Bug 1860267 - Allow mremap in all process types when not using mozjemalloc. r=gcp

Previously this was allowed only in content processes, but we've gained
other process types over the years, and it's possible for libc realloc's
mremap case to be reached in any process type (if less common in practice).

This restricts the flags argument to contain at most `MREMAP_MAYMOVE`, to
allow what dlmalloc descendants (glibc, bionic) use for `realloc`.

Note that this does not affect normal builds, only ones which opt out
of our own malloc implementation, typically in order to use some kind of
memory instrumentation like valgrind.

Differential Revision: https://phabricator.services.mozilla.com/D192028
This commit is contained in:
Jed Davis 2023-10-31 02:12:23 +00:00
parent 63569191d0
commit f0ed8c3525


@ -901,7 +901,7 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
CASES_FOR_clock_gettime:
CASES_FOR_clock_getres:
CASES_FOR_clock_nanosleep : {
CASES_FOR_clock_nanosleep: {
// clockid_t can encode a pid or tid to monitor another
// process or thread's CPU usage (see CPUCLOCK_PID and related
// definitions in include/linux/posix-timers.h in the kernel
@ -956,7 +956,7 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
CASES_FOR_fstat:
return Allow();
CASES_FOR_fcntl : {
CASES_FOR_fcntl: {
Arg<int> cmd(1);
Arg<int> flags(2);
// Typical use of F_SETFL is to modify the flags returned by
@ -1021,6 +1021,13 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
// that might use brk.
case __NR_brk:
return Allow();
// Similarly, mremap (bugs: 1047620, 1286119, 1860267)
case __NR_mremap: {
Arg<int> flags(3);
return If((flags & ~MREMAP_MAYMOVE) == 0, Allow())
.Else(SandboxPolicyBase::EvaluateSyscall(sysno));
}
#endif
// madvise hints used by malloc; see bug 1303813 and bug 1364533
@ -1424,7 +1431,7 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
.Else(SandboxPolicyCommon::EvaluateSyscall(sysno));
}
CASES_FOR_fcntl : {
CASES_FOR_fcntl: {
Arg<int> cmd(1);
return Switch(cmd)
// Nvidia GL and fontconfig (newer versions) use fcntl file locking.
@ -2017,7 +2024,7 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
.Else(SandboxPolicyCommon::EvaluateSyscall(sysno));
}
CASES_FOR_fcntl : {
CASES_FOR_fcntl: {
Arg<int> cmd(1);
return Switch(cmd)
.Case(F_DUPFD_CLOEXEC, Allow())