Crash in [@ libc.so.6@0xddda3 | libc.so.6@0xddbf9 | <.text ELF section in libnvidia-glsi.so.535.98>]
Categories
(Core :: Security: Process Sandboxing, defect, P2)
People
(Reporter: gsvelto, Unassigned)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/501eeaab-a638-4289-9606-05e6e0230828
Reason: SIGSYS / SYS_SECCOMP
Top 10 frames of crashing thread:
0 libc.so.6 libc.so.6@0xddda3
1 libc.so.6 libc.so.6@0xddbf9
2 libnvidia-glsi.so.535.98 <.text ELF section in libnvidia-glsi.so.535.98>
3 libnvidia-glsi.so.535.98 <.text ELF section in libnvidia-glsi.so.535.98>
4 libnvidia-glsi.so.535.98 <.text ELF section in libnvidia-glsi.so.535.98>
5 libnvidia-glsi.so.535.98 _nv001glsi
6 libnvidia-glsi.so.535.98 _nv001glsi
7 libnvidia-glsi.so.535.98 _nv001glsi
8 libEGL_nvidia.so.0 NvEglwlaf47906in
9 libc.so.6 libc.so.6@0x9381e
The proprietary Nvidia driver seems to be doing a clone() call.
Comment 1•9 months ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 desktop browser crashes on nightly
For more information, please visit BugBot documentation.
Comment 2•9 months ago
rdi = 0x0000000001200011 is CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD; essentially, it's trying to fork, possibly to run an external command. This is not allowed, and there isn't a way to allow it even if we wanted to (which we almost certainly don't).
We could work around it — return an error but not crash. I'd like to make this conditional on the nvidia driver being present but I don't know how feasible that is (it probably wouldn't be loaded yet when we set up the sandbox, and trying to interact with dynamic linker state during the clone syscall could potentially get us into trouble with glibc). Note that this is for the RDD process, so maybe it's fine if we always ignore attempts to fork for that process type.
Also note that the crashes here all appear to be from one install, so this is perhaps not high severity (despite being flagged as a topcrash), and this is a Nightly-only crash.
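A worked illustration of the register decoding in comment 2 and of the "return an error but not crash" workaround, added here as an example and not part of this bug or of Firefox's sandbox code. It decodes a clone() flags word the way the comment does, classifies it as thread creation or process creation, and, when run as a program on x86-64 Linux, installs a seccomp-bpf filter that answers fork-style clone() calls with EPERM instead of the SIGSYS kill recorded in the crash report. The CLONE_* bit values are the Linux UAPI constants (a subset is listed); the rule "CLONE_THREAD set means a thread, anything else is process creation" is a simplification assumed for this example, and SIGCHLD = 17 is the x86-64 value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Subset of clone() flag bits from the Linux UAPI (include/uapi/linux/sched.h),
 * in ascending bit order so decoded names always come out in the same order. */
static const struct { unsigned long bit; const char *name; } clone_flag_names[] = {
    { 0x00000100UL, "CLONE_VM" },
    { 0x00000200UL, "CLONE_FS" },
    { 0x00000400UL, "CLONE_FILES" },
    { 0x00000800UL, "CLONE_SIGHAND" },
    { 0x00004000UL, "CLONE_VFORK" },
    { 0x00008000UL, "CLONE_PARENT" },
    { 0x00010000UL, "CLONE_THREAD" },
    { 0x00040000UL, "CLONE_SYSVSEM" },
    { 0x00080000UL, "CLONE_SETTLS" },
    { 0x00100000UL, "CLONE_PARENT_SETTID" },
    { 0x00200000UL, "CLONE_CHILD_CLEARTID" },
    { 0x01000000UL, "CLONE_CHILD_SETTID" },
};
#define K_CLONE_THREAD 0x00010000UL
#define K_CSIGNAL      0x000000ffUL /* low byte: signal sent to the parent on exit */
#define K_SIGCHLD      17           /* SIGCHLD on x86-64 Linux */

/* Render a clone() flags word as "NAME|NAME|...|SIGCHLD" (the comment-2 style).
 * Returns the number of names written, or -1 if the buffer is too small. */
int decode_clone_flags(unsigned long flags, char *out, size_t outlen)
{
    size_t used = 0, i;
    int count = 0, n;
    out[0] = '\0';
    for (i = 0; i < sizeof clone_flag_names / sizeof clone_flag_names[0]; i++) {
        if (!(flags & clone_flag_names[i].bit))
            continue;
        n = snprintf(out + used, outlen - used, "%s%s", count ? "|" : "",
                     clone_flag_names[i].name);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
        count++;
    }
    if (flags & K_CSIGNAL) {
        unsigned long sig = flags & K_CSIGNAL;
        n = (sig == K_SIGCHLD)
            ? snprintf(out + used, outlen - used, "%sSIGCHLD", count ? "|" : "")
            : snprintf(out + used, outlen - used, "%ssignal %lu", count ? "|" : "", sig);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        count++;
    }
    return count;
}

enum clone_verdict { CLONE_ALLOW, CLONE_ERRNO };

/* Simplified policy assumed for this example: CLONE_THREAD means a new thread
 * (allowed); anything else creates a process and is answered with EPERM. */
enum clone_verdict classify_clone(unsigned long flags)
{
    return (flags & K_CLONE_THREAD) ? CLONE_ALLOW : CLONE_ERRNO;
}

#if defined(__linux__) && defined(__x86_64__)
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Install a seccomp-bpf filter that applies classify_clone() in the kernel:
 * non-clone syscalls pass, thread clones pass, process clones get EPERM. */
static int install_clone_filter(void)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),        /* not clone: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, K_CLONE_THREAD, 1, 0),   /* thread: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof code / sizeof code[0]),
                               .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
#endif

int main(void)
{
    char buf[256];
    unsigned long rdi = 0x0000000001200011UL; /* the register value from comment 2 */
    decode_clone_flags(rdi, buf, sizeof buf);
    printf("rdi = 0x%lx is %s -> %s\n", rdi, buf,
           classify_clone(rdi) == CLONE_ALLOW ? "allow" : "EPERM");
#if defined(__linux__) && defined(__x86_64__)
    if (install_clone_filter() == 0) {
        pid_t pid = fork(); /* glibc issues clone(0x1200011, ...) for this */
        if (pid == 0)
            _exit(0);
        printf("fork() -> %ld (%s)\n", (long)pid, pid < 0 ? strerror(errno) : "allowed");
    }
#endif
    return 0;
}
```

With the filter installed, fork() returns -1 with errno EPERM and the process keeps running, which is the difference between a SYS_SECCOMP crash and the "return an error" workaround discussed above. The example filter only matches the clone syscall number; a real policy would also need to handle clone3 (returning ENOSYS there makes glibc fall back to clone) and, as the comment notes, decide per process type rather than per driver.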
Updated•9 months ago
Comment 3•8 months ago
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
Comment 4•5 months ago
Closing because no crashes reported for 12 weeks.