# HG changeset patch # User Jed Davis # Date 1603832709 0 # Node ID 13d5867b039948a79fa80fc2081a17b8089f1ed7 # Parent 0322427df80a91fdeace25c1508105074dc8adad Bug 1673202 - Call fstat directly in Linux sandbox fstatat interception. r=gcp, a=RyanVM Sandbox policies handle the case of `fstatat(fd, "", AT_EMPTY_PATH|...)` by invoking the SIGSYS handler (because seccomp-bpf can't tell if the string will be empty when the syscall would use it), which makes the equivalent call to `fstat`. Unfortunately, recent development versions of glibc implement `fstat` by calling `fstatat`, which causes unbounded recursion and stack overflow. (This depends on the headers present at build time; see the bug for more details.) This patch switches it to use the `fstat` (or `fstat64` on 32-bit) syscall directly. Differential Revision: https://phabricator.services.mozilla.com/D94798 diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp --- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -241,17 +241,21 @@ class SandboxPolicyCommon : public Sandb auto broker = static_cast(aux); auto fd = static_cast(aArgs.args[0]); auto path = reinterpret_cast(aArgs.args[1]); auto buf = reinterpret_cast(aArgs.args[2]); auto flags = static_cast(aArgs.args[3]); if (fd != AT_FDCWD && (flags & AT_EMPTY_PATH) != 0 && strcmp(path, "") == 0) { - return ConvertError(fstatsyscall(fd, buf)); +#ifdef __NR_fstat64 + return DoSyscall(__NR_fstat64, fd, buf); +#else + return DoSyscall(__NR_fstat, fd, buf); +#endif } if (fd != AT_FDCWD && path[0] != '/') { SANDBOX_LOG_ERROR("unsupported fd-relative fstatat(%d, \"%s\", %p, %d)", fd, path, buf, flags); return BlockedSyscallTrap(aArgs, nullptr); } if ((flags & ~(AT_SYMLINK_NOFOLLOW | AT_NO_AUTOMOUNT)) != 0) {