Closed Bug 1410241 Opened 7 years ago Closed 7 years ago

SIGSYS handler can access destroyed objects during shutdown

Categories

(Core :: Security: Process Sandboxing, enhancement)

Unspecified
Linux
enhancement
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla58
Tracking Status
firefox58 --- fixed

People

(Reporter: jld, Assigned: jld)

Details

(Whiteboard: sb+)

Attachments

(1 file)

We're storing the client objects for the sandbox file broker and rejected syscall reporter in static variables, which means they'll be destroyed on shutdown when static destructors are called.

However, they could be used by a SIGSYS handler after that, or concurrently in a SIGSYS handler on another thread (possibly even a call which started before shutdown).

I remembered not to do this when I was writing the SandboxOpenedFiles code

I'm reasonably sure that this invokes undefined behavior regardless of what the destructors actually do.  If the compiler doesn't do anything clever, then SandboxReporterClient is unaffected, but SandboxBrokerClient will do a file descriptor use-after-close, sending the broker request on some other fd (possibly its own response socket).  And, of course, it's not a good idea to depend on the compiler not being clever.

(In reply to Jed Davis [:jld] (⏰UTC-6) from comment #0)
> I remembered not to do this when I was writing the SandboxOpenedFiles code

I think the end of this sentence was going to be something like “but not for SandboxBroker or SandboxReporter”.

Anyway, I'm taking this bug because the patch is simple and I wrote it.
Assignee: nobody → jld
Whiteboard: sb+
Comment on attachment 8922165 [details]
Bug 1410241 - Don't call destructors on objects we use in the SIGSYS handler.

https://reviewboard.mozilla.org/r/193182/#review198686
Attachment #8922165 - Flags: review?(gpascutto) → review+
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7e53467676ca
Don't call destructors on objects we use in the SIGSYS handler. r=gcp
https://hg.mozilla.org/mozilla-central/rev/7e53467676ca
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
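
One way to keep an object out of exit-time static destruction, as an added C++ example that is not the code from the attached patch or from Firefox. `FdClient`, `NeverDestroyed` and `FdOpenAfterLifetimeEnds` are hypothetical names, and a block scope stands in for process shutdown:

```cpp
#include <cstdio>
#include <fcntl.h>
#include <new>
#include <type_traits>
#include <unistd.h>
#include <utility>

// Hypothetical stand-in for a client object that owns a socket to a broker.
class FdClient {
 public:
  explicit FdClient(int aFd) : mFd(aFd) {}
  ~FdClient() { close(mFd); }  // after this, the fd number can be reused
 private:
  int mFd;
};

// Constructs a T in raw storage and never runs ~T(). The wrapper is trivially
// destructible, so a static instance registers no exit-time destructor.
template <typename T>
class NeverDestroyed {
 public:
  template <typename... Args>
  explicit NeverDestroyed(Args&&... aArgs)
      : mPtr(new (mStorage) T(std::forward<Args>(aArgs)...)) {}
  T* get() { return mPtr; }
 private:
  alignas(T) unsigned char mStorage[sizeof(T)];
  T* mPtr;
};
static_assert(std::is_trivially_destructible<NeverDestroyed<FdClient>>::value,
              "wrapper must not need a destructor call");

// Ends a Holder's lifetime (a block scope stands in for process exit) and
// reports whether the descriptor it was given is still open afterwards.
template <typename Holder>
bool FdOpenAfterLifetimeEnds() {
  int fds[2];
  if (pipe(fds) != 0) return false;
  { Holder holder(fds[1]); }  // a plain FdClient closes the fd here
  bool open = fcntl(fds[1], F_GETFD) != -1;
  close(fds[0]);
  if (open) close(fds[1]);
  return open;
}

int main() {
  std::printf("plain: %d, NeverDestroyed: %d\n", FdOpenAfterLifetimeEnds<FdClient>(),
              FdOpenAfterLifetimeEnds<NeverDestroyed<FdClient>>());
}
```

The wrapped object and its descriptor are leaked on purpose; the kernel reclaims both when the process exits.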