Bug 1462640 (Closed) - Opened: Last year, Closed: Last year

Sandbox disables eglGetDisplay() call on Wayland/EGL backend

Categories: Core :: Security: Process Sandboxing, defect, P1
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: mozilla62
Tracking Status: firefox62 --- fixed
People: Reporter: stransky, Assigned: jld
Attachments: 1 file

Attempting load of libEGL.so

Sandbox: seccomp sandbox violation: pid 14803, tid 14803, syscall 27, args 140351623237632 4096 140724220371447 0 1 1.  Killing process.

Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: ???[/lib64/libpthread.so.0 +0x11fb0]
Sandbox: frame #02: mincore[/lib64/libc.so.6 +0xf51a7]
Sandbox: frame #03: ???[/lib64/libEGL.so +0x333b]
Sandbox: frame #04: eglGetDisplay[/lib64/libEGL.so +0x3c18]

Reproduction steps:

1) build FF with ac_add_options --enable-default-toolkit=cairo-gtk3-wayland
2) set webgl.force-enabled to true (make sure gl is enabled)
3) open any WebGL example

libEGL is using mincore() to determine if a virtual address is mapped, because it's more or less guaranteed to fail with EFAULT if it's unmapped and has minimal side effects if it is.  This is because, due to some unfortunate design decisions, it winds up being given an untagged value that might be a pointer or a small integer, and it has to distinguish those cases dynamically.

In particular, it doesn't need to know the actual page residency, so this could be faked by something like write()ing one byte to a pipe, but that's probably excessive for the small amount of attack surface exposed by the actual mincore().
Assignee: nobody → jld
Priority: -- → P1
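Added example, not code from this bug, from Firefox or from Mesa, illustrating the comment above: a mincore()-based "is this page mapped?" probe that ignores the residency vector entirely, the pipe write() alternative the comment mentions, and a seccomp-bpf filter that lets mincore() through only when its length argument fits in one page, which is one reading of the "individual pages" fix (the landed Firefox filter is not quoted here). Assumptions: Linux/x86_64 with glibc, a 4096-byte page, and function names chosen for this example; the filter allows every other syscall so the demo stays small. Run stand-alone, the program ends with a SIGSYS kill on the two-page call, matching the violation in comment 0 (syscall 27 is mincore on x86_64).

```c
/* Added example (not Firefox or Mesa code): mincore() as an "is this page
 * mapped?" probe, the pipe-write alternative, and a seccomp-bpf filter that
 * only lets single-page mincore() calls through. Assumes Linux/x86_64, glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS   /* older kernel headers only have SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define PAGE 4096UL   /* x86_64 page size; also the length argument in the violation log */
static unsigned char mapped_buf[PAGE];   /* a page that is certainly mapped */

/* libEGL-style probe: mincore() the page containing p and ignore the residency
 * vector. Returns 0 if the page is mapped, otherwise the errno the kernel set
 * (Linux reports ENOMEM for a range with no mapping). */
static int mincore_probe(const void *p)
{
    uintptr_t page = (uintptr_t)p & ~(PAGE - 1);
    unsigned char vec;
    return mincore((void *)page, PAGE, &vec) == 0 ? 0 : errno;
}

/* The alternative mentioned above: write() one byte from p into a pipe. Needs no
 * extra syscall allowed, but copies a byte of process memory into a kernel buffer.
 * Returns 0 if p is readable, otherwise errno (EFAULT for an unmapped address). */
static int pipe_write_probe(const void *p)
{
    int fds[2], rc = 0;
    if (pipe(fds) != 0)
        return errno;
    if (write(fds[1], p, 1) != 1)
        rc = errno;
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* Map one page, unmap it, and probe the dead address (use_pipe: 0 = mincore,
 * 1 = pipe write). Single-threaded, so nothing reuses the address in between. */
static int probe_unmapped_page(int use_pipe)
{
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || munmap(p, PAGE) != 0)
        return -1;
    return use_pipe ? pipe_write_probe(p) : mincore_probe(p);
}

/* One reading of the "mincore() individual pages" fix, not the landed filter:
 * allow mincore only when its length (args[1]) is at most one page, kill
 * otherwise, allow everything else. Both 32-bit halves of the 64-bit length are
 * checked; testing only the low half would let 0x100000000 + 4096 through. */
static int install_mincore_page_filter(void)
{
    const __u32 len_lo = offsetof(struct seccomp_data, args) + 1 * sizeof(__u64);
    const __u32 len_hi = len_lo + 4;   /* little-endian: high half follows low half */
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),       /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mincore, 0, 5),    /* other syscall: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, len_hi),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 2),               /* high half set: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, len_lo),
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, PAGE, 0, 1),            /* more than a page: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    unsigned char vec[2];
    printf("mapped page:   mincore=%d pipe=%d\n", mincore_probe(mapped_buf), pipe_write_probe(mapped_buf));
    printf("small integer: mincore=%d pipe=%d  (ENOMEM=%d, EFAULT=%d)\n",
           mincore_probe((const void *)16), pipe_write_probe((const void *)16), ENOMEM, EFAULT);
    printf("unmapped page: mincore=%d pipe=%d\n", probe_unmapped_page(0), probe_unmapped_page(1));
    if (install_mincore_page_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("filter on, one page: %d\n", mincore_probe(mapped_buf));   /* still allowed */
    fflush(stdout);
    mincore(mapped_buf, 2 * PAGE, vec);   /* two pages: SIGSYS, the filter kills the process as in the log */
    puts("not reached");
    return 0;
}
```

Build with `cc -Wall -o mincore_probe mincore_probe.c` (file name assumed) and run it on an x86_64 Linux box; the first three lines show the mapped page reporting 0 from both probes, the small-integer and unmapped cases reporting ENOMEM from mincore() and EFAULT from the pipe write, and the last line is never printed because the filter kills the process on the two-page call. Arguments in `struct seccomp_data` are 64 bits wide, so a real filter has to test both halves as shown; a filter that compares only the low word accepts a length with bits set above 32.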
Comment on attachment 8978467
Bug 1462640 - Allow content processes to mincore() individual pages.

https://reviewboard.mozilla.org/r/245262/#review251858
Attachment #8978467 - Flags: review?(gpascutto) → review+
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c74eb9a24c8b
Allow content processes to mincore() individual pages. r=gcp
https://hg.mozilla.org/mozilla-central/rev/c74eb9a24c8b
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Duplicate of this bug: 1456025