Closed Bug 1719391 Opened 3 years ago Closed 3 years ago

File descriptor leak when constructing sandbox file broker

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Desktop
Linux
defect

Tracking

RESOLVED FIXED
91 Branch
Tracking Status
firefox91 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

This line in sandbox broker initialization constructs a mozilla::ipc::FileDescriptor (for the client side of the broker's socket pair) from an int, which dups the fd, but in this case the caller intended to transfer ownership.

As a result, every time a content process is started/stopped, we leak a file descriptor in the parent process. This code hasn't been changed in a very long time, so it's possible that this has been the case since sandbox file brokering shipped on desktop. (It was originally written for B2G, but I vaguely remember that I only ever got it working on the emulator.)

Note that we don't leak the broker thread: when the broker instance is destroyed (it's owned by the ContentParent), it forces an EOF on the socket which causes the thread to exit.

There have been a number of bugs recently which came down to mystery fd exhaustion, and it's possible that this bug is the cause (or at least a contributing factor), especially because Fission probably means more turnover of content processes.

This is a one-line fix and we'll probably want to uplift it everywhere.
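The ownership mistake described in this report, as an added example that is not Firefox code: a hypothetical descriptor wrapper (`IpcFd`, standing in for a class like `mozilla::ipc::FileDescriptor`) whose `int` constructor `dup()`s the handle, next to a constructor that takes ownership of an already-owned handle (`OwnedHandle`, also hypothetical). `brokerCycle()` models one broker create/destroy cycle around a `socketpair` and reports how many descriptors remain open afterwards, which is the check a practitioner would add to catch this class of leak in a test.

```cpp
// Added example, not Firefox's code. Models the fd-ownership bug from the
// report: wrapping a raw int dup()s it, so the original int leaks unless the
// caller closes it; transferring an owned handle leaves nothing behind.
#include <cstdio>
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

// Hypothetical owning handle: closes its descriptor on destruction.
struct OwnedHandle {
  int fd = -1;
  explicit OwnedHandle(int raw) : fd(raw) {}
  OwnedHandle(OwnedHandle&& o) noexcept : fd(o.fd) { o.fd = -1; }
  OwnedHandle(const OwnedHandle&) = delete;
  OwnedHandle& operator=(const OwnedHandle&) = delete;
  ~OwnedHandle() { if (fd >= 0) close(fd); }
};

// Hypothetical IPC descriptor wrapper with the two constructor flavours
// the report contrasts.
struct IpcFd {
  int fd = -1;
  // "Borrowing" constructor: dup()s, so the caller still owns `raw`
  // and must close it.
  explicit IpcFd(int raw) : fd(raw >= 0 ? dup(raw) : -1) {}
  // Ownership-transfer constructor: steals the handle, no second copy.
  explicit IpcFd(OwnedHandle&& h) : fd(h.fd) { h.fd = -1; }
  IpcFd(IpcFd&& o) noexcept : fd(o.fd) { o.fd = -1; }
  IpcFd(const IpcFd&) = delete;
  IpcFd& operator=(const IpcFd&) = delete;
  ~IpcFd() { if (fd >= 0) close(fd); }
};

// Count descriptors open in this process by probing 0..1023 with
// fcntl(F_GETFD); portable across POSIX, no /proc needed.
int countOpenFds() {
  int n = 0;
  for (int fd = 0; fd < 1024; ++fd) {
    if (fcntl(fd, F_GETFD) != -1) n++;
  }
  return n;
}

// One simulated broker construction/destruction cycle. `leaky` reproduces
// the bug: the client end of the socket pair is wrapped with the dup()ing
// constructor and the original int is never closed. Returns the net change
// in open descriptors after the cycle (0 means nothing leaked).
int brokerCycle(bool leaky) {
  int before = countOpenFds();
  {
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds) != 0) return -1;
    OwnedHandle serverEnd(fds[0]);  // the broker thread's end; closed on scope exit
    if (leaky) {
      IpcFd clientEnd(fds[1]);  // dup: fds[1] itself is orphaned
      (void)clientEnd;
    } else {
      IpcFd clientEnd{OwnedHandle(fds[1])};  // transfer: sole owner
      (void)clientEnd;
    }
  }
  return countOpenFds() - before;
}

int main() {
  std::printf("leaky cycle leaves %d extra fd(s)\n", brokerCycle(true));
  std::printf("fixed cycle leaves %d extra fd(s)\n", brokerCycle(false));
  return 0;
}
```

Run repeatedly (as a content-process churn test would), the leaky variant grows the open-descriptor count by one per cycle, which is exactly the slow fd exhaustion the report suspects; the ownership-transfer variant stays flat.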

Has Regression Range: --- → yes
Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1fa9aa100504 Fix fd leak during Linux sandbox file broker creation. r=glandium
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch