| Field | Value |
|---|---|
| Summary | [WPE][GTK] Limited sandbox escape via VFS syscalls |
| Product | WebKit |
| Component | WebKitGTK |
| Reporter | Michael Catanzaro <mcatanzaro> |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| Version | WebKit Nightly Build |
| Hardware | PC |
| OS | Linux |
| CC | anonymousert2120+1, aperez, bfulgham, bugs-noreply, cgarcia, clopez, ews-feeder, mcatanzaro, pgriffis, product-security, webkit-bug-importer |
| Attachments | 440804: Patch |
Description

Michael Catanzaro, 2021-10-09 11:39:13 PDT

Created attachment 440804: Patch

Where and how is Syscalls.h used? Maybe I missed it.

Comment on attachment 440804: Patch

It's used by SCMP_SYS. I found its definition in seccomp.h:

    #define SCMP_SYS(x) (__SNR_##x)

Comment on attachment 440804: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=440804&action=review

> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:737
> +    { SCMP_SYS(clone3), ENOSYS, nullptr },

E.g. this line here...

> Source/WebKit/UIProcess/Launcher/glib/Syscalls.h:114
> +#ifndef __SNR_clone3
> +# define __SNR_clone3 __NR_clone3
> +#endif

...might depend on this definition here.

Ping reviewers

Comment on attachment 440804: Patch

Seccomp is about the worst possible ever design for such a feature
(for comparison, check pledge/unveil in OpenBSD and marvel!), but
we have no other remedy than to live with it 🤷‍♂️

Committed r284451 (243211@main): <https://commits.webkit.org/243211@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 440804.

I've requested a CVE.

We received CVE-2021-42762.