[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [sandboxed-tor-browser/master] Disable PI futex calls in the Tor Browser sandbox (x86_64).
commit af2f433511ba613c7139709d2abebdba6820e8ca
Author: Yawning Angel <yawning@xxxxxxxxxxxxxxx>
Date: Sat Dec 3 21:32:34 2016 +0000
Disable PI futex calls in the Tor Browser sandbox (x86_64).
There are rumors that PI futexes have scary race conditions, that enable
an exploit that is being sold by the forces of darkness. On systems where
we can filter futex kernel args, we reject such calls.
However this breaks PulseAudio, because PI futex usage is determined at
compile time. This fixes up the mutex creation call, to never request PI
mutexes.
Thanks to the unnamed reporter who filed the issues on the tails, bug
tracker and chatted with me on IRC about it.
Note: This could be enabled unconditionally (ie: also on x86), but since
that platform doesn't filter syscalls by argument due to seccomp-bpf
limitations, it seems somewhat pointless.
See: https://labs.riseup.net/code/issues/11524
---
data/torbrowser-launcher-whitelist.seccomp | 29 +++++++-
.../internal/sandbox/application.go | 9 +++
src/tbb_stub/tbb_stub.c | 81 ++++++++++++++++++++++
3 files changed, 117 insertions(+), 2 deletions(-)
diff --git a/data/torbrowser-launcher-whitelist.seccomp b/data/torbrowser-launcher-whitelist.seccomp
index f47a290..7e47052 100644
--- a/data/torbrowser-launcher-whitelist.seccomp
+++ b/data/torbrowser-launcher-whitelist.seccomp
@@ -1,7 +1,32 @@
TIOCGPGRP=21519
-# futex: FUTEX_CMP_REQUEUE_PRIVATE || FUTEX_LOCK_PI_PRIVATE || FUTEX_UNLOCK_PI_PRIVATE || FUTEX_WAIT || FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAIT_PRIVATE || FUTEX_WAKE || FUTEX_WAKE_OP_PRIVATE || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_BITSET_PRIVATE || FUTEX_UNLOCK_PI
-futex: arg1 == 0 || arg1 == 128 || arg1 == 129 || arg1 == 132 || arg1 == 133 || arg1 == 393 || arg1 == 134 || arg1 == 1 || arg1 == 135 || arg1 == 139 || arg1 == 140 || arg1 == 137 || arg1 == 7
+FUTEX_WAIT=0
+FUTEX_WAKE=1
+FUTEX_FD=2
+FUTEX_REQUEUE=3
+FUTEX_CMP_REQUEUE=3
+FUTEX_WAKE_OP=5
+#FUTEX_LOCK_PI=6
+#FUTEX_UNLOCK_PI=7
+FUTEX_WAIT_BITSET=9
+FUTEX_PRIVATE_FLAG=128
+FUTEX_CLOCK_REALTIME=256
+
+FUTEX_WAIT_PRIVATE=FUTEX_WAIT | FUTEX_PRIVATE_FLAG
+FUTEX_WAKE_PRIVATE=FUTEX_WAKE | FUTEX_PRIVATE_FLAG
+FUTEX_CMP_REQUEUE_PRIVATE=FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG
+FUTEX_WAKE_OP_PRIVATE=FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG
+#FUTEX_LOCK_PI_PRIVATE=FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG
+#FUTEX_UNLOCK_PI_PRIVATE=FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG
+FUTEX_WAIT_BITSET_PRIVATE=FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG
+
+# XXX/yawning: Because we patch PulseAudio's mutex creation, we can omit
+# FUTEX_LOCK_PI_PRIVATE, FUTEX_UNLOCK_PI_PRIVATE, FUTEX_UNLOCK_PI.
+#
+# This is deliberate and aims to avoid rumored scary race conditions in the
+# PI futex code.
+futex: arg1 == FUTEX_CMP_REQUEUE_PRIVATE || arg1 == FUTEX_WAIT || arg1 == FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || arg1 == FUTEX_WAIT_PRIVATE || arg1 == FUTEX_WAKE || arg1 == FUTEX_WAKE_OP_PRIVATE || arg1 == FUTEX_WAKE_PRIVATE || arg1 == FUTEX_WAIT_BITSET_PRIVATE
+
lseek: 1
open: 1
read: 1
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
index 6ce948e..edac173 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go
@@ -232,6 +232,15 @@ func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (cm
ldLibraryPath = ldLibraryPath + ":" + paLibsPath
h.roBind(paLibsPath, restrictedPulseDir, false)
extraLdLibraryPath = extraLdLibraryPath + ":" + restrictedPulseDir
+
+ matches, err := filepath.Glob(paLibsPath + "/*.so")
+ if err != nil {
+ return nil, err
+ }
+ for _, v := range matches {
+ _, f := filepath.Split(v)
+ extraLibs = append(extraLibs, f)
+ }
} else {
log.Printf("sandbox: Failed to find pulse audio libraries.")
}
diff --git a/src/tbb_stub/tbb_stub.c b/src/tbb_stub/tbb_stub.c
index 7e2bb1f..e431222 100644
--- a/src/tbb_stub/tbb_stub.c
+++ b/src/tbb_stub/tbb_stub.c
@@ -51,6 +51,9 @@
#ifdef __i386__
#include <sys/time.h>
#include <sys/resource.h>
+#else
+#include <glob.h>
+#include <stdbool.h>
#endif
static pthread_once_t stub_init_once = PTHREAD_ONCE_INIT;
@@ -177,6 +180,7 @@ XQueryExtension(Display *display, _Xconst char *name, int *major, int *event, in
}
#ifdef __i386__
+
static int (*real_getrlimit)(__rlimit_resource_t, struct rlimit *);
int
@@ -195,6 +199,83 @@ getrlimit(__rlimit_resource_t resource, struct rlimit *rlim)
return real_getrlimit(resource, rlim);
}
+
+#else
+
+typedef struct pa_mutex pm;
+static pm* (*real_pa_mutex_new)(bool, bool);
+
+static char *
+glob_library(const char *lib_glob) {
+ glob_t gb;
+ char *lib = NULL;
+ size_t i;
+
+ if (glob(lib_glob, GLOB_MARK, NULL, &gb) != 0) {
+ return NULL;
+ }
+
+ for (i = 0; i < gb.gl_pathc; i++) {
+ const char *path = gb.gl_pathv[i];
+ size_t plen = strlen(path);
+
+ if (plen > 0 && path[plen] != '/') {
+ lib = strndup(path, plen);
+ break;
+ }
+ }
+
+ globfree(&gb);
+
+ return lib;
+}
+
+/* There are rumors that PI futexes have scary race conditions, that enable
+ * an exploit that is being sold by the forces of darkness. On systems where
+ * we can filter futex kernel args, we reject such calls.
+ *
+ * However this breaks PulseAudio, because PI futex usage is determined at
+ * compile time. This fixes up the mutex creation call, to never request PI
+ * mutexes.
+ *
+ * Thanks to the unnamed reporter who filed the issues on the tails, bug
+ * tracker and chatted with me on IRC about it.
+ * See: https://labs.riseup.net/code/issues/11524
+ *
+ * Note: This could be enabled unconditionally (ie: also on x86), but since
+ * that platform doesn't filter syscalls by argument due to seccomp-bpf
+ * limitations, it seems somewhat pointless.
+ */
+pm *
+pa_mutex_new(bool recursive, bool inherit_priority) {
+ (void) inherit_priority;
+
+ pthread_once(&stub_init_once, stub_init);
+
+ if (real_pa_mutex_new == NULL) {
+ void *handle;
+ char *lib;
+
+ if ((lib = glob_library("/usr/lib/pulseaudio/libpulsecore-*.so")) == NULL) {
+ fprintf(stderr, "ERROR: Failed to find `libpulsecore-*.so`");
+ abort();
+ }
+
+ if ((handle = real_dlopen(lib, RTLD_LAZY|RTLD_LOCAL)) == NULL) {
+ fprintf(stderr, "ERROR: Failed to dlopen() libpulsecore.so: %s\n", dlerror());
+ abort();
+ }
+ free(lib);
+
+ if ((real_pa_mutex_new = dlsym(handle, "pa_mutex_new")) == NULL) {
+ fprintf(stderr, "ERROR: Failed to find `pa_mutex_new()` symbol: %s\n", dlerror());
+ abort();
+ }
+ dlclose(handle);
+ }
+ return real_pa_mutex_new(recursive, false);
+}
+
#endif
/* Initialize the stub. */
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits