Closed Bug 1597792 Opened 5 years ago Closed 5 years ago

Launching the profiler on linux insta-crashes due to sandbox violation.

Categories

(Core :: Security: Process Sandboxing, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox-esr68 72+ fixed
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- fixed

People

(Reporter: emilio, Assigned: emilio)

References

Details

Attachments

(1 file)

trying it on a debug build I get:

[Parent 4506, Main Thread] WARNING: NS_ENSURE_TRUE(weakFrame.IsAlive()) failed: file /home/emilio/src/moz/gecko-2/layout/xul/nsXULPopupManager.cpp, line 1058
Sandbox: seccomp sandbox violation: pid 4688, tid 4742, syscall 230, args 0 0 139981609756488 139981609756488 0 139981609756504.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: clock_nanosleep[/lib64/libc.so.6 +0xc85b1]
Sandbox: frame #02: nanosleep[/lib64/libc.so.6 +0xcdf87]
Sandbox: frame #03: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952b1da]
Sandbox: frame #04: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952ae7a]
Sandbox: frame #05: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952b6b1]
Sandbox: frame #06: ???[/lib64/libpthread.so.0 +0x9482]
Sandbox: frame #07: clone[/lib64/libc.so.6 +0x101453]
Sandbox: frame #08: ??? (???:???)
Sandbox: end of stack.
Sandbox: seccomp sandbox violation: pid 4567, tid 4745, syscall 230, args 0 0 139690952877896 139690952877896 0 139690952877912.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: clock_nanosleep[/lib64/libc.so.6 +0xc85b1]
Sandbox: frame #02: nanosleep[/lib64/libc.so.6 +0xcdf87]
Sandbox: frame #03: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952b1da]
Sandbox: frame #04: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952ae7a]
Sandbox: frame #05: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952b6b1]
Sandbox: frame #06: ???[/lib64/libpthread.so.0 +0x9482]
Sandbox: frame #07: clone[/lib64/libc.so.6 +0x101453]
Sandbox: frame #08: ??? (???:???)
Sandbox: end of stack.
Sandbox: seccomp sandbox violation: pid 4632, tid 4747, syscall 230, args 0 0 140445303695176 140445303695176 0 140445303695192.  Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: clock_nanosleep[/lib64/libc.so.6 +0xc85b1]
Sandbox: frame #02: nanosleep[/lib64/libc.so.6 +0xcdf87]
Sandbox: frame #03: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952b1da]
Sandbox: frame #04: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952ae7a]
Sandbox: frame #05: ???[/home/emilio/src/moz/gecko-2/obj-debug/dist/bin/libxul.so +0x952b6b1]
Sandbox: frame #06: ???[/lib64/libpthread.so.0 +0x9482]
Sandbox: frame #07: clone[/lib64/libc.so.6 +0x101453]
Sandbox: frame #08: ??? (???:???)
Sandbox: end of stack.

So I tried to get a regression range for this and I can reproduce it in 68... so what gives? Has it been a system update?

Nazim, have you seen this before?

Flags: needinfo?(canaltinova)
Assignee: nobody → emilio
Flags: needinfo?(canaltinova)

It seems newer glibc versions implement nanosleep() in terms of
clock_nanosleep(), which broke the profiler due to the sandbox rules
whitelisting the former but not the latter.

Unfortunate that the profiler will fail in old Firefox versions though... :/

following

We can probably uplift this aggressively.

This can be worked around with:
security.sandbox.content.syscall_whitelist
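As an added example (not part of this bug or of Mozilla's code), a small triage script for logs like the one above: it parses the "seccomp sandbox violation" lines, names syscall 230 for x86_64, keeps the symbolised frames so the clock_nanosleep-under-nanosleep chain stays visible, and emits the number in the format the whitelist pref is assumed to take (a comma-separated list of syscall numbers; that format and the shortened libxul path in the sample are assumptions).

```python
import re

# Partial x86_64 syscall table: only the numbers this bug is about.
# Syscall numbers differ on other architectures; extend as needed.
X86_64_SYSCALLS = {35: "nanosleep", 230: "clock_nanosleep"}

VIOLATION_RE = re.compile(r"seccomp sandbox violation: pid (\d+), tid (\d+), "
                          r"syscall (\d+), args ([^.]*)\.")
FRAME_RE = re.compile(r"frame #\d+: (\S+?)\[")

def parse_violations(log_text):
    """One dict per 'seccomp sandbox violation' line, with the named frames
    of the stack trace that follows it ('???' frames are dropped)."""
    violations = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            pid, tid, nr, args = m.groups()
            violations.append({"pid": int(pid), "tid": int(tid), "syscall": int(nr),
                               "name": X86_64_SYSCALLS.get(int(nr), "syscall_" + nr),
                               "args": args.split(), "frames": []})
        elif violations:
            f = FRAME_RE.search(line)
            if f and f.group(1) != "???":
                violations[-1]["frames"].append(f.group(1))
    return violations

def summarize(violations):
    """Count violations per syscall name, e.g. {'clock_nanosleep': 2}."""
    counts = {}
    for v in violations:
        counts[v["name"]] = counts.get(v["name"], 0) + 1
    return counts

def whitelist_pref_value(violations):
    """Value for security.sandbox.content.syscall_whitelist covering every
    syscall seen. Assumes the pref is a comma-separated list of numbers."""
    return ",".join(str(n) for n in sorted({v["syscall"] for v in violations}))

# Constructed sample, abridged from the log in this bug (libxul path shortened).
SAMPLE_LOG = """\
Sandbox: seccomp sandbox violation: pid 4688, tid 4742, syscall 230, args 0 0 139981609756488 139981609756488 0 139981609756504.  Killing process.
Sandbox: frame #01: clock_nanosleep[/lib64/libc.so.6 +0xc85b1]
Sandbox: frame #02: nanosleep[/lib64/libc.so.6 +0xcdf87]
Sandbox: frame #03: ???[/path/to/libxul.so +0x952b1da]
Sandbox: frame #07: clone[/lib64/libc.so.6 +0x101453]
Sandbox: frame #08: ??? (???:???)
Sandbox: seccomp sandbox violation: pid 4567, tid 4745, syscall 230, args 0 0 139690952877896 139690952877896 0 139690952877912.  Killing process.
"""
```

Running `summarize(parse_violations(SAMPLE_LOG))` on the sample gives `{'clock_nanosleep': 2}` and `whitelist_pref_value` gives `230`, the value a user would put in the pref to work around the bug until the fix lands.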

Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7d78f9dd9527 Allow clock_nanosleep in the sandbox filter. r=gcp

Comment on attachment 9110079 [details]
Bug 1597792 - Allow clock_nanosleep in the sandbox filter. r=gcp

Beta/Release Uplift Approval Request

  • User impact if declined: Broken profiler after system (libc) updates.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Not risky - adds permissions to the sandbox.
  • String changes made/needed:
Attachment #9110079 - Flags: approval-mozilla-beta?
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Attachment #9110079 - Flags: approval-mozilla-beta?

Previous bugs similar to this haven't necessarily needed uplift, because in those cases it was a newly added syscall and glibc has fallback code, and on non-Nightly builds we return ENOSYS instead of crashing (see gSandboxCrashOnError).

This bug is an exception. clock_nanosleep is old (predates the start of the Git history in 2005) and glibc doesn't have fallback code, so we do need uplift. Otherwise, nanosleep will fail, and the profiler's assertion that it succeeds is debug-only. I haven't tested this, but I'd expect a release (or beta, or ESR) build affected by this bug to busy-loop interrupting threads for samples, probably making the browser unusable. So we'll need uplift of this and bug 1598040.

Comment on attachment 9110079 [details]
Bug 1597792 - Allow clock_nanosleep in the sandbox filter. r=gcp

Beta/Release Uplift Approval Request

  • User impact if declined: Profiler doesn't work on Linux.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1598040
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple sandbox allowance, with further restrictions in bug 1598040.
  • String changes made/needed: none

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: See above
  • User impact if declined: See above.
  • Fix Landed on Version: 72
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): see above
  • String or UUID changes made by this patch: none
Attachment #9110079 - Flags: approval-mozilla-esr68?
Attachment #9110079 - Flags: approval-mozilla-beta?

Comment on attachment 9110079 [details]
Bug 1597792 - Allow clock_nanosleep in the sandbox filter. r=gcp

I talked with emilio, and this bug would only affect end users on Linux that use the profiler and have the most recent glibc library. That seems like a very small subset of users for an uplift on RC day, so we agreed that this could ride the 72 train. I am leaving the flag for ESR as it probably makes sense to uplift in the January ESR.

Attachment #9110079 - Flags: approval-mozilla-beta? → approval-mozilla-beta-

Comment on attachment 9110079 [details]
Bug 1597792 - Allow clock_nanosleep in the sandbox filter. r=gcp

Linux sandbox update, approved for 68.4esr

Attachment #9110079 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+