stack smashing detected causing crash before any UI elements are drawn
Reported by
tcall...@redhat.com,
May 1 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

Steps to reproduce the problem:
1. Run chromium-browser

What is the expected behavior?

What went wrong?
I've attached the GDB output with seccomp-sandbox disabled to show the issue clearly, but it looks like there is stack-smashing happening in the libgpu component. I've never debugged stack smashing before. Fedora 24 is using GCC 6. All libraries are compiled with -fstack-protector-strong.

Crashed report ID: No. Crash happens earlier.
How much crashed? Whole browser
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 50.0.2661.94
Channel: stable
OS Version: Fedora 24 x86_64
May 2 2016
Thanks for the report. I would request you to please provide us with the crash id from chrome://crash? This will help us expedite the triaging process. Thank you!
May 2 2016
The crash happens before the UI is loaded so we aren't able to access chrome://crash
May 3 2016
Hey, thanks for all of your packaging work! Can you post the /usr/lib64/chromium-browser/lib/libgpu.so corresponding to that gdb session?
May 3 2016
Hello, please see attachments. This is for Fedora 23 x86_64.
May 3 2016
Hm, that libgpu didn't seem to match the stack trace, but I downloaded https://copr-be.cloud.fedoraproject.org/results/spot/chromium/fedora-23-x86_64/00182133-chromium/chromium-libs-50.0.2661.94-2.fc23.x86_64.rpm, and that one seemed to match.

Based on where this function is happening, this looks like an issue with RE2 versions. The crash is happening in this function: https://code.google.com/p/chromium/codesearch#chromium/src/gpu/config/gpu_control_list.cc&l=99

What's happening is: that function thinks the RE2 class has a certain size (something that's <= 216 bytes), and allocates that much space on the stack. It calls RE2's constructor from a library, and that thinks the RE2 class is >216 bytes large, and initializes it accordingly. As a result, the stack canary is getting clobbered.

From the http://copr-dist-git.fedorainfracloud.org/cgit/spot/chromium/re2.git/tree/re2.spec, it looks like re2 is built from a tarball at https://github.com/google/re2/archive/2016-04-01.tar.gz. I'm not familiar with how unbundling works, but based on http://copr-dist-git.fedorainfracloud.org/cgit/spot/chromium/chromium.git/tree/chromium.spec?h=f23#n559, it looks like the third_party/re2 directory is preserved, so chromium is likely building against the headers in that directory.

Here is a diff from re2.h in the tarball to re2.h in chromium: https://gist.github.com/anonymous/267f095daef2defb15129fa464885102

It looks like some fields were removed in chromium's re2.h, so chromium thinks RE2 is smaller than it actually is - this agrees with the above theory for what's going on. Perhaps re2 needs to be removed from the unbundling exclusion list?
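The mechanism described in the comment above (a caller compiled against a header that declares a smaller object than the library it links against actually initializes) is the classic ABI-mismatch stack smash, and the one mitigation the library side can offer is a size check at the constructor boundary. The following is an added illustration, not code from Chromium, RE2 or the Fedora packaging; the struct layouts `obj_caller_view` and `obj_library_view` and the functions `library_init_checked` and `overflow_bytes` are constructed stand-ins chosen to show the shape of the bug, not RE2's real layout or API.

```c
/* Added illustration of a header/library size mismatch and a guard for it.
 * Layouts and function names are constructed for this example only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the caller's (stale) header says the object looks like. */
struct obj_caller_view {
    const char *pattern;
    int         options;
    uint8_t     small_state[64];
};

/* What the library was actually built with: fields appended later. */
struct obj_library_view {
    const char *pattern;
    int         options;
    uint8_t     small_state[64];
    void       *prog;          /* added after the caller's header was copied */
    void       *rprog;
    int         num_captures;
};

enum init_status { INIT_OK = 0, INIT_SIZE_MISMATCH = 1 };

/* Unchecked constructor, as in the bug: it trusts that the caller reserved
 * sizeof(struct obj_library_view) bytes. If the caller reserved only the
 * smaller obj_caller_view on its stack, this memset runs past that object
 * and overwrites whatever follows it, including the stack canary. */
static void library_init_unchecked(void *storage, const char *pattern) {
    struct obj_library_view *o = (struct obj_library_view *)storage;
    memset(o, 0, sizeof *o);
    o->pattern = pattern;
}

/* Hardened variant: the caller passes the size it compiled against and the
 * library refuses to write anything when the two views disagree. */
enum init_status library_init_checked(void *storage, size_t caller_size,
                                      const char *pattern) {
    if (caller_size != sizeof(struct obj_library_view))
        return INIT_SIZE_MISMATCH;
    library_init_unchecked(storage, pattern);
    return INIT_OK;
}

/* Bytes an unchecked init would write past a caller-view object. */
size_t overflow_bytes(void) {
    return sizeof(struct obj_library_view) - sizeof(struct obj_caller_view);
}

/* Caller built against the stale header reserves the smaller object. */
enum init_status caller_with_stale_header(void) {
    struct obj_caller_view o;
    return library_init_checked(&o, sizeof o, "a+b");
}

/* Caller built against the matching header reserves the right size. */
enum init_status caller_with_matching_header(void) {
    struct obj_library_view o;
    return library_init_checked(&o, sizeof o, "a+b");
}

int main(void) {
    printf("caller view: %zu bytes, library view: %zu bytes, overrun: %zu\n",
           sizeof(struct obj_caller_view), sizeof(struct obj_library_view),
           overflow_bytes());
    printf("stale header -> %s\n",
           caller_with_stale_header() == INIT_OK ? "ok" : "size mismatch");
    printf("matching header -> %s\n",
           caller_with_matching_header() == INIT_OK ? "ok" : "size mismatch");
    return 0;
}
```

Passing `sizeof` across the boundary is the same convention many C APIs use (a size field in the first member of a struct); it turns a silent canary overwrite into an error the caller can report. It does not help when the constructor is a C++ one that cannot be given a size, which is why the packaging-side fix (building against the same `re2.h` the library was built from) is the real resolution here.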
May 3 2016
Er, or more accurately, some fields were added to re2.h outside of chromium. I'm going to mark this as WontFix since it doesn't look like a bug that can be fixed in chromium, but happy to continue discussing solutions, etc. here.
May 3 2016
That totally makes sense. Thanks for tracking down where I screwed up. :) I'll get new packages out today that don't have this issue.
May 3 2016
Comment 1 Deleted