chromium: Fix sanbox crashes on musl

kraj · otavio · commit 0d7073186806 · 2021-03-21T18:02:30.000-03:00
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
diff --git a/meta-chromium/recipes-browser/chromium/chromium-gn.inc b/meta-chromium/recipes-browser/chromium/chromium-gn.inc
@@ -42,6 +42,9 @@ SRC_URI_append_libc-musl = "\
     file://musl/0015-mallopt-is-glibc-specific-API.patch \
     file://musl/0016-tcmalloc-undef-mmap64.patch \
     file://musl/0017-tcmalloc-no-__sbrk.patch \
+    file://musl/0018--Use-monotonic-clock-for-pthread_cond_timedwait-with-.patch \
+    file://musl/0019-adjust-thread-stack-sizes.patch \
+    file://musl/0020-Fix-tab-crashes-on-musl.patch \
 "
 
 # Append instead of assigning; the gtk-icon-cache class inherited above also
diff --git a/meta-chromium/recipes-browser/chromium/files/musl/0018--Use-monotonic-clock-for-pthread_cond_timedwait-with-.patch b/meta-chromium/recipes-browser/chromium/files/musl/0018--Use-monotonic-clock-for-pthread_cond_timedwait-with-.patch
@@ -0,0 +1,39 @@
+From 7f5b1d8fdc9a641b9c32e47e5bce0fa23447c4cf Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 19 Mar 2021 20:06:34 -0700
+Subject: [PATCH 1/3] Use monotonic clock for pthread_cond_timedwait with musl
+ too.
+
+Sourced from Alpine Linux
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ v8/src/base/platform/condition-variable.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/v8/src/base/platform/condition-variable.cc b/v8/src/base/platform/condition-variable.cc
+index 04ea29181..d121acdc5 100644
+--- a/v8/src/base/platform/condition-variable.cc
++++ b/v8/src/base/platform/condition-variable.cc
+@@ -16,7 +16,7 @@ namespace base {
+ 
+ ConditionVariable::ConditionVariable() {
+ #if (V8_OS_FREEBSD || V8_OS_NETBSD || V8_OS_OPENBSD || \
+-     (V8_OS_LINUX && V8_LIBC_GLIBC))
++     V8_OS_LINUX)
+   // On Free/Net/OpenBSD and Linux with glibc we can change the time
+   // source for pthread_cond_timedwait() to use the monotonic clock.
+   pthread_condattr_t attr;
+@@ -92,7 +92,7 @@ bool ConditionVariable::WaitFor(Mutex* mutex, const TimeDelta& rel_time) {
+       &native_handle_, &mutex->native_handle(), &ts);
+ #else
+ #if (V8_OS_FREEBSD || V8_OS_NETBSD || V8_OS_OPENBSD || \
+-     (V8_OS_LINUX && V8_LIBC_GLIBC))
++     V8_OS_LINUX)
+   // On Free/Net/OpenBSD and Linux with glibc we can change the time
+   // source for pthread_cond_timedwait() to use the monotonic clock.
+   result = clock_gettime(CLOCK_MONOTONIC, &ts);
+-- 
+2.31.0
+
diff --git a/meta-chromium/recipes-browser/chromium/files/musl/0019-adjust-thread-stack-sizes.patch b/meta-chromium/recipes-browser/chromium/files/musl/0019-adjust-thread-stack-sizes.patch
@@ -0,0 +1,56 @@
+From 0b2cb722d3d256e20d265ed5421e286e0589d182 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 19 Mar 2021 20:09:10 -0700
+Subject: [PATCH 2/3] adjust thread stack sizes
+
+musl default stack is 128K as compared to glibc's 8M
+adjust the expecations accordingly
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ base/threading/platform_thread_linux.cc      | 3 ++-
+ chrome/app/shutdown_signal_handlers_posix.cc | 8 ++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/base/threading/platform_thread_linux.cc b/base/threading/platform_thread_linux.cc
+index de2e0c169..53cb90def 100644
+--- a/base/threading/platform_thread_linux.cc
++++ b/base/threading/platform_thread_linux.cc
+@@ -437,7 +437,8 @@ void TerminateOnThread() {}
+ 
+ size_t GetDefaultThreadStackSize(const pthread_attr_t& attributes) {
+ #if !defined(THREAD_SANITIZER)
+-  return 0;
++  // use 8mb like glibc to avoid running out of space
++  return (1 << 23);
+ #else
+   // ThreadSanitizer bloats the stack heavily. Evidence has been that the
+   // default stack size isn't enough for some browser tests.
+diff --git a/chrome/app/shutdown_signal_handlers_posix.cc b/chrome/app/shutdown_signal_handlers_posix.cc
+index 621d441e8..472a3a878 100644
+--- a/chrome/app/shutdown_signal_handlers_posix.cc
++++ b/chrome/app/shutdown_signal_handlers_posix.cc
+@@ -187,11 +187,19 @@ void InstallShutdownSignalHandlers(
+   g_shutdown_pipe_read_fd = pipefd[0];
+   g_shutdown_pipe_write_fd = pipefd[1];
+ #if !defined(ADDRESS_SANITIZER)
++# if defined(__GLIBC__)
+   const size_t kShutdownDetectorThreadStackSize = PTHREAD_STACK_MIN * 2;
++# else
++  const size_t kShutdownDetectorThreadStackSize = PTHREAD_STACK_MIN * 2 * 8; // match up musls 2k PTHREAD_STACK_MIN with glibcs 16k
++# endif
+ #else
++# if defined(__GLIBC__)
+   // ASan instrumentation bloats the stack frames, so we need to increase the
+   // stack size to avoid hitting the guard page.
+   const size_t kShutdownDetectorThreadStackSize = PTHREAD_STACK_MIN * 4;
++# else
++  const size_t kShutdownDetectorThreadStackSize = PTHREAD_STACK_MIN * 4 * 8; // match up musls 2k PTHREAD_STACK_MIN with glibcs 16k
++# endif
+ #endif
+   ShutdownDetector* detector = new ShutdownDetector(
+       g_shutdown_pipe_read_fd, std::move(shutdown_callback), task_runner);
+-- 
+2.31.0
+
diff --git a/meta-chromium/recipes-browser/chromium/files/musl/0020-Fix-tab-crashes-on-musl.patch b/meta-chromium/recipes-browser/chromium/files/musl/0020-Fix-tab-crashes-on-musl.patch
@@ -0,0 +1,197 @@
+From b11616073264bba0d45f6a61eac17886f6aa0583 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 19 Mar 2021 20:16:00 -0700
+Subject: [PATCH 3/3] Fix tab crashes on musl
+
+Upstream-Status: Inappropriate [musl-specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ .../syscall_parameters_restrictions.cc        | 22 +++++--------------
+ .../linux/seccomp-bpf-helpers/syscall_sets.cc |  5 +++--
+ .../system_headers/arm64_linux_syscalls.h     |  4 ++++
+ .../linux/system_headers/arm_linux_syscalls.h |  4 ++++
+ sandbox/linux/system_headers/linux_syscalls.h |  1 +
+ .../system_headers/mips64_linux_syscalls.h    |  4 ++++
+ .../system_headers/mips_linux_syscalls.h      |  4 ++++
+ .../system_headers/x86_64_linux_syscalls.h    |  4 ++++
+ .../policy/linux/bpf_renderer_policy_linux.cc |  4 ++--
+ 9 files changed, 32 insertions(+), 20 deletions(-)
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index 2a97d3916..0c86cc519 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -130,21 +130,11 @@ namespace sandbox {
+ // present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+   const Arg<unsigned long> flags(0);
+-
+-  // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
+-  const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
+-                                     CLONE_SIGHAND | CLONE_THREAD |
+-                                     CLONE_SYSVSEM;
+-  const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
+-
+-  const uint64_t kGlibcPthreadFlags =
+-      CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
+-      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+-  const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
+-
+-  const BoolExpr android_test =
+-      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+-            flags == kGlibcPthreadFlags);
++  const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
++                       CLONE_THREAD | CLONE_SYSVSEM;
++  const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
++                   CLONE_DETACHED;
++  const BoolExpr thread_clone_ok = (flags&~safe)==required;
+ 
+   // The following two flags are the two important flags in any vfork-emulating
+   // clone call. EPERM any clone call that contains both of them.
+@@ -154,7 +144,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+       AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
+             (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
+ 
+-  return If(IsAndroid() ? android_test : glibc_test, Allow())
++  return If(thread_clone_ok, Allow())
+       .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+       .Else(CrashSIGSYSClone());
+ }
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+index 0db8745cb..8acf30c3e 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+@@ -398,6 +398,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__)
+     case __NR_waitpid:
+ #endif
++    case __NR_set_tid_address:
+       return true;
+     case __NR_clone:  // Should be parameter-restricted.
+     case __NR_setns:  // Privileged.
+@@ -410,7 +411,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+     case __NR_set_thread_area:
+ #endif
+-    case __NR_set_tid_address:
+     case __NR_unshare:
+ #if !defined(__mips__) && !defined(__aarch64__)
+     case __NR_vfork:
+@@ -520,6 +520,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_mlock:
+     case __NR_munlock:
+     case __NR_munmap:
++    case __NR_mremap:
++    case __NR_membarrier:
+       return true;
+     case __NR_madvise:
+     case __NR_mincore:
+@@ -537,7 +539,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_modify_ldt:
+ #endif
+     case __NR_mprotect:
+-    case __NR_mremap:
+     case __NR_msync:
+     case __NR_munlockall:
+     case __NR_readahead:
+diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h
+index a242c18c8..30751fc4a 100644
+--- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/arm64_linux_syscalls.h
+@@ -1119,4 +1119,8 @@
+ #define __NR_rseq 293
+ #endif
+ 
++#if !defined(__NR_membarrier)
++#define __NR_membarrier 283
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h b/sandbox/linux/system_headers/arm_linux_syscalls.h
+index c39c22b51..32c00852a 100644
+--- a/sandbox/linux/system_headers/arm_linux_syscalls.h
++++ b/sandbox/linux/system_headers/arm_linux_syscalls.h
+@@ -1449,6 +1449,10 @@
+ #define __NR_clock_nanosleep_time64 (__NR_SYSCALL_BASE+407)
+ #endif
+ 
++#if !defined(__NR_membarrier)
++#define __NR_membarrier (__NR_SYSCALL_BASE+389)
++#endif
++
+ // ARM private syscalls.
+ #if !defined(__ARM_NR_BASE)
+ #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
+diff --git a/sandbox/linux/system_headers/linux_syscalls.h b/sandbox/linux/system_headers/linux_syscalls.h
+index 2b78a0cc3..b6fedb5c2 100644
+--- a/sandbox/linux/system_headers/linux_syscalls.h
++++ b/sandbox/linux/system_headers/linux_syscalls.h
+@@ -10,6 +10,7 @@
+ #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
+ 
+ #include "build/build_config.h"
++#include <sys/syscall.h>
+ 
+ #if defined(__x86_64__)
+ #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
+diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h
+index ec75815a8..551527083 100644
+--- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/mips64_linux_syscalls.h
+@@ -1271,4 +1271,8 @@
+ #define __NR_memfd_create (__NR_Linux + 314)
+ #endif
+ 
++#if !defined(__NR_membarrier)
++#define __NR_membarrier (__NR_Linux  318)
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h b/sandbox/linux/system_headers/mips_linux_syscalls.h
+index fa01b3bbc..8695e2b31 100644
+--- a/sandbox/linux/system_headers/mips_linux_syscalls.h
++++ b/sandbox/linux/system_headers/mips_linux_syscalls.h
+@@ -1441,4 +1441,8 @@
+ #define __NR_clock_nanosleep_time64 (__NR_Linux + 407)
+ #endif
+ 
++#if !defined(__NR_membarrier)
++#define __NR_membarrier (__NR_Linux  358)
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+index b0ae0a2ed..8b1202947 100644
+--- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+@@ -1350,5 +1350,9 @@
+ #define __NR_rseq 334
+ #endif
+ 
++#if !defined(__NR_membarrier)
++#define __NR_membarrier 324
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
+ 
+diff --git a/sandbox/policy/linux/bpf_renderer_policy_linux.cc b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+index 9fe9575eb..fa1a946f6 100644
+--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
++++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+@@ -93,11 +93,11 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
+     case __NR_sysinfo:
+     case __NR_times:
+     case __NR_uname:
+-      return Allow();
+-    case __NR_sched_getaffinity:
+     case __NR_sched_getparam:
+     case __NR_sched_getscheduler:
+     case __NR_sched_setscheduler:
++      return Allow();
++    case __NR_sched_getaffinity:
+       return RestrictSchedTarget(GetPolicyPid(), sysno);
+     case __NR_prlimit64:
+       // See crbug.com/662450 and setrlimit comment above.
+-- 
+2.31.0
+

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,9 @@ SRC_URI_append_libc-musl = "\`
`42`	`42`	`file://musl/0015-mallopt-is-glibc-specific-API.patch \`
`43`	`43`	`file://musl/0016-tcmalloc-undef-mmap64.patch \`
`44`	`44`	`file://musl/0017-tcmalloc-no-__sbrk.patch \`
	`45`	`+ file://musl/0018--Use-monotonic-clock-for-pthread_cond_timedwait-with-.patch \`
	`46`	`+ file://musl/0019-adjust-thread-stack-sizes.patch \`
	`47`	`+ file://musl/0020-Fix-tab-crashes-on-musl.patch \`
`45`	`48`	`"`
`46`	`49`
`47`	`50`	`# Append instead of assigning; the gtk-icon-cache class inherited above also`