For the SECCOMP event, check if the event msg is in the range of one of the known architectures.

If it isn't, assume that the process has exited and the event msg contains an exit code. PiperOrigin-RevId: 471258449 Change-Id: I44408c30fe7fb39e20b55cea871f3efb68fcde67
2024-03-22 13:11:30 +08:00 · 2022-08-31 08:09:05 -07:00 · 2022-08-31 08:09:05 -07:00 · 75c7081622
commit 75c7081622
parent e541f79abd
2 changed files with 13 additions and 0 deletions
--- a/sandboxed_api/config.h
+++ b/sandboxed_api/config.h
@ -55,6 +55,7 @@ enum Architecture : uint16_t {
  kPPC64LE,
  kArm64,
  kArm,
+  kMax = kArm
 };

 }  // namespace cpu
--- a/sandboxed_api/sandbox2/monitor.cc
+++ b/sandboxed_api/sandbox2/monitor.cc
@ -929,6 +929,18 @@ void Monitor::LogSyscallViolation(const Syscall& syscall) const {
 }

 void Monitor::EventPtraceSeccomp(pid_t pid, int event_msg) {
+  if (event_msg < sapi::cpu::Architecture::kUnknown ||
+      event_msg > sapi::cpu::Architecture::kMax) {
+    // We've observed that, if the process has exited, the event_msg may contain
+    // the exit status even though we haven't received the exit event yet.
+    // To work around this, if the event msg is not in the range of the known
+    // architectures, we assume that it's an exit status. We deal with it by
+    // ignoring this event, and we'll get the exit event in the next iteration.
+    LOG(WARNING) << "received event_msg for unknown architecture: " << event_msg
+                 << "; the program may have exited";
+    return;
+  }
+
  // If the seccomp-policy is using RET_TRACE, we request that it returns the
  // syscall architecture identifier in the SECCOMP_RET_DATA.
  const auto syscall_arch = static_cast<sapi::cpu::Architecture>(event_msg);