Firefox crashes if the security slider is left at the default on certain pages.

Just letting en.wikipedia.org load with the "Security Level" set to non-high is enough.

Stack trace of thread 3:
#0  0x00000397b4a2d015 n/a (/home/amnesia/sandboxed-tor-browser/tor-browser/Browser/libxul.so)

I did lightly test the default security setting, and haven't seen this before, but my day to day use model follows "Leave the slider on High and forget that it exists", so it's not that surprising.

added component::archived/tor browser sandbox owner::yawning priority::high resolution::fixed severity::normal status::closed type::defect labels

sudo -E strace -ff -o /tmp/ff.trace -u yawning ./bin/sandboxed-tor-browser reveals this is a NULL pointer deref somewhere in libxul.so.

mprotect(0x32130c10000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_EXEC) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_EXEC) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x32130c10000, 4096, PROT_READ|PROT_EXEC) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x3959d088b68} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---

Trac:
Cc: N/A to gk

High with:

• noscript.forbidMedia -> false
• noscript.global -> true

Is the minimum required to trigger this. Though if the page gets loaded once, (eg: set it to high, load it, then mess with the configs) the crash doesn't happen. It doesn't appear that FF is trying to dlopen anything either....

As far as I can tell this has nothing to do with the restricted libraries either, because disabling that and pulling in all of /lib and /usr/lib on my system still causes bad things to happen.

Nothing to do with seccomp either (disabling that doesn't change things).

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
0x000003ad7714e7c8 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction (
    this=this@entry=0x3fb1070e940, fun=fun@entry=..., strict=false, generatorKind=js::NotGenerator)
    at /home/debian/build/tor-browser/js/src/frontend/Parser.cpp:2880
2880	/home/debian/build/tor-browser/js/src/frontend/Parser.cpp: No such file or directory.
(gdb) bt
#0  0x000003ad7714e7c8 in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction(JS::Handle<JSFunction*>, bool, js::GeneratorKind) (this=this@entry=0x3fb1070e940, fun=fun@entry=..., strict=false, generatorKind=js::NotGenerator)
    at /home/debian/build/tor-browser/js/src/frontend/Parser.cpp:2880
#1  0x000003ad770930ab in js::frontend::CompileLazyFunction(JSContext*, JS::Handle<js::LazyScript*>, char16_t const*, unsigned long) (cx=cx@entry=0x3ad5b93a400, lazy=lazy@entry=..., chars=0x3ad56267ac4 u"($,jQuery,require,module){(function($){if(document.selection&&document.selection.createRange){$.fn.extend({focus:(function(jqFocus){return function(){var $w,state,result;if(arguments.length===0){$w=$("..., length=9692) at /home/debian/build/tor-browser/js/src/frontend/BytecodeCompiler.cpp:799
#2  0x000003ad76e9b6b7 in JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) (cx=cx@entry=0x3ad5b93a400, fun=fun@entry=...)
    at /home/debian/build/tor-browser/js/src/jsfun.cpp:1422
#3  0x000003ad76fa7901 in JSFunction::getOrCreateScript(JSContext*) (cx=0x3ad5b93a400, this=<optimized out>) at /home/debian/build/tor-browser/js/src/jsfun.h:389
#4  0x000003ad76fa7901 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=cx@entry=0x3ad5b93a400, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/debian/build/tor-browser/js/src/vm/Interpreter.cpp:447
#5  0x000003ad76fa8035 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x3ad5b93a400, thisv=..., fval=..., argc=argc@entry=4, argv=argv@entry=0x3fb1070f4b0, rval=..., rval@entry=...)
    at /home/debian/build/tor-browser/js/src/vm/Interpreter.cpp:496
#6  0x000003ad76c62718 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, uint32_t, JS::Value*, JS::MutableHandleValue) (cx=0x3ad5b93a400, frame=0x3fb1070f528, stub_=0x3ad5a44ecc8, argc=4, vp=0x3fb1070f4a0, res=...)
    at /home/debian/build/tor-browser/js/src/jit/BaselineIC.cpp:6162
#7  0x000003ad7a67e280 in  ()
#8  0x000003ad66826280 in  ()
#9  0x000003fb1070f458 in  ()
#10 0x000003ad5b93a418 in  ()
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
#11 0xffffffffffffffff in #12 0x000003ad79670e00 in js::jit::DoCallFallbackInfo ()
    at /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/libxul.so
#13 0x000003ad668646a0 in  ()
#14 0x000003ad6867b833 in  ()
#15 0x0000000000000c02 in  ()
#16 0x000003fb1070f528 in  ()
#17 0x000003ad5a44ecc8 in  ()
#18 0x0000000000000004 in  ()
#19 0x000003fb1070f4a0 in  ()
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
#20 0xffffffffffffffff in #21 0xffffffffffffffff in #22 0xffffffffffffffff in #23 0xffffffffffffffff in #24 0xffffffffffffffff in #25 0xffffffffffffffff in #26 0x000003fb1070f568 in  ()
#27 0x000003ad5a44ecc8 in  ()
#28 0x000003ad663d358b in  ()
#29 0x0000000000001001 in  ()
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
Python Exception <class 'SystemError'> <built-in function isinstance> returned a result with an error set: 
#30 0xffffffffffffffff in #31 0xffffffffffffffff in #32 0xffffffffffffffff in #33 0xffffffffffffffff in #34 0xffffffffffffffff in #35 0xffffffffffffffff in #36 0xffffffffffffffff in #37 0x0000000000000000 in  ()

Ah ok, I know what's wrong.

The sandbox code sets a rlimit with this: limStack = 512 * 1024 // 512 KiB

/proc/$PID/status at the time of the crash has this: VmStk: 516 kB

Firefox being a proper modern C++ application, uses a suprising amount of stack space. The solution is to crank the rlimit up to a more traditional value like 8 MiB.

https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=db42366aabfd4ed975e34197a09a4a6fff4aa322

Why wikipedia of all places, causes the JS interpreter to use more stack than any other website I've visited with the security slider set to "YOLO", I have no idea. 8 MiB is totally overkill to be honest, but that's a typical value on modern systems, and the rlimits() are mostly there to prevent runaway resource consumption.

Trac:
Resolution: N/A to fixed
Status: new to closed

closed