Following on from http://codereview.chromium.org/3380018/show and http://codereview.chromium.org/3414016/show, for the sake of completeness, I am filing a bug on this.
There is a vulnerability in process_sigaction() in sigaction.cc, which does the following:
SecureMem::sendSystemCall(threadFdPub, false, -1, mem, sigaction_req.sysnum, sigaction_req.signum, sigaction_req.action, sigaction_req.old_action, sigaction_req.sigsetsize);
It receives the syscall number sigaction_req.sysnum in a message, but it passes it on to the trusted thread for execution without checking it.
This means an attacker can execute any syscall with 4 arguments. The only constraint is that the first argument cannot be 11.
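To make the report's point concrete, the following is an added illustrative model in C; it is not seccompsandbox code and not the r125 fix. It places a handler that forwards the message's sysnum unchanged (checking only that the first argument is not 11, which is SIGSEGV on Linux) beside one that pins sysnum to the sigaction syscall before forwarding. The struct layout, the trusted-thread stand-in, the attacker-chosen syscall number and the request values are all assumptions constructed for the example.

```c
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif
#ifndef SYS_rt_sigaction
#define SYS_rt_sigaction 13   /* x86-64 value; fallback so the model builds off Linux (assumption) */
#endif

/* Attacker-chosen syscall number for the demo (59 is execve on x86-64). Constructed value. */
#define ATTACKER_SYSNUM 59

/* Modelled request with the five fields the report names. Layout is illustrative, not the project's. */
struct sigaction_req {
    int sysnum;
    int signum;
    uintptr_t action;
    uintptr_t old_action;
    size_t sigsetsize;
};

/* Stand-in for the trusted thread: records what it would have been asked to run instead of running it. */
struct trusted_log {
    int count;      /* number of system calls forwarded */
    long sysnum;    /* last syscall number forwarded */
    long args[4];   /* last four arguments forwarded */
};

static void trusted_thread_send(struct trusted_log *tl, long sysnum,
                                long a0, long a1, long a2, long a3) {
    tl->count++;
    tl->sysnum = sysnum;
    tl->args[0] = a0; tl->args[1] = a1; tl->args[2] = a2; tl->args[3] = a3;
}

/* Vulnerable shape described in the report: the only check is on the first argument
 * (signum != SIGSEGV, i.e. 11 on Linux); sysnum is taken straight from the untrusted message.
 * Returns true if the request was forwarded to the trusted thread. */
static bool process_sigaction_unchecked(const struct sigaction_req *req, struct trusted_log *tl) {
    if (req->signum == SIGSEGV)
        return false;
    trusted_thread_send(tl, req->sysnum, req->signum,
                        (long)req->action, (long)req->old_action, (long)req->sigsetsize);
    return true;
}

/* The handler only ever has business forwarding the sigaction syscall, so accept nothing else. */
static bool sysnum_is_sigaction(int sysnum) {
    if (sysnum == SYS_rt_sigaction)
        return true;
#ifdef SYS_sigaction
    if (sysnum == SYS_sigaction)   /* legacy entry point on ABIs that still have one */
        return true;
#endif
    return false;
}

/* Hardened shape (one way to close the hole; added here, not the project's fix):
 * pin sysnum before anything else, then keep the existing constraint on the first argument. */
static bool process_sigaction_checked(const struct sigaction_req *req, struct trusted_log *tl) {
    if (!sysnum_is_sigaction(req->sysnum))
        return false;                  /* message forged to run some other syscall */
    if (req->signum == SIGSEGV)
        return false;
    trusted_thread_send(tl, req->sysnum, req->signum,
                        (long)req->action, (long)req->old_action, (long)req->sigsetsize);
    return true;
}

int main(void) {
    struct trusted_log tl = {0};
    /* Constructed forged message: a sigaction request carrying a different syscall number. */
    struct sigaction_req forged = { ATTACKER_SYSNUM, SIGTERM, 0x1000, 0, 8 };

    bool forwarded = process_sigaction_unchecked(&forged, &tl);
    printf("unchecked: forwarded=%d sysnum=%ld\n", forwarded, tl.sysnum);
    forwarded = process_sigaction_checked(&forged, &tl);
    printf("checked:   forwarded=%d\n", forwarded);
    return 0;
}
```

The check on sysnum has to come before the call is handed to the trusted thread; once the message is forwarded, the trusted thread has no way to tell a genuine sigaction request from a forged one, which is exactly why the unchecked variant turns a sigaction handler into a four-argument syscall primitive.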
Comment #1
Posted on Nov 11, 2010 by Happy Hippo
Fixed in r125.
Status: Fixed
Labels: Type-Defect, Priority-Medium