Closed Bug 983518 Opened 11 years ago Closed 11 years ago

Homescreen sandbox crash on QRD kitkat

Categories

(Core :: Security, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla30
blocking-b2g 1.4+
Tracking Status
firefox28 --- wontfix
firefox29 --- wontfix
firefox30 --- fixed
b2g-v1.4 --- fixed

People

(Reporter: pauljt, Assigned: kang)

References

Details

(Whiteboard: [cr 631673])

Attachments

(1 file, 1 obsolete file)

Mvines reports that homescreen is crashing with a sandbox error on kitkat. We need to jump on this asap. For the KK baseline (i.e., the real v1.4 baseline), the homescreen gets killed at boot with a:

E/Sandbox ( 1241): seccomp sandbox violation: pid 1241, syscall 186, args 3005218204 0 0 3 4308040 0. Killing process.

Bug can be reproduced using this build: https://bug961246.bugzilla.mozilla.org/attachment.cgi?id=8381550&t=VRMWJg37

Also enable these configs in arch/arm/configs/msm8226_defconfig first of course:
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
blocking-b2g: --- → 1.4+
Whiteboard: [cr 631673]
(In reply to Paul Theriault [:pauljt] from comment #0)
> E/Sandbox ( 1241): seccomp sandbox violation: pid 1241, syscall 186, args 3005218204

sigaltstack. It should be reasonably safe to whitelist it. I'm curious what the call stack is, though.
https://www.codeaurora.org/cgit/quic/la/platform/bionic/tree/libc/bionic/pthread_create.cpp?id=d3e32648689e22569dfe45f77bceb358042914fc#n71

---
Crash reason:  SIGSYS
Crash address: 0xb6f4e3cc

Thread 14 (crashed)
 0  libc.so + 0x203cc
     r4 = 0x00a04c48   r5 = 0x00000000   r6 = 0xb5395fe9   r7 = 0x000000ba
     r8 = 0xb5395fe9   r9 = 0xb3202000  r10 = 0xbec812ec   fp = 0xb6f7a2ec
     sp = 0xb32ffd90   lr = 0xb6f3b1b8   pc = 0xb6f4e3cc
    Found by: given as instruction pointer in context
 1  libc.so!__thread_entry [pthread_create.cpp : 99 + 0x6]
     sp = 0xb32ffdb8   pc = 0xb6f3b200
    Found by: stack scanning
 2  libc.so!pthread_create [pthread_create.cpp : 224 + 0x16]
     r4 = 0x00a04c48   r5 = 0xb32ffdd0   r6 = 0x0000000b   r7 = 0x00000078
     sp = 0xb32ffdd0   pc = 0xb6f3b3b4
    Found by: call frame info
Component: General → Security
Product: Firefox OS → Core
Version: unspecified → Trunk
Attached patch sigal.patch (obsolete) — Splinter Review
Reproduced on AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113 and AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.025 Whitelisting the syscall sigaltstack solves it. This stuff is used to keep the signal state in the 'main' stack while handling debugging signals in the alternate stack. Try: https://tbpl.mozilla.org/?tree=Try&rev=d11b8f4947f1
Attachment #8391546 - Flags: review?(ptheriault)
Comment on attachment 8391546 [details] [diff] [review]
sigal.patch

Review of attachment 8391546 [details] [diff] [review]:
-----------------------------------------------------------------

I'm tired. wrong reviewer.
Attachment #8391546 - Flags: review?(ptheriault) → review?(jld)
Comment on attachment 8391546 [details] [diff] [review] sigal.patch Review of attachment 8391546 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/sandbox/linux/seccomp_filter.h @@ +139,5 @@ > ALLOW_SYSCALL(epoll_ctl), \ > ALLOW_SYSCALL(sched_yield), \ > ALLOW_SYSCALL(sched_getscheduler), \ > + ALLOW_SYSCALL(sched_setscheduler), \ > + ALLOW_SYSCALL(sigalstack), "sigaltstack", with a "t".
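Review bot: the added line `+ ALLOW_SYSCALL(sigalstack), \` is misspelled; there is no syscall of that name, so the rule cannot resolve to a valid __NR_ constant and the file will not build. It should read `ALLOW_SYSCALL(sigaltstack), \`, the syscall (186 on ARM) identified from the crash log and the __thread_entry frame in the trace. Separately, the same hunk adds `+ ALLOW_SYSCALL(sched_setscheduler), \`, which nothing in this bug asks for; either the attachment description should say which sandboxed code needs it, or it belongs in its own patch so the sigaltstack fix stays minimal.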
Attachment #8391546 - Flags: review?(jld) → review+
Assignee: nobody → gdestuynder
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Blocks: 989172