1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
# HG changeset patch
# User Jed Davis <jld@mozilla.com>
Bug 1673202 - Call fstat directly in Linux sandbox fstatat interception. r?gcp
Sandbox policies handle the case of `fstatat(fd, "", AT_EMPTY_PATH|...)`
by invoking the SIGSYS handler (because seccomp-bpf can't tell if the
string will be empty when the syscall would use it), which makes the
equivalent call to `fstat`.
Unfortunately, recent development versions of glibc implement `fstat` by
calling `fstatat`, which causes unbounded recursion and stack overflow.
(This depends on the headers present at build time; see the bug for more
details.) This patch switches it to use the `fstat` (or `fstat64` on
32-bit) syscall directly.
Differential Revision: https://phabricator.services.mozilla.com/D94798
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index 9bdb10c49e085..a128cce7b266c 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -294,17 +294,21 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto fd = static_cast<int>(aArgs.args[0]);
auto path = reinterpret_cast<const char*>(aArgs.args[1]);
auto buf = reinterpret_cast<statstruct*>(aArgs.args[2]);
auto flags = static_cast<int>(aArgs.args[3]);
if (fd != AT_FDCWD && (flags & AT_EMPTY_PATH) != 0 &&
strcmp(path, "") == 0) {
- return ConvertError(fstatsyscall(fd, buf));
+#ifdef __NR_fstat64
+ return DoSyscall(__NR_fstat64, fd, buf);
+#else
+ return DoSyscall(__NR_fstat, fd, buf);
+#endif
}
if (fd != AT_FDCWD && path[0] != '/') {
SANDBOX_LOG_ERROR("unsupported fd-relative fstatat(%d, \"%s\", %p, 0x%x)",
fd, path, buf, flags);
return BlockedSyscallTrap(aArgs, nullptr);
}
|