Closed Bug 960365 Opened 11 years ago Closed 11 years ago

Allow uname in seccomp whitelist for nsSystemInfo (instantiated late on debug / non-prelaunch b2g)

Categories

(Core :: Security, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla29

People

(Reporter: jld, Assigned: jld)

Attachments

(1 file, 1 obsolete file)

On debug builds with seccomp, we crash because we call uname in content processes. It's probably not too harmful by itself; it does reveal information that could identify the device model and build, but that might be available by other channels? The remarkably long stack, which isn't giving me huge amounts of insight, is:

#0 uname () at bionic/libc/arch-arm/syscalls/uname.S:10
#1 0x42c95696 in _MD_getsysinfo (cmd=PR_SI_SYSNAME, name=0xbedc1dc0 "", namelen=256) at /home/jld/src/B2G/gecko/nsprpub/pr/src/md/unix/unix.c:3525
#2 0x42c8b210 in PR_GetSystemInfo (cmd=PR_SI_SYSNAME, buf=0xbedc1dc0 "", buflen=256) at /home/jld/src/B2G/gecko/nsprpub/pr/src/misc/prsystem.c:129
#3 0x406c3406 in nsSystemInfo::Init (this=0x44c08040) at /home/jld/src/B2G/gecko/xpcom/base/nsSystemInfo.cpp:168
#4 0x406a924e in nsSystemInfoConstructor (aOuter=<value optimized out>, aIID=..., aResult=0xbedc223c) at /home/jld/src/B2G/gecko/xpcom/build/nsXPComInit.cpp:208
#5 0x406a0cb4 in mozilla::GenericFactory::CreateInstance (this=<value optimized out>, aOuter=<value optimized out>, aIID=<value optimized out>, aResult=0x0) at /home/jld/src/B2G/gecko/xpcom/glue/GenericFactory.cpp:16
#6 0x406ea20e in nsComponentManagerImpl::CreateInstanceByContractID (this=<value optimized out>, aContractID=0x420fce43 "@mozilla.org/system-info;1", aDelegate=0x0, aIID=..., aResult=0xbedc223c) at /home/jld/src/B2G/gecko/xpcom/components/nsComponentManager.cpp:1081
#7 0x406eb35e in nsComponentManagerImpl::GetServiceByContractID (this=0x40332c00, aContractID=<value optimized out>, aIID=..., result=0xbedc22a0) at /home/jld/src/B2G/gecko/xpcom/components/nsComponentManager.cpp:1437
#8 0x406a320a in CallGetService (aContractID=0x420fce43 "@mozilla.org/system-info;1", aIID=..., aResult=0xbedc22a0) at /home/jld/src/B2G/gecko/xpcom/glue/nsComponentManagerUtils.cpp:64
#9 0x406a323e in nsGetServiceByContractID::operator() (this=<value optimized out>, aIID=..., aInstancePtr=0x443ff930) at /home/jld/src/B2G/gecko/xpcom/glue/nsComponentManagerUtils.cpp:252
#10 0x408272fe in nsCOMPtr<nsIPropertyBag2>::assign_from_gs_contractid (this=0x443e3400) at ../../../dist/include/nsCOMPtr.h:1242
#11 nsCOMPtr (this=0x443e3400) at ../../../dist/include/nsCOMPtr.h:623
#12 mozilla::net::nsHttpHandler::InitUserAgentComponents (this=0x443e3400) at /home/jld/src/B2G/gecko/netwerk/protocol/http/nsHttpHandler.cpp:691
#13 0x40829f88 in mozilla::net::nsHttpHandler::Init (this=0x443e3400) at /home/jld/src/B2G/gecko/netwerk/protocol/http/nsHttpHandler.cpp:278
#14 0x407243b0 in nsHttpHandlerConstructor (aOuter=<value optimized out>, aIID=..., aResult=0xbedc239c) at /home/jld/src/B2G/gecko/netwerk/build/nsNetModule.cpp:238
#15 0x406a0cb4 in mozilla::GenericFactory::CreateInstance (this=<value optimized out>, aOuter=<value optimized out>, aIID=<value optimized out>, aResult=0x443ff930) at /home/jld/src/B2G/gecko/xpcom/glue/GenericFactory.cpp:16
#16 0x406ea20e in nsComponentManagerImpl::CreateInstanceByContractID (this=<value optimized out>, aContractID=0xbedc2414 "@mozilla.org/network/protocol;1?name=http", aDelegate=0x0, aIID=..., aResult=0xbedc239c) at /home/jld/src/B2G/gecko/xpcom/components/nsComponentManager.cpp:1081
#17 0x406eb35e in nsComponentManagerImpl::GetServiceByContractID (this=0x40332c00, aContractID=<value optimized out>, aIID=..., result=0xbedc24e4) at /home/jld/src/B2G/gecko/xpcom/components/nsComponentManager.cpp:1437
#18 0x406a320a in CallGetService (aContractID=0xbedc2414 "@mozilla.org/network/protocol;1?name=http", aIID=..., aResult=0xbedc24e4) at /home/jld/src/B2G/gecko/xpcom/glue/nsComponentManagerUtils.cpp:64
#19 0x40744af6 in CallGetService<nsIProtocolHandler> (aContractID=0xbedc2414 "@mozilla.org/network/protocol;1?name=http", aDestination=0xbedc24e4) at ../../../dist/include/nsServiceManagerUtils.h:98
#20 0x40745706 in nsIOService::GetProtocolHandler (this=0x40302400, scheme=0xbedc24a0 "http", result=0xbedc24e4) at /home/jld/src/B2G/gecko/netwerk/base/src/nsIOService.cpp:413
#21 0x407451ae in nsIOService::NewURI (this=0x40302400, aSpec=..., aCharset=0x0, aBaseURI=0x0, result=0xbedc257c) at /home/jld/src/B2G/gecko/netwerk/base/src/nsIOService.cpp:535
#22 0x409d4244 in NS_NewURI (result=0xbedc257c, spec=..., ioService=<value optimized out>, baseURI=<value optimized out>, charset=<value optimized out>) at ../../dist/include/nsNetUtil.h:158
#23 0x409d4302 in GetPrincipal (aHost=<value optimized out>, aAppId=21, aIsInBrowserElement=false, aPrincipal=0xbedc25e4) at /home/jld/src/B2G/gecko/extensions/cookie/nsPermissionManager.cpp:98
#24 0x409d6484 in nsPermissionManager::Init (this=0x44398190) at /home/jld/src/B2G/gecko/extensions/cookie/nsPermissionManager.cpp:411
#25 0x409d65b4 in nsPermissionManager::GetXPCOMSingleton () at /home/jld/src/B2G/gecko/extensions/cookie/nsPermissionManager.cpp:383
#26 0x409cfa24 in nsIPermissionManagerConstructor (aOuter=0xbedc2414, aIID=..., aResult=0xbedc243d) at /home/jld/src/B2G/gecko/extensions/cookie/nsCookieModule.cpp:17
#27 0x406a0cb4 in mozilla::GenericFactory::CreateInstance (this=<value optimized out>, aOuter=<value optimized out>, aIID=<value optimized out>, aResult=0x443ff540) at /home/jld/src/B2G/gecko/xpcom/glue/GenericFactory.cpp:16
#28 0x406ea20e in nsComponentManagerImpl::CreateInstanceByContractID (this=<value optimized out>, aContractID=0x421404d0 "@mozilla.org/permissionmanager;1", aDelegate=0x0, aIID=..., aResult=0xbedc26ac) at /home/jld/src/B2G/gecko/xpcom/components/nsComponentManager.cpp:1081
#29 0x406eb35e in nsComponentManagerImpl::GetServiceByContractID (this=0x40332c00, aContractID=<value optimized out>, aIID=..., result=0xbedc2700) at /home/jld/src/B2G/gecko/xpcom/components/nsComponentManager.cpp:1437
#30 0x406a320a in CallGetService (aContractID=0x421404d0 "@mozilla.org/permissionmanager;1", aIID=..., aResult=0xbedc2700) at /home/jld/src/B2G/gecko/xpcom/glue/nsComponentManagerUtils.cpp:64
#31 0x406a323e in nsGetServiceByContractID::operator() (this=<value optimized out>, aIID=..., aInstancePtr=0x443ff550) at /home/jld/src/B2G/gecko/xpcom/glue/nsComponentManagerUtils.cpp:252
#32 0x4118eff0 in nsCOMPtr<nsIPermissionManager>::assign_from_gs_contractid (aPrincipal=0x443f36e0, aType=0x422c302f "allowXULXBL", aPerm=1, aExactHostMatch=false) at ../../../dist/include/nsCOMPtr.h:1242
#33 nsCOMPtr (aPrincipal=0x443f36e0, aType=0x422c302f "allowXULXBL", aPerm=1, aExactHostMatch=false) at ../../../dist/include/nsCOMPtr.h:623
#34 TestSitePerm (aPrincipal=0x443f36e0, aType=0x422c302f "allowXULXBL", aPerm=1, aExactHostMatch=false) at /home/jld/src/B2G/gecko/content/base/src/nsContentUtils.cpp:2886
#35 0x4118f0e6 in nsContentUtils::IsSitePermAllow (aPrincipal=0x40332c00, aType=0x421404d0 "@mozilla.org/permissionmanager;1") at /home/jld/src/B2G/gecko/content/base/src/nsContentUtils.cpp:2904
#36 0x4118f13a in nsContentUtils::AllowXULXBLForPrincipal (aPrincipal=0x443f36e0) at /home/jld/src/B2G/gecko/content/base/src/nsContentUtils.cpp:6034
#37 0x40f89172 in TreatAsRemoteXUL (this=0x4418bac0, aDocument=<value optimized out>, aState=<value optimized out>, aForceReuseInnerWindow=<value optimized out>) at /home/jld/src/B2G/gecko/dom/base/nsGlobalWindow.cpp:2133
#38 CreateNativeGlobalForInner (this=0x4418bac0, aDocument=<value optimized out>, aState=<value optimized out>, aForceReuseInnerWindow=<value optimized out>) at /home/jld/src/B2G/gecko/dom/base/nsGlobalWindow.cpp:2170
#39 nsGlobalWindow::SetNewDocument (this=0x4418bac0, aDocument=<value optimized out>, aState=<value optimized out>, aForceReuseInnerWindow=<value optimized out>) at /home/jld/src/B2G/gecko/dom/base/nsGlobalWindow.cpp:2381
#40 0x4151b48a in nsDocumentViewer::InitInternal (this=0x44352680, aParentWidget=<value optimized out>, aState=<value optimized out>, aBounds=<value optimized out>, aDoCreation=true, aNeedMakeCX=true, aForceSetNewDocument=true) at /home/jld/src/B2G/gecko/layout/base/nsDocumentViewer.cpp:894
#41 0x4151b632 in nsDocumentViewer::Init (this=<value optimized out>, aParentWidget=<value optimized out>, aBounds=...) at /home/jld/src/B2G/gecko/layout/base/nsDocumentViewer.cpp:635
#42 0x4175c03a in nsDocShell::SetupNewViewer (this=0x4430f000, aNewViewer=<value optimized out>) at /home/jld/src/B2G/gecko/docshell/base/nsDocShell.cpp:8464
#43 0x41758796 in nsDocShell::Embed (this=0x4430f000, aContentViewer=0x44352680, aCommand=<value optimized out>, aExtraInfo=<value optimized out>) at /home/jld/src/B2G/gecko/docshell/base/nsDocShell.cpp:6480
#44 0x4175a5d8 in nsDocShell::CreateAboutBlankContentViewer (this=0x4430f000, aPrincipal=<value optimized out>, aBaseURI=<value optimized out>, aTryToSaveOldPresentation=<value optimized out>) at /home/jld/src/B2G/gecko/docshell/base/nsDocShell.cpp:7256
#45 0x4175ac94 in nsDocShell::EnsureContentViewer (this=0x4430f000) at /home/jld/src/B2G/gecko/docshell/base/nsDocShell.cpp:7141
#46 0x417570d6 in nsDocShell::GetInterface (this=0x4430f000, aIID=..., aSink=0xbedc2c98) at /home/jld/src/B2G/gecko/docshell/base/nsDocShell.cpp:1023
#47 0x406a4332 in nsGetInterface::operator() (this=0xbedc2c8c, aIID=..., aInstancePtr=0xbedc2c98) at /home/jld/src/B2G/gecko/xpcom/glue/nsIInterfaceRequestorUtils.cpp:19
#48 0x40f67f2c in nsCOMPtr<nsIDocument>::assign_from_helper (this=<value optimized out>) at ../../dist/include/nsCOMPtr.h:1262
#49 nsCOMPtr (this=<value optimized out>) at ../../dist/include/nsCOMPtr.h:640
#50 nsPIDOMWindow::MaybeCreateDoc (this=<value optimized out>) at /home/jld/src/B2G/gecko/dom/base/nsGlobalWindow.cpp:3320
#51 0x40f67f96 in nsPIDOMWindow::GetDoc (this=0x4418bad0) at /home/jld/src/B2G/gecko/dom/base/nsPIDOMWindow.h:185
#52 nsPIDOMWindow::EnsureInnerWindow (this=0x4418bad0) at /home/jld/src/B2G/gecko/dom/base/nsPIDOMWindow.h:319
#53 0x40f67fda in nsGlobalWindow::WrapObject (this=0x4418bac0, cx=<value optimized out>, scope=...) at /home/jld/src/B2G/gecko/dom/base/nsGlobalWindow.h:339
#54 0x40ee0b60 in XPCConvert::NativeInterface2JSObject (d=..., dest=0x0, aHelper=<value optimized out>, iid=<value optimized out>, Interface=0x0, allowNativeWrapper=true, pErr=0xbedc2f78) at /home/jld/src/B2G/gecko/js/xpconnect/src/XPCConvert.cpp:835
#55 0x40ee2748 in XPCConvert::NativeData2JS (d=..., s=<value optimized out>, type=<value optimized out>, iid=0xbedc2f1c, pErr=0xbedc2f78) at /home/jld/src/B2G/gecko/js/xpconnect/src/XPCConvert.cpp:326
#56 0x40f0164c in CallMethodHelper::GatherAndConvertResults (this=0xbedc2fd8) at /home/jld/src/B2G/gecko/js/xpconnect/src/XPCWrappedNative.cpp:2101
#57 CallMethodHelper::Call (this=0xbedc2fd8) at /home/jld/src/B2G/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1914
#58 0x40f0290a in XPCWrappedNative::CallMethod (ccx=..., mode=<value optimized out>) at /home/jld/src/B2G/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1867
#59 0x40f08b84 in XPCWrappedNative::GetAttribute (cx=<value optimized out>, argc=0, vp=0xbedc34a8) at /home/jld/src/B2G/gecko/js/xpconnect/src/xpcprivate.h:2159
#60 XPC_WN_GetterSetter (cx=<value optimized out>, argc=0, vp=0xbedc34a8) at /home/jld/src/B2G/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1335
#61 0x41db4ab0 in js::CallJSNative (cx=0x403cf240, native=0x40f08a31 <XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/jld/src/B2G/gecko/js/src/../../js/src/jscntxtinlines.h:220
#62 0x41dc73f6 in js::Invoke (cx=0x403cf240, args=..., construct=js::NO_CONSTRUCT) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:465
#63 0x41dc7c10 in js::Invoke (cx=0x403cf240, thisv=..., fval=..., argc=0, argv=0x0, rval=...) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:521
#64 0x41dc7d3a in js::InvokeGetterOrSetter (cx=0x403cf240, obj=0x44420160, fval=..., argc=0, argv=0x0, rval=...) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:592
#65 0x41d0c638 in js::Shape::get (cx=0x403cf240, obj=<value optimized out>, receiver=..., pobj=..., shape=..., vp=...) at /home/jld/src/B2G/gecko/js/src/../../js/src/vm/Shape-inl.h:68
#66 NativeGetInline<(js::AllowGC)1> (cx=0x403cf240, obj=<value optimized out>, receiver=..., pobj=..., shape=..., vp=...) at /home/jld/src/B2G/gecko/js/src/jsobj.cpp:4079
#67 0x41d0df48 in js::NativeGet (cx=0x4418bac0, obj=<value optimized out>, pobj=..., shape=<value optimized out>, vp=...) at /home/jld/src/B2G/gecko/js/src/jsobj.cpp:4099
#68 0x41dc1c6a in FetchName<false> (cx=0x403cf240, state=...) at /home/jld/src/B2G/gecko/js/src/../../js/src/vm/Interpreter-inl.h:192
#69 NameOperation (cx=0x403cf240, state=...) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:316
#70 Interpret (cx=0x403cf240, state=...) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:2730
#71 0x41dc6e76 in js::RunScript (cx=0x403cf240, state=...) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:422
#72 0x41dc800c in ExecuteKernel (cx=0x403cf240, script=..., scopeChainArg=<value optimized out>, rval=<value optimized out>) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:619
#73 js::Execute (cx=0x403cf240, script=..., scopeChainArg=<value optimized out>, rval=<value optimized out>) at /home/jld/src/B2G/gecko/js/src/vm/Interpreter.cpp:656
#74 0x41c8c5fc in JS_ExecuteScript (cx=0x403cf240, objArg=<value optimized out>, scriptArg=0x44483c48, rval=0x0) at /home/jld/src/B2G/gecko/js/src/jsapi.cpp:4761
#75 0x411f5980 in nsFrameScriptExecutor::LoadFrameScriptInternal (this=<value optimized out>, aURL=<value optimized out>, aRunInGlobalScope=true) at /home/jld/src/B2G/gecko/content/base/src/nsFrameMessageManager.cpp:1423
#76 0x40e792e0 in mozilla::dom::TabChild::RecvLoadRemoteScript (this=0x403b56e0, aURL=..., aRunInGlobalScope=@0xbedc3eb7) at /home/jld/src/B2G/gecko/dom/ipc/TabChild.cpp:2109
#77 0x40e7923a in mozilla::dom::TabChild::InitTabChildGlobal (this=0x403b56e0, aScriptLoading=mozilla::dom::TabChild::DEFAULT_LOAD_SCRIPTS) at /home/jld/src/B2G/gecko/dom/ipc/TabChild.cpp:2239
#78 0x40e7db7e in mozilla::dom::TabChild::RecvShow (this=0x403b56e0, size=<value optimized out>) at /home/jld/src/B2G/gecko/dom/ipc/TabChild.cpp:1435

(And then 25 more frames that go from the IPC dispatcher to main().)
Here's the patch I've been using as a workaround. I don't know if it's actually the right solution.
Attachment #8360809 - Flags: review?(gdestuynder)
Comment on attachment 8360809 [details] [diff] [review]
bug960365-whitelist-uname-hg0.diff

Review of attachment 8360809 [details] [diff] [review]:
-----------------------------------------------------------------

That's what current uname() returns:

    struct utsname {
        char sysname[];    /* Operating system name (e.g., "Linux") */
        char nodename[];   /* Name within "some implementation-defined network" */
        char release[];    /* Operating system release (e.g., "2.6.28") */
        char version[];    /* Operating system version */
        char machine[];    /* Hardware identifier */
    #ifdef _GNU_SOURCE
        char domainname[]; /* NIS or YP domain name */
    #endif
    };

I'd rather not have it due to the principle of least privilege but it's not harmful per se. Information leakage but none of which is really sensitive. If that's the only call I'd say we could allow it - or maybe better, only allow it if debug is set.
Attachment #8360809 - Flags: review?(gdestuynder) → review+
This actually isn't debug-only — what controls it is whether content process prelaunch is disabled. See bug 936320 comment #5.
Summary: Allow uname in seccomp whitelist for debug builds (or stop calling it) → Allow uname in seccomp whitelist for nsSystemInfo (instantiated late on debug / non-prelaunch b2g)
I tried instantiating "@mozilla.org/system-info;1" and discarding it in ContentChild::RecvAppInfo before the non-prelaunch early return, and that prevents the crash — i.e., the magic of XPCOM is caching the service instance, so the info that uname would reveal is present in the address space anyway. So I've added a comment to that effect, and removed the now-duplicate uname I noticed in SECCOMP_WHITELIST_DESKTOP_LINUX.
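What a seccomp whitelist entry like the one this bug adds actually does, as an added example that is not part of this bug, of its attachments, or of Gecko's own seccomp code: a seccomp-bpf allow list is built the usual way (load the syscall number, one JEQ per permitted number jumping to an ALLOW verdict, everything else falls through to a deny verdict), uname is included, and a small user-space evaluator for the three BPF instruction kinds the program uses checks the verdict for a few syscall numbers without installing anything. The allow list (read, write, exit_group, uname), the choice of SECCOMP_RET_ERRNO with ENOSYS as the deny verdict, and all function names are this example's own assumptions, not the patch's. It assumes a Linux build host and uses that host's syscall numbers, so the program it builds is for that architecture rather than the bug's ARM one. main() additionally installs the filter for real and shows uname() still succeeding under it while a syscall that is not on the list fails with ENOSYS.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Constructed allow list for a hypothetical content process; uname is the entry
 * this bug is about.  Numbers are the build host's, so the program is arch-specific. */
static const unsigned int allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_exit_group, SYS_uname,
};
#define N_ALLOWED (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))
#define PROG_LEN (N_ALLOWED + 3)

/* Denied calls get ENOSYS rather than SIGSYS: an unexpected call then shows up as
 * an error the caller can report instead of the crash in comment 0 (assumption). */
#define DENY_VERDICT (SECCOMP_RET_ERRNO | ENOSYS)

/* Layout: [0] load nr; [1..N] one JEQ per allowed syscall jumping to the final
 * ALLOW; [N+1] deny (fall-through); [N+2] allow. */
static void build_whitelist(struct sock_filter prog[PROG_LEN]) {
    size_t n = 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        /* Jump offsets are relative to the next instruction: from slot 1+i the
         * ALLOW slot N+2 is (N - i) instructions ahead. */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  allowed_syscalls[i],
                                                  (unsigned char)(N_ALLOWED - i), 0);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY_VERDICT);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
}

/* Evaluate the filter in user space for syscall number nr, the way the kernel
 * would; only the instruction kinds build_whitelist emits are supported. */
static unsigned int eval_filter(const struct sock_filter *prog, size_t len,
                                unsigned int nr) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (ins->k == offsetof(struct seccomp_data, nr)) ? nr : 0;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL; /* never produced by build_whitelist */
        }
    }
    return SECCOMP_RET_KILL;         /* fell off the end: treat as deny */
}

/* 1 if the whitelist lets nr through, 0 if it is denied with ENOSYS, -1 otherwise. */
static int whitelist_allows(unsigned int nr) {
    struct sock_filter prog[PROG_LEN];
    build_whitelist(prog);
    unsigned int verdict = eval_filter(prog, PROG_LEN, nr);
    if (verdict == SECCOMP_RET_ALLOW) return 1;
    if (verdict == DENY_VERDICT) return 0;
    return -1;
}

/* Install the filter for real.  NO_NEW_PRIVS is required for an unprivileged
 * process; once installed, the filter is inherited and cannot be removed. */
static int install_whitelist(struct sock_filter prog[PROG_LEN]) {
    struct sock_fprog fprog = { .len = PROG_LEN, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void) {
    struct sock_filter prog[PROG_LEN];
    build_whitelist(prog);
    printf("uname allowed: %d, getpid allowed: %d\n",
           whitelist_allows(SYS_uname), whitelist_allows(SYS_getpid));
    fflush(stdout); /* stdio may need syscalls the filter denies; use write() below */
    if (install_whitelist(prog) != 0) { perror("seccomp"); return 1; }
    struct utsname u;
    char buf[256];
    int rc = uname(&u); /* on the list: succeeds */
    int len = snprintf(buf, sizeof buf, "uname rc=%d sysname=%s machine=%s\n",
                       rc, rc == 0 ? u.sysname : "?", rc == 0 ? u.machine : "?");
    if (write(STDOUT_FILENO, buf, (size_t)len) < 0) _exit(2);
    long pid = syscall(SYS_getpid); /* not on the list: -1, errno == ENOSYS */
    len = snprintf(buf, sizeof buf, "getpid -> %ld (errno %d)\n", pid, errno);
    if (write(STDOUT_FILENO, buf, (size_t)len) < 0) _exit(2);
    _exit(0);
}
```

The list is the entire decision: a syscall the process needs but that is missing from it fails every time the code path runs, which is why a late-instantiated nsSystemInfo only shows up on configurations that reach that path after the filter is installed. Whether the deny verdict is a kill (the crash reported here) or an errno is a separate choice from what goes on the list.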
Attachment #8360809 - Attachment is obsolete: true
Attachment #8361923 - Flags: review?(gdestuynder)
Attachment #8361923 - Flags: review?(gdestuynder) → review+
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29