From a2451f13e5649d83a1bce8bf22c686924f7c2da2 Mon Sep 17 00:00:00 2001
From: Jed Davis
Date: Fri, 27 Oct 2017 19:51:26 -0600
Subject: [PATCH] Bug 1412480 - Statically check for overly large syscall arguments. r=gcp
See the previous patch for an explanation of the mistake that this is meant to catch. Note that, even for arguments that really are 64-bit on 32-bit platforms (typically off_t), it's generally not safe to pass them directly to syscall(): some architectures, like ARM, use ABIs that require such arguments to be passed in aligned register pairs, and they'll be aligned differently for syscall() vs. the actual system call due to the leading system call number argument. The syscall(2) man page discusses this and documents that such arguments should be split into high/low halves, passed separately, and manually padded. Therefore, this patch rejects any argument types larger than a word.
MozReview-Commit-ID: FVhpri4zcWk
--HG--
extra : rebase_source : 0329fe68be2a4e16fb71736627f0190e005c9972
---
 security/sandbox/linux/SandboxFilter.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index 0ddab4a7eaed..3ab6ba0f9440 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -15,6 +15,7 @@
 #include "SandboxOpenedFiles.h"
 #endif
 #include "mozilla/PodOperations.h"
+#include "mozilla/TemplateLib.h"
 #include "mozilla/UniquePtr.h"
 #include
@@ -105,6 +106,8 @@ protected:
 template
 static intptr_t DoSyscall(long nr, Args... args) {
+static_assert(tl::And<(sizeof(Args) <= sizeof(void*))...>::value,
+"each syscall arg is at most one word");
 return ConvertError(syscall(nr, args...));
 }