Closed Bug 1591117 Opened 5 years ago Closed 5 years ago

seccomp access violation: sys_statx with rust nightly

Categories

(Core :: Security: Process Sandboxing, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox72 --- fixed

People

(Reporter: mceier+mozilla, Assigned: gcp)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

I'm using rust nightly (from yesterday) and built firefox from trunk.

I opened youtube link with video and clicked play (it crashes on any page that tries to play audio).

Actual results:

Tab crashed with following backtrace:

Sandbox: seccomp sandbox violation: pid 84091, tid 84301, syscall 332, args 66 140653172312854 4096 4095 140652752458960 140652752458976. Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: syscall (/var/tmp/portage/sys-libs/glibc-2.30-r2/work/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/syscall.S:38)
Sandbox: frame #02: _ZN3std3sys4unix2fs9try_statx17h4543349cfb684145E.llvm.12725196948316218630 (crtstuff.c:?)
Sandbox: frame #03: std::fs::File::metadata (/home/dev/home/sources/firefox-hg/mozilla-central/obj-x86_64-pc-linux-gnu/dist/bin/libxul.so)
Sandbox: frame #04: memmap::MmapOptions::get_len::{{closure}} (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/memmap/src/lib.rs:122)
Sandbox: frame #05: core::option::Option<T>::unwrap_or_else (/var/tmp/portage/dev-lang/rust-9999/work/rust-git-src/src/libcore/option.rs:421)
Sandbox: frame #06: memmap::MmapOptions::get_len (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/memmap/src/lib.rs:131)
Sandbox: frame #07: memmap::MmapOptions::map_mut (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/memmap/src/lib.rs:231)
Sandbox: frame #08: audioipc::shm::SharedMemMutSlice::from (/home/dev/home/sources/firefox-hg/mozilla-central/obj-x86_64-pc-linux-gnu/dist/bin/libxul.so)
Sandbox: frame #09: audioipc_client::stream::ClientStream::init (/home/dev/home/sources/firefox-hg/mozilla-central/media/audioipc/client/src/stream.rs:195)
Sandbox: frame #10: audioipc_client::stream::init (crtstuff.c:?)
Sandbox: frame #11: <audioipc_client::context::ClientContext as cubeb_backend::traits::ContextOps>::stream_init (/home/dev/home/sources/firefox-hg/mozilla-central/media/audioipc/client/src/context.rs:359)
Sandbox: frame #12: cubeb_backend::capi::capi_stream_init (/home/dev/home/sources/firefox-hg/mozilla-central/third_party/rust/cubeb-backend/src/capi.rs:155)
Sandbox: end of stack.

Expected results:

Tab shouldn't crash and video should play. It seems statx syscall is not whitelisted.

Just noticed that bugzilla inserts User-Agent into the bug report... I'm using a user-agent switcher and also have resistFingerprinting set to true, so it's incorrect.

Assignee: nobody → gpascutto
Priority: -- → P1
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: normal → critical
OS: Unspecified → Linux
Hardware: Unspecified → x86_64

I think we can just do ENOSYS: https://github.com/rust-lang/rust/commit/43f398be6d0faaf119150c950133ba4aa0ff42b3#diff-aa082e80918abc05b2471acd31e76621R90

And then deal with full brokering (as it's filesystem access) in a follow-up.
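The ENOSYS approach from the comment above, as an added example rather than code from Firefox's sandbox or from rustc: a minimal seccomp-bpf filter that answers statx with ENOSYS instead of a SIGSYS kill, beside a caller that, like libstd's try_statx, retries with fstat when it sees ENOSYS. The function names are assumptions, and the block assumes x86_64 Linux with glibc 2.28 or newer (for struct statx).

```c
/* Added example, not Firefox's SandboxFilter.cpp: x86_64 Linux, glibc >= 2.28. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __x86_64__
#error "filter is written for x86_64, the architecture in the report (statx is syscall 332 there)"
#endif

/* Wrong arch -> kill; nr == statx -> hand ENOSYS back to the caller; anything else -> allow. */
static const struct sock_filter enosys_statx_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_statx, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter on the calling thread; 0 on success, -1 with errno set. */
int install_enosys_statx_filter(void) {
    struct sock_fprog prog = { .len = sizeof(enosys_statx_filter) / sizeof(enosys_statx_filter[0]),
                               .filter = (struct sock_filter *)enosys_statx_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Raw statx first (as libstd does), fstat when the kernel or the filter answers ENOSYS.
 * Returns 1 if statx answered, 2 if the fstat fallback was used, -1 on any other error. */
int file_size_with_fallback(int fd, off_t *size) {
    struct statx stx;
    struct stat st;
    if (syscall(__NR_statx, fd, "", AT_EMPTY_PATH, STATX_SIZE, &stx) == 0) {
        *size = (off_t)stx.stx_size;
        return 1;
    }
    if (errno != ENOSYS || fstat(fd, &st) != 0) return -1;
    *size = st.st_size;
    return 2;
}
```

After install_enosys_statx_filter() succeeds, file_size_with_fallback() on any descriptor reports 2 (the fstat path) where the report's sandbox killed the process with SIGSYS.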

I've confirmed that this reproduces with rustc 1.40 (nightly) and not with 1.39 (beta).

The upstream files for the syscall numbers are only partially up to date. The latest change was a shmem related change and they only needed the new 32-bit ones. So I regenerated the 64-bit one from the source. Chromium doesn't include any script to do so - I used a vim macro, as my awk skills aren't all that.

From surveying the new syscalls, statx and membarrier seem the most likely to be used by relevant userspace. It seems some downstream users actually already had to patch membarrier, which I've confirmed musl will try to use.

Maybe rseq is also a candidate, but the use cases for that seem more limited.

Pushed by gpascutto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a0be746532f4
Report ENOSYS on statx, but allow membarrier. r=jld
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Flags: qe-verify+

This should've made a corresponding change to security/sandbox/chromium-shim/patches/with_update/ so the patch to Chromium's code doesn't get lost.

Flags: needinfo?(gpascutto)

Follow-up in bug 1613921.

Flags: needinfo?(gpascutto)
