Date: Wednesday, July 21, 2021 @ 16:41:37 Author: foutrelis Revision: 420250
upgpkg: chromium 92.0.4515.107-3: upstream fixes for glibc and systemd - Replace the patch from Fedora with upstream fixes for glibc 2.33 (https://crbug.com/1164975) - Remove the use_allocator="none" workaround and apply the upstream fix for the network service crashes seen with systemd 249 (FS#71568) (https://crbug.com/1221442) Added: chromium/trunk/linux-sandbox-fix-fstatat-crash.patch chromium/trunk/linux-sandbox-syscall-broker-use-struct-kernel_stat.patch chromium/trunk/make-GetUsableSize-handle-nullptr-gracefully.patch Modified: chromium/trunk/PKGBUILD Deleted: chromium/trunk/chromium-glibc-2.33.patch -----------------------------------------------------------+ PKGBUILD | 17 chromium-glibc-2.33.patch | 144 - linux-sandbox-fix-fstatat-crash.patch | 348 +++ linux-sandbox-syscall-broker-use-struct-kernel_stat.patch | 1384 ++++++++++++ make-GetUsableSize-handle-nullptr-gracefully.patch | 49 5 files changed, 1791 insertions(+), 151 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2021-07-21 10:14:10 UTC (rev 420249) +++ PKGBUILD 2021-07-21 16:41:37 UTC (rev 420250) @@ -5,7 +5,7 @@ pkgname=chromium pkgver=92.0.4515.107 -pkgrel=2 +pkgrel=3 _launcher_ver=7 _gcc_patchset=7 pkgdesc="A web browser built for speed, simplicity, and security" @@ -25,15 +25,19 @@ https://github.com/foutrelis/chromium-launcher/archive/v$_launcher_ver/chromium-launcher-$_launcher_ver.tar.gz https://github.com/stha09/chromium-patches/releases/download/chromium-${pkgver%%.*}-patchset-$_gcc_patchset/chromium-${pkgver%%.*}-patchset-$_gcc_patchset.tar.xz extend-enable-accelerated-video-decode-flag.patch + linux-sandbox-syscall-broker-use-struct-kernel_stat.patch + linux-sandbox-fix-fstatat-crash.patch + make-GetUsableSize-handle-nullptr-gracefully.patch sql-make-VirtualCursor-standard-layout-type.patch - chromium-glibc-2.33.patch use-oauth2-client-switches-as-default.patch) sha256sums=('6e51ac6512a4e95018eefc9fef1d2e7597f28a1c45c763b3a8eb7dde5f557012' '86859c11cfc8ba106a3826479c0bc759324a62150b271dd35d1a0f96e890f52f' '53a2cbb1b58d652d5424ff9040b6a51b9dc6348ce3edc68344cd0d25f1f4beb2' '66db9132d6f5e06aa26e5de0924f814224a76a9bdf4b61afce161fb1d7643b22' + '268e18ad56e5970157b51ec9fc8eb58ba93e313ea1e49c842a1ed0820d9c1fa3' + '253348550d54b8ae317fd250f772f506d2bae49fb5dc75fe15d872ea3d0e04a5' + '4489e5e7854a7dcd9464133eb4664250ce7149ac1714a0bf10ca0d82d8806568' 'dd317f85e5abfdcfc89c6f23f4c8edbcdebdd5e083dcec770e5da49ee647d150' - '2fccecdcd4509d4c36af873988ca9dbcba7fdb95122894a9fdf502c33a1d7a4b' 'e393174d7695d0bafed69e868c5fbfecf07aa6969f3b64596d0bae8b067e1711') # Possible replacements are listed in build/linux/unbundle/replace_gn_files.py @@ -88,11 +92,11 @@ # runtime -- this allows signing into Chromium without baked-in values patch -Np1 -i ../use-oauth2-client-switches-as-default.patch - # https://crbug.com/1164975 - patch -Np1 -i ../chromium-glibc-2.33.patch - # Upstream fixes patch -Np1 -i ../extend-enable-accelerated-video-decode-flag.patch + patch -Np1 -i ../linux-sandbox-syscall-broker-use-struct-kernel_stat.patch + patch -Np1 -i ../linux-sandbox-fix-fstatat-crash.patch + patch -Np1 -i ../make-GetUsableSize-handle-nullptr-gracefully.patch # https://chromium-review.googlesource.com/c/chromium/src/+/2862724 patch -Np1 -i ../sql-make-VirtualCursor-standard-layout-type.patch @@ -137,7 +141,6 @@ 'host_toolchain="//build/toolchain/linux/unbundle:default"' 'clang_use_chrome_plugins=false' 'is_official_build=true' # implies is_cfi=true on x86_64 - 'use_allocator="none"' # https://crbug.com/1221442 'treat_warnings_as_errors=false' 'fieldtrial_testing_like_official_build=true' 'ffmpeg_branding="Chrome"' Deleted: chromium-glibc-2.33.patch =================================================================== --- chromium-glibc-2.33.patch 2021-07-21 10:14:10 UTC (rev 420249) +++ chromium-glibc-2.33.patch 2021-07-21 16:41:37 UTC (rev 420250) @@ -1,144 +0,0 @@ -# Patch made by Kevin Kofler <ke...@tigcc.ticalc.org> -# https://bugzilla.redhat.com/show_bug.cgi?id=1904652 - -diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix 2021-01-25 10:11:45.427436398 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2021-01-25 10:12:51.337699003 -0500 -@@ -257,6 +257,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de - return RestrictKillTarget(current_pid, sysno); - } - -+#if defined(__NR_newfstatat) -+ if (sysno == __NR_newfstatat) { -+ return RewriteFstatatSIGSYS(); -+ } -+#endif -+ -+#if defined(__NR_fstatat64) -+ if (sysno == __NR_fstatat64) { -+ return RewriteFstatatSIGSYS(); -+ } -+#endif -+ - if (SyscallSets::IsFileSystem(sysno) || - SyscallSets::IsCurrentDirectory(sysno)) { - return Error(fs_denied_errno); -diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc ---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix 2021-01-25 10:13:10.179774081 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc 2021-01-25 10:16:18.790525746 -0500 -@@ -6,6 +6,8 @@ - - #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" - -+#include <errno.h> -+#include <fcntl.h> - #include <stddef.h> - #include <stdint.h> - #include <string.h> -@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct - return -ENOSYS; - } - -+intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, -+ void* aux) { -+ switch (args.nr) { -+#if defined(__NR_newfstatat) -+ case __NR_newfstatat: -+#endif -+#if defined(__NR_fstatat64) -+ case __NR_fstatat64: -+#endif -+#if defined(__NR_newfstatat) || defined(__NR_fstatat64) -+ if (*reinterpret_cast<const char *>(args.args[1]) == '\0' -+ && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) { -+ return sandbox::sys_fstat64(static_cast<int>(args.args[0]), -+ reinterpret_cast<struct stat64 *>(args.args[2])); -+ } else { -+ errno = EACCES; -+ return -1; -+ } -+ break; -+#endif -+ } -+ -+ CrashSIGSYS_Handler(args, aux); -+ -+ // Should never be reached. -+ RAW_CHECK(false); -+ return -ENOSYS; -+} -+ - bpf_dsl::ResultExpr CrashSIGSYS() { - return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); - } -@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() - return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); - } - -+bpf_dsl::ResultExpr RewriteFstatatSIGSYS() { -+ return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL); -+} -+ - void AllocateCrashKeys() { - #if !defined(OS_NACL_NONSFI) - if (seccomp_crash_key) -diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h ---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix 2021-01-25 10:16:36.982598236 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h 2021-01-25 10:18:45.705111027 -0500 -@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail - // sched_setparam(), sched_setscheduler() - SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args, - void* aux); -+// If the fstatat syscall is actually a disguised fstat, calls the regular fstat -+// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler. -+SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, -+ void* aux); - - // Variants of the above functions for use with bpf_dsl. - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS(); -@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex(); - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace(); - SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS(); -+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(); - - // Allocates a crash key so that Seccomp information can be recorded. - void AllocateCrashKeys(); -diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc ---- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix 2021-01-25 10:18:53.307141311 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc 2021-01-25 10:19:46.982355293 -0500 -@@ -261,4 +261,13 @@ int sys_sigaction(int signum, - - #endif // defined(MEMORY_SANITIZER) - -+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf) -+{ -+#if defined(__NR_fstat64) -+ return syscall(__NR_fstat64, fd, buf); -+#else -+ return syscall(__NR_fstat, fd, buf); -+#endif -+} -+ - } // namespace sandbox -diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h ---- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix 2021-01-25 10:19:53.115379741 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h 2021-01-25 10:20:45.485588421 -0500 -@@ -17,6 +17,7 @@ struct sock_fprog; - struct rlimit64; - struct cap_hdr; - struct cap_data; -+struct stat64; - - namespace sandbox { - -@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig - const struct sigaction* act, - struct sigaction* oldact); - -+// Recent glibc rewrites fstat to fstatat. -+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf); -+ - } // namespace sandbox - - #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ Added: linux-sandbox-fix-fstatat-crash.patch =================================================================== --- linux-sandbox-fix-fstatat-crash.patch (rev 0) +++ linux-sandbox-fix-fstatat-crash.patch 2021-07-21 16:41:37 UTC (rev 420250) @@ -0,0 +1,348 @@ +From 60d5e803ef2a4874d29799b638754152285e0ed9 Mon Sep 17 00:00:00 2001 +From: Matthew Denton <mpden...