Closed Bug 1489735 Opened Last year Closed Last year

sandbox forbids sched_setaffinity syscall, required by radeonsi mesa git

Categories

(Core :: Security: Process Sandboxing, defect, P1, critical)

64 Branch
x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: haagch+ff, Assigned: jld)

Details

(Keywords: crash, regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Build ID: 20180906232139

Steps to reproduce:

See https://www.phoronix.com/scan.php?page=news_item&px=AMD-RadeonSI-Ryzen-Tuned and the linked patches for details.

At the moment this only affects the open source radeon driver.


Actual results:

Running on Firefox nightly 64.0a1 (2018-09-06), the content process crashes:
```
Core was generated by `/opt/firefox-nightly/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1'.
Program terminated with signal SIGSYS, Bad system call.
#0  0x00007f99d7f3740d in syscall () from /usr/lib/libc.so.6
[Current thread is 1 (Thread 0x7f99d77ef740 (LWP 3987))]
(gdb) bt
#0  0x00007f99d7f3740d in syscall () at /usr/lib/libc.so.6
#1  0x00007f99ca27f823 in  () at /opt/firefox-nightly/libxul.so
#2  0x00007f99d8409fe9 in  () at /opt/firefox-nightly/libmozsandbox.so
#3  0x00007f99d83563c0 in <signal handler called> () at /usr/lib/libpthread.so.0
#4  0x00007f99d83566f3 in pthread_setaffinity_np@@GLIBC_2.3.4 () at /usr/lib/libpthread.so.0
#5  0x00007f99b951f825 in util_pin_thread_to_L3 (cores_per_L3=<optimized out>, L3_index=<optimized out>, thread=<optimized out>) at ../src/util/u_thread.h:92
... etc.
```

Firefox stable 62.0 with default settings does NOT crash. It just prints warnings and then the content process still works:
```
Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5322 128 140723740317632 0 128 140723740317632.
Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5556 128 140723740317472 14355229661309726 1 140644547393280.
Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5541 128 140723740316032 140723740315840 12 140644907620096.
```
Expected results:

Workaround:
In about:config, tell the sandbox to whitelist syscall 203, which is sched_setaffinity:

```
security.sandbox.content.syscall_whitelist;203
```

Severity: normal → critical
Component: Untriaged → Security: Process Sandboxing
OS: Unspecified → Linux
Product: Firefox → Core
Hardware: Unspecified → x86_64

Thanks for the heads-up.

(In reply to haagch+ff from comment #0)
> Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5322 128 140723740317632

This isn't so bad; it's setting scheduler attributes on itself, so we could trap that and change the first argument to 0, like we do with some other sched_* calls.

> Sandbox: seccomp sandbox violation: pid 5322, tid 5322, syscall 203, args 5556 128 140723740317472

This is more of a problem; I assume tid 5556 is another thread in the same process, but it could be anything owned by the same user, and we can't check that in the seccomp-bpf filter.  Changing CPU affinity isn't immediately a sandbox escape, but I really don't like allowing it for a process that theoretically should be isolated from other processes.

Alternately, we can just fail sched_[gs]etaffinity with EPERM; we'll be passing up some (possibly small in practice?) performance improvement, but eventually we'll move GPU drivers out of content processes (bug 1477756).


As for a regression window, I don't think we've ever allowed this as long as we've been doing sandboxing on desktop Linux; this is a compatibility problem introduced by a new (not yet released) driver version.  (I'll leave the `regression` tag because, technically, there was an earlier version where this would have worked.)

Also, comment #0 pointed this out, but to emphasize: this is a crash only on Nightly; on other release trains it fails with warnings.

Priority: -- → P1
Assignee: nobody → jld
Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 1490994

Comment on attachment 9009273 [details]
Bug 1489735 - Quietly deny sched_setaffinity in content process sandbox

Gian-Carlo Pascutto [:gcp] has approved the revision.
Attachment #9009273 - Flags: review+

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/026130a68e7c
Quietly deny sched_setaffinity in content process sandbox r=gcp
https://hg.mozilla.org/mozilla-central/rev/026130a68e7c

Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64