#22692: Backport Linux content sandboxing from Firefox 54
-------------------------------------------------+-------------------------
 Reporter:  jld                                  |          Owner:  tbb-team
     Type:  enhancement                          |         Status:  new
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  TorBrowserTeam201708,                |  Actual Points:
  GeorgKoppen201708                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Applying all of the patches (or just the non-optional ones according to
 comment:description) leads to crashes pretty easily (e.g. on
 www.theguardian.com). However, that does not seem to be caused by Firefox
 but rather by selfrando. Before crashing I see something like
 {{{
 Sandbox: seccomp sandbox violation: pid 5231, tid 5231, syscall 25, args 140268925878272 135 199 1 0 18446744073709551612
 }}}
 in my terminal which is not happening without selfrando. I guess selfrando
 is not happy about its `mremap` getting blocked by the sandbox? The
 accompanying stack trace of the content process crash is:
 {{{
 #0  0x00007f5862230fa6 in Vector<unsigned char*>::append(unsigned char* const&) (val=<synthetic pointer>: <optimized out>, this=0x7fffffffbd30) at src/RandoLib/RandoLib.h:129
 #1  0x00007f5862230fa6 in os::Module::<lambda(const trap_reloc_t&)>::operator() (trap_reloc=<synthetic pointer>..., __closure=<synthetic pointer>) at src/RandoLib/posix/OSImpl.cpp:641
 #2  0x00007f5862230fa6 in TrapInfo::for_all_relocations<os::Module::read_got_relocations(const TrapInfo*)::<lambda(const trap_reloc_t&)> >(os::Module::<lambda(const trap_reloc_t&)>) const (this=this@entry=0x7fffffffbc30, func=..., func@entry=...) at src/TrapInfo/TrapInfo.h:672
 #3  0x00007f58622321ec in os::Module::read_got_relocations(TrapInfo const*) (this=this@entry=0x7fffffffbcb0, trap_info=trap_info@entry=0x7fffffffbc30) at src/RandoLib/posix/OSImpl.cpp:642
 #4  0x00007f58622326dc in os::Module::for_all_exec_sections(bool, void (*)(os::Module const&, os::Module::Section const&, TrapInfo&, bool, void*), void*) (this=0x7fffffffbcb0, self_rando=true, callback=0x7f586222e580 <randomize_exec_section(os::Module const&, os::Module::Section const&, TrapInfo&, bool, void*)>, callback_arg=0x0) at src/RandoLib/posix/OSImpl.cpp:422
 #5  0x00007f586222e750 in RandoMain(os::Module::Handle) (asm_module=0x7fffffffbd70) at src/RandoLib/RandoLib.cpp:599
 #6  0x00007f58622359cb in Linux_EntryPointImpl () at src/RandoLib/posix/EntryPoint.c:70
 #7  0x00007f5862235883 in _TRaP_Linux_EntryPoint_init () at /home/thomas/Arbeit/Tor/debugging/22692/tor-browser_en-US/Browser/libmozavutil.so
 #8  0x00007f5862210748 in  () at /home/thomas/Arbeit/Tor/debugging/22692/tor-browser_en-US/Browser/libmozavutil.so
 #9  0x0000000000000009 in  ()
 #10 0x00007fffffffddf8 in  ()
 #11 0x00007f589240385a in call_init (l=0x7f5862182800, argc=-16824, argc@entry=9, argv=argv@entry=0x7fffffffdda8, env=env@entry=0x7fffffffddf8) at dl-init.c:58
 #12 0x00007f58924039ab in call_init (env=0x7fffffffddf8, argv=0x7fffffffdda8, argc=9, l=<optimized out>) at dl-init.c:30
 #13 0x00007f58924039ab in _dl_init (main_map=main_map@entry=0x7f5862182800, argc=9, argv=0x7fffffffdda8, env=0x7fffffffddf8) at dl-init.c:120
 #14 0x00007f5892407f58 in dl_open_worker (a=a@entry=0x7fffffffc100) at dl-open.c:575
 #15 0x00007f5892403744 in _dl_catch_error (objname=objname@entry=0x7fffffffc0f0, errstring=errstring@entry=0x7fffffffc0f8, mallocedp=mallocedp@entry=0x7fffffffc0ef, operate=operate@entry=0x7f5892407b70 <dl_open_worker>, args=args@entry=0x7fffffffc100) at dl-error.c:187
 #16 0x00007f5892407709 in _dl_open (file=0x7f58607fb820 "/home/thomas/Arbeit/Tor/debugging/22692/tor-browser_en-US/Browser/libmozavutil.so", mode=-2147483646, caller_dlopen=0x7f589257fb9d <PR_dtoa+3405>, nsid=-2, argc=<optimized out>, argv=<optimized out>, env=0x7fffffffddf8) at dl-open.c:660
 #17 0x00007f588be8cee9 in dlopen_doit (a=a@entry=0x7fffffffc330) at dlopen.c:66
 #18 0x00007f5892403744 in _dl_catch_error (objname=0x7f58835531f0, errstring=0x7f58835531f8, mallocedp=0x7f58835531e8, operate=0x7f588be8ce90 <dlopen_doit>, args=0x7fffffffc330) at dl-error.c:187
 #19 0x00007f588be8d531 in _dlerror_run (operate=operate@entry=0x7f588be8ce90 <dlopen_doit>, args=args@entry=0x7fffffffc330) at dlerror.c:163
 #20 0x00007f588be8cf82 in __dlopen (file=<optimized out>, mode=<optimized out>) at dlopen.c:87
 #21 0x00007f589257fb9d in dtoa (rve=0x7f5800000000, sign=<optimized out>, decpt=0x7f588ec072a1 <ShowCustomDialog(GtkComboBox*, gpointer)+1056>, ndigits=-1884013950, mode=32600, dd=<optimized out>) at /home/debian/build/tor-browser/nsprpub/pr/src/misc/prdtoa.c:3215
 #22 0x00007f589257fb9d in PR_dtoa (d=<optimized out>, mode=32600, ndigits=<optimized out>, decpt=0x7f588ec072a1 <ShowCustomDialog(GtkComboBox*, gpointer)+1056>, sign=<optimized out>, rve=0x7f5800000000, buf=0x7f5800000000 <error: Cannot access memory at address 0x7f5800000000>, bufsize=0) at /home/debian/build/tor-browser/nsprpub/pr/src/misc/prdtoa.c:3411
 #23 0x0000000100000050 in  ()
 #24 0x0000000000000000 in  ()
 }}}

 I'll contact the selfrando devs and meanwhile continue testing the patches
 without selfrando compiled in.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22692#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
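
Added example, not part of the original comment and not Firefox or selfrando code: a small Python triage helper that decodes the sandbox violation line quoted in the comment. It assumes the x86_64 syscall table (where number 25 is `mremap`) and the log format exactly as it appears above; `parse_violation` and the lookup tables are names made up for this example.

```python
import re

# Assumption: x86_64 syscall numbers (the backtrace shows 64-bit addresses).
# Value is (name, number of arguments the syscall actually takes).
SYSCALLS_X86_64 = {
    9: ("mmap", 6),
    10: ("mprotect", 3),
    11: ("munmap", 2),
    25: ("mremap", 5),
    28: ("madvise", 3),
}
MREMAP_FLAGS = {1: "MREMAP_MAYMOVE", 2: "MREMAP_FIXED", 4: "MREMAP_DONTUNMAP"}

# seccomp always reports six argument registers, whatever the syscall uses.
VIOLATION_RE = re.compile(
    r"seccomp sandbox violation: pid (\d+), tid (\d+), "
    r"syscall (\d+), args (\d+(?: \d+){5})"
)

def decode_flags(value, table):
    """Render a bitmask as FLAG|FLAG, keeping unknown bits visible as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"

def parse_violation(line):
    """Return a dict describing one violation line, or None if it is not one."""
    m = VIOLATION_RE.search(line)
    if m is None:
        return None
    pid, tid, nr = (int(g) for g in m.group(1, 2, 3))
    raw = [int(a) for a in m.group(4).split()]
    name, argc = SYSCALLS_X86_64.get(nr, (f"syscall_{nr}", 6))
    out = {"pid": pid, "tid": tid, "nr": nr, "name": name,
           "args": raw[:argc], "unused": raw[argc:]}  # unused = stale registers
    if name == "mremap":
        addr, old_size, new_size, flags, new_addr = raw[:5]
        out["decoded"] = {"old_address": hex(addr), "old_size": old_size,
                          "new_size": new_size, "new_address": hex(new_addr),
                          "flags": decode_flags(flags, MREMAP_FLAGS)}
    return out

# The line quoted in the comment above.
SAMPLE = ("Sandbox: seccomp sandbox violation: pid 5231, tid 5231, syscall 25, "
          "args 140268925878272 135 199 1 0 18446744073709551612")

if __name__ == "__main__":
    print(parse_violation(SAMPLE))
```

For the quoted line this reports an `mremap` growing a mapping from 135 to 199 bytes with `MREMAP_MAYMOVE`; the sixth value is not an `mremap` argument, only leftover register content.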