diff options
Diffstat (limited to 'sandbox/linux/seccomp-bpf/trap.cc')
-rw-r--r-- | sandbox/linux/seccomp-bpf/trap.cc | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/sandbox/linux/seccomp-bpf/trap.cc b/sandbox/linux/seccomp-bpf/trap.cc index 78a78ee..3c30de35 100644 --- a/sandbox/linux/seccomp-bpf/trap.cc +++ b/sandbox/linux/seccomp-bpf/trap.cc @@ -111,26 +111,24 @@ void Trap::SigSysAction(int nr, siginfo_t *info, void *void_context) { } void Trap::SigSys(int nr, siginfo_t *info, void *void_context) { + // Signal handlers should always preserve "errno". Otherwise, we could + // trigger really subtle bugs. + const int old_errno = errno; + // Various sanity checks to make sure we actually received a signal // triggered by a BPF filter. If something else triggered SIGSYS // (e.g. kill()), there is really nothing we can do with this signal. if (nr != SIGSYS || info->si_code != SYS_SECCOMP || !void_context || info->si_errno <= 0 || static_cast<size_t>(info->si_errno) > trap_array_size_) { - // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal - // safe and can lead to bugs. We should eventually implement a different - // logging and reporting mechanism that is safe to be called from - // the sigSys() handler. - // TODO: If we feel confident that our code otherwise works correctly, we - // could actually make an argument that spurious SIGSYS should - // just get silently ignored. TBD - SANDBOX_DIE("Unexpected SIGSYS received."); + // ATI drivers seem to send SIGSYS, so this cannot be FATAL. + // See crbug.com/178166. + // TODO(jln): add a DCHECK or move back to FATAL. + RAW_LOG(ERROR, "Unexpected SIGSYS received."); + errno = old_errno; + return; } - // Signal handlers should always preserve "errno". Otherwise, we could - // trigger really subtle bugs. - const int old_errno = errno; - // Obtain the signal context. This, most notably, gives us access to // all CPU registers at the time of the signal. ucontext_t *ctx = reinterpret_cast<ucontext_t *>(void_context); @@ -145,6 +143,11 @@ void Trap::SigSys(int nr, siginfo_t *info, void *void_context) { if (sigsys.ip != reinterpret_cast<void *>(SECCOMP_IP(ctx)) || sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx)) || sigsys.arch != SECCOMP_ARCH) { + // TODO(markus): + // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal + // safe and can lead to bugs. We should eventually implement a different + // logging and reporting mechanism that is safe to be called from + // the sigSys() handler. SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS."); } |