@chromium.org> +Date: Wed, 21 Jul 2021 12:55:11 +0000 +Subject: [PATCH] Linux sandbox: fix fstatat() crash + +This is a reland of https://crrev.com/c/2801873. + +Glibc has started rewriting fstat(fd, stat_buf) to +fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when +AT_EMPTY_PATH is specified, and the second argument is an empty string, +then fstatat just performs an fstat on fd like normal. + +Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like +with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0); +The baseline policy needs to prevent this usage of fstatat() since it +doesn't allow access to arbitrary pathnames. + +Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is +simply ignored by current kernels. + +This means fstatat() is completely unsandboxable with seccomp, since +we *need* to verify that the second argument is the empty string, but +we can't dereference pointers in seccomp (due to limitations of BPF, +and the difficulty of addressing these limitations due to TOCTOU +issues). + +So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall. +The signal handler, which runs in the sandboxed process, checks for +AT_EMPTY_PATH and the empty string, and then rewrites any applicable +fstatat() back into the old-style fstat(). + +Bug: 1164975 +Change-Id: I3df6c04c0d781eb1f181d707ccaaead779337291 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042179 +Reviewed-by: Robert Sesek <rse...@chromium.org> +Commit-Queue: Matthew Denton <mpden...@chromium.org> +Cr-Commit-Position: refs/heads/master@{#903873} +--- + .../seccomp-bpf-helpers/baseline_policy.cc | 8 ++++++ + .../baseline_policy_unittest.cc | 17 ++++++++++++- + .../seccomp-bpf-helpers/sigsys_handlers.cc | 25 +++++++++++++++++++ + .../seccomp-bpf-helpers/sigsys_handlers.h | 14 +++++++++++ + .../linux/syscall_broker/broker_process.cc | 21 ++++++++++------ + .../syscall_broker/broker_process_unittest.cc | 18 ++++++------- + sandbox/linux/system_headers/linux_stat.h | 4 +++ + 7 files changed, 89 insertions(+), 18 deletions(-) + +diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +index f2a60bb4d7..9df0d2dbd3 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +@@ -20,6 +20,7 @@ + #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" + #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" + #include "sandbox/linux/services/syscall_wrappers.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + #if !defined(SO_PEEK_OFF) +@@ -304,6 +305,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, + return Allow(); + } + ++ // The fstatat syscalls are file system syscalls, which will be denied below ++ // with fs_denied_errno. However some allowed fstat syscalls are rewritten by ++ // libc implementations to fstatat syscalls, and we need to rewrite them back. ++ if (sysno == __NR_fstatat_default) { ++ return RewriteFstatatSIGSYS(fs_denied_errno); ++ } ++ + if (SyscallSets::IsFileSystem(sysno) || + SyscallSets::IsCurrentDirectory(sysno)) { + return Error(fs_denied_errno); +diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc +index 68c29b564b..57d307e09d 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc +@@ -51,7 +51,8 @@ namespace sandbox { + + namespace { + +-// This also tests that read(), write() and fstat() are allowed. ++// This also tests that read(), write(), fstat(), and fstatat(.., "", .., ++// AT_EMPTY_PATH) are allowed. + void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) { + BPF_ASSERT_LE(0, read_end.get()); + BPF_ASSERT_LE(0, write_end.get()); +@@ -60,6 +61,20 @@ void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) { + BPF_ASSERT_EQ(0, sys_ret); + BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode)); + ++ sys_ret = fstatat(read_end.get(), "", &stat_buf, AT_EMPTY_PATH); ++ BPF_ASSERT_EQ(0, sys_ret); ++ BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode)); ++ ++ // Make sure fstatat with anything other than an empty string is denied. ++ sys_ret = fstatat(read_end.get(), "/", &stat_buf, AT_EMPTY_PATH); ++ BPF_ASSERT_EQ(sys_ret, -1); ++ BPF_ASSERT_EQ(EPERM, errno); ++ ++ // Make sure fstatat without AT_EMPTY_PATH is denied. ++ sys_ret = fstatat(read_end.get(), "", &stat_buf, 0); ++ BPF_ASSERT_EQ(sys_ret, -1); ++ BPF_ASSERT_EQ(EPERM, errno); ++ + const ssize_t kTestTransferSize = 4; + static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'}; + ssize_t transfered = 0; +diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc +index 64edbd68bd..71068a0452 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc +@@ -6,6 +6,7 @@ + + #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" + ++#include <fcntl.h> + #include <stddef.h> + #include <stdint.h> + #include <string.h> +@@ -22,6 +23,7 @@ + #include "sandbox/linux/seccomp-bpf/syscall.h" + #include "sandbox/linux/services/syscall_wrappers.h" + #include "sandbox/linux/system_headers/linux_seccomp.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + #if defined(__mips__) +@@ -355,6 +357,24 @@ intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args, + return -ENOSYS; + } + ++intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, ++ void* fs_denied_errno) { ++ if (args.nr == __NR_fstatat_default) { ++ if (*reinterpret_cast<const char*>(args.args[1]) == '\0' && ++ args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) { ++ return syscall(__NR_fstat_default, static_cast<int>(args.args[0]), ++ reinterpret_cast<default_stat_struct*>(args.args[2])); ++ } ++ return -reinterpret_cast<intptr_t>(fs_denied_errno); ++ } ++ ++ CrashSIGSYS_Handler(args, fs_denied_errno); ++ ++ // Should never be reached. ++ RAW_CHECK(false); ++ return -ENOSYS; ++} ++ + bpf_dsl::ResultExpr CrashSIGSYS() { + return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); + } +@@ -387,6 +407,11 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() { + return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); + } + ++bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno) { ++ return bpf_dsl::Trap(SIGSYSFstatatHandler, ++ reinterpret_cast<void*>(fs_denied_errno)); ++} ++ + void AllocateCrashKeys() { + #if !defined(OS_NACL_NONSFI) + if (seccomp_crash_key) +diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h +index 7a958b93b2..8cd735ce15 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h ++++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h +@@ -62,6 +62,19 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFailure(const arch_seccomp_data& args, + // sched_setparam(), sched_setscheduler() + SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args, + void* aux); ++// If the fstatat() syscall is functionally equivalent to an fstat() syscall, ++// then rewrite the syscall to the equivalent fstat() syscall which can be ++// adequately sandboxed. ++// If the fstatat() is not functionally equivalent to an fstat() syscall, we ++// fail with -fs_denied_errno. ++// If the syscall is not an fstatat() at all, crash in the same way as ++// CrashSIGSYS_Handler. ++// This is necessary because glibc and musl have started rewriting fstat(fd, ++// stat_buf) as fstatat(fd, "", stat_buf, AT_EMPTY_PATH). We rewrite the latter ++// back to the former, which is actually sandboxable. ++SANDBOX_EXPORT intptr_t ++SIGSYSFstatatHandler(const struct arch_seccomp_data& args, ++ void* fs_denied_errno); + + // Variants of the above functions for use with bpf_dsl. + SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS(); +@@ -72,6 +85,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSKill(); + SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex(); + SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace(); + SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS(); ++SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno); + + // Allocates a crash key so that Seccomp information can be recorded. + void AllocateCrashKeys(); +diff --git a/sandbox/linux/syscall_broker/broker_process.cc b/sandbox/linux/syscall_broker/broker_process.cc +index c2176eb785..e9dad37485 100644 +--- a/sandbox/linux/syscall_broker/broker_process.cc ++++ b/sandbox/linux/syscall_broker/broker_process.cc +@@ -113,44 +113,49 @@ bool BrokerProcess::IsSyscallAllowed(int sysno) const { + } + + bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const { ++ // The syscalls unavailable on aarch64 are all blocked by Android's default ++ // seccomp policy, even on non-aarch64 architectures. I.e., the syscalls XX() ++ // with a corresponding XXat() versions are typically unavailable in aarch64 ++ // and are default disabled in Android. So, we should refuse to broker them ++ // to be consistent with the platform's restrictions. + switch (sysno) { +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_access: + #endif + case __NR_faccessat: + return !fast_check || allowed_command_set_.test(COMMAND_ACCESS); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_mkdir: + #endif + case __NR_mkdirat: + return !fast_check || allowed_command_set_.test(COMMAND_MKDIR); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_open: + #endif + case __NR_openat: + return !fast_check || allowed_command_set_.test(COMMAND_OPEN); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_readlink: + #endif + case __NR_readlinkat: + return !fast_check || allowed_command_set_.test(COMMAND_READLINK); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_rename: + #endif + case __NR_renameat: + case __NR_renameat2: + return !fast_check || allowed_command_set_.test(COMMAND_RENAME); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_rmdir: + return !fast_check || allowed_command_set_.test(COMMAND_RMDIR); + #endif + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_stat: + case __NR_lstat: + #endif +@@ -175,7 +180,7 @@ bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const { + return !fast_check || allowed_command_set_.test(COMMAND_STAT); + #endif + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_unlink: + return !fast_check || allowed_command_set_.test(COMMAND_UNLINK); + #endif +diff --git a/sandbox/linux/syscall_broker/broker_process_unittest.cc b/sandbox/linux/syscall_broker/broker_process_unittest.cc +index c65f25a78a..f0db08d84e 100644 +--- a/sandbox/linux/syscall_broker/broker_process_unittest.cc ++++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc +@@ -1596,52 +1596,52 @@ TEST(BrokerProcess, IsSyscallAllowed) { + const base::flat_map<BrokerCommand, base::flat_set<int>> kSysnosForCommand = { + {COMMAND_ACCESS, + {__NR_faccessat, +-#if defined(__NR_access) ++#if defined(__NR_access) && !defined(OS_ANDROID) + __NR_access + #endif + }}, + {COMMAND_MKDIR, + {__NR_mkdirat, +-#if defined(__NR_mkdir) ++#if defined(__NR_mkdir) && !defined(OS_ANDROID) + __NR_mkdir + #endif + }}, + {COMMAND_OPEN, + {__NR_openat, +-#if defined(__NR_open) ++#if defined(__NR_open) && !defined(OS_ANDROID) + __NR_open + #endif + }}, + {COMMAND_READLINK, + {__NR_readlinkat, +-#if defined(__NR_readlink) ++#if defined(__NR_readlink) && !defined(OS_ANDROID) + __NR_readlink + #endif + }}, + {COMMAND_RENAME, + {__NR_renameat, +-#if defined(__NR_rename) ++#if defined(__NR_rename) && !defined(OS_ANDROID) + __NR_rename + #endif + }}, + {COMMAND_UNLINK, + {__NR_unlinkat, +-#if defined(__NR_unlink) ++#if defined(__NR_unlink) && !defined(OS_ANDROID) + __NR_unlink + #endif + }}, + {COMMAND_RMDIR, + {__NR_unlinkat, +-#if defined(__NR_rmdir) ++#if defined(__NR_rmdir) && !defined(OS_ANDROID) + __NR_rmdir + #endif + }}, + {COMMAND_STAT, + { +-#if defined(__NR_stat) ++#if defined(__NR_stat) && !defined(OS_ANDROID) + __NR_stat, + #endif +-#if defined(__NR_lstat) ++#if defined(__NR_lstat) && !defined(OS_ANDROID) + __NR_lstat, + #endif + #if defined(__NR_fstatat) +diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h +index 35788eb22a..83b89efc75 100644 +--- a/sandbox/linux/system_headers/linux_stat.h ++++ b/sandbox/linux/system_headers/linux_stat.h +@@ -157,6 +157,10 @@ struct kernel_stat { + }; + #endif + ++#if !defined(AT_EMPTY_PATH) ++#define AT_EMPTY_PATH 0x1000 ++#endif ++ + // On 32-bit systems, we default to the 64-bit stat struct like libc + // implementations do. Otherwise we default to the normal stat struct which is + // already 64-bit. Added: linux-sandbox-syscall-broker-use-struct-kernel_stat.patch =================================================================== --- linux-sandbox-syscall-broker-use-struct-kernel_stat.patch (rev 0) +++ linux-sandbox-syscall-broker-use-struct-kernel_stat.patch 2021-07-21 16:41:37 UTC (rev 420250) @@ -0,0 +1,1384 @@ +From 4b438323d68840453b5ef826c3997568e2e0e8c7 Mon Sep 17 00:00:00 2001 +From: Matthew Denton <mpden...@chromium.org> +Date: Mon, 19 Jul 2021 14:03:13 +0000 +Subject: [PATCH] Reland "Reland "Linux sandbox syscall broker: use struct + kernel_stat"" + +This reverts commit ff277a52ece0b216617d770f201ed66955fe70b9. + +Reason for revert: reland + +The fix included in the reland is that fstatat64() needs to be +allowed in the broker process's seccomp policy. + +This CL also includes some extra tests that the kernel_stat structures +match the layout the kernel expects. + +Bug: 1164975, 1199431 +Test: trogdor Chromebook successfully boots and allows login. + +Original change's description: +> Revert "Reland "Linux sandbox syscall broker: use struct kernel_stat"" +> +> This reverts commit cffbc4432af79f720ae3c75dff380b853701bd64. +> +> Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=1199431 +> +> Original change's description: +> > Reland "Linux sandbox syscall broker: use struct kernel_stat" +> > +> > This reverts commit 23030dc650cdfa22631f25bef937905f27f06a2c. +> > +> > Original change's description: +> > > Revert "Linux sandbox syscall broker: use struct kernel_stat" +> > > +> > > This reverts commit 784b0fcd8a3ca6bcd3acb9cfd624ec9cbbac2789. +> > > +> > > Reason for revert: Causing failure in +> > > Step "sandbox_linux_unittests" failing on builder "Linux ChromiumOS MSan Tests" +> > > See crbug.com/1198480 +> > > +> > > Original change's description: +> > > > Linux sandbox syscall broker: use struct kernel_stat +> > > > +> > > > The struct stat used in libc is different (in size and field ordering) +> > > > from the structure assumed by the Linux kernel. So, when emulating +> > > > system calls, we need to use the struct definition the kernel expects. +> > > > +> > > > This CL adds linux_stat.h that includes definitions of the different +> > > > kernel structs. +> > > > +> > > > Change-Id: I53cad35c2251dff0f6b7ea77528cfa58ef3cab4a +> > > > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2780876 +> > > > Commit-Queue: Matthew Denton <mpden...@chromium.org> +> > > > Reviewed-by: Robert Sesek <rse...@chromium.org> +> > > > Cr-Commit-Position: refs/heads/master@{#871767} +> > > +> > > Change-Id: Icbec38f2103c8424dec79ab1870b97c3e83f9361 +> > > No-Presubmit: true +> > > No-Tree-Checks: true +> > > No-Try: true +> > > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2821812 +> > > Auto-Submit: Victor Vianna <victorvia...@google.com> +> > > Owners-Override: Victor Vianna <victorvia...@google.com> +> > > Commit-Queue: Rubber Stamper <rubber-stam...@appspot.gserviceaccount.com> +> > > Bot-Commit: Rubber Stamper <rubber-stam...@appspot.gserviceaccount.com> +> > > Cr-Commit-Position: refs/heads/master@{#871882} +> > +> > Change-Id: I1f39bb5242961474def594ff7dbea52009f2cee4 +> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2824115 +> > Auto-Submit: Matthew Denton <mpden...@chromium.org> +> > Commit-Queue: Matthew Denton <mpden...@chromium.org> +> > Reviewed-by: Robert Sesek <rse...@chromium.org> +> > Cr-Commit-Position: refs/heads/master@{#872812} +> +> Fixed: 1199431 +> Change-Id: Iebfc0c48201bf22ff9c54d8d5c8a43d26a880098 +> No-Presubmit: true +> No-Tree-Checks: true +> No-Try: true +> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2830459 +> Auto-Submit: Kyle Horimoto <khorim...@chromium.org> +> Commit-Queue: Matthew Denton <mpden...@chromium.org> +> Commit-Queue: Kinuko Yasuda <kin...@chromium.org> +> Reviewed-by: Matthew Denton <mpden...@chromium.org> +> Reviewed-by: Kinuko Yasuda <kin...@chromium.org> +> Owners-Override: Kinuko Yasuda <kin...@chromium.org> +> Cr-Commit-Position: refs/heads/master@{#873173} + +Change-Id: Ibe6a485070f33489aaa157b51b908c2d23d174d7 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2848936 +Reviewed-by: Robert Sesek <rse...@chromium.org> +Commit-Queue: Matthew Denton <mpden...@chromium.org> +Cr-Commit-Position: refs/heads/master@{#902981} +--- + sandbox/linux/BUILD.gn | 1 + + .../seccomp_broker_process_unittest.cc | 40 +++- + sandbox/linux/seccomp-bpf-helpers/DEPS | 1 - + ...scall_parameters_restrictions_unittests.cc | 4 - + sandbox/linux/services/syscall_wrappers.cc | 50 ++++- + sandbox/linux/services/syscall_wrappers.h | 15 ++ + .../services/syscall_wrappers_unittest.cc | 129 +++++++++++- + sandbox/linux/syscall_broker/DEPS | 3 +- + sandbox/linux/syscall_broker/broker_client.cc | 4 +- + sandbox/linux/syscall_broker/broker_client.h | 4 +- + sandbox/linux/syscall_broker/broker_host.cc | 23 ++- + .../syscall_broker/broker_process_unittest.cc | 74 +++---- + .../remote_syscall_arg_handler_unittest.cc | 36 ++-- + .../syscall_broker/syscall_dispatcher.cc | 67 ++++--- + .../linux/syscall_broker/syscall_dispatcher.h | 27 ++- + sandbox/linux/system_headers/linux_stat.h | 188 ++++++++++++++++++ + sandbox/linux/system_headers/linux_time.h | 26 +++ + sandbox/linux/tests/test_utils.cc | 15 ++ + sandbox/linux/tests/test_utils.h | 2 + + .../policy/linux/bpf_broker_policy_linux.cc | 4 +- + 20 files changed, 595 insertions(+), 118 deletions(-) + create mode 100644 sandbox/linux/system_headers/linux_stat.h + +diff --git a/sandbox/linux/BUILD.gn b/sandbox/linux/BUILD.gn +index 2f778dd0bc..ccbbc91716 100644 +--- a/sandbox/linux/BUILD.gn ++++ b/sandbox/linux/BUILD.gn +@@ -443,6 +443,7 @@ source_set("sandbox_services_headers") { + "system_headers/linux_ptrace.h", + "system_headers/linux_seccomp.h", + "system_headers/linux_signal.h", ++ "system_headers/linux_stat.h", + "system_headers/linux_syscalls.h", + "system_headers/linux_time.h", + "system_headers/linux_ucontext.h", +diff --git a/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc b/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc +index 9da9c68911..8a941983b1 100644 +--- a/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc ++++ b/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc +@@ -34,6 +34,7 @@ + #include "sandbox/linux/syscall_broker/broker_file_permission.h" + #include "sandbox/linux/syscall_broker/broker_process.h" + #include "sandbox/linux/system_headers/linux_seccomp.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + #include "sandbox/linux/tests/scoped_temporary_file.h" + #include "sandbox/linux/tests/test_utils.h" +@@ -202,6 +203,26 @@ namespace { + // not accept this as a valid error number. E.g. bionic accepts up to 255, glibc + // and musl up to 4096. + const int kFakeErrnoSentinel = 254; ++ ++void ConvertKernelStatToLibcStat(default_stat_struct& in_stat, ++ struct stat& out_stat) { ++ out_stat.st_dev = in_stat.st_dev; ++ out_stat.st_ino = in_stat.st_ino; ++ out_stat.st_mode = in_stat.st_mode; ++ out_stat.st_nlink = in_stat.st_nlink; ++ out_stat.st_uid = in_stat.st_uid; ++ out_stat.st_gid = in_stat.st_gid; ++ out_stat.st_rdev = in_stat.st_rdev; ++ out_stat.st_size = in_stat.st_size; ++ out_stat.st_blksize = in_stat.st_blksize; ++ out_stat.st_blocks = in_stat.st_blocks; ++ out_stat.st_atim.tv_sec = in_stat.st_atime_; ++ out_stat.st_atim.tv_nsec = in_stat.st_atime_nsec_; ++ out_stat.st_mtim.tv_sec = in_stat.st_mtime_; ++ out_stat.st_mtim.tv_nsec = in_stat.st_mtime_nsec_; ++ out_stat.st_ctim.tv_sec = in_stat.st_ctime_; ++ out_stat.st_ctim.tv_nsec = in_stat.st_ctime_nsec_; ++} + } // namespace + + // There are a variety of ways to make syscalls in a sandboxed process. One is +@@ -217,6 +238,10 @@ class Syscaller { + + virtual int Open(const char* filepath, int flags) = 0; + virtual int Access(const char* filepath, int mode) = 0; ++ // NOTE: we use struct stat instead of default_stat_struct, to make the libc ++ // syscaller simpler. Copying from default_stat_struct (the structure returned ++ // from a stat sycall) to struct stat (the structure exposed by a libc to its ++ // users) is simpler than going in the opposite direction. + virtual int Stat(const char* filepath, + bool follow_links, + struct stat* statbuf) = 0; +@@ -243,8 +268,12 @@ class IPCSyscaller : public Syscaller { + int Stat(const char* filepath, + bool follow_links, + struct stat* statbuf) override { +- return broker_->GetBrokerClientSignalBased()->Stat(filepath, follow_links, +- statbuf); ++ default_stat_struct buf; ++ int ret = broker_->GetBrokerClientSignalBased()->DefaultStatForTesting( ++ filepath, follow_links, &buf); ++ if (ret >= 0) ++ ConvertKernelStatToLibcStat(buf, *statbuf); ++ return ret; + } + + int Rename(const char* oldpath, const char* newpath) override { +@@ -300,10 +329,13 @@ class DirectSyscaller : public Syscaller { + int Stat(const char* filepath, + bool follow_links, + struct stat* statbuf) override { +- int ret = follow_links ? syscall(__NR_stat, filepath, statbuf) +- : syscall(__NR_lstat, filepath, statbuf); ++ struct kernel_stat buf; ++ int ret = syscall(__NR_newfstatat, AT_FDCWD, filepath, &buf, ++ follow_links ? 0 : AT_SYMLINK_NOFOLLOW); + if (ret < 0) + return -errno; ++ ++ ConvertKernelStatToLibcStat(buf, *statbuf); + return ret; + } + +diff --git a/sandbox/linux/seccomp-bpf-helpers/DEPS b/sandbox/linux/seccomp-bpf-helpers/DEPS +index 4419fd1da3..95d1bb6cbb 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/DEPS ++++ b/sandbox/linux/seccomp-bpf-helpers/DEPS +@@ -3,5 +3,4 @@ include_rules = [ + "+sandbox/linux/seccomp-bpf", + "+sandbox/linux/services", + "+sandbox/linux/system_headers", +- "+third_party/lss/linux_syscall_support.h", + ] +diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc +index 903e702eab..76c393032c 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc +@@ -37,10 +37,6 @@ + #include "sandbox/linux/system_headers/linux_time.h" + #include "sandbox/linux/tests/unit_tests.h" + +-#if !defined(OS_ANDROID) +-#include "third_party/lss/linux_syscall_support.h" // for MAKE_PROCESS_CPUCLOCK +-#endif +- + namespace sandbox { + + namespace { +diff --git a/sandbox/linux/services/syscall_wrappers.cc b/sandbox/linux/services/syscall_wrappers.cc +index fcfd2aa129..3bec18a14e 100644 +--- a/sandbox/linux/services/syscall_wrappers.cc ++++ b/sandbox/linux/services/syscall_wrappers.cc +@@ -4,6 +4,7 @@ + + #include "sandbox/linux/services/syscall_wrappers.h" + ++#include <fcntl.h> + #include <pthread.h> + #include <sched.h> + #include <setjmp.h> +@@ -14,11 +15,13 @@ + #include <unistd.h> + #include <cstring> + ++#include "base/check.h" + #include "base/compiler_specific.h" + #include "base/logging.h" + #include "build/build_config.h" + #include "sandbox/linux/system_headers/capability.h" + #include "sandbox/linux/system_headers/linux_signal.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + namespace sandbox { +@@ -217,7 +220,7 @@ asm( + #undef STR + #undef XSTR + +-#endif ++#endif // defined(ARCH_CPU_X86_FAMILY) + + int sys_sigaction(int signum, + const struct sigaction* act, +@@ -241,7 +244,7 @@ int sys_sigaction(int signum, + #error "Unsupported architecture." + #endif + } +-#endif ++#endif // defined(ARCH_CPU_X86_FAMILY) + } + + LinuxSigAction linux_oldact = {}; +@@ -259,6 +262,47 @@ int sys_sigaction(int signum, + return result; + } + +-#endif // defined(MEMORY_SANITIZER) ++#endif // !defined(OS_NACL_NONSFI) ++ ++int sys_stat(const char* path, struct kernel_stat* stat_buf) { ++ int res; ++#if !defined(__NR_stat) ++ res = syscall(__NR_newfstatat, AT_FDCWD, path, stat_buf, 0); ++#else ++ res = syscall(__NR_stat, path, stat_buf); ++#endif ++ if (res == 0) ++ MSAN_UNPOISON(stat_buf, sizeof(*stat_buf)); ++ return res; ++} ++ ++int sys_lstat(const char* path, struct kernel_stat* stat_buf) { ++ int res; ++#if !defined(__NR_lstat) ++ res = syscall(__NR_newfstatat, AT_FDCWD, path, stat_buf, AT_SYMLINK_NOFOLLOW); ++#else ++ res = syscall(__NR_lstat, path, stat_buf); ++#endif ++ if (res == 0) ++ MSAN_UNPOISON(stat_buf, sizeof(*stat_buf)); ++ return res; ++} ++ ++int sys_fstatat64(int dirfd, ++ const char* pathname, ++ struct kernel_stat64* stat_buf, ++ int flags) { ++#if defined(__NR_fstatat64) ++ int res = syscall(__NR_fstatat64, dirfd, pathname, stat_buf, flags); ++ if (res == 0) ++ MSAN_UNPOISON(stat_buf, sizeof(*stat_buf)); ++ return res; ++#else // defined(__NR_fstatat64) ++ // We should not reach here on 64-bit systems, as the *stat*64() are only ++ // necessary on 32-bit. ++ RAW_CHECK(false); ++ return -ENOSYS; ++#endif ++} + + } // namespace sandbox +diff --git a/sandbox/linux/services/syscall_wrappers.h b/sandbox/linux/services/syscall_wrappers.h +index 1975bfbd88..b55340e4a2 100644 +--- a/sandbox/linux/services/syscall_wrappers.h ++++ b/sandbox/linux/services/syscall_wrappers.h +@@ -17,6 +17,8 @@ struct sock_fprog; + struct rlimit64; + struct cap_hdr; + struct cap_data; ++struct kernel_stat; ++struct kernel_stat64; + + namespace sandbox { + +@@ -84,6 +86,19 @@ SANDBOX_EXPORT int sys_sigaction(int signum, + const struct sigaction* act, + struct sigaction* oldact); + ++// Some architectures do not have stat() and lstat() syscalls. In that case, ++// these wrappers will use newfstatat(), which is available on all other ++// architectures, with the same capabilities as stat() and lstat(). ++SANDBOX_EXPORT int sys_stat(const char* path, struct kernel_stat* stat_buf); ++SANDBOX_EXPORT int sys_lstat(const char* path, struct kernel_stat* stat_buf); ++ ++// Takes care of unpoisoning |stat_buf| for MSAN. Check-fails if fstatat64() is ++// not a supported syscall on the current platform. ++SANDBOX_EXPORT int sys_fstatat64(int dirfd, ++ const char* pathname, ++ struct kernel_stat64* stat_buf, ++ int flags); ++ + } // namespace sandbox + + #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ +diff --git a/sandbox/linux/services/syscall_wrappers_unittest.cc b/sandbox/linux/services/syscall_wrappers_unittest.cc +index 32820f60a8..64b9cea80f 100644 +--- a/sandbox/linux/services/syscall_wrappers_unittest.cc ++++ b/sandbox/linux/services/syscall_wrappers_unittest.cc +@@ -5,15 +5,19 @@ + #include "sandbox/linux/services/syscall_wrappers.h" + + #include <stdint.h> ++#include <string.h> + #include <sys/syscall.h> + #include <sys/types.h> + #include <sys/wait.h> + #include <unistd.h> +-#include <cstring> + ++#include "base/logging.h" ++#include "base/memory/page_size.h" + #include "base/posix/eintr_wrapper.h" + #include "build/build_config.h" + #include "sandbox/linux/system_headers/linux_signal.h" ++#include "sandbox/linux/system_headers/linux_stat.h" ++#include "sandbox/linux/tests/scoped_temporary_file.h" + #include "sandbox/linux/tests/test_utils.h" + #include "sandbox/linux/tests/unit_tests.h" + #include "testing/gtest/include/gtest/gtest.h" +@@ -93,6 +97,129 @@ TEST(SyscallWrappers, LinuxSigSet) { + linux_sigset); + } + ++TEST(SyscallWrappers, Stat) { ++ // Create a file to stat, with 12 bytes of data. ++ ScopedTemporaryFile tmp_file; ++ EXPECT_EQ(12, write(tmp_file.fd(), "blahblahblah", 12)); ++ ++ // To test we have the correct stat structures for each kernel/platform, we ++ // will right-align them on a page, with a guard page after. ++ char* two_pages = static_cast<char*>(TestUtils::MapPagesOrDie(2)); ++ TestUtils::MprotectLastPageOrDie(two_pages, 2); ++ char* page1_end = two_pages + base::GetPageSize(); ++ ++ // First, check that calling stat with |stat_buf| pointing to the last byte on ++ // a page causes EFAULT. ++ int res = sys_stat(tmp_file.full_file_name(), ++ reinterpret_cast<struct kernel_stat*>(page1_end - 1)); ++ ASSERT_EQ(res, -1); ++ ASSERT_EQ(errno, EFAULT); ++ ++ // Now, check that we have the correctly sized stat structure. ++ struct kernel_stat* sb = reinterpret_cast<struct kernel_stat*>( ++ page1_end - sizeof(struct kernel_stat)); ++ // Memset to c's so we can check the kernel zero'd the padding... ++ memset(sb, 'c', sizeof(struct kernel_stat)); ++ res = sys_stat(tmp_file.full_file_name(), sb); ++ ASSERT_EQ(res, 0); ++ ++ // Following fields may never be consistent but should be non-zero. ++ // Don't trust the platform to define fields with any particular sign. ++ EXPECT_NE(0u, static_cast<unsigned int>(sb->st_dev)); ++ EXPECT_NE(0u, static_cast<unsigned int>(sb->st_ino)); ++ EXPECT_NE(0u, static_cast<unsigned int>(sb->st_mode)); ++ EXPECT_NE(0u, static_cast<unsigned int>(sb->st_blksize)); ++ EXPECT_NE(0u, static_cast<unsigned int>(sb->st_blocks)); ++ ++// We are the ones that made the file. ++// Note: normally gid and uid overflow on backwards-compatible 32-bit systems ++// and we end up with dummy uids and gids in place here. ++#if defined(ARCH_CPU_64_BITS) ++ EXPECT_EQ(geteuid(), sb->st_uid); ++ EXPECT_EQ(getegid(), sb->st_gid); ++#endif ++ ++ // Wrote 12 bytes above which should fit in one block. ++ EXPECT_EQ(12u, sb->st_size); ++ ++ // Can't go backwards in time, 1500000000 was some time ago. ++ EXPECT_LT(1500000000u, static_cast<unsigned int>(sb->st_atime_)); ++ EXPECT_LT(1500000000u, static_cast<unsigned int>(sb->st_mtime_)); ++ EXPECT_LT(1500000000u, static_cast<unsigned int>(sb->st_ctime_)); ++ ++ // Checking the padding for good measure. ++#if defined(__x86_64__) ++ EXPECT_EQ(0u, sb->__pad0); ++ EXPECT_EQ(0u, sb->__unused4[0]); ++ EXPECT_EQ(0u, sb->__unused4[1]); ++ EXPECT_EQ(0u, sb->__unused4[2]); ++#elif defined(__aarch64__) ++ EXPECT_EQ(0u, sb->__pad1); ++ EXPECT_EQ(0, sb->__pad2); ++ EXPECT_EQ(0u, sb->__unused4); ++ EXPECT_EQ(0u, sb->__unused5); ++#endif ++} ++ ++TEST(SyscallWrappers, LStat) { ++ // Create a file to stat, with 12 bytes of data. ++ ScopedTemporaryFile tmp_file; ++ EXPECT_EQ(12, write(tmp_file.fd(), "blahblahblah", 12)); ++ ++ // Also create a symlink. ++ std::string symlink_name; ++ { ++ ScopedTemporaryFile tmp_file2; ++ symlink_name = tmp_file2.full_file_name(); ++ } ++ int rc = symlink(tmp_file.full_file_name(), symlink_name.c_str()); ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't symlink " << symlink_name << " to target " ++ << tmp_file.full_file_name(); ++ GTEST_FAIL(); ++ } ++ ++ struct kernel_stat lstat_info; ++ rc = sys_lstat(symlink_name.c_str(), &lstat_info); ++ if (rc < 0 && errno == EOVERFLOW) { ++ GTEST_SKIP(); ++ } ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't sys_lstat " << symlink_name; ++ GTEST_FAIL(); ++ } ++ ++ struct kernel_stat stat_info; ++ rc = sys_stat(symlink_name.c_str(), &stat_info); ++ if (rc < 0 && errno == EOVERFLOW) { ++ GTEST_SKIP(); ++ } ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't sys_stat " << symlink_name; ++ GTEST_FAIL(); ++ } ++ ++ struct kernel_stat tmp_file_stat_info; ++ rc = sys_stat(tmp_file.full_file_name(), &tmp_file_stat_info); ++ if (rc < 0 && errno == EOVERFLOW) { ++ GTEST_SKIP(); ++ } ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't sys_stat " << tmp_file.full_file_name(); ++ GTEST_FAIL(); ++ } ++ ++ // lstat should produce information about a symlink. ++ ASSERT_TRUE(S_ISLNK(lstat_info.st_mode)); ++ ++ // stat-ing symlink_name and tmp_file should produce the same inode. ++ ASSERT_EQ(stat_info.st_ino, tmp_file_stat_info.st_ino); ++ ++ // lstat-ing symlink_name should give a different inode than stat-ing ++ // symlink_name. ++ ASSERT_NE(stat_info.st_ino, lstat_info.st_ino); ++} ++ + } // namespace + + } // namespace sandbox +diff --git a/sandbox/linux/syscall_broker/DEPS b/sandbox/linux/syscall_broker/DEPS +index c477f7d363..149c463b06 100644 +--- a/sandbox/linux/syscall_broker/DEPS ++++ b/sandbox/linux/syscall_broker/DEPS +@@ -1,4 +1,5 @@ + include_rules = [ +- "+sandbox/linux/system_headers", + "+sandbox/linux/bpf_dsl", ++ "+sandbox/linux/services", ++ "+sandbox/linux/system_headers", + ] +diff --git a/sandbox/linux/syscall_broker/broker_client.cc b/sandbox/linux/syscall_broker/broker_client.cc +index 6b1b5be433..e24f659fcf 100644 +--- a/sandbox/linux/syscall_broker/broker_client.cc ++++ b/sandbox/linux/syscall_broker/broker_client.cc +@@ -166,7 +166,7 @@ int BrokerClient::Rmdir(const char* path) const { + + int BrokerClient::Stat(const char* pathname, + bool follow_links, +- struct stat* sb) const { ++ struct kernel_stat* sb) const { + if (!pathname || !sb) + return -EFAULT; + +@@ -181,7 +181,7 @@ int BrokerClient::Stat(const char* pathname, + + int BrokerClient::Stat64(const char* pathname, + bool follow_links, +- struct stat64* sb) const { ++ struct kernel_stat64* sb) const { + if (!pathname || !sb) + return -EFAULT; + +diff --git a/sandbox/linux/syscall_broker/broker_client.h b/sandbox/linux/syscall_broker/broker_client.h +index 05e14c83f2..26ca78101c 100644 +--- a/sandbox/linux/syscall_broker/broker_client.h ++++ b/sandbox/linux/syscall_broker/broker_client.h +@@ -61,10 +61,10 @@ class SANDBOX_EXPORT BrokerClient : public SyscallDispatcher { + int Rmdir(const char* path) const override; + int Stat(const char* pathname, + bool follow_links, +- struct stat* sb) const override; ++ struct kernel_stat* sb) const override; + int Stat64(const char* pathname, + bool follow_links, +- struct stat64* sb) const override; ++ struct kernel_stat64* sb) const override; + int Unlink(const char* unlink) const override; + + private: +diff --git a/sandbox/linux/syscall_broker/broker_host.cc b/sandbox/linux/syscall_broker/broker_host.cc +index 1cd03a18df..1cdc01a888 100644 +--- a/sandbox/linux/syscall_broker/broker_host.cc ++++ b/sandbox/linux/syscall_broker/broker_host.cc +@@ -20,9 +20,11 @@ + #include "base/files/scoped_file.h" + #include "base/logging.h" + #include "base/posix/eintr_wrapper.h" ++#include "sandbox/linux/services/syscall_wrappers.h" + #include "sandbox/linux/syscall_broker/broker_command.h" + #include "sandbox/linux/syscall_broker/broker_permission_list.h" + #include "sandbox/linux/syscall_broker/broker_simple_message.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + namespace sandbox { +@@ -193,10 +195,12 @@ void StatFileForIPC(const BrokerCommandSet& allowed_command_set, + RAW_CHECK(reply->AddIntToMessage(-permission_list.denied_errno())); + return; + } ++ + if (command_type == COMMAND_STAT) { +- struct stat sb; +- int sts = +- follow_links ? stat(file_to_access, &sb) : lstat(file_to_access, &sb); ++ struct kernel_stat sb; ++ ++ int sts = follow_links ? sandbox::sys_stat(file_to_access, &sb) ++ : sandbox::sys_lstat(file_to_access, &sb); + if (sts < 0) { + RAW_CHECK(reply->AddIntToMessage(-errno)); + return; +@@ -205,10 +209,12 @@ void StatFileForIPC(const BrokerCommandSet& allowed_command_set, + RAW_CHECK( + reply->AddDataToMessage(reinterpret_cast<char*>(&sb), sizeof(sb))); + } else { ++#if defined(__NR_fstatat64) + DCHECK(command_type == COMMAND_STAT64); +- struct stat64 sb; +- int sts = follow_links ? stat64(file_to_access, &sb) +- : lstat64(file_to_access, &sb); ++ struct kernel_stat64 sb; ++ ++ int sts = sandbox::sys_fstatat64(AT_FDCWD, file_to_access, &sb, ++ follow_links ? 0 : AT_SYMLINK_NOFOLLOW); + if (sts < 0) { + RAW_CHECK(reply->AddIntToMessage(-errno)); + return; +@@ -216,6 +222,11 @@ void StatFileForIPC(const BrokerCommandSet& allowed_command_set, + RAW_CHECK(reply->AddIntToMessage(0)); + RAW_CHECK( + reply->AddDataToMessage(reinterpret_cast<char*>(&sb), sizeof(sb))); ++#else // defined(__NR_fstatat64) ++ // We should not reach here on 64-bit systems, as the *stat*64() are only ++ // necessary on 32-bit. ++ RAW_CHECK(false); ++#endif + } + } + +diff --git a/sandbox/linux/syscall_broker/broker_process_unittest.cc b/sandbox/linux/syscall_broker/broker_process_unittest.cc +index 55ba6bccb2..c65f25a78a 100644 +--- a/sandbox/linux/syscall_broker/broker_process_unittest.cc ++++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc +@@ -811,7 +811,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + const char* bad_leading_path5 = "/mbogo/fictitioux"; + const char* bad_leading_path6 = "/mbogo/fictitiousa"; + +- struct stat sb; ++ default_stat_struct sb; + + { + // Actual file with permissions to see file but command not allowed. +@@ -824,7 +824,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + + memset(&sb, 0, sizeof(sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + tempfile_name, follow_links, &sb)); + } + +@@ -840,7 +840,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + + memset(&sb, 0, sizeof(sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + nonesuch_name, follow_links, &sb)); + } + { +@@ -852,7 +852,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + + memset(&sb, 0, sizeof(sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + tempfile_name, follow_links, &sb)); + } + { +@@ -864,38 +864,39 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + ASSERT_TRUE(open_broker.Init(base::BindOnce(&NoOpCallback))); + + memset(&sb, 0, sizeof(sb)); +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- nonesuch_name, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ nonesuch_name, follow_links, &sb)); + + // Gets denied all the way back to root since no create permission. + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + leading_path1, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + leading_path2, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + leading_path3, follow_links, &sb)); + + // Not fooled by substrings. + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path1, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path2, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path3, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path4, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path5, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path6, follow_links, &sb)); + } + { +@@ -907,37 +908,41 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + ASSERT_TRUE(open_broker.Init(base::BindOnce(&NoOpCallback))); + + memset(&sb, 0, sizeof(sb)); +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- nonesuch_name, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ nonesuch_name, follow_links, &sb)); + + // Gets ENOENT all the way back to root since it has create permission. +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- leading_path1, follow_links, &sb)); +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- leading_path2, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ leading_path1, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ leading_path2, follow_links, &sb)); + + // But can always get the root. +- EXPECT_EQ(0, open_broker.GetBrokerClientSignalBased()->Stat( +- leading_path3, follow_links, &sb)); ++ EXPECT_EQ(0, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ leading_path3, follow_links, &sb)); + + // Not fooled by substrings. + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path1, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path2, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path3, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path4, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path5, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path6, follow_links, &sb)); + } + { +@@ -949,8 +954,9 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + ASSERT_TRUE(open_broker.Init(base::BindOnce(&NoOpCallback))); + + memset(&sb, 0, sizeof(sb)); +- EXPECT_EQ(0, open_broker.GetBrokerClientSignalBased()->Stat( +- tempfile_name, follow_links, &sb)); ++ EXPECT_EQ(0, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ tempfile_name, follow_links, &sb)); + + // Following fields may never be consistent but should be non-zero. + // Don't trust the platform to define fields with any particular sign. +@@ -968,9 +974,9 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + EXPECT_EQ(12, sb.st_size); + + // Can't go backwards in time, 1500000000 was some time ago. +- EXPECT_LT(1500000000u, static_cast<unsigned int>(sb.st_atime)); +- EXPECT_LT(1500000000u, static_cast<unsigned int>(sb.st_mtime)); +- EXPECT_LT(1500000000u, static_cast<unsigned int>(sb.st_ctime)); ++ EXPECT_LT(1500000000u, static_cast<unsigned int>(sb.st_atime_)); ++ EXPECT_LT(1500000000u, static_cast<unsigned int>(sb.st_mtime_)); ++ EXPECT_LT(1500000000u, static_cast<unsigned int>(sb.st_ctime_)); + } + } + +diff --git a/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc b/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc +index fffa9bb708..f517a9867c 100644 +--- a/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc ++++ b/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc +@@ -16,6 +16,7 @@ + #include "base/memory/page_size.h" + #include "base/posix/unix_domain_socket.h" + #include "base/test/bind.h" ++#include "sandbox/linux/tests/test_utils.h" + #include "sandbox/linux/tests/unit_tests.h" + #include "testing/gtest/include/gtest/gtest.h" + +@@ -52,19 +53,6 @@ void VerifyCorrectString(std::string str, size_t size) { + } + } + +-void* MapPagesOrDie(size_t num_pages) { +- void* addr = mmap(nullptr, num_pages * base::GetPageSize(), +- PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); +- PCHECK(addr); +- return addr; +-} +- +-void MprotectLastPageOrDie(char* addr, size_t num_pages) { +- size_t last_page_offset = (num_pages - 1) * base::GetPageSize(); +- PCHECK(mprotect(addr + last_page_offset, base::GetPageSize(), PROT_NONE) >= +- 0); +-} +- + pid_t ForkWaitingChild(base::OnceCallback<void(int)> + after_parent_signals_callback = base::DoNothing(), + base::ScopedFD* parent_sync_fd = nullptr) { +@@ -105,13 +93,13 @@ void ReadTest(const ReadTestConfig& test_config) { + size_t total_pages = (test_config.start_at + test_config.total_size + + base::GetPageSize() - 1) / + base::GetPageSize(); +- char* mmap_addr = static_cast<char*>(MapPagesOrDie(total_pages)); ++ char* mmap_addr = static_cast<char*>(TestUtils::MapPagesOrDie(total_pages)); + char* addr = mmap_addr + test_config.start_at; + FillBufferWithPath(addr, test_config.total_size, + test_config.include_null_byte); + + if (test_config.last_page_inaccessible) +- MprotectLastPageOrDie(mmap_addr, total_pages); ++ TestUtils::MprotectLastPageOrDie(mmap_addr, total_pages); + + pid_t pid = ForkWaitingChild(); + munmap(mmap_addr, base::GetPageSize() * total_pages); +@@ -212,7 +200,7 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, ReadChunkPlus1EndingOnePastPage) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, ReadChildExited) { +- void* addr = MapPagesOrDie(1); ++ void* addr = TestUtils::MapPagesOrDie(1); + FillBufferWithPath(static_cast<char*>(addr), strlen(kPathPart) + 1, true); + + base::ScopedFD parent_sync, child_sync; +@@ -240,10 +228,10 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, ReadChildExited) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, BasicWrite) { +- void* read_from = MapPagesOrDie(1); ++ void* read_from = TestUtils::MapPagesOrDie(1); + const size_t write_size = base::GetPageSize(); + FillBufferWithPath(static_cast<char*>(read_from), write_size, false); +- char* write_to = static_cast<char*>(MapPagesOrDie(1)); ++ char* write_to = static_cast<char*>(TestUtils::MapPagesOrDie(1)); + base::ScopedFD parent_signal_fd; + const std::vector<int> empty_fd_vec; + +@@ -278,8 +266,8 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, BasicWrite) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WriteToInvalidAddress) { +- char* write_to = static_cast<char*>(MapPagesOrDie(1)); +- MprotectLastPageOrDie(write_to, 1); ++ char* write_to = static_cast<char*>(TestUtils::MapPagesOrDie(1)); ++ TestUtils::MprotectLastPageOrDie(write_to, 1); + base::ScopedFD parent_signal_fd; + const std::vector<int> empty_fd_vec; + +@@ -295,11 +283,11 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WriteToInvalidAddress) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WritePartiallyToInvalidAddress) { +- char* read_from = static_cast<char*>(MapPagesOrDie(2)); ++ char* read_from = static_cast<char*>(TestUtils::MapPagesOrDie(2)); + const size_t write_size = base::GetPageSize(); + FillBufferWithPath(static_cast<char*>(read_from), write_size, false); +- char* write_to = static_cast<char*>(MapPagesOrDie(2)); +- MprotectLastPageOrDie(write_to, 2); ++ char* write_to = static_cast<char*>(TestUtils::MapPagesOrDie(2)); ++ TestUtils::MprotectLastPageOrDie(write_to, 2); + write_to += base::GetPageSize() / 2; + base::ScopedFD parent_signal_fd; + const std::vector<int> empty_fd_vec; +@@ -314,7 +302,7 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WritePartiallyToInvalidAddress) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WriteChildExited) { +- char* addr = static_cast<char*>(MapPagesOrDie(1)); ++ char* addr = static_cast<char*>(TestUtils::MapPagesOrDie(1)); + FillBufferWithPath(static_cast<char*>(addr), strlen(kPathPart) + 1, true); + + base::ScopedFD parent_sync, child_sync; +diff --git a/sandbox/linux/syscall_broker/syscall_dispatcher.cc b/sandbox/linux/syscall_broker/syscall_dispatcher.cc +index b9ee93c14a..8a42397ef8 100644 +--- a/sandbox/linux/syscall_broker/syscall_dispatcher.cc ++++ b/sandbox/linux/syscall_broker/syscall_dispatcher.cc +@@ -19,8 +19,18 @@ namespace syscall_broker { + #define BROKER_UNPOISON_STRING(x) + #endif + ++int SyscallDispatcher::DefaultStatForTesting(const char* pathname, ++ bool follow_links, ++ default_stat_struct* sb) { ++#if defined(__NR_fstatat64) ++ return Stat64(pathname, follow_links, sb); ++#elif defined(__NR_newfstatat) ++ return Stat(pathname, follow_links, sb); ++#endif ++} ++ + int SyscallDispatcher::PerformStatat(const arch_seccomp_data& args, +- bool arch64) { ++ bool stat64) { + if (static_cast<int>(args.args[0]) != AT_FDCWD) + return -EPERM; + // Only allow the AT_SYMLINK_NOFOLLOW flag which is used by some libc +@@ -30,13 +40,29 @@ int SyscallDispatcher::PerformStatat(const arch_seccomp_data& args, + + const bool follow_links = + !(static_cast<int>(args.args[3]) & AT_SYMLINK_NOFOLLOW); +- if (arch64) { ++ if (stat64) { + return Stat64(reinterpret_cast<const char*>(args.args[1]), follow_links, +- reinterpret_cast<struct stat64*>(args.args[2])); ++ reinterpret_cast<struct kernel_stat64*>(args.args[2])); + } + + return Stat(reinterpret_cast<const char*>(args.args[1]), follow_links, +- reinterpret_cast<struct stat*>(args.args[2])); ++ reinterpret_cast<struct kernel_stat*>(args.args[2])); ++} ++ ++int SyscallDispatcher::PerformUnlinkat(const arch_seccomp_data& args) { ++ if (static_cast<int>(args.args[0]) != AT_FDCWD) ++ return -EPERM; ++ ++ int flags = static_cast<int>(args.args[2]); ++ ++ if (flags == AT_REMOVEDIR) { ++ return Rmdir(reinterpret_cast<const char*>(args.args[1])); ++ } ++ ++ if (flags != 0) ++ return -EPERM; ++ ++ return Unlink(reinterpret_cast<const char*>(args.args[1])); + } + + int SyscallDispatcher::DispatchSyscall(const arch_seccomp_data& args) { +@@ -127,59 +153,42 @@ int SyscallDispatcher::DispatchSyscall(const arch_seccomp_data& args) { + #if defined(__NR_stat) + case __NR_stat: + return Stat(reinterpret_cast<const char*>(args.args[0]), true, +- reinterpret_cast<struct stat*>(args.args[1])); ++ reinterpret_cast<struct kernel_stat*>(args.args[1])); + #endif + #if defined(__NR_stat64) + case __NR_stat64: + return Stat64(reinterpret_cast<const char*>(args.args[0]), true, +- reinterpret_cast<struct stat64*>(args.args[1])); ++ reinterpret_cast<struct kernel_stat64*>(args.args[1])); + #endif + #if defined(__NR_lstat) + case __NR_lstat: + // See https://crbug.com/847096 + BROKER_UNPOISON_STRING(reinterpret_cast<const char*>(args.args[0])); + return Stat(reinterpret_cast<const char*>(args.args[0]), false, +- reinterpret_cast<struct stat*>(args.args[1])); ++ reinterpret_cast<struct kernel_stat*>(args.args[1])); + #endif + #if defined(__NR_lstat64) + case __NR_lstat64: + // See https://crbug.com/847096 + BROKER_UNPOISON_STRING(reinterpret_cast<const char*>(args.args[0])); + return Stat64(reinterpret_cast<const char*>(args.args[0]), false, +- reinterpret_cast<struct stat64*>(args.args[1])); +-#endif +-#if defined(__NR_fstatat) +- case __NR_fstatat: +- return PerformStatat(args, /*arch64=*/false); ++ reinterpret_cast<struct kernel_stat64*>(args.args[1])); + #endif + #if defined(__NR_fstatat64) + case __NR_fstatat64: +- return PerformStatat(args, /*arch64=*/true); ++ return PerformStatat(args, /*stat64=*/true); + #endif + #if defined(__NR_newfstatat) + case __NR_newfstatat: +- return PerformStatat(args, /*arch64=*/false); ++ return PerformStatat(args, /*stat64=*/false); + #endif + #if defined(__NR_unlink) + case __NR_unlink: + return Unlink(reinterpret_cast<const char*>(args.args[0])); + #endif + #if defined(__NR_unlinkat) +- case __NR_unlinkat: { +- if (static_cast<int>(args.args[0]) != AT_FDCWD) +- return -EPERM; +- +- int flags = static_cast<int>(args.args[2]); +- +- if (flags == AT_REMOVEDIR) { +- return Rmdir(reinterpret_cast<const char*>(args.args[1])); +- } +- +- if (flags != 0) +- return -EPERM; +- +- return Unlink(reinterpret_cast<const char*>(args.args[1])); +- } ++ case __NR_unlinkat: ++ return PerformUnlinkat(args); + #endif // defined(__NR_unlinkat) + default: + RAW_CHECK(false); +diff --git a/sandbox/linux/syscall_broker/syscall_dispatcher.h b/sandbox/linux/syscall_broker/syscall_dispatcher.h +index d8b8874ad9..1d6653caf3 100644 +--- a/sandbox/linux/syscall_broker/syscall_dispatcher.h ++++ b/sandbox/linux/syscall_broker/syscall_dispatcher.h +@@ -9,13 +9,15 @@ + #include <cstddef> + + #include "sandbox/linux/system_headers/linux_seccomp.h" ++#include "sandbox/linux/system_headers/linux_stat.h" ++#include "sandbox/sandbox_export.h" + + namespace sandbox { + namespace syscall_broker { + + // An abstract class that defines all the system calls we perform for the + // sandboxed process. +-class SyscallDispatcher { ++class SANDBOX_EXPORT SyscallDispatcher { + public: + // Emulates access()/faccessat(). + // X_OK will always return an error in practice since the broker process +@@ -40,19 +42,34 @@ class SyscallDispatcher { + virtual int Rmdir(const char* path) const = 0; + + // Emulates stat()/stat64()/lstat()/lstat64()/fstatat()/newfstatat(). ++ // Stat64 is only available on 32-bit systems. + virtual int Stat(const char* pathname, + bool follow_links, +- struct stat* sb) const = 0; ++ struct kernel_stat* sb) const = 0; + virtual int Stat64(const char* pathname, + bool follow_links, +- struct stat64* sb) const = 0; ++ struct kernel_stat64* sb) const = 0; + + // Emulates unlink()/unlinkat(). + virtual int Unlink(const char* unlink) const = 0; + ++ // Different architectures use a different syscall from the stat family by ++ // default in glibc. E.g. 32-bit systems use *stat*64() and fill out struct ++ // kernel_stat64, whereas 64-bit systems use *stat*() and fill out struct ++ // kernel_stat. Some tests want to call the SyscallDispatcher directly, and ++ // should be using the default stat in order to test against glibc. ++ int DefaultStatForTesting(const char* pathname, ++ bool follow_links, ++ default_stat_struct* sb); ++ + // Validates the args passed to a *statat*() syscall and performs the syscall +- // using Stat() or Stat64(). +- int PerformStatat(const arch_seccomp_data& args, bool arch64); ++ // using Stat(), or on 32-bit systems it uses Stat64() for the *statat64() ++ // syscalls. ++ int PerformStatat(const arch_seccomp_data& args, bool stat64); ++ ++ // Validates the args passed to an unlinkat() syscall and performs the syscall ++ // using either Unlink() or Rmdir(). ++ int PerformUnlinkat(const arch_seccomp_data& args); + + // Reads the syscall number and arguments, imposes some policy (e.g. the *at() + // system calls must only allow AT_FDCWD as the first argument), and +diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h +new file mode 100644 +index 0000000000..35788eb22a +--- /dev/null ++++ b/sandbox/linux/system_headers/linux_stat.h +@@ -0,0 +1,188 @@ ++// Copyright 2021 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_STAT_H_ ++#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_STAT_H_ ++ ++#include <stdint.h> ++ ++#include "build/build_config.h" ++#include "sandbox/linux/system_headers/linux_syscalls.h" ++ ++#if defined(ARCH_CPU_MIPS_FAMILY) ++#if defined(ARCH_CPU_64_BITS) ++struct kernel_stat { ++#else ++struct kernel_stat64 { ++#endif ++ unsigned st_dev; ++ unsigned __pad0[3]; ++ unsigned long long st_ino; ++ unsigned st_mode; ++ unsigned st_nlink; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned st_rdev; ++ unsigned __pad1[3]; ++ long long st_size; ++ unsigned st_atime_; ++ unsigned st_atime_nsec_; ++ unsigned st_mtime_; ++ unsigned st_mtime_nsec_; ++ unsigned st_ctime_; ++ unsigned st_ctime_nsec_; ++ unsigned st_blksize; ++ unsigned __pad2; ++ unsigned long long st_blocks; ++}; ++#else ++struct kernel_stat64 { ++ unsigned long long st_dev; ++ unsigned char __pad0[4]; ++ unsigned __st_ino; ++ unsigned st_mode; ++ unsigned st_nlink; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned long long st_rdev; ++ unsigned char __pad3[4]; ++ long long st_size; ++ unsigned st_blksize; ++ unsigned long long st_blocks; ++ unsigned st_atime_; ++ unsigned st_atime_nsec_; ++ unsigned st_mtime_; ++ unsigned st_mtime_nsec_; ++ unsigned st_ctime_; ++ unsigned st_ctime_nsec_; ++ unsigned long long st_ino; ++}; ++#endif ++ ++#if defined(__i386__) || defined(__ARM_ARCH_3__) || defined(__ARM_EABI__) ++struct kernel_stat { ++ /* The kernel headers suggest that st_dev and st_rdev should be 32bit ++ * quantities encoding 12bit major and 20bit minor numbers in an interleaved ++ * format. In reality, we do not see useful data in the top bits. So, ++ * we'll leave the padding in here, until we find a better solution. ++ */ ++ unsigned short st_dev; ++ short pad1; ++ unsigned st_ino; ++ unsigned short st_mode; ++ unsigned short st_nlink; ++ unsigned short st_uid; ++ unsigned short st_gid; ++ unsigned short st_rdev; ++ short pad2; ++ unsigned st_size; ++ unsigned st_blksize; ++ unsigned st_blocks; ++ unsigned st_atime_; ++ unsigned st_atime_nsec_; ++ unsigned st_mtime_; ++ unsigned st_mtime_nsec_; ++ unsigned st_ctime_; ++ unsigned st_ctime_nsec_; ++ unsigned __unused4; ++ unsigned __unused5; ++}; ++#elif defined(__x86_64__) ++struct kernel_stat { ++ uint64_t st_dev; ++ uint64_t st_ino; ++ uint64_t st_nlink; ++ unsigned st_mode; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned __pad0; ++ uint64_t st_rdev; ++ int64_t st_size; ++ int64_t st_blksize; ++ int64_t st_blocks; ++ uint64_t st_atime_; ++ uint64_t st_atime_nsec_; ++ uint64_t st_mtime_; ++ uint64_t st_mtime_nsec_; ++ uint64_t st_ctime_; ++ uint64_t st_ctime_nsec_; ++ int64_t __unused4[3]; ++}; ++#elif (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) ++struct kernel_stat { ++ unsigned st_dev; ++ int st_pad1[3]; ++ unsigned st_ino; ++ unsigned st_mode; ++ unsigned st_nlink; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned st_rdev; ++ int st_pad2[2]; ++ long st_size; ++ int st_pad3; ++ long st_atime_; ++ long st_atime_nsec_; ++ long st_mtime_; ++ long st_mtime_nsec_; ++ long st_ctime_; ++ long st_ctime_nsec_; ++ int st_blksize; ++ int st_blocks; ++ int st_pad4[14]; ++}; ++#elif defined(__aarch64__) ++struct kernel_stat { ++ unsigned long st_dev; ++ unsigned long st_ino; ++ unsigned int st_mode; ++ unsigned int st_nlink; ++ unsigned int st_uid; ++ unsigned int st_gid; ++ unsigned long st_rdev; ++ unsigned long __pad1; ++ long st_size; ++ int st_blksize; ++ int __pad2; ++ long st_blocks; ++ long st_atime_; ++ unsigned long st_atime_nsec_; ++ long st_mtime_; ++ unsigned long st_mtime_nsec_; ++ long st_ctime_; ++ unsigned long st_ctime_nsec_; ++ unsigned int __unused4; ++ unsigned int __unused5; ++}; ++#endif ++ ++// On 32-bit systems, we default to the 64-bit stat struct like libc ++// implementations do. Otherwise we default to the normal stat struct which is ++// already 64-bit. ++// These defines make it easy to call the right syscall to fill out a 64-bit ++// stat struct, which is the default in libc implementations but requires ++// different syscall names on 32 and 64-bit platforms. ++#if defined(__NR_fstatat64) ++ ++namespace sandbox { ++using default_stat_struct = struct kernel_stat64; ++} // namespace sandbox ++ ++#define __NR_fstatat_default __NR_fstatat64 ++#define __NR_fstat_default __NR_fstat64 ++ ++#elif defined(__NR_newfstatat) ++ ++namespace sandbox { ++using default_stat_struct = struct kernel_stat; ++} // namespace sandbox ++ ++#define __NR_fstatat_default __NR_newfstatat ++#define __NR_fstat_default __NR_fstat ++ ++#else ++#error "one of fstatat64 and newfstatat must be defined" ++#endif ++ ++#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_STAT_H_ +diff --git a/sandbox/linux/system_headers/linux_time.h b/sandbox/linux/system_headers/linux_time.h +index 780f24dddd..f18c806611 100644 +--- a/sandbox/linux/system_headers/linux_time.h ++++ b/sandbox/linux/system_headers/linux_time.h +@@ -11,6 +11,32 @@ + #define CPUCLOCK_CLOCK_MASK 3 + #endif + ++#if !defined(CPUCLOCK_PROF) ++#define CPUCLOCK_PROF 0 ++#endif ++ ++#if !defined(CPUCLOCK_VIRT) ++#define CPUCLOCK_VIRT 1 ++#endif ++ ++#if !defined(CPUCLOCK_SCHED) ++#define CPUCLOCK_SCHED 2 ++#endif ++ ++#if !defined(CPUCLOCK_PERTHREAD_MASK) ++#define CPUCLOCK_PERTHREAD_MASK 4 ++#endif ++ ++#if !defined(MAKE_PROCESS_CPUCLOCK) ++#define MAKE_PROCESS_CPUCLOCK(pid, clock) \ ++ ((int)(~(unsigned)(pid) << 3) | (int)(clock)) ++#endif ++ ++#if !defined(MAKE_THREAD_CPUCLOCK) ++#define MAKE_THREAD_CPUCLOCK(tid, clock) \ ++ ((int)(~(unsigned)(tid) << 3) | (int)((clock) | CPUCLOCK_PERTHREAD_MASK)) ++#endif ++ + #if !defined(CLOCKFD) + #define CLOCKFD 3 + #endif +diff --git a/sandbox/linux/tests/test_utils.cc b/sandbox/linux/tests/test_utils.cc +index 847c20b20c..cf6041a4b4 100644 +--- a/sandbox/linux/tests/test_utils.cc ++++ b/sandbox/linux/tests/test_utils.cc +@@ -5,12 +5,14 @@ + #include "sandbox/linux/tests/test_utils.h" + + #include <errno.h> ++#include <sys/mman.h> + #include <sys/stat.h> + #include <sys/types.h> + #include <sys/wait.h> + #include <unistd.h> + + #include "base/check_op.h" ++#include "base/memory/page_size.h" + #include "base/posix/eintr_wrapper.h" + + namespace sandbox { +@@ -39,4 +41,17 @@ void TestUtils::HandlePostForkReturn(pid_t pid) { + } + } + ++void* TestUtils::MapPagesOrDie(size_t num_pages) { ++ void* addr = mmap(nullptr, num_pages * base::GetPageSize(), ++ PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); ++ PCHECK(addr); ++ return addr; ++} ++ ++void TestUtils::MprotectLastPageOrDie(char* addr, size_t num_pages) { ++ size_t last_page_offset = (num_pages - 1) * base::GetPageSize(); ++ PCHECK(mprotect(addr + last_page_offset, base::GetPageSize(), PROT_NONE) >= ++ 0); ++} ++ + } // namespace sandbox +diff --git a/sandbox/linux/tests/test_utils.h b/sandbox/linux/tests/test_utils.h +index 7cf9749fe4..43b028b1e3 100644 +--- a/sandbox/linux/tests/test_utils.h ++++ b/sandbox/linux/tests/test_utils.h +@@ -19,6 +19,8 @@ class TestUtils { + // makes sure that if fork() succeeded the child exits + // and the parent waits for it. + static void HandlePostForkReturn(pid_t pid); ++ static void* MapPagesOrDie(size_t num_pages); ++ static void MprotectLastPageOrDie(char* addr, size_t num_pages); + + private: + DISALLOW_IMPLICIT_CONSTRUCTORS(TestUtils); +diff --git a/sandbox/policy/linux/bpf_broker_policy_linux.cc b/sandbox/policy/linux/bpf_broker_policy_linux.cc +index 2963bb9ca8..6dc8c0581b 100644 +--- a/sandbox/policy/linux/bpf_broker_policy_linux.cc ++++ b/sandbox/policy/linux/bpf_broker_policy_linux.cc +@@ -93,8 +93,8 @@ ResultExpr BrokerProcessPolicy::EvaluateSyscall(int sysno) const { + return Allow(); + break; + #endif +-#if defined(__NR_fstatat) +- case __NR_fstatat: ++#if defined(__NR_fstatat64) ++ case __NR_fstatat64: + if (allowed_command_set_.test(syscall_broker::COMMAND_STAT)) + return Allow(); + break; Added: make-GetUsableSize-handle-nullptr-gracefully.patch =================================================================== --- make-GetUsableSize-handle-nullptr-gracefully.patch (rev 0) +++ make-GetUsableSize-handle-nullptr-gracefully.patch 2021-07-21 16:41:37 UTC (rev 420250) @@ -0,0 +1,49 @@ +From 61e16c92ff24bb71b9b7309a9d6d470ee91738bc Mon Sep 17 00:00:00 2001 +From: Bartek Nowierski <bart...@chromium.org> +Date: Wed, 21 Jul 2021 15:01:38 +0000 +Subject: [PATCH] [PA] Make GetUsableSize() handle nullptr gracefully + +malloc_usable_size() is expected to not crush on NULL and return 0. + +Bug: 1221442 +Change-Id: I6a3b90dcf3a8ad18114c206d87b98f60d5f50eb1 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042177 +Commit-Queue: Bartek Nowierski <bart...@chromium.org> +Commit-Queue: Kentaro Hara <hara...@chromium.org> +Auto-Submit: Bartek Nowierski <bart...@chromium.org> +Reviewed-by: Kentaro Hara <hara...@chromium.org> +Cr-Commit-Position: refs/heads/master@{#903900} +--- + .../allocator/partition_allocator/partition_alloc_unittest.cc | 4 ++++ + base/allocator/partition_allocator/partition_root.h | 3 +++ + 2 files changed, 7 insertions(+) + +diff --git a/base/allocator/partition_allocator/partition_alloc_unittest.cc b/base/allocator/partition_allocator/partition_alloc_unittest.cc +index c12120114aa7..8863984cd805 100644 +--- a/base/allocator/partition_allocator/partition_alloc_unittest.cc ++++ b/base/allocator/partition_allocator/partition_alloc_unittest.cc +@@ -2838,6 +2838,10 @@ TEST_F(PartitionAllocTest, OptimizedGetSlotNumber) { + } + } + ++TEST_F(PartitionAllocTest, GetUsableSizeNull) { ++ EXPECT_EQ(0ULL, PartitionRoot<ThreadSafe>::GetUsableSize(nullptr)); ++} ++ + TEST_F(PartitionAllocTest, GetUsableSize) { + size_t delta = SystemPageSize() + 1; + for (size_t size = 1; size <= kMinDirectMappedDownsize; size += delta) { +diff --git a/base/allocator/partition_allocator/partition_root.h b/base/allocator/partition_allocator/partition_root.h +index b72a1d94a4e4..baac952597d1 100644 +--- a/base/allocator/partition_allocator/partition_root.h ++++ b/base/allocator/partition_allocator/partition_root.h +@@ -1220,6 +1220,9 @@ ALWAYS_INLINE bool PartitionRoot<thread_safe>::TryRecommitSystemPagesForData( + // PartitionAlloc's internal data. Used as malloc_usable_size. + template <bool thread_safe> + ALWAYS_INLINE size_t PartitionRoot<thread_safe>::GetUsableSize(void* ptr) { ++ // malloc_usable_size() is expected to handle NULL gracefully and return 0. ++ if (!ptr) ++ return 0; + auto* slot_span = SlotSpan::FromSlotInnerPtr(ptr); + auto* root = FromSlotSpan(slot_span); + return slot_span->GetUsableSize(root);
