seccomp access violation: sys_statx with rust nightly
Categories: Core :: Security: Process Sandboxing, defect, P1

Tracking | Status
---|---
firefox72 | fixed

People: Reporter: mceier+mozilla, Assigned: gcp

Attachments: 1 file
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Steps to reproduce:
I'm using rust nightly (from yesterday) and built firefox from trunk.
I opened a YouTube link with a video and clicked play (it crashes on any page that tries to play audio).
Actual results:
Tab crashed with the following backtrace:
Sandbox: seccomp sandbox violation: pid 84091, tid 84301, syscall 332, args 66 140653172312854 4096 4095 140652752458960 140652752458976. Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: syscall (/var/tmp/portage/sys-libs/glibc-2.30-r2/work/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/syscall.S:38)
Sandbox: frame #02: _ZN3std3sys4unix2fs9try_statx17h4543349cfb684145E.llvm.12725196948316218630 (crtstuff.c:?)
Sandbox: frame #03: std::fs::File::metadata (/home/dev/home/sources/firefox-hg/mozilla-central/obj-x86_64-pc-linux-gnu/dist/bin/libxul.so)
Sandbox: frame #04: memmap::MmapOptions::get_len::{{closure}} (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/memmap/src/lib.rs:122)
Sandbox: frame #05: core::option::Option<T>::unwrap_or_else (/var/tmp/portage/dev-lang/rust-9999/work/rust-git-src/src/libcore/option.rs:421)
Sandbox: frame #06: memmap::MmapOptions::get_len (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/memmap/src/lib.rs:131)
Sandbox: frame #07: memmap::MmapOptions::map_mut (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/memmap/src/lib.rs:231)
Sandbox: frame #08: audioipc::shm::SharedMemMutSlice::from (/home/dev/home/sources/firefox-hg/mozilla-central/obj-x86_64-pc-linux-gnu/dist/bin/libxul.so)
Sandbox: frame #09: audioipc_client::stream::ClientStream::init (/home/dev/home/sources/firefox-hg/mozilla-central/media/audioipc/client/src/stream.rs:195)
Sandbox: frame #10: audioipc_client::stream::init (crtstuff.c:?)
Sandbox: frame #11: <audioipc_client::context::ClientContext as cubeb_backend::traits::ContextOps>::stream_init (/home/dev/home/sources/firefox-hg/mozilla-central/media/audioipc/client/src/context.rs:359)
Sandbox: frame #12: cubeb_backend::capi::capi_stream_init (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/cubeb-backend/src/capi.rs:155)
Sandbox: end of stack.
Expected results:
Tab shouldn't crash and the video should play. It seems the statx syscall is not whitelisted.
Just noticed that Bugzilla inserts the User-Agent into the bug report... I'm using a user-agent switcher and also have resistFingerprinting set to true, so it's incorrect.
Comment 2•5 years ago
I think we can just do ENOSYS: https://github.com/rust-lang/rust/commit/43f398be6d0faaf119150c950133ba4aa0ff42b3#diff-aa082e80918abc05b2471acd31e76621R90
And then deal with full brokering (as it's filesystem access) in a follow-up.
Comment 3•5 years ago
I've confirmed that this reproduces with rustc 1.40 (nightly) and not with 1.39 (beta).
Comment 4•5 years ago

Comment 5•5 years ago
The upstream files for the syscall numbers are only partially up to date. The latest change was a shmem-related change and they only needed the new 32-bit ones. So I regenerated the 64-bit one from the source. Chromium doesn't include any script to do so; I used a vim macro, as my awk skills aren't all that.
From surveying the new syscalls, statx and membarrier seem the most likely to be used by relevant userspace. It seems some downstream users actually already had to patch membarrier, which I've confirmed musl will try to use.
Maybe rseq is also a candidate, but the use cases for that seem more limited.
Pushed by gpascutto@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a0be746532f4 Report ENOSYS on statx, but allow membarrier. r=jld
Comment 7•5 years ago
bugherder
Comment 8•4 years ago
This should've made a corresponding change to security/sandbox/chromium-shim/patches/with_update/ so the patch to Chromium's code doesn't get lost.