Closed
Bug 1481978
Opened 6 years ago
Closed 6 years ago
Unsafe heap allocation in SandboxFork::StartChrootServer
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla63
People
(Reporter: jld, Assigned: jld)
References
Details
Attachments
(1 file, 1 obsolete file)
|
(deleted),
patch
|
glandium
:
review+
|
Details | Diff | Splinter Review |
Just like bug 1480401, but for this line of code in SandboxFork::StartChrootServer
instead:
> base::CloseSuperfluousFds([this](int fd) { return fd == mChrootServer; });
|
Assignee | |
Updated•6 years ago
|
status-firefox62:
--- → affected
status-firefox63:
--- → affected
|
|
Assignee | |
Comment 1•6 years ago
|
||
Attachment #8998689 -
Flags: review?(gpascutto)
|
||
Comment 2•6 years ago
|
||
It seems like CloseSuperfluousFds is a continuous footgun. Why not change it so that it doesn't take a possibly heap allocated value?
|
|
Assignee | |
Comment 3•6 years ago
|
||
Attachment #8998689 -
Attachment is obsolete: true
Attachment #8998689 -
Flags: review?(gpascutto)
Attachment #8998704 -
Flags: review?(gpascutto)
|
|
||
Comment 4•6 years ago
|
||
Comment on attachment 8998704 [details] [diff] [review]
Patch [v2; removes footgun]
Review of attachment 8998704 [details] [diff] [review]:
-----------------------------------------------------------------
::: ipc/chromium/src/base/process_util_posix.cc
@@ +120,5 @@
> };
> typedef mozilla::UniquePtr<DIR, ScopedDIRClose> ScopedDIR;
>
>
> +void CloseSuperfluousFds(void* aCtx, bool (*aShouldPreserve)(void*, int))
I was about to say "third party, yadayada", but we've crossed that bridge with the std::function version anyways.
::: security/sandbox/linux/launch/SandboxLaunch.cpp
@@ +589,5 @@
> SANDBOX_LOG_ERROR("capset (chroot helper): %s", strerror(errno));
> MOZ_DIAGNOSTIC_ASSERT(false);
> }
>
> + base::CloseSuperfluousFds(this, [](void* aCtx, int aFd) {
You could pass down mChrootServer instead of this.
Attachment #8998704 -
Flags: review?(gpascutto) → review+
|
|
Assignee | |
Comment 5•6 years ago
|
||
(In reply to Mike Hommey [:glandium] from comment #4)
> Comment on attachment 8998704 [details] [diff] [review]
…
> ::: ipc/chromium/src/base/process_util_posix.cc
…
> I was about to say "third party, yadayada", but we've crossed that bridge
> with the std::function version anyways.
ipc/chromium/src can be freely modified; we gave up on the idea of trying to re-merge with upstream years ago, and “upstream” no longer really exists after Chromium's switch to Mojo.
> ::: security/sandbox/linux/launch/SandboxLaunch.cpp
> > + base::CloseSuperfluousFds(this, [](void* aCtx, int aFd) {
>
> You could pass down mChrootServer instead of this.
I could, but the casts for that are more visual noise than this way, and `this` works.
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/542197624ba2
Change IPC CloseSuperfluousFds to prevent accidentally heap-allocating closures. r=glandium
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Wontfix for 62 from discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1480401#c17.
You need to log in
before you can comment on or make changes to this bug.
Description
•