authorjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-09-04 21:33:22 +0000
committerjln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-09-04 21:33:22 +0000
commit50c79657b611ac92cbe54dc94ecb2f60d802688b (patch)
tree275883ebca2bddfc06319f499f5c2df233edf635 /sandbox
parent116697fc2c89b6e1046b8066364f9868ba1ae41f (diff)
Linux sandbox: do not crash on spurious SIGSYS.
SIGSYS is a reserved signal for sandboxing on Linux. When we receive a spurious SIGSYS, we typically crash. This patch changes this behavior to only log an error. BUG=178166 R=markus@chromium.org Review URL: https://codereview.chromium.org/23686010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@221274 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/linux/seccomp-bpf/trap.cc27
1 files changed, 15 insertions, 12 deletions
diff --git a/sandbox/linux/seccomp-bpf/trap.cc b/sandbox/linux/seccomp-bpf/trap.cc
index 78a78ee..3c30de35 100644
--- a/sandbox/linux/seccomp-bpf/trap.cc
+++ b/sandbox/linux/seccomp-bpf/trap.cc
@@ -111,26 +111,24 @@ void Trap::SigSysAction(int nr, siginfo_t *info, void *void_context) {
}
void Trap::SigSys(int nr, siginfo_t *info, void *void_context) {
+ // Signal handlers should always preserve "errno". Otherwise, we could
+ // trigger really subtle bugs.
+ const int old_errno = errno;
+
// Various sanity checks to make sure we actually received a signal
// triggered by a BPF filter. If something else triggered SIGSYS
// (e.g. kill()), there is really nothing we can do with this signal.
if (nr != SIGSYS || info->si_code != SYS_SECCOMP || !void_context ||
info->si_errno <= 0 ||
static_cast<size_t>(info->si_errno) > trap_array_size_) {
- // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal
- // safe and can lead to bugs. We should eventually implement a different
- // logging and reporting mechanism that is safe to be called from
- // the sigSys() handler.
- // TODO: If we feel confident that our code otherwise works correctly, we
- // could actually make an argument that spurious SIGSYS should
- // just get silently ignored. TBD
- SANDBOX_DIE("Unexpected SIGSYS received.");
+ // ATI drivers seem to send SIGSYS, so this cannot be FATAL.
+ // See crbug.com/178166.
+ // TODO(jln): add a DCHECK or move back to FATAL.
+ RAW_LOG(ERROR, "Unexpected SIGSYS received.");
+ errno = old_errno;
+ return;
}
- // Signal handlers should always preserve "errno". Otherwise, we could
- // trigger really subtle bugs.
- const int old_errno = errno;
-
// Obtain the signal context. This, most notably, gives us access to
// all CPU registers at the time of the signal.
ucontext_t *ctx = reinterpret_cast<ucontext_t *>(void_context);
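Review bot: The new early-return path changes what happens to the interrupted thread, and the comment above `RAW_LOG` should say so: returning from a SIGSYS handler resumes the faulting instruction, so a signal that did come from the BPF filter but failed the `info->si_errno` range check against `trap_array_size_` now lets the blocked syscall complete with whatever value the kernel left in the return register (I believe -ENOSYS for SECCOMP_RET_TRAP) instead of the process dying, whereas only the `si_code != SYS_SECCOMP` case is a truly spurious signal. Suggested comment: `// Returning resumes the interrupted instruction; for a genuine but out-of-range seccomp trap the syscall completes with the kernel's default return value rather than a handler-chosen one.` The `TODO(jln)` proposing a DCHECK is worth qualifying, since DCHECK expands to LOG(FATAL) in debug builds as far as I know, which has the same async-signal-safety problem the comment moved into the next hunk describes. SigSys's body continues past the end of this hunk.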
@@ -145,6 +143,11 @@ void Trap::SigSys(int nr, siginfo_t *info, void *void_context) {
if (sigsys.ip != reinterpret_cast<void *>(SECCOMP_IP(ctx)) ||
sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx)) ||
sigsys.arch != SECCOMP_ARCH) {
+ // TODO(markus):
+ // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal
+ // safe and can lead to bugs. We should eventually implement a different
+ // logging and reporting mechanism that is safe to be called from
+ // the sigSys() handler.
SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS.");
}