Closed Bug 908907 Opened 6 years ago Closed 6 years ago

Fill in gaps in seccomp-bpf whitelist for b2g.

Categories

(Core :: Security, defect)

ARM
Gonk (Firefox OS)
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla26

People

(Reporter: jld, Assigned: jld)

References

Details

Attachments

(1 file)

Program received signal SIGSYS, Bad system call.
dup () at bionic/libc/arch-arm/syscalls/dup.S:10
10          ldmfd   sp!, {r4, r7}

dup seems relatively harmless, so maybe we should allow it?  Here's the beginning of the call stack, with newlines added for clarity, in case we want to try to avoid it instead:


(gdb) bt
#0  dup () at bionic/libc/arch-arm/syscalls/dup.S:10

#1  0x40e17d72 in mozilla::ipc::SharedMemoryBasic::ShareToProcess (this=<value optimized out>, aNewHandle=0xbec9c024) at /home/jld/src/B2G/gecko/ipc/glue/SharedMemoryBasic_android.cpp:103

#2  0x40e1e36e in mozilla::ipc::Shmem::ShareTo (this=0xbec9c05c, aProcess=2639, routingId=2147483647) at /home/jld/src/B2G/gecko/ipc/glue/Shmem.cpp:606

#3  0x40e8b68c in mozilla::layers::PCompositorChild::CreateSharedMemory (this=0x42ce1180, aSize=<value optimized out>, aType=<value optimized out>, aUnsafe=<value optimized out>, aId=0xbec9c0b4) at /home/jld/src/B2G/objdir-gecko/ipc/ipdl/PCompositorChild.cpp:530

#4  0x40e1f1b2 in mozilla::dom::PSpeechSynthesisChild::CreateSharedMemory (this=0x25, aSize=<value optimized out>, aType=<value optimized out>, aUnsafe=255, aId=0xbec9c0b4) at /home/jld/src/B2G/objdir-gecko/ipc/ipdl/PSpeechSynthesisChild.cpp:266

#5  0x40e9449e in mozilla::layers::PLayerTransactionChild::AllocUnsafeShmem (this=0xbec9c0b4, aSize=126736, aType=mozilla::ipc::SharedMemory::TYPE_BASIC, aMem=0xbec9c0d8) at /home/jld/src/B2G/objdir-gecko/ipc/ipdl/PLayerTransactionChild.cpp:782

#6  0x4110e78c in mozilla::layers::ShadowLayerForwarder::AllocUnsafeShmem (this=<value optimized out>, aSize=126736, aType=mozilla::ipc::SharedMemory::TYPE_BASIC, aShmem=0xffffffff) at /home/jld/src/B2G/gecko/gfx/layers/ipc/ShadowLayers.cpp:567

#7  0x410ffad2 in Create<mozilla::layers::ISurfaceAllocator, true> (this=0x40326428, aSize=..., aContent=<value optimized out>, aBuffer=0xbec9c130) at ../../dist/include/gfxBaseSharedMemorySurface.h:176

#8  CreateUnsafe<mozilla::layers::ISurfaceAllocator> (this=0x40326428, aSize=..., aContent=<value optimized out>, aBuffer=0xbec9c130) at ../../dist/include/gfxBaseSharedMemorySurface.h:98

#9  mozilla::layers::ISurfaceAllocator::AllocSharedImageSurface (this=0x40326428, aSize=..., aContent=<value optimized out>, aBuffer=0xbec9c130) at /home/jld/src/B2G/gecko/gfx/layers/ipc/ISurfaceAllocator.cpp:60

#10 0x410ffa4c in mozilla::layers::ISurfaceAllocator::AllocSurfaceDescriptorWithCaps (this=0x40326428, aSize=..., aContent=gfxASurface::CONTENT_ALPHA, aCaps=<value optimized out>, aBuffer=0x443d62bc) at /home/jld/src/B2G/gecko/gfx/layers/ipc/ISurfaceAllocator.cpp:112

#11 0x410ff940 in mozilla::layers::ISurfaceAllocator::AllocSurfaceDescriptor (this=0xbec9c0b4, aSize=<value optimized out>, aContent=0, aBuffer=<value optimized out>) at /home/jld/src/B2G/gecko/gfx/layers/ipc/ISurfaceAllocator.cpp:74
There are a few other syscalls I found.  I'm going to expand this bug to cover all of them, including working around bug 906996, because if I try to separate each added line into its own patch they'll all conflict with each other.
…and I should reapply the summary change I lost after mid-air colliding with myself.
Summary: b2g UI Tests app crashes on startup because seccomp disallows dup → Fill in gaps in seccomp-bpf whitelist for b2g.
Assignee: nobody → jld
Status: NEW → ASSIGNED
Attachment #799883 - Flags: review?(gdestuynder)
Duplicate of this bug: 907087
Comment on attachment 799883 [details] [diff] [review]
bug908907-seccomp-gaps.diff

Review of attachment 799883 [details] [diff] [review]:
-----------------------------------------------------------------

thanks :)

hopefully we can remove some of these sooner than later (same for open, in fact). Until then, looks good.
Attachment #799883 - Flags: review?(gdestuynder) → review+
I have this patch applied, and it works generalyl. However I got bug 907087 once again, but I didn't think of running gdb at that time so I don't know why... I'll report again if I find something.
Thanks for the review.

Checkin note: This should be sent to b2g-inbound instead of regular inbound, I think?
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/cd4715bff794
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in before you can comment on or make changes to this bug.