Closed
Bug 1412480
Opened 7 years ago
Closed 7 years ago
The Linux sandbox isn't forwarding syscall arguments correctly on 32-bit platforms
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
Tracking
()
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox58 | --- | fixed |
People
(Reporter: jld, Assigned: jld)
References
Details
(Whiteboard: sb+)
Attachments
(2 files)
When we trap system calls with seccomp-bpf, the Chromium code passes our callback a struct arch_seccomp_data, which matches the layout of the data provided by the kernel to the BPF program. In particular, it stores syscall arguments as uint64_t even on 32-bit platforms. So, when we pass these arguments directly to the syscall() function, which uses C varargs, they occupy 2 words each instead of 1 (and may also be padded to aligned register pairs, depending on architecture). In the general case, this is bad. (I note that Chromium's sandbox::Syscall, which I considered using in bug 1410191 and then didn't, casts all the arguments to intptr_t and avoids this problem. (It's probably invoking implementation-defined behavior in some cases by casting to a signed type, but then so are we whenever we cast one of those `uint64_t`s back to an int.) That approach would solve this problem, but I'd prefer to require callers to cast to the actual type in question, where possible, for clarity.)
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 3•7 years ago
|
||
mozreview-review |
Comment on attachment 8923643 [details] Bug 1412480 - Fix syscall argument types in seccomp-bpf sandbox traps. https://reviewboard.mozilla.org/r/194772/#review200022 This sounds pretty scary, but we already shipped this, didn't we?
Attachment #8923643 -
Flags: review?(gpascutto) → review+
Assignee | ||
Comment 4•7 years ago
|
||
It's a problem only when arguments are passed directly from the args[] array to syscall without a cast. Also, if it's a single argument at the end (and, maybe, if it's in an even-numbered position) on a little-endian platform, the lower half will be in the right place and things will work anyway. So I think the impact of this on 32-bit x86 is: * tkill will send signal 0 (no signal, just check process existence); on desktop this is used only by musl libc. * sched_setscheduler will pass nullptr for the policy argument and probably fail with EFAULT. (Also the traps for sched_get_priority_{min,max} are competely wrong, but that's a separate bug.)
Assignee | ||
Comment 5•7 years ago
|
||
(In reply to Jed Davis [:jld] (⏰UTC-6) from comment #4) > * sched_setscheduler will pass nullptr for the policy argument and probably > fail with EFAULT. …and this applies only to the media plugin policy; in content we're allowing sched_* syscalls without filtering, which is yet another bug.
Updated•7 years ago
|
Whiteboard: sb+
Comment 6•7 years ago
|
||
mozreview-review |
Comment on attachment 8923644 [details] Bug 1412480 - Statically check for overly large syscall arguments. https://reviewboard.mozilla.org/r/194774/#review201038
Attachment #8923644 -
Flags: review?(gpascutto) → review+
Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/48b83b14ff3d Fix syscall argument types in seccomp-bpf sandbox traps. r=gcp https://hg.mozilla.org/integration/autoland/rev/eeb1aae7683b Statically check for overly large syscall arguments. r=gcp
Comment 8•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/48b83b14ff3d https://hg.mozilla.org/mozilla-central/rev/eeb1aae7683b
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•