Closed Bug 1705045 Opened 4 years ago Closed 4 years ago

Crash in [@ ld-linux-x86-64.so.2@0x1faeb] with SIGSYS

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Product:
Core
Component:
Security: Process Sandboxing
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
90 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- fixed

People

(Reporter: emilio, Assigned: jld)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1705045 - Quietly deny `MADV_MERGEABLE` in Linux sandbox policies that filter `madvise`.
48 bytes, text/x-phabricator-request
Details | Review

Looks like maybe running on a very modern system or something that may hint at a new syscall to be blocked / allowed?

Jed, do you know if we have the syscall information in the crash report?

Crash report: https://crash-stats.mozilla.org/report/index/6c182e8f-a58f-4974-96c9-6ddaf0210412

Reason: SIGSYS

Top 10 frames of crashing thread:

0 ld-linux-x86-64.so.2 ld-linux-x86-64.so.2@0x1faeb 
1 ld-linux-x86-64.so.2 ld-linux-x86-64.so.2@0x9285 
2 ld-linux-x86-64.so.2 ld-linux-x86-64.so.2@0xd5cb 
3 [stack] [stack]@0x1bbcf 
4 [stack] [stack]@0x1bccf 
5 [stack] [stack]@0x1bd5f 
6 ld-linux-x86-64.so.2 ld-linux-x86-64.so.2@0x84bc 
7 [stack] [stack]@0x1bb7f 
8 libfreeblpriv3.so _fini 
9 [stack] [stack]@0x1bd5f
Flags: needinfo?(jld)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #0)

Jed, do you know if we have the syscall information in the crash report?

We have the registers in the crash report; see the syscall(2) man page for which ones are which. Also, the address field in the crash report is the syscall number.

In this case it's madvise with MADV_MERGEABLE. This doesn't appear to be used in the current development versions of either glibc or musl.

I notice that all the crash reports declare themselves to be Clear Linux OS. Which leads us to this patch, which asks the kernel to merge identical pages in the BSS segments of loaded objects.

I'd prefer not to allow this in the sandbox policies — being able to share physical memory pages with other processes by guessing their contents has some privacy implications — and I don't think this can save enough memory in practice to justify that.

As a side note, the sandbox policy applies only to libraries loaded after it's started, like NSS or FFmpeg, but not libxul itself (or libc, etc.), which means a sandboxed process on Clear Linux already has KSM-enabled pages that an attacker could use. It's theoretically possible for us to try to find those regions and MADV_UNMERGEABLE them, but I don't think it's worth it.

Flags: needinfo?(jld)

This madvise type is used by one Linux distro's libc, and in
principle could be used by other userspace libraries trying to optimize
performance, and I'd rather not allow it (see bug for more details).

Therefore, this patch returns an error instead of treating it as an
unknown syscall (which crashes on Nightly).

However, the content policy doesn't yet filter madvise (bug 1510861);
this patch doesn't change that.

Assignee: nobody → jld
Status: NEW → ASSIGNED
Severity: -- → S4
Priority: -- → P1
Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/602dca652b3a Quietly deny `MADV_MERGEABLE` in Linux sandbox policies that filter `madvise`. r=gcp

https://hg.mozilla.org/mozilla-central/rev/602dca652b3a

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox90: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: