Closed Bug 1743609 Opened 2 years ago Closed 2 years ago

[VA-API] Crash in [@ __GI___socket]

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Unspecified
Linux
defect

RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox94 --- unaffected
firefox95 --- unaffected
firefox96 --- disabled
firefox97 --- fixed

People

(Reporter: gsvelto, Assigned: jld)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/c07ca086-6177-4cf5-a29d-41c890211130

Reason: SIGSYS

Top 10 frames of crashing thread:

0 libc.so.6 __GI___socket 
1 libc.so.6 open_socket 
2 libc.so.6 __nscd_get_mapping 
3 libc.so.6 __nscd_get_map_ref 
4 libc.so.6 nscd_getpw_r 
5 libc.so.6 __nscd_getpwuid_r 
6 libc.so.6 __getpwuid_r 
7 libgallium_dri.so __driDriverGetExtensions_zink 
8 libgallium_dri.so nouveau_drm_screen_create 
9 libgallium_dri.so nouveau_drm_screen_create 

Mesa seems to be using getpwuid_r() in order to get the user's home directory (where it will further look for .cache in order to store its compiled shaders cache). This in turn calls open_socket(), which ultimately seems to be calling socket(), and that's where we're crashing.

Meh, sorry, it's a socket() call, not a dup() one.

Assignee: nobody → jld
Summary: Crash in [@ __GI___socket] → [VA-API] Crash in [@ __GI___socket]

MESA_GLSL_CACHE_DISABLE=1 might also be an option for the RDD process. (?)
(Nvidia is still incompatible/irrelevant, but does also offer a __GL_SHADER_DISK_CACHE=0 option.)

Crash Signature: [@ __GI___socket] → [@ __GI___socket] [@ __GI_socket ]

Mesa tries to get the XDG cache directory value, but if $XDG_CACHE_HOME
is unset it tries to call getpwuid_r for the home directory instead of
checking the environment, and passwd lookup can use sockets (to connect to
nscd, or a server like NIS or LDAP). This patch changes the RDD sandbox
policy to simply return an error instead of treating it as an unexpected
event.

Also, we don't allow access to that directory in the RDD process's
filesystem policy, so there's no point in Mesa trying to find it.
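The difference between treating socket() as an unexpected event and quietly rejecting it, shown as an added example that is not Firefox's sandbox code: a minimal seccomp-bpf filter applied in a forked child, once with a trap action and once with an errno action. The function name, the direct socket() call standing in for the passwd lookup, and the choice of EACCES are assumptions made for illustration; the page does not state which error the patch returns.

```c
/* Added example (not Firefox code): TRAP vs. ERRNO for socket() under seccomp-bpf.
 * Assumes Linux with __NR_socket (e.g. x86-64, aarch64); names are hypothetical. */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child, filter socket() with `action`, allow everything else.
 * Returns the child's errno from socket() (0 if it succeeded), -signo if
 * the child was killed by a signal, or 255 if the filter could not be set. */
int socket_outcome(uint32_t action)
{
    pid_t pid = fork();
    if (pid < 0)
        return 255;
    if (pid == 0) {
        struct sock_filter insns[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, action),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = { .len = 4, .filter = insns };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(255);
        /* Stand-in for the socket() that a passwd lookup may make. */
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);
        _exit(fd < 0 ? errno : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 255;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void)
{
    printf("TRAP:  %d (negative = killed by that signal)\n", socket_outcome(SECCOMP_RET_TRAP));
    printf("ERRNO: %d (errno seen by the caller)\n", socket_outcome(SECCOMP_RET_ERRNO | EACCES));
    return 0;
}
```

With the trap action and no SIGSYS handler installed, the child dies with SIGSYS, the same reason recorded in the crash report; with the errno action the caller just sees socket() fail and can fall back.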

Priority: -- → P1
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ef135302a153
Quietly reject socket creation in the RDD process. r=gcp
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch