Closed
Bug 913760
Opened 11 years ago
Closed 11 years ago
Upload static rooting analysis results
Categories
(Release Engineering :: General, defect)
Release Engineering
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: sfink, Assigned: sfink)
References
Details
Attachments
(5 files)
18.42 KB,
patch
|
mozilla
:
review+
sfink
:
checked-in+
|
Details | Diff | Splinter Review |
3.15 KB,
patch
|
mozilla
:
review+
sfink
:
checked-in+
|
Details | Diff | Splinter Review |
7.54 KB,
patch
|
mozilla
:
review+
sfink
:
checked-in+
|
Details | Diff | Splinter Review |
2.84 KB,
patch
|
mozilla
:
review+
sfink
:
checked-in+
|
Details | Diff | Splinter Review |
4.23 KB,
patch
|
mozilla
:
review+
sfink
:
checked-in+
|
Details | Diff | Splinter Review |
Hi, I'm back! I need to upload the static rooting analysis results somewhere so people can actually see them.
Assignee | ||
Comment 1•11 years ago
|
||
This requires a buildbotcustom patch to feed through the information necessary for constructing upload paths and getting to the server.
Attachment #801077 -
Flags: review?(aki)
Assignee | ||
Comment 2•11 years ago
|
||
Buildbot knows where the servers and things are, so it should communicate them to the mozharness jobs.
Attachment #801078 -
Flags: review?(aki)
Assignee | ||
Comment 3•11 years ago
|
||
One of the analysis files is really, really repetitive, and when analyzing the full browser, comes to 159MB. I really don't want to upload all of that. Compressing it brings it all the way down to 3MB (as I said: repetitive). I kind of like having the option to compress built into the copy into the upload area; your opinion may differ wildly.
Attachment #801079 -
Flags: review?(aki)
Assignee | ||
Comment 4•11 years ago
|
||
Somewhat silly patch to catch problems sooner and with clearer messages. I thought I had several actions that I could apply this decorator to, but it turns out that this is all in the upload step. Naturally, I wrote this patch *after* tediously working through all of the issues it would have caught. But there's a chance I missed something that will make this fail in a production config. Ok, mostly I'm wondering what you think of the general idea. I was considering extending it to config and/or buildbot_config entries. It's hard to keep track of what needs what, and I sometimes want to run the script with a subset of the actions that don't need a bunch of the configuration. (Eg, run the analysis locally and don't upload it => no need for SSH keys and servers and stuff.)
Attachment #801080 -
Flags: review?(aki)
Assignee | ||
Comment 5•11 years ago
|
||
Callek pointed out that we should consider the security implications of the static rooting analysis. After this bug, we'd be running it on the try server and uploading the results to a publicly-accessible repository. Note that the results of this analysis are not as sensitive as, say, the ASAN analysis. But this analysis *does* identify defects that could trigger memory corruption and therefore are potentially exploitable. The fuzz posse (gkw, decoder, Jesse) have more experience with these sorts of GC bugs, but I will add some of my own speculation here: First, none of the hazards identified by this analysis are relevant at all until we turn off the conservative stack scanner. Most problems will also require turning on some sort of moving GC (initially, that will be the generational garbage collector.) The upload will produce 3 files: gcTypes.txt, gcFunctions.txt, and rootingHazards.txt. The first two are purely information about what functions can potentially trigger a GC, and are not a problem. rootingHazards.txt contains 3 types of entries: unnecessary roots, which are only relevant to performance; actual hazards, where a GC at the wrong time can invalidate a pointer; and unsafe references, which may indicate an actual hazard or may just be a false positive. We intend to drive actual hazards to zero before enabling exact rooting, or at least manually inspecting them to ensure they are false positives. So these shouldn't pose a problem. The unsafe references are a little trickier. All of them must be manually inspected to distinguish false positives from real hazards. We may need to put a check in place to ensure that all references reported are known to be false positives. (We will manually inspect all of these before enabling exact rooting.) If a hazard were to slip through, it could result in a use-after-free or access to the wrong object, possibly one in another compartment/security domain. The difficulty of triggering such a hazard depends on what code it is in. Exploiting a hazard would be fairly hard, but not impossible, if I were to guess. But I'm kind of out of my depth on that question. Note that this analysis uses all easily-available components, so someone determined could run it themselves. Uploading autogenerated results to a public server obviously makes it far easier to get hold of, of course.
