Closed Bug 983518 Opened 6 years ago Closed 6 years ago

Homescreen sandbox crash on QRD kitkat

Categories

(Core :: Security, defect)

ARM
Gonk (Firefox OS)

Tracking

RESOLVED FIXED
mozilla30
blocking-b2g 1.4+
Tracking Status
firefox28 --- wontfix
firefox29 --- wontfix
firefox30 --- fixed
b2g-v1.4 --- fixed

People

(Reporter: pauljt, Assigned: kang)

References

Details

(Whiteboard: [cr 631673])

Attachments

(1 file, 1 obsolete file)

Mvines reports that the homescreen is crashing with a sandbox error on KitKat. We need to jump on this ASAP.

For the KK baseline (i.e., the real v1.4 baseline), the homescreen gets
killed at boot with a:
	E/Sandbox ( 1241): seccomp sandbox violation: pid 1241, syscall 186, args 3005218204 0 0 3 4308040 0.  Killing process.

Bug can be reproduced using this build:
https://bug961246.bugzilla.mozilla.org/attachment.cgi?id=8381550&t=VRMWJg37
Also enable these configs in arch/arm/configs/msm8226_defconfig first of course:
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
Blocks: 960372
blocking-b2g: --- → 1.4+
Whiteboard: [cr 631673]
(In reply to Paul Theriault [:pauljt] from comment #0)
> 	E/Sandbox ( 1241): seccomp sandbox violation: pid 1241, syscall 186, args 3005218204

sigaltstack.  It should be reasonably safe to whitelist it.  I'm curious what the call stack is, though.
https://www.codeaurora.org/cgit/quic/la/platform/bionic/tree/libc/bionic/pthread_create.cpp?id=d3e32648689e22569dfe45f77bceb358042914fc#n71

---
Crash reason:  SIGSYS
Crash address: 0xb6f4e3cc

Thread 14 (crashed)
 0  libc.so + 0x203cc
     r4 = 0x00a04c48    r5 = 0x00000000    r6 = 0xb5395fe9    r7 = 0x000000ba
     r8 = 0xb5395fe9    r9 = 0xb3202000   r10 = 0xbec812ec    fp = 0xb6f7a2ec
     sp = 0xb32ffd90    lr = 0xb6f3b1b8    pc = 0xb6f4e3cc
    Found by: given as instruction pointer in context
 1  libc.so!__thread_entry [pthread_create.cpp : 99 + 0x6]
     sp = 0xb32ffdb8    pc = 0xb6f3b200
    Found by: stack scanning
 2  libc.so!pthread_create [pthread_create.cpp : 224 + 0x16]
     r4 = 0x00a04c48    r5 = 0xb32ffdd0    r6 = 0x0000000b    r7 = 0x00000078
     sp = 0xb32ffdd0    pc = 0xb6f3b3b4
    Found by: call frame info
Component: General → Security
Product: Firefox OS → Core
Version: unspecified → Trunk
Attached patch sigal.patch (obsolete) — Splinter Review
Reproduced on AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113 and AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.025

Whitelisting the syscall sigaltstack solves it. This stuff is used to keep the signal state in the 'main' stack while handling debugging signals in the alternate stack.

Try: https://tbpl.mozilla.org/?tree=Try&rev=d11b8f4947f1
Attachment #8391546 - Flags: review?(ptheriault)
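What the whitelisted call actually does, as an added example that is not code from this bug, from Bionic's pthread_create.cpp, or from Gecko: it registers an alternate signal stack for the calling thread and then shows that a handler installed with SA_ONSTACK runs on that stack while one installed without the flag does not. The crash stack above shows Bionic's __thread_entry making exactly this sigaltstack call for every new thread, which is why a seccomp whitelist that lacks it kills the process at thread creation. The function names (run_probe, on_signal) and the 64 KiB stack size are this example's own choices, and it uses SIGUSR1 on the main thread so it needs no pthread library.

```c
#define _XOPEN_SOURCE 700   /* expose sigaltstack(), SA_ONSTACK, SS_ONSTACK on glibc */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Written by the handler: 1 if it ran on the alternate stack, 0 if on the interrupted
 * stack, -1 if it never ran. sig_atomic_t is the type POSIX allows a handler to write. */
static volatile sig_atomic_t handler_on_altstack = -1;

static void on_signal(int signo)
{
    stack_t cur;
    (void)signo;
    /* sigaltstack(NULL, &cur) only queries; it is async-signal-safe and reports, via
     * SS_ONSTACK, whether the thread is currently executing on its alternate stack. */
    if (sigaltstack(NULL, &cur) == 0)
        handler_on_altstack = (cur.ss_flags & SS_ONSTACK) ? 1 : 0;
}

enum { ALT_STACK_SIZE = 64 * 1024 };   /* example choice; well above MINSIGSTKSZ on Linux */

/* Give the calling thread a dedicated signal stack, install a handler for `signo`, raise it,
 * and report where the handler ran: 1 = alternate stack, 0 = normal stack, -1 = not delivered.
 * With use_alt_stack == 0 the stack is still registered but the handler lacks SA_ONSTACK,
 * so it runs on the interrupted stack; a stack-overflow handler set up that way would fault. */
int run_probe(int signo, int use_alt_stack)
{
    void *mem = malloc(ALT_STACK_SIZE);
    if (!mem) return -1;

    stack_t ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = mem;
    ss.ss_size = ALT_STACK_SIZE;
    if (sigaltstack(&ss, NULL) != 0) { free(mem); return -1; }   /* syscall 186 on ARM EABI */

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sa.sa_flags = use_alt_stack ? SA_ONSTACK : 0;
    sigemptyset(&sa.sa_mask);
    if (sigaction(signo, &sa, &old) != 0) { free(mem); return -1; }

    handler_on_altstack = -1;
    raise(signo);   /* single-threaded: returns only after the handler has run */
    int where = handler_on_altstack;

    /* Tear down in reverse order: old disposition back, alternate stack disabled, memory freed. */
    sigaction(signo, &old, NULL);
    stack_t off;
    memset(&off, 0, sizeof off);
    off.ss_flags = SS_DISABLE;
    sigaltstack(&off, NULL);
    free(mem);
    return where;
}

int main(void)
{
    printf("handler with SA_ONSTACK ran on alt stack: %d\n", run_probe(SIGUSR1, 1));
    printf("handler without SA_ONSTACK ran on alt stack: %d\n", run_probe(SIGUSR1, 0));
    return 0;
}
```

The point for a sandbox author: sigaltstack only registers a memory region and is harmless on its own, but a process that is denied it cannot set up per-thread crash handling, and under seccomp the denial itself is a SIGSYS, which is why the homescreen died rather than merely losing its alternate stack.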
Comment on attachment 8391546 [details] [diff] [review]
sigal.patch

Review of attachment 8391546 [details] [diff] [review]:
-----------------------------------------------------------------

I'm tired. Wrong reviewer.
Attachment #8391546 - Flags: review?(ptheriault) → review?(jld)
Comment on attachment 8391546 [details] [diff] [review]
sigal.patch

Review of attachment 8391546 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/sandbox/linux/seccomp_filter.h
@@ +139,5 @@
>    ALLOW_SYSCALL(epoll_ctl), \
>    ALLOW_SYSCALL(sched_yield), \
>    ALLOW_SYSCALL(sched_getscheduler), \
> +  ALLOW_SYSCALL(sched_setscheduler), \
> +  ALLOW_SYSCALL(sigalstack),
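Review bot: the new last line misspells the syscall; `sigalstack` names nothing, and the call that killed the homescreen (number 186 on ARM EABI, per the E/Sandbox line in comment 0) is `sigaltstack`, so the entry should read `ALLOW_SYSCALL(sigaltstack), \` and the patch as written would not fix the crash. Separately, the hunk also whitelists `sched_setscheduler`, which nothing in this bug's report or crash stack calls for; either drop it from this patch or state in the commit message why it is needed, since every extra entry widens the sandbox. Finally, the sigalstack line has no trailing `\` like the entries above it, which is only correct if it really is the final line of the macro.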

"sigaltstack", with a "t".
Attachment #8391546 - Flags: review?(jld) → review+
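How the whitelist in the hunk above decides a syscall's fate, as an added example that is not Gecko's seccomp_filter.h and not code from anyone in this bug: it builds the same kind of classic-BPF program (ABI check, load the syscall number, one jump-equal/return-allow pair per whitelisted call, default kill) and runs it in a small user-space evaluator against the syscall 186 event from the log, first without and then with the sigaltstack entry. Assumptions: the sock_filter and seccomp_data layouts, opcodes, verdict values, AUDIT_ARCH_ARM and the ARM EABI syscall numbers are copied from the Linux uapi headers and redefined locally so the file builds anywhere; the evaluator is a stand-in for the kernel's BPF interpreter that implements only the three opcodes the whitelist needs; the function names (build_whitelist, run_filter, verdict) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF instruction (layout of struct sock_filter in <linux/filter.h>) and the block
 * seccomp hands the filter (struct seccomp_data in <linux/seccomp.h>). Both are redefined
 * locally so this file builds and runs without kernel headers, on any host. */
struct sc_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct sc_data { int32_t nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };

/* Opcodes from <linux/bpf_common.h>: BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K. */
enum { LD_W_ABS = 0x20, JEQ_K = 0x15, RET_K = 0x06 };
/* Filter verdicts from <linux/seccomp.h>. */
enum { RET_KILL = 0x00000000u, RET_ALLOW = 0x7fff0000u };
/* AUDIT_ARCH_ARM = EM_ARM | __AUDIT_ARCH_LE. A whitelist must pin the ABI first, otherwise
 * a number from another syscall table could be matched against the ARM entries. */
#define AUDIT_ARCH_ARM 0x40000028u

/* ARM EABI syscall numbers (arch/arm/include/uapi/asm/unistd.h) for the entries visible in
 * the hunk, plus sigaltstack: 186 is the number in the E/Sandbox line from comment 0. */
enum { NR_sched_setscheduler = 156, NR_sched_getscheduler = 157, NR_sched_yield = 158,
       NR_sigaltstack = 186, NR_epoll_ctl = 251 };

#define MAX_INSNS 64

/* Emit: ABI check, load nr, one (jeq nr ? allow : next) pair per whitelisted call, then the
 * default kill. Returns the instruction count, or 0 if the list does not fit. */
size_t build_whitelist(struct sc_insn *out, const int *allowed, size_t n)
{
    size_t i = 0;
    if (5 + 2 * n > MAX_INSNS) return 0;
    out[i++] = (struct sc_insn){ LD_W_ABS, 0, 0, offsetof(struct sc_data, arch) };
    out[i++] = (struct sc_insn){ JEQ_K, 1, 0, AUDIT_ARCH_ARM };   /* ABI matches: skip the kill */
    out[i++] = (struct sc_insn){ RET_K, 0, 0, RET_KILL };
    out[i++] = (struct sc_insn){ LD_W_ABS, 0, 0, offsetof(struct sc_data, nr) };
    for (size_t j = 0; j < n; j++) {
        out[i++] = (struct sc_insn){ JEQ_K, 0, 1, (uint32_t)allowed[j] }; /* no match: skip the allow */
        out[i++] = (struct sc_insn){ RET_K, 0, 0, RET_ALLOW };
    }
    out[i++] = (struct sc_insn){ RET_K, 0, 0, RET_KILL };   /* anything else: the "Killing process" path */
    return i;
}

/* User-space interpreter for the three opcodes above: runs the filter over a synthetic
 * sc_data so the verdict the kernel would reach can be inspected without installing anything. */
uint32_t run_filter(const struct sc_insn *prog, size_t len, const struct sc_data *d)
{
    const unsigned char *mem = (const unsigned char *)d;
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sc_insn *in = &prog[pc];
        switch (in->code) {
        case LD_W_ABS:
            if (in->k > sizeof *d - sizeof acc) return RET_KILL;  /* out-of-range load */
            memcpy(&acc, mem + in->k, sizeof acc);
            pc++;
            break;
        case JEQ_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case RET_K:
            return in->k;
        default:
            return RET_KILL;   /* opcode this toy interpreter does not implement */
        }
    }
    return RET_KILL;   /* the kernel rejects programs that can fall off the end; treat as kill */
}

/* Verdict for syscall `nr` under `arch`, with the four entries visible in the hunk only
 * (with_sigaltstack == 0, the state that produced the crash) or with sigaltstack added. */
uint32_t verdict(int nr, uint32_t arch, int with_sigaltstack)
{
    static const int before[] = { NR_epoll_ctl, NR_sched_yield, NR_sched_getscheduler, NR_sched_setscheduler };
    static const int after[]  = { NR_epoll_ctl, NR_sched_yield, NR_sched_getscheduler, NR_sched_setscheduler,
                                  NR_sigaltstack };
    struct sc_insn prog[MAX_INSNS];
    size_t len = with_sigaltstack ? build_whitelist(prog, after, 5) : build_whitelist(prog, before, 4);
    struct sc_data d = { .nr = nr, .arch = arch };
    d.args[0] = 3005218204u; d.args[3] = 3; d.args[4] = 4308040;   /* the args from the log line in comment 0 */
    return run_filter(prog, len, &d);
}

int main(void)
{
    printf("sigaltstack (186) without the entry: %s\n", verdict(NR_sigaltstack, AUDIT_ARCH_ARM, 0) == RET_ALLOW ? "allow" : "kill");
    printf("sigaltstack (186) with the entry:    %s\n", verdict(NR_sigaltstack, AUDIT_ARCH_ARM, 1) == RET_ALLOW ? "allow" : "kill");
    printf("sched_yield (158) under the x86_64 ABI: %s\n", verdict(NR_sched_yield, 0xc000003eu, 1) == RET_ALLOW ? "allow" : "kill");
    return 0;
}
```

The same instruction array, wrapped in a struct sock_fprog, is what a real sandbox hands to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) after PR_SET_NO_NEW_PRIVS; evaluating it in user space first is a cheap way to confirm that a whitelist change admits exactly the number from a violation log and nothing else. The ABI check is the part easiest to forget: without it, a 32-bit number matched against the ARM table could let through an unrelated syscall on another architecture.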
https://hg.mozilla.org/mozilla-central/rev/32895b78c93c
Assignee: nobody → gdestuynder
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Blocks: 989172