Closed Bug 1850322 Opened 9 months ago Closed 5 months ago

Crash in [@ libc.so.6@0xddda3 | libc.so.6@0xddbf9 | <.text ELF section in libnvidia-glsi.so.535.98>]

Categories

(Core :: Security: Process Sandboxing, defect, P2)

Unspecified
Linux
defect


RESOLVED WORKSFORME

People

(Reporter: gsvelto, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/501eeaab-a638-4289-9606-05e6e0230828

Reason: SIGSYS / SYS_SECCOMP

Top 10 frames of crashing thread:

0  libc.so.6  libc.so.6@0xddda3  
1  libc.so.6  libc.so.6@0xddbf9  
2  libnvidia-glsi.so.535.98  <.text ELF section in libnvidia-glsi.so.535.98>  
3  libnvidia-glsi.so.535.98  <.text ELF section in libnvidia-glsi.so.535.98>  
4  libnvidia-glsi.so.535.98  <.text ELF section in libnvidia-glsi.so.535.98>  
5  libnvidia-glsi.so.535.98  _nv001glsi  
6  libnvidia-glsi.so.535.98  _nv001glsi  
7  libnvidia-glsi.so.535.98  _nv001glsi  
8  libEGL_nvidia.so.0  NvEglwlaf47906in  
9  libc.so.6  libc.so.6@0x9381e  

The proprietary Nvidia driver seems to be doing a clone() call.

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash

rdi = 0x0000000001200011 is CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD; essentially, it's trying to fork, possibly to run an external command. This is not allowed, and there isn't a way to allow it even if we wanted to (which we almost certainly don't).

We could work around it — return an error but not crash. I'd like to make this conditional on the nvidia driver being present but I don't know how feasible that is (it probably wouldn't be loaded yet when we set up the sandbox, and trying to interact with dynamic linker state during the clone syscall could potentially get us into trouble with glibc). Note that this is for the RDD process, so maybe it's fine if we always ignore attempts to fork for that process type.

Also note that the crashes here all appear to be from one install, so this is perhaps not high severity (despite being flagged as a topcrash), and this is a Nightly-only crash.

Severity: -- → S3
Priority: -- → P2
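Worked example added by the editor (not Firefox's SandboxFilter code): a seccomp-bpf clone() policy in the shape the comment above proposes, where thread creation is allowed, a fork-style clone() gets EPERM back instead of SIGSYS, and anything else keeps the trap-and-crash behaviour. It also includes a small cBPF evaluator so the policy can be checked offline against the exact register value from the crash, rdi = 0x1200011, before it is ever installed. Assumptions: Linux on x86_64, glibc's fork() issuing clone(CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, ...), and clone3 answered with ENOSYS so glibc falls back to the clone() path the filter inspects; the names run_filter, decide and install_clone_policy are the example's own.

```c
/* Added example, not Firefox's sandbox code. Assumes Linux on x86_64.
 * Policy: clone3 -> ENOSYS (forces glibc onto clone()), clone with
 * CLONE_THREAD -> allow, clone with CLONE_VM but no CLONE_THREAD -> SIGSYS,
 * plain fork (neither flag) -> EPERM. Everything else is allowed here only
 * to keep the example short; a real sandbox whitelists far less. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_clone3
#define __NR_clone3 435 /* same number on every architecture */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Jump targets (jt, jf) count instructions to skip after the jump. */
static struct sock_filter clone_policy[] = {
    /* 0-2: kill anything that is not a native x86_64 syscall */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-5: clone3 -> ENOSYS, glibc then retries with clone() */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
    /* 6-7: not clone -> allow (example only) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 8-10: low 32 bits of args[0] (little-endian); CLONE_THREAD -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_THREAD, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 11-13: CLONE_VM without CLONE_THREAD -> SIGSYS; plain fork -> EPERM */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_VM, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
};
#define CLONE_POLICY_LEN (sizeof clone_policy / sizeof clone_policy[0])

/* Minimal cBPF evaluator for the four opcodes the policy uses. */
unsigned int run_filter(const struct sock_filter *prog, size_t len,
                        const struct seccomp_data *data)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: /* load 32 bits at offset k of seccomp_data */
            memcpy(&acc, (const unsigned char *)data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:
            pc += (acc & in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end; the kernel rejects such programs */
}

/* Policy verdict for x86_64 syscall `nr` whose first argument is `arg0`. */
unsigned int decide(int nr, unsigned long arg0)
{
    struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64 };
    d.args[0] = arg0;
    return run_filter(clone_policy, CLONE_POLICY_LEN, &d);
}

int install_clone_policy(void)
{
    struct sock_fprog prog = { .len = CLONE_POLICY_LEN, .filter = clone_policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_clone_policy() != 0) {
        perror("install_clone_policy");
        return 1;
    }
    pid_t pid = fork(); /* glibc issues clone(0x1200011, ...) underneath */
    if (pid == 0)
        _exit(0);
    if (pid < 0)
        printf("fork() refused by policy: %s\n", strerror(errno)); /* EPERM, no SIGSYS */
    else
        printf("fork() unexpectedly succeeded\n");
    return pid < 0 ? 0 : 1;
}
```

Build with `cc -o clone_policy clone_policy.c` and run it: instead of a SIGSYS crash, fork() returns -1 with EPERM. The evaluator is the practical part: it lets a policy change be checked against recorded register values such as the rdi from the crash report without installing a filter, which matters because a TRAP verdict in an installed filter cannot be undone for the process. The caveat the comment raises still stands: the filter cannot tell whether the caller is the Nvidia driver, so the decision has to be per process type, not per library.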

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → WORKSFORME