Security/Sandbox/2018-05-03

« previous week | index | next week »

tjr

• MinGW Build: Debugging
  • Run a try build with ./mach test ?
• CFI Build
  • Got a working LTO build in TaskCluster
  • Working on CFI Now
• Timer Intermittents: Still investigating bug 1454584
• Finished Tor, Skia, and 1 Fission doc
  • More Fission docs in the pipeline

Alex_Gaynor

• IPC Fuzzing
  • bug 1457899 - landed; switched out a KillHard() for IPC_FAIL_NO_REASON()
  • bug 1323532 - landed; removed some excessive codegen in IPC, will make a follow up cleanup easier to implement (bug 1457536)
  • bug 1456147 - landed; fixed assertion failure in IPC
  • sec bugs

gcp

• bug 1134747 - Investigate possibility of proxying/filtering X11 traffic from Linux desktop content processes
• Mostly fighting with rust

jld

• bug 1243108 - the race condition hunt continues
  • Good news: we're not leaking memory after all.
    • It's the response that's lost… even if we send more responses until the buffer is full.
  • More error checking doesn't help.
  • The response is being written on the right socket.
  • It's not a soundness bug in net/unix/garbage.c, so that's good, I guess.
  • And I have a small(ish) C program that reproduces it a lot faster!
  • Doesn't repro when confined to a single CPU (which suggests the lack of repro under rr isn't a coincidence).
  • (The simple joy of inserting a sched_yield and having it *almost* fix the bug.)
  • Forcing the close() on the sending end of a socketpair to happen after the recvmsg() on the other end seems to “fix” it, and isn't a huge hack?
    • But it seems to approximately double the latency overhead for back-to-back requests. There might be a better way to do this….
• IPC reviews, as usual
• bug 1457657 - nvidia-tls seccomp violation, but it's not really nvidia-tls??

bobowen

• Canvas remoting
  • Found some problems with my initial approach, (too much copying and stuck images).
  • Just finishing off a better one that should solve those.

haik

• bug 1457501 - Mac Crash deadlock triggered by CrashReporter::GetFlatThreadAnnotation() lock acquisition
  • Landed
• bug 1457545 - Mac Crash deadlock triggered by dlsym()/dlopen() deadlock
  • Resuming threads after minidump handling avoids the problem
  • Looking at alternatives, will wait until after merge to land
• bug 1452278 - [Mac] Make nsOSHelperAppService::GetFromTypeAndExtension() not call OS MIME API's in content
  • Generic MIMEInfo class, nsOSHelperAppService
• bug 1458553 - Return of Google Maps all black map with updated Nvidia web driver on Mac
  • Small sandbox tweak to allow file-map-executable for /Library/GPUBundles, on Autoland

handyman

• bug 1366256 - NPAPI sandbox level 3
  • Fix is to add plugin to sandbox file exceptions. Cause is still unclear.
  • If there is a general problem with the local builds then my testing may have been useless. I'm doing a second cursory check with automation builds.
• bug 1419488 - Win7 Shutdown hang in CDeviceEnumerator::DestroyHWndNotificationThread (audio)
  • Can now debug this with a Win 7 VM.
  • Issue is a "hang" due to audio hardware interrupts taking too long (under PnpNotificationThreadWrapper)
  • Theory that we can shut this down on a worker thread w/o blocking main loop
• bug 1450708 - Crash in FunctionBroker
  • crashes finally seem to be gone. uplifted
• bug 1458034 - multiple volume sliders
  • may be back in Windows 10 with v1803 (currently in preview)

round table

• Lightning Talks In SF
  • https://docs.google.com/spreadsheets/d/1sowEK957PjGLeDx_Voe4TdmSnDu1KkbOiBbU3gaY_HA/edit#gid=0
  • Security engineering lightning talks https://docs.google.com/spreadsheets/d/1n3xQQR17ZhvZATDbWR0jKVUudBsOB7pRjJo4AoKji0U/edit#gid=0
• bug 1458083 - win10 loaner has limited permissions
• bug 1458087 - Windows 10 loaners desktop widgets are unusable