
fix: crash in seccomp sandbox with glibc 2.34 #31091

Merged (1 commit) Sep 23, 2021

Conversation

deepak1556
Member

Description of Change

Refs https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1944468

Refs https://bugs.chromium.org/p/chromium/issues/detail?id=1244383
Refs https://bugs.chromium.org/p/chromium/issues/detail?id=1213452

The fix is available in Electron >= 14

Release Notes

Notes: fix crash in seccomp sandbox with glibc 2.34

@deepak1556 deepak1556 requested a review from a team as a code owner September 23, 2021 12:01
@deepak1556 deepak1556 added the 13-x-y, backport-check-skip (Skip trop's backport validity checking), semver/patch (backwards-compatible bug fixes) and target/12-x-y labels Sep 23, 2021
@deepak1556 deepak1556 merged commit 993ecb5 into 13-x-y Sep 23, 2021
@deepak1556 deepak1556 deleted the robo/update_seccomp_bpf_13_x_y branch September 23, 2021 20:53
@release-clerk

release-clerk bot commented Sep 23, 2021

Release Notes Persisted

fix crash in seccomp sandbox with glibc 2.34

@trop
Contributor

trop bot commented Sep 23, 2021

I have automatically backported this PR to "12-x-y", please check out #31096

@darix

darix commented Sep 24, 2021

do we have any ETA for a new 13.x release? TIA

@deepak1556
Member Author

This is now released in v13.5.0

@filfreire filfreire mentioned this pull request Jan 4, 2022
gentoo-bot pushed a commit to gentoo/glibc that referenced this pull request Feb 3, 2022
We're disabling clone3 for now _CONDITIONALLY_ (not by default) to allow
compatibility with applications using older Electron.

Use -DGENTOO_USE_CLONE3 to enable clone3 for now. In future, we will
revert back to always using clone3.

This was impacting e.g. Discord and Skype. This patch stops glibc from using
clone3 internally (which is the only real use of it) and falls back to the old
behaviour.

Specifically, we want electron/electron#31091
to work its way downstream to various Electron applications.

https://bugs.gentoo.org/819045
https://bugs.gentoo.org/827386

https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/glibc/plain/debian/patches/ubuntu/disable-clone3.patch

This is the same as the patch that was considered but ultimately rejected
for 2.34 because Docker got sorted out in time:
https://patchwork.ozlabs.org/project/glibc/patch/[email protected]/.

Signed-off-by: Sam James <[email protected]>
Subject: Linux sandbox: return ENOSYS for clone3

Because clone3 uses a pointer argument rather than a flags argument, we
cannot examine the contents with seccomp, which is essential to

@lfmunoz lfmunoz Jan 17, 2023


"with seccomp enabled" would be better. The way it is written makes me think seccomp is used to examine the contents.
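The patch text above states the reason the sandbox cannot vet clone3 the way it vets clone: a seccomp-bpf filter sees only the syscall number and the raw argument words, so it can test clone's flags (passed by value in args[0]) but cannot follow clone3's pointer to its struct clone_args. The following is an added editorial example, not code from Electron, Chromium or glibc: a miniature policy that mirrors the fix (clone3 gets ENOSYS so glibc falls back to clone, clone has its flags vetted, anything unlisted gets the trap action), plus a tiny classic-BPF interpreter so the policy can be exercised in user space without being installed. The x86_64 syscall numbers, the little-endian layout, the set of flags refused for clone and the sample argument values are all assumptions made for the demonstration; the filter also omits the architecture check a real policy must perform. The same sock_filter array could be passed to seccomp(2) on Linux, which this example deliberately does not do.

```c
/* Added example (not Electron/Chromium/glibc code): seccomp-bpf policy with the
 * clone3 -> ENOSYS rule, evaluated by a minimal BPF interpreter in user space.
 * Assumptions: x86_64 syscall numbers, little-endian layout, no arch check. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layouts as <linux/filter.h> / <linux/seccomp.h>, redefined so the
 * file builds on any libc. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data {
    int32_t nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6];
};

#define BPF_LD_W_ABS 0x20u /* A = *(u32 *)(data + k)   */
#define BPF_JEQ_K    0x15u /* pc += (A == k) ? jt : jf */
#define BPF_JSET_K   0x45u /* pc += (A & k)  ? jt : jf */
#define BPF_RET_K    0x06u /* return k                 */

#define SECCOMP_RET_TRAP  0x00030000u /* SIGSYS: the fate of an unlisted syscall */
#define SECCOMP_RET_ERRNO 0x00050000u /* fail the call; errno in the low 16 bits */
#define SECCOMP_RET_ALLOW 0x7fff0000u
#define SECCOMP_RET_DATA  0x0000ffffu

#define NR_clone      56   /* x86_64 numbers (assumption) */
#define NR_exit_group 231
#define NR_clone3     435

/* clone(2) flags this toy policy refuses: every CLONE_NEW* namespace flag. */
#define CLONE_NS_FLAGS 0x7e020000u

#define POLICY_LEN 11
#define STMT(code, k)         { (code), 0, 0, (k) }
#define JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }

/* fixed == 0: the clone3 slot gets the unlisted-syscall default, which is what
 * a policy written before clone3 existed did in effect. fixed != 0: ENOSYS. */
static void build_policy(struct sock_filter *prog, int fixed)
{
    const struct sock_filter p[POLICY_LEN] = {
        /* 0 */ STMT(BPF_LD_W_ABS, offsetof(struct seccomp_data, nr)),
        /* 1 */ JUMP(BPF_JEQ_K, NR_clone3, 0, 1),
        /* 2 */ STMT(BPF_RET_K, fixed ? (SECCOMP_RET_ERRNO | ENOSYS) : SECCOMP_RET_TRAP),
        /* 3 */ JUMP(BPF_JEQ_K, NR_clone, 0, 4),
        /* clone(2) carries its flags by value in args[0]; clone3 carries only a
         * pointer there, which BPF cannot dereference, hence no such branch. */
        /* 4 */ STMT(BPF_LD_W_ABS, offsetof(struct seccomp_data, args)),
        /* 5 */ JUMP(BPF_JSET_K, CLONE_NS_FLAGS, 0, 1),
        /* 6 */ STMT(BPF_RET_K, SECCOMP_RET_ERRNO | EPERM),
        /* 7 */ STMT(BPF_RET_K, SECCOMP_RET_ALLOW),
        /* 8 */ JUMP(BPF_JEQ_K, NR_exit_group, 0, 1),
        /* 9 */ STMT(BPF_RET_K, SECCOMP_RET_ALLOW),
        /* 10 */ STMT(BPF_RET_K, SECCOMP_RET_TRAP),
    };
    memcpy(prog, p, sizeof p);
}

/* Interpret the four instruction forms used above, with the kernel's rule
 * that jump offsets are relative to the following instruction. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:
            if (in->k > sizeof *d - 4) return SECCOMP_RET_TRAP; /* kernel rejects at load */
            memcpy(&A, (const uint8_t *)d + in->k, 4);
            break;
        case BPF_JEQ_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case BPF_JSET_K: pc += (A & in->k) ? in->jt : in->jf; break;
        case BPF_RET_K:  return in->k;
        default:         return SECCOMP_RET_TRAP;
        }
    }
    return SECCOMP_RET_TRAP; /* ran off the end; the kernel refuses such programs */
}

/* What the kernel would do with one constructed syscall under the policy. */
static uint32_t decide(int fixed, int32_t nr, uint64_t arg0)
{
    struct sock_filter prog[POLICY_LEN];
    struct seccomp_data d = { .nr = nr, .arch = 0xc000003eu, .args = { arg0 } };
    build_policy(prog, fixed);
    return run_filter(prog, POLICY_LEN, &d);
}

int main(void)
{
    /* Constructed sample calls; 0x7ffd0000 stands for &clone_args. */
    struct { const char *what; int fixed; int32_t nr; uint64_t arg0; } c[] = {
        { "clone3, pre-fix policy",  0, NR_clone3, 0x7ffd0000 },
        { "clone3, fixed policy",    1, NR_clone3, 0x7ffd0000 },
        { "clone(thread flags)",     1, NR_clone,  0x3d0f00 },
        { "clone(CLONE_NEWUSER)",    1, NR_clone,  0x10000000 },
        { "unlisted syscall 999",    1, 999,       0 },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++) {
        uint32_t r = decide(c[i].fixed, c[i].nr, c[i].arg0);
        printf("%-24s action 0x%08x errno %u\n", c[i].what,
               r & ~SECCOMP_RET_DATA, r & SECCOMP_RET_DATA);
    }
    return 0;
}
```

The two clone3 rows are the before/after of the fix: with no clone3 rule the call reaches the trap default and the process dies with SIGSYS, which is the crash a glibc that now issues clone3 internally triggers; with the rule it gets ENOSYS and glibc's fallback to plain clone (whose flags the filter can inspect) takes over.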

zatrazz pushed a commit to zatrazz/glibc that referenced this pull request Oct 8, 2024
This patch was originally carried in Gentoo to make clone3
optional to avoid breakage for CEF/steam/zoom, and others.

Gentoo made clone3 mandatory but ChromeOS is not there yet,
so we carry this trivial patch to allow us to keep clone3
disabled for a while longer.

See b:288928916 which is tracking the clone3 migration.

Original commit message:

We're disabling clone3 for now _CONDITIONALLY_ (not by default) to allow
compatibility with applications using older Electron.

Use -DGENTOO_USE_CLONE3 to enable clone3 for now. In future, we will
revert back to always using clone3.

This was impacting e.g. Discord and Skype. This patch stops glibc from using
clone3 internally (which is the only real use of it) and falls back to the old
behaviour.

Specifically, we want electron/electron#31091
to work its way downstream to various Electron applications.

https://bugs.gentoo.org/819045
https://bugs.gentoo.org/827386

https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/glibc/plain/debian/patches/ubuntu/disable-clone3.patch

This is the same as the patch that was considered but ultimately rejected
for 2.34 because Docker got sorted out in time:
https://patchwork.ozlabs.org/project/glibc/patch/[email protected]/.

Signed-off-by: Sam James <[email protected]>