Closed Bug 1462640 Opened Last year Closed Last year
Sandbox disables eglGetDisplay() call on Wayland/EGL backend
Attempting load of libEGL.so
Sandbox: seccomp sandbox violation: pid 14803, tid 14803, syscall 27, args 140351623237632 4096 140724220371447 0 1 1. Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: ???[/lib64/libpthread.so.0 +0x11fb0]
Sandbox: frame #02: mincore[/lib64/libc.so.6 +0xf51a7]
Sandbox: frame #03: ???[/lib64/libEGL.so +0x333b]
Sandbox: frame #04: eglGetDisplay[/lib64/libEGL.so +0x3c18]

Reproduction steps:
1) build FF with ac_add_options --enable-default-toolkit=cairo-gtk3-wayland
2) set webgl.force-enabled to true (make sure gl is enabled)
3) open any WebGL example
libEGL is using mincore() to determine if a virtual address is mapped, because it's more or less guaranteed to fail with EFAULT if it's unmapped and has minimal side effects if it is. This is because, due to some unfortunate design decisions, it winds up being given an untagged value that might be a pointer or a small integer, and it has to distinguish those cases dynamically. In particular, it doesn't need to know the actual page residency, so this could be faked by something like write()ing one byte to a pipe, but that's probably excessive for the small amount of attack surface exposed by the actual mincore().
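The probe described in the comment above, written out as an added example (this is not code from the bug, from Mozilla or from any EGL implementation): it asks mincore() about the single page that would contain an untagged word, ignores the residency result, and treats failure as "not a mapped address". The request covers exactly one page, which is the shape the fix on this bug allows content processes to make; the `is_mapped` and `demo` names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return 1 if the page containing p is mapped in this process, 0 otherwise.
 * Only success or failure of mincore() matters; the residency bit it writes
 * is never consulted, exactly as in the pointer-vs-integer check described
 * in the comment above. */
int is_mapped(const void *p)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t aligned = (uintptr_t)p & ~((uintptr_t)page - 1);
    unsigned char vec; /* residency bit for the one page; value ignored */

    if (mincore((void *)aligned, (size_t)page, &vec) == 0)
        return 1;
    /* ENOMEM means the range contains unmapped memory; any other failure is
     * also treated as "not a usable pointer". */
    return 0;
}

/* Exercise the probe on a fresh anonymous mapping, on the same page after
 * munmap(), and on a small integer that could never be a pointer.
 * Returns 1 when all three answers are as expected, 0 or -1 otherwise. */
int demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    int before = is_mapped(m);        /* mapped page: 1 */
    munmap(m, (size_t)page);
    int after = is_mapped(m);         /* same address after unmap: 0 */
    int small = is_mapped((void *)7); /* small-integer "handle": 0 */
    return before == 1 && after == 0 && small == 0;
}

int main(void)
{
    printf("probe consistent: %s\n", demo() == 1 ? "yes" : "no");
    return 0;
}
```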
Assignee: nobody → jld
Priority: -- → P1
Comment on attachment 8978467 [details] Bug 1462640 - Allow content processes to mincore() individual pages. https://reviewboard.mozilla.org/r/245262/#review251858
Attachment #8978467 - Flags: review?(gpascutto) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/c74eb9a24c8b Allow content processes to mincore() individual pages. r=gcp