Android Seccomp Crash: SYS_setsockopt SOL_SOCKET SO_SNDTIMEO

Issue description

From issue 681960, there's now crash key logging to help diagnose seccomp violations. This has turned up the following report on arm32. Some of the build fingerprints are from O, so this could be the cause of b/34269482.

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20product.version%3D%2757.0.2985.0%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27sandbox%3A%3ACrashSIGSYS_Handler%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&stbtiq=&reportid=0c8599f080000000&index=0#0

seccomp-sigsys
  nr=0x00000126 arg1=0x0000000000000019 arg2=0x0000000000000001 arg3=0x0000000000000015 arg4=0x00000000eb7b47f4
  nr=0x00000126 arg1=0x0000000000000009 arg2=0x0000000000000001 arg3=0x0000000000000015 arg4=0x00000000eb7b47f4
  nr=0x00000126 arg1=0x0000000000000009 arg2=0x0000000000000001 arg3=0x0000000000000015 arg4=0x00000000eb7b47f4

Translating those values results in:

  setsockopt(<FD>, SOL_SOCKET, SO_SNDTIMEO, <POINTER>)

We can allow this (and probably getsockopt) in the seccomp policy.
Jan 20 2017 (Comment 1 by amineer@chromium.org)
Issue 683118 has been merged into this issue.

Jan 26 2017
Users experienced this crash on the following builds: Android Beta 56.0.2924.78 - 0.84 CPM, 3 reports, 3 clients (signature sandbox::CrashSIGSYS_Handler). If this update was incorrect, please add the "Fracas-Wrong" label to prevent future updates. - Go/Fracas

Jan 31 2017

Jan 31 2017

Feb 1 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bd716dcb8575e046af147dd1b69f56090c77b4e4

commit bd716dcb8575e046af147dd1b69f56090c77b4e4
Author: rsesek <rsesek@chromium.org>
Date: Wed Feb 01 14:32:13 2017

[Android] Allow get/setsockopt SOL_SOCKET SO_SNDTIMEO.

BUG= 682488
R=jorgelo@chromium.org

Review-Url: https://codereview.chromium.org/2653923005
Cr-Commit-Position: refs/heads/master@{#447507}

[modify] https://crrev.com/bd716dcb8575e046af147dd1b69f56090c77b4e4/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
Feb 2 2017
Users experienced this crash on the following builds: Android Dev 57.0.2987.19 - 1.32 CPM, 7 reports, 3 clients (signature sandbox::CrashSIGSYS_Handler). If this update was incorrect, please add the "Fracas-Wrong" label to prevent future updates. - Go/Fracas

Feb 2 2017
Issue 688151 has been merged into this issue.

Feb 2 2017
Adding info from issue 688151:

Able to repro on Device: Redmi Note 3 / MMB29M
Steps:
1. Have one or more tabs open.
2. Update Chrome to 58.0.3000.0.
3. Launch Chrome.
Result: Renderer crash. crash id: ffdd1f3680000000
Note:
- If you open a new tab and visit a site, the page doesn't load.
- This is fixed in 58.0.3000.3, as a result of revert https://chromium.googlesource.com/chromium/src/+/2e787edb9ae8ec92fcd45afcf1783ba5c996aae6.
Logcat at http://go/chrome-androidlogs1/6/688151

Feb 2 2017
candrada: Thanks for the repro. Were you able to do so on O (that's what I was testing on and did not see this)?

Feb 2 2017
We saw the same crash on HTC Desire 626S / MMB29M.
Note: This looks like an M-specific issue.

Feb 3 2017

Feb 3 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2d367b561d91f5f0c46724d66ea64852eadbb15a

commit 2d367b561d91f5f0c46724d66ea64852eadbb15a
Author: rsesek <rsesek@chromium.org>
Date: Fri Feb 03 14:41:21 2017

[Android] Do not restrict the arguments to getsockopt.

They were previously un-restricted, and bd716dcb8575e046af147dd1b69f56090c77b4e4 regressed that.

BUG= 682488
R=jorgelo@chromium.org

Review-Url: https://codereview.chromium.org/2669293003
Cr-Commit-Position: refs/heads/master@{#447995}

[modify] https://crrev.com/2d367b561d91f5f0c46724d66ea64852eadbb15a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
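The issue description translates the arm32 crash keys (nr=0x126 is 294, the ARM EABI syscall number for setsockopt; arg2=1 is SOL_SOCKET; arg3=0x15 is SO_SNDTIMEO) into one call the policy should permit, and the commit above records the pitfall of tightening getsockopt at the same time. What follows is an added example, not Chromium code and not the policy in sandbox_bpf_base_policy_android.cc (which is written against Chromium's bpf_dsl rather than raw BPF): a classic-BPF seccomp filter that admits setsockopt only for SOL_SOCKET/SO_SNDTIMEO, leaves getsockopt and every other syscall unrestricted, and answers any other setsockopt with EPERM instead of trapping so the effect is observable in-process. It assumes Linux, a little-endian target and the host's own syscall number via SYS_setsockopt. Note that the crash keys count arguments from arg1 (the fd), so level and optname are args[1] and args[2] in struct seccomp_data. The probe functions and their throwaway AF_UNIX socket are constructed for the demonstration.

```c
/* Added example (not Chromium code): classic-BPF seccomp filter that allows
 * setsockopt() only for SOL_SOCKET/SO_SNDTIMEO, leaves getsockopt() and all
 * other syscalls unrestricted, and returns EPERM for any other setsockopt().
 * Assumes Linux on a little-endian target (arm, aarch64, x86, x86_64). */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <unistd.h>

#if defined(__x86_64__)
#define POLICY_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define POLICY_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define POLICY_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define POLICY_AUDIT_ARCH AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* seccomp_data.args[] are u64. On little-endian targets the low word sits at
 * the field offset and the high word 4 bytes later; both halves are compared
 * so a 64-bit caller cannot slip a value past a 32-bit comparison. */
#define ARG_LO(n) ((__u32)offsetof(struct seccomp_data, args[n]))
#define ARG_HI(n) ((__u32)offsetof(struct seccomp_data, args[n]) + 4)

/* Install the policy. Returns 0 on success, -1 (errno set) if the kernel or
 * an enclosing sandbox refuses seccomp filters. */
int install_setsockopt_policy(void)
{
    static struct sock_filter filter[] = {
        /* 0-2: kill syscalls made through a foreign ABI (e.g. int 0x80 on
         * x86_64); otherwise the syscall number below would mean something else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, POLICY_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-4: anything that is not setsockopt (getsockopt included) -> allow (13). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setsockopt, 0, 8),
        /* 5-8: args[1] (level) must be exactly SOL_SOCKET, else deny (14). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(1)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 7),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOL_SOCKET, 0, 5),
        /* 9-12: args[2] (optname) must be exactly SO_SNDTIMEO, else deny (14). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(2)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SO_SNDTIMEO, 0, 1),
        /* 13: allow. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 14: deny with EPERM (Chromium would SECCOMP_RET_TRAP into its SIGSYS handler). */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };
    /* An unprivileged process must give up privilege gains before filtering. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Constructed probe: setsockopt(SOL_SOCKET, optname) on a throwaway AF_UNIX
 * socket. Returns 0 if the call succeeded, otherwise the errno it failed with. */
int probe_setsockopt(int optname)
{
    struct timeval tv = { .tv_sec = 1, .tv_usec = 0 };
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    int err = setsockopt(fd, SOL_SOCKET, optname, &tv, sizeof tv) == 0 ? 0 : errno;
    close(fd);
    return err;
}

/* Same probe for getsockopt, which the filter leaves unrestricted. */
int probe_getsockopt(int optname)
{
    struct timeval tv;
    socklen_t len = sizeof tv;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    int err = getsockopt(fd, SOL_SOCKET, optname, &tv, &len) == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(void)
{
    if (install_setsockopt_policy() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("setsockopt SO_SNDTIMEO -> %d\n", probe_setsockopt(SO_SNDTIMEO)); /* 0 */
    printf("setsockopt SO_RCVTIMEO -> %d\n", probe_setsockopt(SO_RCVTIMEO)); /* EPERM */
    printf("getsockopt SO_RCVTIMEO -> %d\n", probe_getsockopt(SO_RCVTIMEO)); /* 0 */
    return 0;
}
```

Build with `cc -o policy policy.c` and run: the first and third probes return 0, the second returns EPERM. Replacing SECCOMP_RET_ERRNO with SECCOMP_RET_TRAP gives Chromium's behaviour, a SIGSYS delivered to the process, which is what sandbox::CrashSIGSYS_Handler turns into the crash reports above. The point the commit above makes is visible in the jump at index 4: getsockopt never reaches the argument checks, so adding it to the restricted path would have to be a deliberate decision with its own allowed option list.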
Feb 3 2017
The revert on master got stuck in the CQ for some reason, but the fix is at #15.

Feb 6 2017
After syncing the latest build today, I still got the crash on O using Pixel.

logcat:
F DEBUG : Revision: '0'
F DEBUG : ABI: 'arm'
F DEBUG : pid: 5887, tid: 5901, name: CrRendererMain >>> org.chromium.chrome:sandboxed_process3 <<<
F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
F DEBUG : Abort message: '[FATAL:trap.cc(100)] Existing signal handler when trying to install SIGSYS. SIGSYS needs to be reserved for seccomp-bpf.
F DEBUG : #00 0xd320bccf /data/app/org.chromium.chrome-w8k2ukWgMvNvN97w3lc7aQ==/lib/arm/libbase.cr.so+0x0008accf
F DEBUG : #01 0xd321fd0f /data/app/org.chromium.chrome-w8k2ukWgMvNvN97w3lc7aQ==/lib/arm/libbase.cr.so+0x0009ed0f
F DEBUG : #02 0xd2bb6ddf /data/app/org.chromium.chrome-w8k2ukWgMvNvN97w3lc7aQ==/lib/arm/libseccomp_bpf.cr.so+0x0000dddf
F DEBUG : #03 0xd2bb6e97 /data/app/org.chromium.chrome-w8k2ukWgMvNvN
F DEBUG : r0 00000000 r1 0000170d r2 00000006 r3 00000008
F DEBUG : r4 d3539168 r5 0000170d r6 000016ff r7 0000010c
F DEBUG : r8 d35392a8 r9 00000000 sl efd28770 fp d353970c
F DEBUG : ip 00000000 sp d3539158 lr efcb10c3 pc efce1c80 cpsr 000f0010

Feb 6 2017
The latest canary (58.0.3001.3), cut @447896, doesn't contain the fix from C#15 ({#447995}). Will wait for the next canary to verify this fix.
Based on the recent spike, updating the blocker label accordingly.
Feb 6 2017
Users experienced this crash on the following builds: Android Dev 58.0.3000.6 - 0.96 CPM, 11 reports, 3 clients (signature sandbox::CrashSIGSYS_Handler); Android Beta 57.0.2987.19 - 0.51 CPM, 31 reports, 29 clients (signature [Defective CPU] sandbox::CrashSIGSYS_Handler). If this update was incorrect, please add the "Fracas-Wrong" label to prevent future updates. - Go/Fracas

Feb 6 2017
Users experienced this crash on the following builds: Android Dev 58.0.3000.6 - 0.96 CPM, 11 reports, 3 clients (signature sandbox::CrashSIGSYS_Handler). If this update was incorrect, please add the "Fracas-Wrong" label to prevent future updates. - Go/Fracas

Feb 6 2017
We cannot repro the crash; tested on Redmi Note 3 and HTC Desire 626S (OPM92) devices with the latest M57 (57.0.2987.19) and 58 (58.0.3000.6) builds.

Feb 7 2017
martiw: That is not the same issue as this. Please file a different bug.
Kravula: Thank you for testing.

Feb 7 2017

Feb 7 2017

Feb 7 2017
martiw: The issue you reported is now bug 689640.

Feb 7 2017

Feb 9 2017

Feb 27 2017
Requesting merge since this fixes issue 691118 on M57.

Feb 27 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact the milestone owner if you have questions. Owners: amineer@ (clank), cmasso@ (bling), ketakid@ (cros), govind@ (desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feb 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/403dfed9b16ca8da37e3786921e3aea45c47bee4

commit 403dfed9b16ca8da37e3786921e3aea45c47bee4
Author: Robert Sesek <rsesek@chromium.org>
Date: Mon Feb 27 22:46:09 2017

[M57 Merge] Fix socket restrictions in the Android seccomp policy.

BUG= 682488 ,691118
TBR=jorgelo@chromium.org

---

[Android] Do not restrict the arguments to getsockopt.

They were previously un-restricted, and bd716dcb8575e046af147dd1b69f56090c77b4e4 regressed that.

BUG= 682488
R=jorgelo@chromium.org

Review-Url: https://codereview.chromium.org/2669293003
Cr-Commit-Position: refs/heads/master@{#447995}
(cherry picked from commit 2d367b561d91f5f0c46724d66ea64852eadbb15a)

---

[Android] Allow get/setsockopt SOL_SOCKET SO_SNDTIMEO.

BUG= 682488
R=jorgelo@chromium.org

Review-Url: https://codereview.chromium.org/2653923005
Cr-Commit-Position: refs/heads/master@{#447507}
(cherry picked from commit bd716dcb8575e046af147dd1b69f56090c77b4e4)

Review-Url: https://codereview.chromium.org/2722593003 .
Cr-Commit-Position: refs/branch-heads/2987@{#705}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/403dfed9b16ca8da37e3786921e3aea45c47bee4/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc