Android Seccomp Crash: SYS_rt_tgsigqueueinfo on N+
Issue description

From http://b/31171101

Fatal signal 11 (SIGSEGV), code 1, fault addr 0x30dc074 in tid 15300 (CrRendererMain)
08-30 12:16:46.872 377 377 W : debuggerd: handling request: pid=15284 uid=99010 gid=99010 tid=15300
08-30 12:16:46.892 15365 15365 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-30 12:16:46.892 15365 15365 F DEBUG : Build fingerprint: [REDACTED]
08-30 12:16:46.892 15365 15365 F DEBUG : Revision: '0'
08-30 12:16:46.892 15365 15365 F DEBUG : ABI: 'arm'
08-30 12:16:46.893 15365 15365 F DEBUG : pid: 15284, tid: 15300, name: CrRendererMain >>> com.android.chrome:sandboxed_process0 <<<
08-30 12:16:46.893 15365 15365 F DEBUG : signal 31 (?), code 1 (?), fault addr --------
08-30 12:16:46.893 15365 15365 F DEBUG : r0 00003bb4 r1 00003bc4 r2 0000000b r3 ee044890
08-30 12:16:46.893 15365 15365 F DEBUG : r4 ee044740 r5 ee0447c0 r6 00003bc4 r7 0000016b
08-30 12:16:46.893 15365 15365 F DEBUG : r8 ee0447c0 r9 00003bc4 sl 0000000b fp ee0447c0
08-30 12:16:46.893 15365 15365 F DEBUG : ip ee044728 sp ee044718 lr f30ed291 pc f31150a8 cpsr 60030010
08-30 12:16:46.960 15365 15365 F DEBUG :
08-30 12:16:46.960 15365 15365 F DEBUG : backtrace:
08-30 12:16:46.960 15365 15365 F DEBUG : #00 pc 0003a0a8 /system/bin/linker (__dl_syscall+32)
08-30 12:16:46.960 15365 15365 F DEBUG : #01 pc 0001228d /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+740)
08-30 12:16:46.960 15365 15365 F DEBUG : #02 pc 00001f51 /system/bin/app_process32 (InvokeUserSignalHandler+156)
08-30 12:16:46.961 15365 15365 F DEBUG : #03 pc 00137ec9 /system/lib/libart.so (_ZN3art12FaultManager11HandleFaultEiP7siginfoPv+216)
08-30 12:16:46.961 15365 15365 F DEBUG : #04 pc 00017fec /system/lib/libc.so
08-30 12:16:46.961 15365 15365 F DEBUG : #05 pc 00dea472 /system/app/Chrome/Chrome.apk (offset 0x4632000)
08-30 12:16:47.354 5090 6396 I WifiHAL : Got channel list with 11 channels
08-30 12:16:47.355 5090 6396 I WifiHAL : Got channel list with 9 channels
08-30 12:16:47.356 5090 6396 I WifiHAL : Got channel list with 0 channels
08-30 12:16:47.356 5090 6396 W WifiHAL : Ignoring invalid attribute type = 37, size = 0
08-30 12:16:47.716 15284 15300 F libc : failed to resend signal during crash: Invalid argument
08-30 12:16:47.726 377 377 W : debuggerd: resuming target 15284
08-30 12:16:47.743 5090 7032 I ActivityManager: Process com.android.chrome:sandboxed_process0 (pid 15284) has died
08-30 12:16:47.743 5090 7032 D ActivityManager: cleanUpApplicationRecord -- 15284
08-30 12:16:47.743 5090 7032 W ActivityManager: Scheduling restart of crashed service com.android.chrome/org.chromium.content.app.SandboxedProcessService0 in 1000ms
08-30 12:16:47.743 15261 15261 W cr_ChildProcessConnect: onServiceDisconnected (crash or killed by oom): pid=15284
08-30 12:16:47.747 15261 15261 D cr_ChildProcLauncher: [ChildProcessLauncher.java:748] stopping child connection: pid=15284
08-30 12:16:47.751 4005 4048 E QC-QMI : linux_qmi_qmux_io_wake_lock: Err in writing wakelock=qmuxd_port_wl_0, error [1:Operation not permitted]
08-30 12:16:47.753 15261 15261 I cr_TabWebContentsObs: renderProcessGone() for tab id: 6, oom protected: true, already needs reload: false
08-30 12:16:47.753 4005 4048 E QC-QMI : linux_qmi_qmux_io_wake_unlock: Err in writing wakelock=qmuxd_port_wl_0, error [1:Operation not permitted]
08-30 12:16:47.757 5090 5142 E KernelMemoryBandwidthStats: Failed to read memory bandwidth: /sys/kernel/memory_state_time/show_stat (No such file or directory)
08-30 12:16:47.760 15261 15360 I cr_MinidumpDirObserver: Detects a new minidump chromium-renderer-minidump-60678a16cf595613.dmp0 send intent to MinidumpUploadService
08-30 12:16:47.774 15261 15261 D cr_ChildProcLauncher: [ChildProcessLauncher.java:116] Allocator freed a connection, sandbox: true, slot: 0
08-30 12:16:47.786 15261 15261 D cr_tabmodel: [TabPersistentStore.java:678] Serializing tab lists; counts: 1, 0, 0
08-30 12:16:47.805 15261 15376 I cr_LogcatExtraction: Trying to extract logcat for minidump
08-30 12:16:48.575 15261 15376 I cr_LogcatExtraction: Output crash dump:

This is because of this change in Android N that changed the way signals are rethrown from using tgkill() to a raw rt_tgsigqueueinfo(): https://android.googlesource.com/platform/bionic/+/61cf3f3e033d2d7d13b06e0ae009ff12db787860%5E%21/#F0. Note that in Android master, the code has moved from bionic into system/core: https://android.googlesource.com/platform/system/core/+/9c02dc5916c1cee43e4a0840d0d5099878e3793c%5E%21/#F0. We could allow rt_tgsigqueueinfo but restrict the tgid to the current PID. It doesn't look like we can restrict any of the other args, though.
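The mitigation the description proposes (allow rt_tgsigqueueinfo, but pin its first argument, the tgid, to the caller's own pid) is small enough to show as a raw seccomp-bpf fragment. The block below is an added example, not Chromium's code: Chromium's real policy lives in sandbox_bpf_base_policy_android.cc and is written in the sandbox's own policy DSL with its own SIGSYS handling. Everything here is an assumption of the example: the classic-BPF encoding, returning EPERM for a mismatched tgid, the userspace evaluator eval_policy/decide used to check the filter without installing it, and the constructed pid 1234 used in the checks.

```c
/* Added example, not Chromium's sandbox code: a seccomp-bpf fragment that
 * allows rt_tgsigqueueinfo only when arg0 (tgid) is the caller's own pid,
 * plus a tiny userspace evaluator so the policy can be checked offline. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* A filter must check the ABI first: syscall numbers differ per arch (the crash above is arm). */
#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_ARM
#elif defined(__i386__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "unsupported architecture for this example"
#endif

#define SD_OFF(field) ((uint32_t)offsetof(struct seccomp_data, field))
#define POLICY_MAX 10
/* Assumption of this example: a mismatched tgid fails with EPERM rather than SIGSYS. */
#define DENY_TGID (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Emit the filter into f (room for POLICY_MAX instructions); returns its length.
 * Classic-BPF jump offsets are relative to the instruction after the jump. */
size_t build_policy(struct sock_filter *f, uint32_t self_pid) {
    size_t i = 0;
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch));
    f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr));
    /* Any syscall other than rt_tgsigqueueinfo skips the four arg-check instructions. */
    f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_tgsigqueueinfo, 0, 4);
    /* Low 32 bits of args[0], the tgid (assumes a little-endian target). */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(args[0]));
    f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, self_pid, 0, 1);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, DENY_TGID);
    /* Default for everything else in this fragment: allow. */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Userspace interpreter for the cBPF subset build_policy emits (LD|W|ABS, JMP|JEQ|K,
 * RET|K). Unsupported opcodes, out-of-range loads and running off the end fail closed. */
uint32_t eval_policy(const struct sock_filter *f, size_t len,
                     const struct seccomp_data *sd) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *sd) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)sd + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* What the policy built for self_pid does with one constructed syscall record. */
uint32_t decide(uint32_t self_pid, uint32_t arch, int nr, uint64_t arg0) {
    struct sock_filter f[POLICY_MAX];
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = arch;
    sd.args[0] = arg0;
    return eval_policy(f, build_policy(f, self_pid), &sd);
}

/* Install the policy for real in the calling process (irreversible). 0 on success. */
int install_policy(void) {
    struct sock_filter f[POLICY_MAX];
    struct sock_fprog prog = { .len = (unsigned short)build_policy(f, (uint32_t)getpid()), .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    uint32_t me = (uint32_t)getpid();
    printf("rt_tgsigqueueinfo(tgid=self):  %s\n",
           decide(me, EXAMPLE_AUDIT_ARCH, __NR_rt_tgsigqueueinfo, me) == SECCOMP_RET_ALLOW ? "allow" : "deny");
    printf("rt_tgsigqueueinfo(tgid=other): %s\n",
           decide(me, EXAMPLE_AUDIT_ARCH, __NR_rt_tgsigqueueinfo, me + 1) == SECCOMP_RET_ALLOW ? "allow" : "deny");
    return 0;
}
```

The evaluator exists so the policy's branches can be exercised on a developer machine without installing a one-way filter; install_policy is what a sandboxed child would call. The filter only constrains arg0, matching the description's remark that the other arguments cannot usefully be restricted, and it checks the AUDIT_ARCH value first so that a syscall number from a different ABI is never compared against __NR_rt_tgsigqueueinfo.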
Sep 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a52c715618a5f2ad02f507c6ad3ef6282c112bc7

commit a52c715618a5f2ad02f507c6ad3ef6282c112bc7
Author: rsesek <rsesek@chromium.org>
Date: Thu Sep 08 22:33:38 2016

[Android] Allow __NR_rt_tgsigqueueinfo under seccomp.

BUG=644759
Review-Url: https://codereview.chromium.org/2313393003
Cr-Commit-Position: refs/heads/master@{#417419}

[modify] https://crrev.com/a52c715618a5f2ad02f507c6ad3ef6282c112bc7/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
[modify] https://crrev.com/a52c715618a5f2ad02f507c6ad3ef6282c112bc7/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
Sep 12 2016
Sep 15 2016
How about we merge it to M54 branch 2840? You're approved, hooray!
Sep 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e643e6d2b821cfd0bc24c727132cf9c3eef34e9a

commit e643e6d2b821cfd0bc24c727132cf9c3eef34e9a
Author: Robert Sesek <rsesek@chromium.org>
Date: Thu Sep 15 18:00:01 2016

[Android] Allow __NR_rt_tgsigqueueinfo under seccomp.

BUG=644759
Review-Url: https://codereview.chromium.org/2313393003
Cr-Commit-Position: refs/heads/master@{#417419}
(cherry picked from commit a52c715618a5f2ad02f507c6ad3ef6282c112bc7)

Review URL: https://codereview.chromium.org/2343943002 .
Cr-Commit-Position: refs/branch-heads/2840@{#378}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/e643e6d2b821cfd0bc24c727132cf9c3eef34e9a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
[modify] https://crrev.com/e643e6d2b821cfd0bc24c727132cf9c3eef34e9a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
Oct 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e643e6d2b821cfd0bc24c727132cf9c3eef34e9a

commit e643e6d2b821cfd0bc24c727132cf9c3eef34e9a
Author: Robert Sesek <rsesek@chromium.org>
Date: Thu Sep 15 18:00:01 2016

[Android] Allow __NR_rt_tgsigqueueinfo under seccomp.

BUG=644759
Review-Url: https://codereview.chromium.org/2313393003
Cr-Commit-Position: refs/heads/master@{#417419}
(cherry picked from commit a52c715618a5f2ad02f507c6ad3ef6282c112bc7)

Review URL: https://codereview.chromium.org/2343943002 .
Cr-Commit-Position: refs/branch-heads/2840@{#378}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/e643e6d2b821cfd0bc24c727132cf9c3eef34e9a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
[modify] https://crrev.com/e643e6d2b821cfd0bc24c727132cf9c3eef34e9a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
Comment 1 by rsesek@chromium.org, Sep 7 2016