpp:92 frame #1 XUL`mozilla::dom::GetDirectoryListingTaskChild::SetSuccessRequestResult() at GetDirectoryListingTask.cpp:152 frame #2 XUL`mozilla::dom::FileSystemTaskChildBase::SetRequestResult() at FileSystemTaskBase.cpp:209 frame #3 XUL`mozilla::dom::FileSystemTaskChildBase::Recv__delete__() at FileSystemTaskBase.cpp:219 frame #4 XUL`mozilla::dom::PFileSystemRequestChild::OnMessageReceived() at PFileSystemRequestChild.cpp:90 frame #5 XUL`mozilla::ipc::PBackgroundChild::OnMessageReceived() at PBackgroundChild.cpp:1630 frame #6 XUL`mozilla::ipc::MessageChannel::DispatchAsyncMessage() at MessageChannel.cpp:2040 frame #7 XUL`mozilla::ipc::MessageChannel::DispatchMessage() at MessageChannel.cpp:1975 frame #8 XUL`mozilla::ipc::MessageChannel::RunMessage() at MessageChannel.cpp:1844 frame #9 XUL`mozilla::ipc::MessageChannel::MessageTask::Run() at MessageChannel.cpp:1877 frame #10 XUL`mozilla::SchedulerGroup::Runnable::Run() at SchedulerGroup.cpp:370 frame #11 XUL`nsThread::ProcessNextEvent() at nsThread.cpp:1273 frame #12 XUL`NS_ProcessPendingEvents() at nsThreadUtils.cpp:335 frame #13 XUL`nsBaseAppShell::NativeEventCallback() at nsBaseAppShell.cpp:97 frame #14 XUL`nsAppShell::ProcessGeckoEvents() at nsAppShell.mm:399 frame #15 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__() frame #16 CoreFoundation`__CFRunLoopDoSources0() frame #17 CoreFoundation`__CFRunLoopRun() frame #18 CoreFoundation`CFRunLoopRunSpecific() frame #19 HIToolbox`RunCurrentEventLoopInMode() frame #20 HIToolbox`ReceiveNextEventCommon() frame #21 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter() frame #22 AppKit`_DPSNextEvent() frame #23 AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]() frame #24 XUL`::-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](NSEventMask, NSDate *, NSString *, BOOL)() at nsAppShell.mm:130 frame #25 AppKit`-[NSApplication run]() frame #26 XUL`nsAppShell::Run() at nsAppShell.mm:673 frame #27 XUL`XRE_RunAppShell() at nsEmbedFunctions.cpp:893 frame #28 XUL`mozilla::ipc::MessagePumpForChildProcess::Run() at MessagePump.cpp:269 frame #29 XUL`MessageLoop::RunInternal() at message_loop.cc:238 frame #30 XUL`MessageLoop::RunHandler() at message_loop.cc:231 frame #31 XUL`MessageLoop::Run() at message_loop.cc:211 frame #32 XUL`XRE_InitChildProcess() at nsEmbedFunctions.cpp:709 frame #33 XUL`mozilla::BootstrapImpl::XRE_InitChildProcess() at Bootstrap.cpp:65 frame #34 plugin-container`content_process_main() at plugin-container.cpp:64 frame #35 plugin-container`main() at MozillaRuntimeMain.cpp:25 frame #36 plugin-container`start()
See Also: → 1363179
Whiteboard: sbmc2
The problem is that Directory::Create() can't be called in DEBUG mode to create a directory object for a directory the content process doesn't have access to. This is due to the following code extra DEBUG check. http://searchfox.org/mozilla-central/rev/35b37316149108d53a02fb8498e250ea8a22ab5d/dom/filesystem/Directory.cpp#89 Directory::Create(nsISupports* aParent, nsIFile* aFile, FileSystemBase* aFileSystem) ... #ifdef DEBUG bool isDir; nsresult rv = aFile->IsDirectory(&isDir); MOZ_ASSERT(NS_SUCCEEDED(rv) && isDir); #endif ... With sandboxing, we're not going to be able to rely on being able to access the directory so this code should go. That's a better fix than adding a sandbox '(allow file-read* (literal "/Volumes"))' rule which would allow the test to pass, but wouldn't fix the problem for directory listing operations on other directories.
Assignee: nobody → agaynor
Ok, I took a look at the rest of the |dom/| directory, and I couldn't find anywhere else that triggers this assert, so I think, even though that DEBUG block is clearly wrong in a sandboxed process, I'm going to see how hard it would be to move the Directory object to the parent, since it seems unfortunate to remove a debugging assertion for one callsite. If I've missed any tests and really a ton more our broken we should revisit.
I spent some more time thinking about this, and the potential for tests (or application code) that break as we tighten up the sandbox only increases. More importantly, if this code is really going to be accessible from content, in an e10s sandboxed world, it doesn't make sense for Directory methods to be touching the filesystem, it just can't work as a general rule. Given this, I think the originally proposed solution of just deleting that |#if DEBUG| branch makes the most sense. Before I send a patch for that, I'd like some feedback from the DOM folks who own this code. :baku, do you have any objections to this change?
Flags: needinfo?(amarchesini)
Comment on attachment 8874843 [details] Bug 1367560 - Remove an assertion from the Directory constructor that the directory exists on disk from DEBUG builds; https://reviewboard.mozilla.org/r/146234/#review150206
Attachment #8874843 - Flags: review?(amarchesini) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/6a8333a5941e Remove an assertion from the Directory constructor that the directory exists on disk from DEBUG builds; r=baku
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/6a8333a5941e
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Flags: needinfo?(amarchesini)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: