Diffstat (limited to 'mozilla-1673202.patch')
-rw-r--r-- | mozilla-1673202.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/mozilla-1673202.patch b/mozilla-1673202.patch
new file mode 100644
index 0000000..711a975
--- /dev/null
+++ b/mozilla-1673202.patch
@@ -0,0 +1,46 @@
+# HG changeset patch
+# User Jed Davis <jld@mozilla.com>
+
+Bug 1673202 - Call fstat directly in Linux sandbox fstatat interception. r?gcp
+
+Sandbox policies handle the case of `fstatat(fd, "", AT_EMPTY_PATH|...)`
+by invoking the SIGSYS handler (because seccomp-bpf can't tell if the
+string will be empty when the syscall would use it), which makes the
+equivalent call to `fstat`.
+
+Unfortunately, recent development versions of glibc implement `fstat` by
+calling `fstatat`, which causes unbounded recursion and stack overflow.
+(This depends on the headers present at build time; see the bug for more
+details.) This patch switches it to use the `fstat` (or `fstat64` on
+32-bit) syscall directly.
+
+Differential Revision: https://phabricator.services.mozilla.com/D94798
+
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+index 9bdb10c49e085..a128cce7b266c 100644
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -294,17 +294,21 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
+ auto broker = static_cast<SandboxBrokerClient*>(aux);
+ auto fd = static_cast<int>(aArgs.args[0]);
+ auto path = reinterpret_cast<const char*>(aArgs.args[1]);
+ auto buf = reinterpret_cast<statstruct*>(aArgs.args[2]);
+ auto flags = static_cast<int>(aArgs.args[3]);
+
+ if (fd != AT_FDCWD && (flags & AT_EMPTY_PATH) != 0 &&
+ strcmp(path, "") == 0) {
+- return ConvertError(fstatsyscall(fd, buf));
++#ifdef __NR_fstat64
++ return DoSyscall(__NR_fstat64, fd, buf);
++#else
++ return DoSyscall(__NR_fstat, fd, buf);
++#endif
+ }
+
+ if (fd != AT_FDCWD && path[0] != '/') {
+ SANDBOX_LOG_ERROR("unsupported fd-relative fstatat(%d, \"%s\", %p, 0x%x)",
+ fd, path, buf, flags);
+ return BlockedSyscallTrap(aArgs, nullptr);
+ }
+
+
|
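Review bot: The `#ifdef __NR_fstat64` block in the `AT_EMPTY_PATH` branch has no comment saying why it bypasses libc, so a later cleanup could restore the wrapper call and bring back the recursion into the SIGSYS handler that the description mentions. I would add above it `// Issue the syscall directly: glibc may implement fstat() via fstatat(), which would re-enter this trap handler.` The choice between `__NR_fstat64` and `__NR_fstat` also has to match the struct layout behind `statstruct`, which `buf` is cast to. That typedef and the return convention of `DoSyscall` (which replaces `ConvertError` here) are defined outside the hunk, so both are worth confirming there. The enclosing trap handler starts and ends outside the hunk.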