Bug 1489735 (Closed): sandbox forbids sched_setaffinity syscall, required by radeonsi mesa git
Opened Last year, Closed Last year
Attachment: 46 bytes, text/x-phabricator-request
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Build ID: 20180906232139

Steps to reproduce:

See https://www.phoronix.com/scan.php?page=news_item&px=AMD-RadeonSI-Ryzen-Tuned and the linked patches for details. At the moment this only affects the open source radeon driver.

Actual results:

Running on Firefox nightly 64.0a1 (2018-09-06) the content process crashes

```
Core was generated by `/opt/firefox-nightly/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1'.
Program terminated with signal SIGSYS, Bad system call.
#0  0x00007f99d7f3740d in syscall () from /usr/lib/libc.so.6
[Current thread is 1 (Thread 0x7f99d77ef740 (LWP 3987))]
(gdb) bt
#0  0x00007f99d7f3740d in syscall () at /usr/lib/libc.so.6
#1  0x00007f99ca27f823 in () at /opt/firefox-nightly/libxul.so
#2  0x00007f99d8409fe9 in () at /opt/firefox-nightly/libmozsandbox.so
#3  0x00007f99d83563c0 in <signal handler called> () at /usr/lib/libpthread.so.0
#4  0x00007f99d83566f3 in pthread_setaffinity_np@@GLIBC_2.3.4 () at /usr/lib/libpthread.so.0
#5  0x00007f99b951f825 in util_pin_thread_to_L3 (cores_per_L3=<optimized out>, L3_index=<optimized out>, thread=<optimized out>) at ../src/util/u_thread.h:92
... etc.
```

Firefox stable 62.0 with default settings does NOT crash. It just prints warnings and then the content process still works:

```
Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5322 128 140723740317632 0 128 140723740317632.
Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5556 128 140723740317472 14355229661309726 1 140644547393280.
Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5541 128 140723740316032 140723740315840 12 140644907620096.
```

Expected results:

Workaround: in about:config, tell the sandbox to whitelist syscall 203, which is sched_setaffinity:

security.sandbox.content.syscall_whitelist;203
Severity: normal → critical
Component: Untriaged → Security: Process Sandboxing
OS: Unspecified → Linux
Product: Firefox → Core
Hardware: Unspecified → x86_64
Thanks for the heads-up.

(In reply to haagch+ff from comment #0)
> Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5322 128 140723740317632

This isn't so bad; it's setting scheduler attributes on itself, so we could trap that and change the first argument to 0, like we do with some other sched_* calls.

> Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5556 128 140723740317472

This is more of a problem; I assume tid 5556 is another thread in the same process, but it could be anything owned by the same user, and we can't check that in the seccomp-bpf filter. Changing CPU affinity isn't immediately a sandbox escape, but I really don't like allowing it for a process that theoretically should be isolated from other processes.

Alternately, we can just fail sched_[gs]etaffinity with EPERM; we'll be passing up some (possibly small in practice?) performance improvement, but eventually we'll move GPU drivers out of content processes (bug 1477756).

As for a regression window, I don't think we've ever allowed this as long as we've been doing sandboxing on desktop Linux; this is a compatibility problem introduced by a new (not yet released) driver version. (I'll leave the `regression` tag because, technically, there was an earlier version where this would have worked.)

Also, comment #0 pointed this out, but to emphasize: this is a crash only on Nightly; on other release trains it fails with warnings.
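The "fail sched_[gs]etaffinity with EPERM" option described in the comment above, as an added example that is not Firefox's sandbox code: a minimal seccomp-bpf filter built with raw prctl (no libseccomp) that turns both syscalls into a failed call with errno EPERM rather than a SIGSYS kill, installed in a forked child so the parent stays unsandboxed. The EXAMPLE_ARCH macro and both function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#else
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64 /* example covers x86_64 and aarch64 only */
#endif

/* Install a filter in the calling process that makes sched_setaffinity and
 * sched_getaffinity return -1/EPERM ("quietly deny"). Returns 0 on success, -1 on error. */
int install_affinity_deny_filter(void) {
    struct sock_filter prog[] = {
        /* Syscall numbers are per-architecture: kill if the arch is not the compiled one. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_getaffinity, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged seccomp */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run the filtered call in a forked child so the caller stays unsandboxed. Returns the errno
 * the child saw (EPERM expected), 0 if the call succeeded, 255 if the filter could not be
 * installed, -2 if the child died from a signal (the Nightly SIGSYS behaviour). */
int denied_errno_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_affinity_deny_filter() != 0) _exit(255);
        unsigned long mask = 1UL; /* pin to CPU 0; pid 0 means the calling thread */
        long rc = syscall(__NR_sched_setaffinity, 0, sizeof(mask), &mask);
        _exit(rc == 0 ? 0 : errno); /* the process survives: a failed call, not a crash */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? -2 : WEXITSTATUS(status);
}
```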
Assignee: nobody → jld
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 9009273 [details]
Bug 1489735 - Quietly deny sched_setaffinity in content process sandbox

Gian-Carlo Pascutto [:gcp] has approved the revision.
Attachment #9009273 - Flags: review+
Pushed by email@example.com:
https://hg.mozilla.org/integration/autoland/rev/026130a68e7c
Quietly deny sched_setaffinity in content process sandbox r=gcp