Google Git
Sign in
chromium / chromium / src / 8079cee5f9f963f525051a53128affdcf9dc3fa4
commit8079cee5f9f963f525051a53128affdcf9dc3fa4[log] [tgz]
authorKyle Horimoto <khorimoto@chromium.org>Fri Apr 16 03:02:28 2021
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Fri Apr 16 03:02:28 2021
treeec6b52acd1a2864d79e1ae8510d8895a21c89bf9
parentcc68781020815770d5e56cf555c858681ab6d002 [diff]
Revert "Linux sandbox: fix fstatat() crash"

This reverts commit 7dc8a6aaa03d40a92150d86abd3f2fc4ba807193.

Reason for revert: Causes https://bugs.chromium.org/p/chromium/issues/detail?id=1199431
Exempt-From-Owner-Approval: Urgent revert

Original change's description:
> Linux sandbox: fix fstatat() crash
>
> Glibc has started rewriting fstat(fd, stat_buf) to
> fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when
> AT_EMPTY_PATH is specified, and the second argument is an empty string,
> then fstatat just performs an fstat on fd like normal.
>
> Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like
> with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0);
> The baseline policy needs to prevent this usage of fstatat() since it
> doesn't allow access to arbitrary pathnames.
>
> Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is
> simply ignored by current kernels.
>
> This means fstatat() is completely unsandboxable with seccomp, since
> we *need* to verify that the second argument is the empty string, but
> we can't dereference pointers in seccomp (due to limitations of BPF,
> and the difficulty of addressing these limitations due to TOCTOU
> issues).
>
> So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall.
> The signal handler, which runs in the sandboxed process, checks for
> AT_EMPTY_PATH and the empty string, and then rewrites any applicable
> fstatat() back into the old-style fstat().
>
> Bug: 1164975
> Change-Id: Ie7394a32f9cc9f915c2d8400f068df2f914831a2
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2801873
> Commit-Queue: Matthew Denton <mpdenton@chromium.org>
> Reviewed-by: Robert Sesek <rsesek@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#873132}

Bug: 1164975
Change-Id: I06296096dd4dbf2cc64b41bb2bcf7dd00c74cbcc
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2830830
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: David Staessens <dstaessens@chromium.org>
Reviewed-by: Azeem Arshad <azeemarshad@chromium.org>
Auto-Submit: Kyle Horimoto <khorimoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#873172}
7 files changed
tree: ec6b52acd1a2864d79e1ae8510d8895a21c89bf9
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. codelabs/
  14. components/
  15. content/
  16. courgette/
  17. crypto/
  18. dbus/
  19. device/
  20. docs/
  21. extensions/
  22. fuchsia/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. jingle/
  32. media/
  33. mojo/
  34. native_client_sdk/
  35. net/
  36. pdf/
  37. ppapi/
  38. printing/
  39. remoting/
  40. rlz/
  41. sandbox/
  42. services/
  43. skia/
  44. sql/
  45. storage/
  46. styleguide/
  47. testing/
  48. third_party/
  49. tools/
  50. ui/
  51. url/
  52. weblayer/
  53. .clang-format
  54. .clang-tidy
  55. .eslintrc.js
  56. .git-blame-ignore-revs
  57. .gitattributes
  58. .gitignore
  59. .gn
  60. .vpython
  61. .vpython3
  62. .yapfignore
  63. AUTHORS
  64. BUILD.gn
  65. CODE_OF_CONDUCT.md
  66. codereview.settings
  67. DEPS
  68. DIR_METADATA
  69. ENG_REVIEW_OWNERS
  70. LICENSE
  71. LICENSE.chromium_os
  72. OWNERS
  73. PRESUBMIT.py
  74. PRESUBMIT_test.py
  75. PRESUBMIT_test_mocks.py
  76. README.md
  77. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.