Closed Bug 1723945 Opened 3 years ago Closed 3 years ago

nsSystemInfo.cpp: On non-x86_{32,64} Linux, CollectProcessInfo can silently fail and insert junk data into the process

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
94 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox92 --- wontfix
firefox93 --- wontfix
firefox94 --- fixed

People

(Reporter: jseward, Assigned: jseward)

Details

Attachments

(4 files)

Selected valgrind complainage
9.44 KB, application/octet-stream
Details
/proc/cpuinfo examples, x86_64 vs aarch64
2.04 KB, application/octet-stream
Details
A possible fix
812 bytes, patch
Details | Diff | Splinter Review
Bug 1723945 - nsSystemInfo.cpp: On non-x86_{32,64} Linux, CollectProcessInfo can silently fail and insert junk data into the process. r=nika.
48 bytes, text/x-phabricator-request
Details | Review

-- Summary --

This doesn't happen on any P1 platforms. It affects all non-x86/x86_64 Linuxes
though, in this example, aarch64-linux. It causes Valgrind runs on
aarch64-linux to report hundreds of errors, some of which are shown in the
attached log. These make it more difficult to use Valgrind to look for
problems in aarch64-specific parts of our code base.

-- Details --

What I think happens is:

xpcom/base/nsSystemInfo.cpp
nsSystemInfo::GetProcessInfo(JSContext*, Promise**)

It creates a new PromiseInfo, around line 1531:

    mProcessInfoPromise = InvokeAsync(backgroundET, __func__, []() {
      ProcessInfo info;                       <--------- UNINITIALISED
      nsresult rv = CollectProcessInfo(info);
      if (NS_SUCCEEDED(rv)) {
        return ProcessInfoPromise::CreateAndResolve(info, __func__);
      }
      return ProcessInfoPromise::CreateAndReject(rv, __func__);
    });
  };

A reference to it is passed to CollectProcessInfo(..). That is supposed to
fill in various fields of it, but fails to do so, because ..

(reading the XP_LINUX non-ANDROID implementation of it starting at line 727)

.. it tries to pull out various fields from /proc/cpuinfo, in particular
vendor_id, cpu family, model, stepping, cpu cores etc. That works
fine on x86/x86_64-linux, but on aarch64-linux (or Linux on any other
architecture) the format of /proc/cpuinfo is completely different. See the
second attachment.

Hence attempts to read those fields fail, and the control flow that follows
(at the bottom of CollectProcessInfo(..)) does not alter the fields of the
provided ProcessInfo struct. But nobody detects the failure, and so the
contents of the struct are used uninitialised, resulting in Valgrind reporting
dozens of errors throughout Gecko.

One simple way to fix this is to provide a constructor for struct ProcessInfo
that zeroes out all the fields at the start, hence providing a
safe fallback situation. Frankly I'm amazed that we still allow
classes/structs with no constructors. Don't we have static analysis in
automation to guard against this?

Attached patch A possible fixSplinter Review
Assignee: nobody → jseward
Summary: nsSystemInfo.cpp: On Linux, CollectProcessInfo can silently fail and insert junk data into the process → nsSystemInfo.cpp: On non-x86_{32,64} Linux, CollectProcessInfo can silently fail and insert junk data into the process

This doesn't happen on any P1 platforms. It affects all non-x86/x86_64
Linuxes though, in this example, aarch64-linux. It causes Valgrind runs on
aarch64-linux to report hundreds of errors. In short, attempts to read
various fields from /proc/cpuinfo fail, because CollectProcessInfo() assumes
that it is looking at a /proc/cpuinfo file from a x86_{32,64} target, but its
format is very different on non x86 targets. Unfortunately the parsing fails,
but the failure is not detected, resulting in the uninitialised fields being
treated as if they contained real data.

The simple fix here is just to add a constructor for class ProcessInfo.

Pushed by jseward@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cd6051c0a723
nsSystemInfo.cpp: On non-x86_{32,64} Linux, CollectProcessInfo can silently fail and insert junk data into the process.  r=nika.

https://hg.mozilla.org/mozilla-central/rev/cd6051c0a723

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox94: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch

Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

status-firefox93: --- → ?

Beta is also affected. Given that this is non-Tier-1 Linux, I don't think it's worth
uplifting the fix.

status-firefox93: ?affected

We might actually want it for downstreams, on beta and esr.

Flags: needinfo?(jseward)

Is this ready for an ESR uplift request?

Flags: needinfo?(jseward)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)

Is this ready for an ESR uplift request?

Flags: needinfo?(jseward)

On consideration, I would prefer to wontfix esr91, since

  • we are not aware of any actual problems caused by the bug

  • this is non-P1 Linux only (eg, arm64-linux etc)

  • For those targets, I don't have any simple way to know what the effects of changing the reported values of various CPU parameters from <random junk in memory> to zero are, and I don't want to rock the ESR boat.

status-firefox-esr91: affectedwontfix
Flags: needinfo?(jseward)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: