Opened 3 years ago

Closed 3 years ago

#20970 closed defect (fixed)

Firefox crashes if the security slider is left at the default on certain pages.

Reported by: yawning
Owned by: yawning
Priority: High
Milestone:
Component: Archived/Tor Browser Sandbox
Version:
Severity: Normal
Keywords:
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Just letting en.wikipedia.org load with the "Security Level" set to non-high is enough.

Stack trace of thread 3:
#0  0x00000397b4a2d015 n/a (/home/amnesia/sandboxed-tor-browser/tor-browser/Browser/libxul.so)

I did lightly test the default security setting, and haven't seen this before, but my day to day use model follows "Leave the slider on High and forget that it exists", so it's not that surprising.


Change History (7)

comment:1 Changed 3 years ago by yawning

sudo -E strace -ff -o /tmp/ff.trace -u yawning ./bin/sandboxed-tor-browser reveals this is a NULL pointer deref somewhere in libxul.so.

mprotect(0x32130c10000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_EXEC) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_EXEC) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_EXEC) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x3959d088b68} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---

comment:2 Changed 3 years ago by gk

Cc: gk added

comment:3 Changed 3 years ago by yawning

High with:

  • noscript.forbidMedia -> false
  • noscript.global -> true

is the minimum required to trigger this. Though if the page gets loaded once (e.g. set it to High, load it, then mess with the configs), the crash doesn't happen. It doesn't appear that FF is trying to dlopen anything either...

comment:4 Changed 3 years ago by yawning

As far as I can tell, this has nothing to do with the restricted libraries either, because disabling that and pulling in all of /lib and /usr/lib on my system still causes bad things to happen.

comment:5 Changed 3 years ago by yawning

Nothing to do with seccomp either (disabling that doesn't change things).

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
0x000003ad7714e7c8 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction (
    this=this@entry=0x3fb1070e940, fun=fun@entry=..., strict=false, generatorKind=js::NotGenerator)
    at /home/debian/build/tor-browser/js/src/frontend/Parser.cpp:2880
2880	/home/debian/build/tor-browser/js/src/frontend/Parser.cpp: No such file or directory.
(gdb) bt
#0  0x000003ad7714e7c8 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction(JS::Handle<JSFunction*>, bool, js::GeneratorKind) (this=this@entry=0x3fb1070e940, fun=fun@entry=..., strict=false, generatorKind=js::NotGenerator)
    at /home/debian/build/tor-browser/js/src/frontend/Parser.cpp:2880
#1  0x000003ad770930ab in js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long) (cx=cx@entry=0x3ad5b93a400, lazy=lazy@entry=..., chars=0x3ad56267ac4 u"($,jQuery,require,module){(function($){if(document.selection&&document.selection.createRange){$.fn.extend({focus:(function(jqFocus){return function(){var $w,state,result;if(arguments.length===0){$w=$("..., length=9692) at /home/debian/build/tor-browser/js/src/frontend/BytecodeCompiler.cpp:799
#2  0x000003ad76e9b6b7 in JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) (cx=cx@entry=0x3ad5b93a400, fun=fun@entry=...)
    at /home/debian/build/tor-browser/js/src/jsfun.cpp:1422
#3  0x000003ad76fa7901 in JSFunction::getOrCreateScript(JSContext*) (cx=0x3ad5b93a400, this=<optimized out>) at /home/debian/build/tor-browser/js/src/jsfun.h:389
#4  0x000003ad76fa7901 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=cx@entry=0x3ad5b93a400, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/debian/build/tor-browser/js/src/vm/Interpreter.cpp:447
#5  0x000003ad76fa8035 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x3ad5b93a400, thisv=..., fval=..., argc=argc@entry=4, argv=argv@entry=0x3fb1070f4b0, rval=..., rval@entry=...)
    at /home/debian/build/tor-browser/js/src/vm/Interpreter.cpp:496
#6  0x000003ad76c62718 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, uint32_t, JS::Value*, JS::MutableHandleValue) (cx=0x3ad5b93a400, frame=0x3fb1070f528, stub_=0x3ad5a44ecc8, argc=4, vp=0x3fb1070f4a0, res=...)
    at /home/debian/build/tor-browser/js/src/jit/BaselineIC.cpp:6162
#7  0x000003ad7a67e280 in  ()
#8  0x000003ad66826280 in  ()
#9  0x000003fb1070f458 in  ()
#10 0x000003ad5b93a418 in  ()
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
#11 0xffffffffffffffff in #12 0x000003ad79670e00 in js::jit::DoCallFallbackInfo ()
    at /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/libxul.so
#13 0x000003ad668646a0 in  ()
#14 0x000003ad6867b833 in  ()
#15 0x0000000000000c02 in  ()
#16 0x000003fb1070f528 in  ()
#17 0x000003ad5a44ecc8 in  ()
#18 0x0000000000000004 in  ()
#19 0x000003fb1070f4a0 in  ()
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
#20 0xffffffffffffffff in #21 0xffffffffffffffff in #22 0xffffffffffffffff in #23 0xffffffffffffffff in #24 0xffffffffffffffff in #25 0xffffffffffffffff in #26 0x000003fb1070f568 in  ()
#27 0x000003ad5a44ecc8 in  ()
#28 0x000003ad663d358b in  ()
#29 0x0000000000001001 in  ()
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
#30 0xffffffffffffffff in #31 0xffffffffffffffff in #32 0xffffffffffffffff in #33 0xffffffffffffffff in #34 0xffffffffffffffff in #35 0xffffffffffffffff in #36 0xffffffffffffffff in #37 0x0000000000000000 in  ()

comment:6 Changed 3 years ago by yawning

Ah ok, I know what's wrong.

The sandbox code sets an rlimit with this:

    limStack = 512 * 1024 // 512 KiB

/proc/$PID/status at the time of the crash has this:

    VmStk:      516 kB

Firefox, being a proper modern C++ application, uses a surprising amount of stack space. The solution is to crank the rlimit up to a more traditional value like 8 MiB.
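The following C program is an added example, not code from the ticket or from sandboxed-tor-browser. It reproduces the failure mode described in comment:6 on a Linux host: a forked child lowers its soft RLIMIT_STACK to 512 KiB and then touches about 2 MiB of stack, which the kernel answers by refusing to grow the stack mapping and delivering SIGSEGV with si_code SEGV_MAPERR (the second-to-last strace line in comment:1); the same recursion under an 8 MiB limit runs to completion. It also reads the VmStk field from /proc/self/status, the figure comment:6 used to diagnose the problem. The function names (burn_stack, stack_probe, vmstk_kb) and the 4 KiB-per-frame recursion are mine; the program assumes glibc, a hard stack limit of at least 8 MiB, and permission to fork.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Recurse until roughly `need` bytes of stack have been touched. Every frame
 * owns a 4 KiB volatile buffer, and the addition after the recursive call
 * keeps the compiler from turning the recursion into a loop. */
__attribute__((noinline)) static size_t burn_stack(size_t need)
{
    volatile char frame[4096];
    frame[0] = 1;
    frame[sizeof frame - 1] = 1;
    if (need <= sizeof frame)
        return (size_t)frame[0];
    return burn_stack(need - sizeof frame) + (size_t)frame[sizeof frame - 1];
}

/* Fork a child, give it `limit` bytes as its soft RLIMIT_STACK, and make it
 * touch `need` bytes of stack. Returns 1 if the child ran to completion, 0 if
 * the kernel refused to grow the stack and killed it with SIGSEGV, and -1 on
 * any other outcome (fork failure, hard limit below `limit`, ...). */
static int stack_probe(size_t limit, size_t need)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_STACK, &rl) != 0)
            _exit(2);
        if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < limit)
            _exit(2);               /* cannot raise the soft limit past the hard one */
        rl.rlim_cur = limit;
        if (setrlimit(RLIMIT_STACK, &rl) != 0)
            _exit(2);
        _exit(burn_stack(need) > 0 ? 0 : 3);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
        return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 1;
    return -1;
}

/* Read the VmStk field of /proc/self/status (Linux only): the size of the main
 * thread's stack mapping in kB. Returns -1 if the file or field is missing. */
static long vmstk_kb(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    long kb = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "VmStk:", 6) == 0) {
            kb = strtol(line + 6, NULL, 10);
            break;
        }
    }
    fclose(f);
    return kb;
}

int main(void)
{
    const size_t need = 2 * 1024 * 1024;    /* 2 MiB: well past 512 KiB, well under 8 MiB */
    printf("VmStk now: %ld kB\n", vmstk_kb());
    printf("512 KiB limit, touch 2 MiB: %s\n",
           stack_probe(512 * 1024, need) == 0 ? "SIGSEGV" : "survived");
    printf("8 MiB limit, touch 2 MiB:   %s\n",
           stack_probe(8 * 1024 * 1024, need) == 1 ? "survived" : "SIGSEGV/error");
    return 0;
}
```

The child dies exactly the way the sandboxed Firefox did: no fault in the program's logic, just the kernel declining to extend the stack VMA once it would exceed the soft limit. When sizing such a limit for a sandboxed process, the measured VmStk at peak (516 kB here, against a 512 KiB ceiling) is the number to compare against, and a limit chosen as "typical system default with headroom" keeps the rlimit in its intended role of fencing runaway resource use rather than acting as a hidden correctness constraint.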

comment:7 Changed 3 years ago by yawning

Resolution: fixed
Status: new → closed

https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=db42366aabfd4ed975e34197a09a4a6fff4aa322

Why Wikipedia, of all places, causes the JS interpreter to use more stack than any other website I've visited with the security slider set to "YOLO", I have no idea. 8 MiB is totally overkill to be honest, but that's a typical value on modern systems, and the rlimits() are mostly there to prevent runaway resource consumption.
