Closed Bug 1950573 Opened 28 days ago Closed 22 days ago

Crash in [@ setup_stack_prot] caused by a madvise() call

Categories

(Core :: Security: Process Sandboxing, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
138 Branch
Tracking Status
firefox-esr115 --- disabled
firefox-esr128 --- disabled
firefox136 --- disabled
firefox137 --- disabled
firefox138 --- fixed

People

(Reporter: gsvelto, Assigned: jld)

Details

(Keywords: crash)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/79f6d944-3507-4f79-8986-aec210250226

Reason:

SIGSYS / SYS_SECCOMP

Top 10 frames:

0  libc.so.6  __GI_madvise  /usr/src/debug/glibc-2.41.9000-1.fc43.x86_64/sysdeps/unix/syscall-template.S:117
1  libc.so.6  setup_stack_prot  /usr/src/debug/glibc-2.41.9000-1.fc43.x86_64/nptl/allocatestack.c:203
1  libc.so.6  allocate_stack  /usr/src/debug/glibc-2.41.9000-1.fc43.x86_64/nptl/allocatestack.c:519
1  libc.so.6  __pthread_create_2_1  /usr/src/debug/glibc-2.41.9000-1.fc43.x86_64/nptl/pthread_create.c:660
2  firefox-bin  pthread_create  mozglue/interposers/pthread_create_interposer.cpp:99
3  libnspr4.so  _PR_CreateThread  nsprpub/pr/src/pthreads/ptthread.c:429
4  libnspr4.so  PR_CreateThread  nsprpub/pr/src/pthreads/ptthread.c:496
5  libxul.so  nsThread::Init(nsTSubstring<char> const&)  xpcom/threads/nsThread.cpp:615
6  libxul.so  nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::...  xpcom/threads/nsThreadManager.cpp:619
7  libxul.so  NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<ns...  xpcom/threads/nsThreadUtils.cpp:176

This is caused by a madvise() call that was introduced by this glibc change.

Huge spike in Nightly crashes, probably worth release tracking.

It looks like this currently applies only to Fedora Rawhide, their rolling-release experimental distro which uses bleeding-edge prerelease versions of glibc.

Also, this crash is Nightly-only; other branches will return an error and glibc will fall back to mprotect.

(Edit: fixed hyperlink)
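The two behaviours described in the comments above (Nightly traps the disallowed madvise() with SIGSYS, release returns an error so glibc falls back to mprotect) come down to which seccomp-bpf return action the sandbox policy chooses. The following is an added illustration, not the Firefox sandbox code: it builds a minimal x86_64 filter under a hypothetical `madvise_policy` switch and evaluates it offline with a tiny cBPF interpreter instead of installing it.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/syscall.h>

/* Hypothetical policy choice for a madvise() the sandbox does not allow: ERRNO makes the
   call fail with EPERM so glibc can fall back to mprotect(); TRAP raises SIGSYS (this bug). */
enum madvise_policy { MADVISE_ERRNO, MADVISE_TRAP };

/* Minimal x86_64 seccomp-bpf program: allow every syscall except madvise(). */
size_t build_filter(struct sock_filter *out, size_t cap, enum madvise_policy pol) {
    unsigned int verdict = pol == MADVISE_ERRNO ? (SECCOMP_RET_ERRNO | EPERM) : SECCOMP_RET_TRAP;
    struct sock_filter prog[] = {
        /* Kill on a foreign architecture rather than misread its syscall numbers. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_madvise, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, verdict),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof prog / sizeof prog[0];
    if (n > cap) return 0;
    for (size_t i = 0; i < n; i++) out[i] = prog[i];
    return n;
}

/* Interpreter for the cBPF subset used above (ld abs, jeq, ret) so the policy can be
   checked without installing it via seccomp(2); anything unexpected fails closed. */
unsigned int run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &p[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (in->k == offsetof(struct seccomp_data, nr)) acc = (unsigned int)d->nr;
            else if (in->k == offsetof(struct seccomp_data, arch)) acc = d->arch;
            else return SECCOMP_RET_KILL_PROCESS;
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += acc == in->k ? in->jt : in->jf;
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else return SECCOMP_RET_KILL_PROCESS;
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict the policy gives syscall `nr` issued from architecture `arch`. */
unsigned int policy_verdict(enum madvise_policy pol, int nr, unsigned int arch) {
    struct sock_filter prog[16];
    size_t n = build_filter(prog, 16, pol);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(prog, n, &d);
}
```

Installing such a filter for real needs PR_SET_NO_NEW_PRIVS and seccomp(2); the interpreter here only shows which action the policy would return, which is what decides between a silent fallback and a crash report like the one above.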

Assignee: nobody → jld
Severity: -- → S2
Priority: -- → P1
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Version: unspecified → Trunk
Duplicate of this bug: 1950322
Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e4e7ca5d70cf Allow madvise-based guard pages in the Linux sandbox. r=gcp
Status: NEW → RESOLVED
Closed: 22 days ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch

The patch landed in nightly and beta is affected.
:jld, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox137 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jld)

137 is unaffected now that it's Beta; the crash is Nightly-only.

Flags: needinfo?(jld)