
Issue 655300

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Blocking:
issue 166704




Android Seccomp Crash: SYS_getsockname

Project Member Reported by rsesek@chromium.org, Oct 12 2016

Issue description

Observed using this query:

SELECT ProductData.Value AS BuildFP, cpu.Architecture, (crash.Address & 0x3FF) AS sysno, COUNT(ReportID), ANY(ReportID) AS ReportID
FROM (FLATTEN(crash.prod.latest, ProductData))
WHERE Product.Name = 'Chrome_Android'
AND CrashedStackTrace.StackFrame.FunctionName CONTAINS 'sandbox::CrashSIGSYS_Handler'
AND CAST(SUBSTR(Product.Version, 6) AS FLOAT) > 2822
AND ProductData.Key = 'android_build_fp'
GROUP BY BuildFP, cpu.Architecture, sysno
ORDER BY cpu.Architecture, sysno

Seeing this on arm32 and arm64. sysno for arm32 = 286. sysno for arm64 = 204.

This is related to issue 635085 (security-restricted). Given that issue, I'm inclined to NOT allow this but to return an errno if possible instead.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f6acfe7dd08165baad36302b4388248e2854936

commit 1f6acfe7dd08165baad36302b4388248e2854936
Author: rsesek <rsesek@chromium.org>
Date: Mon Nov 07 23:49:41 2016

[Android] Block __NR_getsockname via EPERM rather than SIGSYS.

While EPERM is not a documented errno return value for getsockname, some systems
issue this syscall and we do not want to permit it. Use EPERM to block it
instead of the baseline-policy SIGSYS so that the process does not crash. (Note
that SELinux would return EACCES for a neverallow getattr on socket files, so
EPERM is a useful differentiator).

This also fixes a bug in the i386 policy that attempts to restrict the
__NR_socketcall arguments. But since those reside in a userspace struct, they
are not safe to consult.

BUG= 655300 
R=rickyz@chromium.org

Review-Url: https://codereview.chromium.org/2483953003
Cr-Commit-Position: refs/heads/master@{#430422}

[modify] https://crrev.com/1f6acfe7dd08165baad36302b4388248e2854936/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
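The policy change the commit above describes, as an added example rather than Chromium's own sandbox code: a raw seccomp-bpf filter that fails getsockname with EPERM instead of the SIGSYS that was crashing the process, checks seccomp_data.arch first so the syscall number is read under the right ABI, and, like the commit, consults no userspace-pointer arguments. Assumes a Linux build on x86_64, aarch64 or arm32; the function names are mine.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Assumption: x86_64, aarch64 or arm32 build; other ABIs get no filter. */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define THIS_ARCH AUDIT_ARCH_ARM
#endif

/* Make getsockname fail with EPERM on this thread; 0 on success, -1 if refused. */
int block_getsockname_with_eperm(void) {
#if defined(THIS_ARCH) && defined(__NR_getsockname)
  struct sock_filter filter[] = {
    /* Numbers only mean something under the expected ABI: allow other arch tokens. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* Match on the syscall number alone; no argument is dereferenced. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getsockname, 0, 1),
    /* Errno return instead of SECCOMP_RET_TRAP, which would raise SIGSYS. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
  };
  struct sock_fprog prog = {(unsigned short)(sizeof(filter) / sizeof(filter[0])), filter};
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
#else
  return -1;
#endif
}

/* Errno getsockname() yields on a fresh AF_UNIX socket: 0 unfiltered, EPERM after. */
int probe_getsockname_errno(void) {
  struct sockaddr_storage ss;
  socklen_t len = sizeof(ss);
  int fd = socket(AF_UNIX, SOCK_STREAM, 0);
  if (fd < 0) return errno;
  int result = getsockname(fd, (struct sockaddr *)&ss, &len) == 0 ? 0 : errno;
  close(fd);
  return result;
}
```

Call probe_getsockname_errno() before and after block_getsockname_with_eperm() to see the syscall go from succeeding to returning -1/EPERM with the process still alive.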

Project Member

Comment 2 by bugdroid1@chromium.org, Nov 8 2016

Labels: merge-merged-2913
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3df454eb35c5521120ca5dc02611e0f06cfc94cc

commit 3df454eb35c5521120ca5dc02611e0f06cfc94cc
Author: Alex Mineer <amineer@chromium.org>
Date: Tue Nov 08 06:56:23 2016

Revert "[Android] Block __NR_getsockname via EPERM rather than SIGSYS."

This reverts commit 1f6acfe7dd08165baad36302b4388248e2854936.

BUG=663249, 655300 

Cr-Commit-Position: refs/branch-heads/2913@{#5}
Cr-Branched-From: 75d01e1f338c8a452f7d9aa80c2bfa463c0ce4f0-refs/heads/master@{#430459}

[modify] https://crrev.com/3df454eb35c5521120ca5dc02611e0f06cfc94cc/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

Project Member

Comment 3 by bugdroid1@chromium.org, Nov 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6cf1cba773058a061075f2a05c06f7fa61d3143b

commit 6cf1cba773058a061075f2a05c06f7fa61d3143b
Author: rsesek <rsesek@chromium.org>
Date: Tue Nov 08 15:38:36 2016

[Android] Fix x86 build after 1f6acfe7dd08.

../../content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc:45:10:
  error: 'sandbox::bpf_dsl::BoolExpr content::{anonymous}::RestrictSocketArguments()'
  defined but not used [-Werror=unused-function]

BUG=663249, 655300 
TBR=rickyz@chromium.org

Review-Url: https://codereview.chromium.org/2483253002
Cr-Commit-Position: refs/heads/master@{#430621}

[modify] https://crrev.com/6cf1cba773058a061075f2a05c06f7fa61d3143b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

Comment 4 by rsesek@chromium.org, Nov 14 2016

Labels: M-56
Status: Fixed (was: Assigned)
