1719391 - File descriptor leak when constructing sandbox file broker

Status: RESOLVED FIXED

(Core :: Security: Process Sandboxing, defect, P1)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

This line in sandbox broker initialization constructs a mozilla::ipc::FileDescriptor (for the client side of the broker's socket pair) from an int, which dups the fd, but in this case the caller intended to transfer ownership.

As a result, every time a content process is started/stopped, we leak a file descriptor in the parent process. This code hasn't been changed in a very long time, so it's possible that this has been the case since sandbox file brokering shipped on desktop. (It was originally written for B2G, but I vaguely remember that I only ever got it working on the emulator.)

Note that we don't leak the broker thread: when the broker instance is destroyed (it's owned by the ContentParent), it forces an EOF on the socket which causes the thread to exit.

There have been a number of bugs recently which came down to mystery fd exhaustion, and it's possible that this bug is the cause (or at least a contributing factor), especially because Fission probably means more turnover of content processes.

This is a one-line fix and we'll probably want to uplift it everywhere.

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Attachment: Bug 1719391 - Fix fd leak during Linux sandbox file broker creation.

Comment 2

[Pulsebot]

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1fa9aa100504
Fix fd leak during Linux sandbox file broker creation. r=glandium

Comment 3

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/1fa9aa100504