[VA-API] Crash in [@ __GI___socket]
Categories
(Core :: Security: Process Sandboxing, defect, P1)
| Version | Tracking | Status |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox94 | --- | unaffected |
| firefox95 | --- | unaffected |
| firefox96 | --- | disabled |
| firefox97 | --- | fixed |
People
(Reporter: gsvelto, Assigned: jld)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/c07ca086-6177-4cf5-a29d-41c890211130
Reason: SIGSYS
Top 10 frames of crashing thread:
0 libc.so.6 __GI___socket
1 libc.so.6 open_socket
2 libc.so.6 __nscd_get_mapping
3 libc.so.6 __nscd_get_map_ref
4 libc.so.6 nscd_getpw_r
5 libc.so.6 __nscd_getpwuid_r
6 libc.so.6 __getpwuid_r
7 libgallium_dri.so __driDriverGetExtensions_zink
8 libgallium_dri.so nouveau_drm_screen_create
9 libgallium_dri.so nouveau_drm_screen_create
Mesa seems to be using getpwuid_r() in order to get the user's home directory (where it will further look for .cache in order to store its compiled shaders cache). This in turn calls open_socket() which ultimately seems to be calling socket() and that's where we're crashing.
Comment 1•2 years ago (Reporter)
Meh, sorry, it's a socket() call, not a dup() one.
Comment 2•2 years ago
Got it with Intel: bp-cb0dabbe-47ef-46d0-906c-bf4290211202
Comment 3•2 years ago
MESA_GLSL_CACHE_DISABLE=1 might also be an option for the RDD process. (?)
(Nvidia is still incompatible/irrelevant, but does also offer a __GL_SHADER_DISK_CACHE=0 option.)
Comment 4•2 years ago (Assignee)
Mesa tries to get the XDG cache directory value, but if $XDG_CACHE_HOME is unset it tries to call getpwuid_r for the home directory instead of checking the environment, and passwd lookup can use sockets (to connect to nscd, or a server like NIS or LDAP). This patch changes the RDD sandbox policy to simply return an error instead of treating it as an unexpected event.
Also, we don't allow access to that directory in the RDD process's filesystem policy, so there's no point in Mesa trying to find it.
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ef135302a153
Quietly reject socket creation in the RDD process. r=gcp
Comment 6•2 years ago (bugherder)