File descriptor leak when constructing sandbox file broker
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox91 | --- | fixed |
People
(Reporter: jld, Assigned: jld)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression)
Attachments
(1 file)
(deleted),
text/x-phabricator-request
|
Details |
This line in sandbox broker initialization constructs a mozilla::ipc::FileDescriptor
(for the client side of the broker's socket pair) from an int, which dup
s the fd, but in this case the caller intended to transfer ownership.
As a result, every time a content process is started/stopped, we leak a file descriptor in the parent process. This code hasn't been changed in a very long time, so it's possible that this has been the case since sandbox file brokering shipped on desktop. (It was originally written for B2G, but I vaguely remember that I only ever got it working on the emulator.)
Note that we don't leak the broker thread: when the broker instance is destroyed (it's owned by the ContentParent
), it forces an EOF on the socket which causes the thread to exit.
There have been a number of bugs recently which came down to mystery fd exhaustion, and it's possible that this bug is the cause (or at least a contributing factor), especially because Fission probably means more turnover of content processes.
This is a one-line fix and we'll probably want to uplift it everywhere.
Assignee | ||
Comment 1•3 years ago
|
||
Assignee | ||
Updated•3 years ago
|
Updated•3 years ago
|
Comment 3•3 years ago
|
||
bugherder |
Updated•3 years ago
|
Updated•3 years ago
|
Description
•