Flags: sec-review?
Assignee | ||
Comment 6•11 years ago
|
||
CC'ing dveditz on gkw's recommendation. And clarifying that these results will only be relevant when generational garbage collection is turned on. (Strictly speaking, it's when exact rooting is enabled, but we won't do that until we're turning on GGC.)
Assignee | ||
Updated•11 years ago
|
Flags: needinfo?(dveditz)
Comment 7•11 years ago
|
||
Comment on attachment 801077 [details] [diff] [review] Upload static rooting analysis results I don't think the upload_ssh_* properties are actually set currently, though I may be surprised in a later patch...
Attachment #801077 -
Flags: review?(aki) → review+
Comment 8•11 years ago
|
||
Comment on attachment 801078 [details] [diff] [review] Pass through more configuration to mozharness jobs And... boom. I think I ruined the surprise.
Attachment #801078 -
Flags: review?(aki) → review+
Comment 9•11 years ago
|
||
Comment on attachment 801079 [details] [diff] [review] Allow compressing when copying to upload dir Sure, looks good.
Attachment #801079 -
Flags: review?(aki) → review+
Comment 10•11 years ago
|
||
Comment on attachment 801080 [details] [diff] [review] imported patch checks I'm not familiar with this, but I can stamp it. ... All of my reviews are dependent on sec review passing.
Attachment #801080 -
Flags: review?(aki) → review+
Comment 11•11 years ago
|
||
sfink said in irc: we'd start uploading with 1-2 dozen remaining. We won't turn anything on until they're at zero (or identified as false positives) That sounds like a fine plan as long as someone will be regularly looking at these results in the future.
Flags: sec-review?
Flags: sec-review+
Flags: needinfo?(dveditz)
Assignee | ||
Updated•11 years ago
|
Attachment #801078 -
Flags: checked-in+
Assignee | ||
Comment 12•11 years ago
|
||
http://hg.mozilla.org/build/buildbotcustom/rev/61b695e32092
Assignee | ||
Updated•11 years ago
|
Attachment #801077 -
Flags: checked-in+
Assignee | ||
Updated•11 years ago
|
Attachment #801079 -
Flags: checked-in+
Assignee | ||
Updated•11 years ago
|
Attachment #801080 -
Flags: checked-in+
Assignee | ||
Comment 13•11 years ago
|
||
I still have mixed feelings about the decoration thing, but I'll leave it for now. http://hg.mozilla.org/build/mozharness/rev/4595f8895ed3 http://hg.mozilla.org/build/mozharness/rev/ef200219ec21 http://hg.mozilla.org/build/mozharness/rev/fe41b7979c01
Assignee | ||
Comment 14•11 years ago
|
||
Oops, when running in a buildbot setup, files were being uploaded successfully, but to the wrong place.
Attachment #802605 -
Flags: review?(aki)
Updated•11 years ago
|
Attachment #802605 -
Flags: review?(aki) → review+
Assignee | ||
Updated•11 years ago
|
Attachment #802605 -
Flags: checked-in+
Assignee | ||
Comment 15•11 years ago
|
||
http://hg.mozilla.org/build/mozharness/rev/4ecc13e691a6
Comment 16•11 years ago
|
||
Merged to mozharness' production branch. It is now live on tbpl.
Assignee | ||
Comment 17•11 years ago
|
||
(In reply to Armen Zambrano [:armenzg] (Release Engineering) (EDT/UTC-4) from comment #16) > Merged to mozharness' production branch. > It is now live on tbpl. Except it fails, because I messed up and landed the buildbotcustom change to the production branch by mistake. Aki noticed that the branches didn't match and blew it away in 7be15a497289, which caused these jobs to fail. So I just relanded onto the default branch: http://hg.mozilla.org/build/buildbotcustom/rev/80f90cac6464
Assignee | ||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•6 years ago
|
Component: General Automation → General
You need to log in
before you can comment on or make changes to this bug.
Description
•