Closed Bug 1573578 Opened 5 years ago Closed 5 years ago

Allow brk() in the common sandbox policy

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: jld, Assigned: gcp)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1573578 - Whitelist brk syscall if jemalloc is disabled. r?jld
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta-
Details | Review

glibc's malloc will call sbrk, which uses the system call brk. We're allowing this for content and GMP processes, but not RDD. Because it's (potentially) used by malloc, it should be in the common policy.

It would also be nice if we could detect at build time whether we're using our own malloc, so we can make those rules conditional.

Here's an example, reported in IRC #developers. It's actually free trying to shrink the sbrk heap, but the principle is the same.

Regressed by: 1506291
Assignee: nobody → gpascutto
Priority: -- → P1
Pushed by gpascutto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2679dd0ac879
Whitelist brk syscall if jemalloc is disabled. r=jld

https://hg.mozilla.org/mozilla-central/rev/2679dd0ac879

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox70: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

I assume this is something we're going to want to uplift for the sake of downstream distros?

status-firefox68: --- → wontfix
status-firefox69: --- → affected
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → affected
Flags: needinfo?(gpascutto)

This is riskfree so we can uplift, but I sure as hell hope downstream distros don't disable jemalloc because it would disable a lot of our memory hardening work.

Flags: needinfo?(gpascutto)

Per IRC discussion, it doesn't sound like there's any compelling argument for backport here even though it's effectively NPOTB for builds we ship.

status-firefox69: affectedwontfix
status-firefox-esr68: affectedwontfix

Comment on attachment 9085516 [details]
Bug 1573578 - Whitelist brk syscall if jemalloc is disabled. r?jld

Beta/Release Uplift Approval Request

  • User impact if declined: Custom builds with jemalloc disabled and the sandbox enabled (this excludes ASAN) can crash.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The code change is not active for our own builds.
  • String changes made/needed:
Attachment #9085516 - Flags: approval-mozilla-beta?
Attachment #9085516 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: