Issue 715138 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Credentials::CanCreateProcessInNewUserNS() fails with an assert when clone returns ENOSPC

Reported by ebied...@gmail.com, Apr 25 2017

Issue description

Chrome Version (from the about:version page):
56.0.2924.87 (64-bit)
57.0.2987.133-1.x86_64
57.0.29.87.98 Built on 8.7 running on Debian 8.7 (64-bit)
58.0.3029.81 (64-bit)

The issue remains in the head of the chromium source tree

Is this the most recent version: yes
OS + version: Linux 4.9 or later
CPU architecture (32-bit / 64-bit): N/A
Window manager: N/A
URLs (if relevant): N/A
Behavior in Linux Firefox: N/A
Behavior in Windows Chrome (if you have access to it): N/A

What steps will reproduce the problem?

# On any system with /proc/sys/kernel/user/max_user_namespaces
# Debian jessie with the jessie-backports kernel (4.9.0.bpo...) is such a system

$ echo 1 > /proc/sys/kernel/unprivileged_userns_clone  # If applicable
$ echo 0 > /proc/sys/kernel/user/max_user_namespaces
# Attempt to start chromium
$ chromium

17333:17333:0425/091526.964394:FATAL:credentials.cc(137)] Check failed: error == EPERM || error == EUSERS || error == EINVAL || error == ENOSYS. : No space left on device
#0 0x556d753bbfbe <unknown>
#1 0x556d753d061b <unknown>
#2 0x556d753d0c6e <unknown>
#3 0x556d76133549 <unknown>
#4 0x556d74baaedc <unknown>
#5 0x556d7483c7e7 <unknown>
#6 0x556d7484554a <unknown>
#7 0x556d7483be7c <unknown>
#8 0x556d7501e123 <unknown>
#9 0x556d7501cb30 <unknown>
#10 0x556d73b24910 ChromeMain
#11 0x7fb986f6eb45 __libc_start_main
#12 0x556d73b24789 <unknown>


$ gdb /usr/lib/chromium/chromium    
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/chromium/chromium...Reading symbols from /usr/lib/debug/.build-id/e2/06e3acde7124fca936e2a5b2fed8196cc5fb46.debug...(no debugging symbols found)...done.
(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/lib/chromium/chromium 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffeb3cc700 (LWP 18012)]
[18008:18008:0425/091943.211468:FATAL:credentials.cc(137)] Check failed: error == EPERM || error == EUSERS || error == EINVAL || error == ENOSYS. : No space left on device

Program received signal SIGABRT, Aborted.
0x00007ffff0b80067 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff0b80067 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff0b81448 in __GI_abort () at abort.c:89
#2  0x000055555799ca22 in base::debug::BreakDebugger() ()
#3  0x00005555579b2940 in logging::LogMessage::~LogMessage() ()
#4  0x00005555579b2c6e in logging::ErrnoLogMessage::~ErrnoLogMessage() ()
#5  0x0000555558715549 in sandbox::Credentials::CanCreateProcessInNewUserNS() ()
#6  0x000055555718cedc in content::ZygoteHostImpl::Init(base::CommandLine const&) ()
#7  0x0000555556e1e7e7 in content::BrowserMainLoop::EarlyInitialization() ()
#8  0x0000555556e2754a in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) ()
#9  0x0000555556e1de7c in content::BrowserMain(content::MainFunctionParams const&) ()
#10 0x0000555557600123 in content::ContentMainRunnerImpl::Run() ()
#11 0x00005555575feb30 in content::ContentMain(content::ContentMainParams const&) ()
#12 0x0000555556106910 in ChromeMain ()
#13 0x00007ffff0b6cb45 in __libc_start_main (main=0x555556106890 <main>, argc=1, 
    argv=0x7fffffffe158, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe148) at libc-start.c:287
#14 0x0000555556106789 in _start ()
(gdb) 


# Fails mysteriously because the assertion information has been stripped
$ google-chrome



What is the expected result?

That chromium will disable its use of namespace sandboxes when it receives an error and start normally,
as chromium does for other errors.

What happens instead?

A mysterious failure to start chromium or chrome.


Please provide any additional information below. Attach a screenshot
and backtrace if possible.

As of Linux 4.9 a sysctl (/proc/sys/user/max_user_namespaces) has been added to limit the maximum number of user namespaces.  When the limit is reached the kernel returns ENOSPC.  The default value of this limit is high enough that it should never be reached.  When being conservative or paranoid, this limit is sometimes set to 0.

The new error code was added to make it clear that the failure was only because a user-configured limit was reached.  Unfortunately chromium decided not to start in this case.  The patch below should be all that it takes to fix this issue.

diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
index 4e47652aaef9..077de07589ab 100644
--- a/sandbox/linux/services/credentials.cc
+++ b/sandbox/linux/services/credentials.cc
@@ -134,7 +134,7 @@ void CheckCloneNewUserErrno(int error) {
   // namespaces are used. EINVAL for kernels that don't support the feature.
   // Valgrind will ENOSYS unshare().
   PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
-         error == ENOSYS);
+         error == ENOSYS || error == ENOSPC);
 }
 
 // Converts a Capability to the corresponding Linux CAP_XXX value.
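Review bot: the comment above the PCHECK (the two context lines at the top of the hunk, ending "Valgrind will ENOSYS unshare().") still documents only EPERM/EUSERS/EINVAL/ENOSYS and is not updated for the new ENOSPC case; add a line such as `// ENOSPC when the Linux 4.9+ max_user_namespaces sysctl limit is reached.` so the allowlist and its rationale stay in sync. Widening the PCHECK means ENOSPC now takes the same "user namespaces unavailable" path as the other listed errnos, which is the fallback the report asks for.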

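As an added illustration (not code from the report or from Chromium), here is the errno allowlist from the patch above once ENOSPC is included, written as a classifier plus a fork-and-unshare probe so you can see on a given kernel which path a browser would take; the enum, `ClassifyCloneNewUserErrno` and `ProbeNewUserNS` are hypothetical names, not Chromium's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* How a browser should react to a CLONE_NEWUSER failure (hypothetical names). */
enum NewUserNSVerdict {
  NEWUSERNS_OK = 0,          /* user namespaces work: use the namespace sandbox */
  NEWUSERNS_UNAVAILABLE = 1, /* known reason: continue without it */
  NEWUSERNS_UNEXPECTED = 2   /* anything else: a real bug (Chromium PCHECKs here) */
};
/* Same errno allowlist as the fixed CheckCloneNewUserErrno() in
   sandbox/linux/services/credentials.cc, as a classifier instead of a CHECK. */
enum NewUserNSVerdict ClassifyCloneNewUserErrno(int error) {
  switch (error) {
    case 0:      return NEWUSERNS_OK;
    case EPERM:  /* unprivileged user namespaces disabled */
    case EUSERS: /* user namespace nesting limit exceeded */
    case EINVAL: /* kernel built without user namespace support */
    case ENOSYS: /* unshare() unavailable, e.g. under Valgrind */
    case ENOSPC: /* max_user_namespaces sysctl reached (Linux 4.9+, often set to 0) */
      return NEWUSERNS_UNAVAILABLE;
    default:     return NEWUSERNS_UNEXPECTED;
  }
}
/* Probe in a throwaway child so the caller's own namespaces stay untouched.
   Returns 0 on success, else the errno from unshare() (or from fork()/waitpid()). */
int ProbeNewUserNS(void) {
  pid_t pid = fork();
  if (pid < 0) return errno;
  if (pid == 0) {
    if (unshare(CLONE_NEWUSER) == 0) _exit(0);
    _exit(errno & 0xff); /* every errno listed above fits in the 8-bit exit status */
  }
  int status = 0;
  if (waitpid(pid, &status, 0) < 0) return errno;
  return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}
int main(void) {
  int err = ProbeNewUserNS();
  enum NewUserNSVerdict v = ClassifyCloneNewUserErrno(err);
  printf("unshare(CLONE_NEWUSER): %s -> %s\n", err ? strerror(err) : "ok",
         v == NEWUSERNS_OK ? "use namespace sandbox" :
         v == NEWUSERNS_UNAVAILABLE ? "continue without it" : "unexpected, abort");
  return 0;
}
```

Running it with /proc/sys/user/max_user_namespaces set to 0 on a 4.9+ kernel reports ENOSPC and the "continue without it" verdict, which is the behaviour the fix gives Chromium.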
Cc: ligim...@chromium.org
Components: Internals>Sandbox
Labels: -Type-Bug -Pri-3 ReleaseBlock-Beta M-60 Pri-1 Type-Bug-Regression
Owner: thomasanderson@chromium.org
Status: Assigned (was: Unconfirmed)
Looks like the below patch is the suspect. Assigning to Tom for further updates.

https://chromium.googlesource.com/chromium/src/+/8fb018ae054fc1c71b3887ca3bbba245e4a9db52
Labels: -Type-Bug-Regression Type-Bug
Status: Started (was: Assigned)
This is not a Chromium regression, so changing back to a normal bug.

OP's patch should fix the issue.

Comment 3 by bugdroid1@chromium.org, Apr 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aebec0b4680564dfd5184cb288c07a2fd0ca50bd

commit aebec0b4680564dfd5184cb288c07a2fd0ca50bd
Author: thomasanderson <thomasanderson@google.com>
Date: Wed Apr 26 08:50:15 2017

Linux sandbox: handle ENOSPC clone failure

Linux 4.9 adds /proc/sys/user/max_user_namespaces to limit the number
of concurrent user namespaces.  Sometimes the limit is set to 0 in
which case clone() will return ENOSPC.  This CL avoids PCHECK()ing in
that case.

BUG= 715138 
R=mdempsky@chromium.org

Review-Url: https://codereview.chromium.org/2842033002
Cr-Commit-Position: refs/heads/master@{#467271}

[modify] https://crrev.com/aebec0b4680564dfd5184cb288c07a2fd0ca50bd/sandbox/linux/services/credentials.cc

Labels: Merge-Request-59

Comment 5 by sheriffbot@chromium.org, Apr 27 2017

Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by bugdroid1@chromium.org, Apr 27 2017

Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/788c0bc6e3cdd9fff69ebb0ac48b01dd0370a76a

commit 788c0bc6e3cdd9fff69ebb0ac48b01dd0370a76a
Author: thomasanderson <thomasanderson@chromium.org>
Date: Thu Apr 27 20:56:39 2017

Merge to M59: Linux sandbox: handle ENOSPC clone failure

> Linux 4.9 adds /proc/sys/user/max_user_namespaces to limit the number
> of concurrent user namespaces.  Sometimes the limit is set to 0 in
> which case clone() will return ENOSPC.  This CL avoids PCHECK()ing in
> that case.
>
> BUG= 715138 
> R=mdempsky@chromium.org
>
> Review-Url: https://codereview.chromium.org/2842033002
> Cr-Commit-Position: refs/heads/master@{#467271}

BUG= 715138 
TBR=mdempsky@chromium.org
NOPRESUBMIT=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2852503003
Cr-Commit-Position: refs/branch-heads/3071@{#269}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/788c0bc6e3cdd9fff69ebb0ac48b01dd0370a76a/sandbox/linux/services/credentials.cc

Status: Fixed (was: Started)