init (chromium-browser) crashed with SIGSEGV

Bug #1300235 reported by Sergio Schneider on 2014-03-31
This bug affects 39 people
Affects                    Status        Importance  Assigned to
apport (Ubuntu)            Fix Released  High        Brian Murray
chromium-browser (Ubuntu)  Won't Fix     High        Unassigned

Bug Description

Test Case
---------
1) Set your default browser to Chromium.
2) Launch synaptic.
3) Click on the home page URL for a package.
4) Observe that chromium-browser does not launch.
5) Receive an apport crash dialog.
6) Also notice that the apport crash dialog refers to upstart / systemd.

none

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: upstart 1.12.1-0ubuntu1
Uname: Linux 3.14.0-031400rc8-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
Date: Mon Mar 31 09:53:16 2014
Disassembly: => 0x7fa2b65e94d7: Cannot access memory at address 0x7fa2b65e94d7
ExecutablePath: /sbin/init
InstallationDate: Installed on 2014-03-05 (25 days ago)
InstallationMedia: Xubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140305)
ProcCmdline: /sbin/init
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.14.0-031400rc8-generic root=UUID=bef08855-3273-4d41-ac06-bad06bdd08a4 ro quiet splash
SegvAnalysis:
 Segfault happened at: 0x7fa2b65e94d7: Cannot access memory at address 0x7fa2b65e94d7
 PC (0x7fa2b65e94d7) not located in a known VMA region (needed executable region)!
 Stack pointer not within stack segment
SegvReason: executing unknown VMA
Signal: 11
SourcePackage: upstart
StacktraceTop:
 ?? ()
 ?? ()
 ?? ()
Title: init crashed with SIGSEGV
UpgradeStatus: No upgrade log present (probably fresh install)
UpstartBugCategory: System
UpstartRunningSystemVersion: init (upstart 1.12.1)
UserGroups:

modified.conffile..etc.default.cups: [modified]
mtime.conffile..etc.default.cups: 2014-03-11T13:23:34.740893

Sergio Schneider (spsf) wrote :
information type: Private → Public

StacktraceSource:
 #0 0x00007fa2b65e94d7 in ?? ()
 #1 0x0000000000000020 in ?? ()
 #2 0x0000000000000000 in ?? ()
StacktraceTop:
 ?? ()
 ?? ()
 ?? ()

tags: added: apport-failed-retrace
tags: removed: need-amd64-retrace

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in upstart (Ubuntu):
status: New → Confirmed
James Hunt (jamesodhunt) wrote :

This is rather odd - the attachments relate to Upstart, and yet the corefiles on this bug and all the duplicates come from Chrome.

Examples:

/tmp/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '/opt/google/chrome-unstable/chrome --type=zygote --log-level=0 --enable-logging'

/tmp/CoreDump: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from '/opt/google/chrome-beta/chrome --type=zygote --log-level=0 --enable-logging=std'

/tmp/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '/opt/google/chrome-beta/chrome --type=zygote --log-level=0 --enable-logging=std'

/tmp/CoreDump: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from '/opt/google/chrome/chrome --type=zygote'

James Hunt (jamesodhunt) wrote :

Please can those affected attach a list of files in their /var/crash/ directory.

Also, can anyone reproduce this issue or was it purely a "one off"?

Brian Murray (brian-murray) wrote :

Please also ensure that you have the latest version of upstart installed; it is version 1.12.1-0ubuntu4.

Huubb (huub-van-baal) wrote :

Hello James,

I can confirm that the correct version of 'upstart' has been installed
huub@3436JK2:~$ dpkg -s upstart
Package: upstart
Status: install ok installed
Priority: required
Section: admin
Installed-Size: 1621
Maintainer: James Hunt <email address hidden>
Architecture: i386
Multi-Arch: foreign
Version: 1.12.1-0ubuntu4
Replaces: startup-tasks, system-services, sysvinit, upstart-compat-sysv, upstart-job
Provides: startup-tasks, system-services, upstart-compat-sysv, upstart-job
Depends: libc6 (>= 2.15), libdbus-1-3 (>= 1.2.16), libjson-c2 (>= 0.10), libnih-dbus1 (>= 1.0.0), libnih1 (>= 1.0.0), libselinux1 (>= 1.32), libudev1 (>= 183), sysvinit-utils, initscripts, mountall, ifupdown (>= 0.6.10ubuntu5), libjson0 (>= 0.10-1.1ubuntu1), debianutils (>= 4)
Suggests: python3, graphviz, bash-completion, upstart-monitor
Breaks: friendly-recovery (<< 0.2.13), libc6 (<< 2.12.1-0ubuntu12)
Conflicts: lxcguest, startup-tasks, system-services, sysvinit, upstart-compat-sysv, upstart-job
Conffiles:
 /etc/logrotate.d/upstart 070767086a27883ec119e1dde779a856
 /etc/cron.daily/upstart 761747ebd3d1677620d5af50c9900b13
 /etc/dbus-1/system.d/Upstart.conf 64be74cddb0c74b7d98202b40389784c
 /etc/bash_completion.d/upstart 080f7eee4a3f3e5f76197eaa581fb4da
 /etc/X11/Xsession.d/99upstart d150fce36cf22f5504e4dbc89b4826e0
 /etc/X11/Xsession.d/00upstart 46b4576b1f2ceffb2450a88d58786b95
 /etc/init/tty5.conf 6d5794f72a1098b008e53e326a6bb5a0
 /etc/init/rc-sysinit.conf a50c045d9390a6e6c43c18b19cd72fe5
 /etc/init/rcS.conf 8533688686f75d7bcf20da5a0d36d94b
 /etc/init/flush-early-job-log.conf 09e959647877c39f6490ad29b8a35a28
 /etc/init/wait-for-state.conf 20b85b55c3f1e040fdbbf669afe4d2a1
 /etc/init/shutdown.conf 559659602cefe7e8d3c1e76820f5ae5d
 /etc/init/upstart-udev-bridge.conf 2c24bb70877476b5e7016ccf6de745a4
 /etc/init/tty2.conf 0d9326fdda081ac96d92bbc57ff773e4
 /etc/init/failsafe.conf 0b88eeccf6c8fd456e886aa7a76e3291
 /etc/init/rc.conf 3ebc6ddcd00482cfb24ce09a14ded29f
 /etc/init/upstart-file-bridge.conf 57ea7ed6cba1f1259ac87410c59237ca
 /etc/init/console.conf 8d79b0205f2daffb473604ce53e1dc83
 /etc/init/tty1.conf f42f2298f711147ecf177054294861a7
 /etc/init/control-alt-delete.conf 16e6603524084b63b0f0ca04eb56757e
 /etc/init/upstart-socket-bridge.conf 5f3eaca09ee1f03d5d0686ea99f8c051
 /etc/init/tty4.conf 2c78cd865d848bb2674104905151dbe2
 /etc/init/tty3.conf 6608f08adf00a282358a1eeb9bdcf78e
 /etc/init/tty6.conf e8ad2f0411614f9c8dc9c4e364763549
 /etc/init/container-detect.conf 6bae6257355ad7322e7263e567817465
 /etc/upstart-xsessions ec9aa92a5c50938479d711daa9ee774a
Description: event-based init daemon
 upstart is a replacement for the /sbin/init daemon which handles
 starting of tasks and services during boot, stopping them during
 shutdown and supervising them while the system is running.
Homepage: http://upstart.ubuntu.com/
Orig-Maintainer: Steve Langasek <email address hidden>

==================

Furthermore the behavior can be reproduced on my system. Upgrade from 12.04 LTS to 14.04 LTS
Starting Google Chrome result in crashes

==================

Content of /var/crash
huub@3436JK2:/var/crash$ ll
totaal 38256
drwxrwsrwt 2 root whoopsie 4096 apr 16 21:05 ./
drwxr-xr-...


James Hunt (jamesodhunt) wrote :

Hi Huubb,

Thanks for this information. This is still very curious since according to your /var/crash/, Upstart did seemingly crash, but on a different day to chrome (chromium) crashing. Also, the upstart crash file seems to have been uploaded before the crash occurred. That might be because you've had multiple init crashes.

Please could you attach both of the following to this bug:

/var/crash/_sbin_init.0.crash
/var/crash/_usr_lib_chromium-browser_chromium-browser.1000.crash

Also, please could you attach file '/tmp/setuid+setgid.log' generated by the following which looks for setuid and setgid root binaries under /opt/google/:

sudo find /opt/google -user root \( -perm +4000 -o -perm +7000 \) -ls > /tmp/setuid+setgid.log

Finally, a couple of questions:

1) How do you start chrome? From the command-line?

2) What user are you running chrome as (huub or root)?

Huubb (huub-van-baal) wrote :
  • Attachment: out (14.7 MiB, application/octet-stream)

Hello James,

I have attached the file out (tar format) with the 2 .crash files

Running the find command brings back memories of the days I ran Unix V6 and V7 (1979 or somewhere around there).

huub@3436JK2:/var/crash$ sudo find /opt/google -user root \( -perm +4000 -o -perm +7000 \) -ls > /tmp/setuid+setgid.log
huub@3436JK2:/var/crash$ cat /tmp/set*
4859161 16 -rwsr-xr-x 1 root root 13652 apr 2 01:59 /opt/google/chrome/chrome-sandbox

I start chrome from the commandline and or from the dash

I do login as huub into the system and occasionally I used 'sudo' prefix. Not with starting chrome ;-)

James Hunt (jamesodhunt) wrote :

Hi Huubb,

Thanks again. However, please can you attach /var/crash/_sbin_init.0.crash as it doesn't appear in 'out'.

Huubb (huub-van-baal) wrote :
  • Attachment: files (9.3 MiB, application/octet-stream)

Oops. Too quickly. This time it is added the correct file

James Hunt (jamesodhunt) wrote :

Thanks Huubb - the encoded core files are still shown as belonging to chrome so I'm not sure what is happening here. And until we have either a stacktrace or a core file from init itself, it's going to be difficult to determine the cause of this issue.

If anyone has this problem and does not have chrome / chromium installed, please can they either open a new bug or attach /var/crash/_sbin_init.0.crash to this bug.

Peter Lonjers (plonjers) wrote :

Attaching the file you wanted. I have Chrome installed. After doing this I will uninstall it to see if the error still appears.

Peter Lonjers (plonjers) wrote :

Bla, OK, I need to add a little background info. So I first noticed this this morning booting my computer. I have default full disk encryption. On boot I saw a system crash; not sure if it was the same sbin_init one. But I was at work so I just exited it. But opening Nautilus all my files were gone and 3 files seemingly related to encryption were there. And I got asked about setting up my encryption key. So I logged out and back in again and there were no errors and everything looked good. Tonight I tried rebooting my computer several times. Every time the same thing happened but with two different error messages that are seemingly random. One the sbin one and the other a Nautilus one.

After posting my last comment I uninstalled Chrome and tried again. Weirdly, this time I did not see an error (having to do with ubuntu--vg_swap_1, press w to wait, c to continue etc. as my computer booted). I think I saw it all the times I tried to reboot since this morning, but I am not sure. On boot nothing crashed this time and I could access everything. But after a little while all my files disappeared from Nautilus and suddenly all kinds of weird things started happening. Like old launchers (OpenOffice, Amazon, etc.) that looked like the default Ubuntu launchers started appearing back on my launcher as if by magic. Logging in and out fixed the problem. Anyway, any help would be greatly appreciated. Let me know if there is anything I can do.

Jeremie Miserez (jmiserez) wrote :

I have the same problem, the same error pops up sometimes when booting the (fresh 14.04) system. I also have full disk encryption (as configured using the Ubuntu installer). Also, the memory address mentioned in the bug report is almost the same: 0x7fcbda1ed4d7.

I have attached the files in /var/crash/

upstart version is "Version: 1.12.1-0ubuntu4"

James Hunt (jamesodhunt) wrote :

Jeremie and Peter - thanks for attaching the crash files, but like the others affected, the core file encoded inside '_sbin_init.0.crash' was generated by chrome / chromium-browser, so we cannot use these to debug the system crash. There seems to be some strange interaction between chrome, upstart, the kernel and apport, but without further information or the ability to reproduce the problem we can't investigate further.

To those affected, you may want to consider either running the packaged version of chromium-browser in Ubuntu, or using a different browser entirely, or even running chrome inside an unprivileged LXC container as documented here:

https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

Changed in upstart (Ubuntu):
importance: Undecided → High

Yes, I seem to have an interaction with chrome. Once init has crashed I have had chrome fail to read my profile and come up in a very weird state ... reboot fixes ... until the next init crash. I did have two machines running 12.04. I've upgraded one machine to 14.04 and haven't had the problem re-appear ... so far ... but it isn't convenient to upgrade my 12.04 machine just now.

I upgraded to 14.04.1 LTS and I'm still getting the problem and my machine is running like a snail. I've upgraded 2 machines from 12.04 to 14.04 and both gave a warning about the lack of hardware support for my graphics, but the first was fine and the second was not (Shuttle XS35V3L with GMA3650 Intel graphics on D2550 chip).

James Hunt, I currently have a consistent way of reproducing this. First, I have both Chromium and Chrome installed as per below in a fresh, fully updated version of Trusty. Next I opened up Synaptic > typed "pepper" in the Quick Filter textbox > highlighted pepperflashplugin-nonfree > clicked Visit Homepage, and this consistently causes a _sbin_init.0.crash file to appear in /var/crash.

For me, the WORKAROUND is just to simply not click the link as the problem has not been reproducible otherwise so far.

For an example of this crash on errors.ubuntu.com, please see https://errors.ubuntu.com/oops/341b7c12-8f2f-11e4-b173-fa163e525ba7 .

Let me know if this isn't enough information to reproduce and I can up the verbosity on my environment.

apt-cache policy google-chrome-stable:i386
google-chrome-stable:i386:
  Installed: 39.0.2171.95-1
  Candidate: 39.0.2171.95-1
  Version table:
 *** 39.0.2171.95-1 0
        500 http://dl.google.com/linux/chrome/deb/ stable/main i386 Packages
        100 /var/lib/dpkg/status

apt-cache policy chromium-browser
chromium-browser:
  Installed: 39.0.2171.65-0ubuntu0.14.04.1.1064
  Candidate: 39.0.2171.65-0ubuntu0.14.04.1.1064
  Version table:
 *** 39.0.2171.65-0ubuntu0.14.04.1.1064 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     34.0.1847.116-0ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages

Changed in upstart (Ubuntu):
status: Confirmed → Triaged
Brian Murray (brian-murray) wrote :

I was able to recreate this using the steps provided on Ubuntu 15.04, however setting Chromium as my default browser in System Settings -> Defaults was insufficient. I had to launch chromium-browser, and then choose to set it as the default browser in its preferences. Also chromium-browser was closed when I clicked on the link in the synaptic. Is that also the case in your testing Christopher?

ProblemType: Crash
Architecture: amd64
Date: Mon Jan 5 15:32:43 2015
DistroRelease: Ubuntu 15.04
ExecutablePath: /sbin/upstart
ExecutableTimestamp: 1417261790

Brian Murray (brian-murray) wrote :

This may be the problematic function, from gtk/rgpkgdetails.cc, in synaptic:

gboolean RGPkgDetailsWindow::cbOpenHomepage(GtkWidget *button, void* data)
{
   RPackage *pkg = (RPackage*)data;
   std::vector<const gchar*> cmd = GetBrowserCommand(pkg->homepage());
   //std::cerr << "cbOpenHomepage: " << cmd[0] << std::endl;
   RunAsSudoUserCommand(cmd);

   return TRUE;
}

Brian Murray, thanks for the follow up. In Trusty, I don't have chromium as my default browser, and it is not running when I click on the link in SPM. I haven't tested any other environment permutation.

Brian Murray (brian-murray) wrote :

This is the output I see when running synaptic-pkexec in a terminal:

Could not create per-user gnome configuration directory `/root/.gnome2/': Permission denied
/usr/bin/xdg-open: 461: /usr/bin/xdg-open: mozilla: not found
/usr/bin/xdg-open: 461: /usr/bin/xdg-open: epiphany: not found
/usr/bin/xdg-open: 461: /usr/bin/xdg-open: konqueror: not found
[0106/083742:ERROR:nss_util.cc(94)] Failed to create /root/.pki/nssdb directory.
[0106/083742:ERROR:nss_util.cc(94)] Failed to create /root/.pki/nssdb directory.
[0106/083742:FATAL:chrome_main_delegate.cc(359)] Check failed: process_type.empty(). Unable to get the user data directory for process type: zygote

And this only happens when running synaptic-pkexec not 'sudo synaptic'.

James Hunt (jamesodhunt) wrote :

Hi Brian - does running synaptic-pkexec in a terminal trigger the crash? If not, we really need a trace showing what happens in cbOpenHomepage, specifically what the 'cmd' vector contains.

I was able to stop the error by removing Chrome from Startup Applications.

I am on a Ubuntu 14.04.

martin (elfkw-at) wrote :

I have the same problem but could not stop the error removing Chrome from Startup Applications.
I am on Ubuntu 14.04, disk not encrypted

summary: - init crashed with SIGSEGV
+ init (chromium-browser) crashed with SIGSEGV
James Hunt (jamesodhunt) wrote :

Playing around with strings(1), I've found this:

$ strings /usr/lib/chromium-browser/libs/libcontent.so|egrep "\<init\>"
init
The SUID sandbox created a new PID namespace but Zygote is not the init process. Please, make sure the SUID binary is up to date.
Error creating an init process to reap zombies
Failed to init random generator!
Failed to init data channel.
SRTP reset to init state
Failed to init SRTP, err=
Image size must match encoder init configuration size
.init

----------

The key terms here are:

- "Error creating an init process to reap zombies"
- "SUID binary"

See: https://code.google.com/p/chromium/codesearch#chromium/src/content/zygote/zygote_main_linux.cc&sq=package:chromium

It appears chromium creates PID namespaces, probably to run plugins/tabs in an isolated environment. But each PID namespace needs a PID 1 process. So, one possibility is that chromium is inadvertently forking and exec'ing "init" (i.e. "/sbin/init") rather than its own implementation of an init daemon ("/opt/google/chrome-unstable/chrome --type=zygote"?). And that init (be it upstart or systemd) is crashing as it's being run in a very unusual environment.
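
The point James is circling here (a process that is PID 1 inside its own PID namespace while having an ordinary PID on the host) can be shown directly. The following is an added example, not code from the bug report, from chromium or from apport: it enters a fresh user+PID namespace via unshare(2) through ctypes (the constants and the `_unshare` wrapper are this example's own), forks one child there, and reports the two numbers that child has. On a kernel or sandbox that refuses unprivileged user namespaces it returns None instead of failing.

```python
import ctypes
import os

# Flags for unshare(2); values from <linux/sched.h>.
CLONE_NEWPID = 0x20000000
CLONE_NEWUSER = 0x10000000


def _unshare(flags):
    """Thin ctypes wrapper around unshare(2); raises OSError on failure."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(flags) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def spawn_in_new_pid_namespace():
    """Fork a helper that enters a fresh PID namespace and spawns one child there.

    Returns a dict with the child's PID as it sees itself (1: it is the
    'init' of the new namespace) and as its parent sees it (an ordinary host
    PID), or None when the kernel or sandbox refuses the unshare (EPERM,
    EINVAL, ENOSYS ...), e.g. where unprivileged user namespaces are disabled.
    """
    rfd, wfd = os.pipe()
    helper = os.fork()
    if helper == 0:
        # Helper process: unshare here so the caller keeps its own namespaces.
        os.close(rfd)
        try:
            # CLONE_NEWUSER first is what makes CLONE_NEWPID possible without root.
            _unshare(CLONE_NEWUSER | CLONE_NEWPID)
        except OSError as exc:
            os.write(wfd, ("err %d" % exc.errno).encode())
            os._exit(0)
        # The first child forked after unshare(CLONE_NEWPID) becomes PID 1 of
        # the new namespace; the helper itself stays in the old one.
        child = os.fork()
        if child == 0:
            os.write(wfd, ("ok %d" % os.getpid()).encode())
            os._exit(0)
        os.waitpid(child, 0)
        # 'child' is the same process, numbered from the helper's namespace.
        os.write(wfd, (" %d" % child).encode())
        os._exit(0)

    os.close(wfd)
    chunks = []
    while True:
        data = os.read(rfd, 256)
        if not data:
            break
        chunks.append(data)
    os.close(rfd)
    os.waitpid(helper, 0)

    fields = b"".join(chunks).decode().split()
    if not fields or fields[0] == "err":
        return None
    return {"pid_in_namespace": int(fields[1]), "pid_in_parent": int(fields[2])}


if __name__ == "__main__":
    result = spawn_in_new_pid_namespace()
    if result is None:
        print("unshare(CLONE_NEWUSER|CLONE_NEWPID) not permitted here")
    else:
        print("child sees itself as PID %(pid_in_namespace)d, "
              "parent sees it as PID %(pid_in_parent)d" % result)
```

A crash handler that receives only the namespace-local PID of such a child receives "1", and on the host PID 1 is /sbin/init; that is the number mismatch the kernel's %P core_pattern specifier (the global PID) exists to resolve.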

James Hunt (jamesodhunt) on 2015-03-16
affects: upstart (Ubuntu) → chromium-browser (Ubuntu)
Brian Murray (brian-murray) wrote :

There is an issue here with apport and how it launches apport if the pid does not equal the global pid.

# Check if we received a valid global PID (kernel >= 3.12). If we do,
# then compare it with the local PID. If they don't match, it's an
# indication that the crash originated from another PID namespace. In that
# case, attempt to forward the crash to apport in that namespace. If
# apport can't be found, then simply log an entry in the host error log
# and exit 0.
if len(sys.argv) == 5 and sys.argv[4].isdigit() and sys.argv[4] != sys.argv[1]:
    if os.path.exists('/proc/%s/root/%s' % (sys.argv[4], __file__)):
        error_log('pid %s (host pid %s) crashed in a container with apport '
                  'support, forwarding' % (sys.argv[1], sys.argv[4]))
        sys.stderr.flush()
        os.execv('/usr/sbin/chroot', ('chroot', '/proc/%s/root/' % sys.argv[4],
                                      __file__, sys.argv[1], sys.argv[2],
                                      sys.argv[3]))

In the last line if we change the arguments to os.execv from sys.argv[1] to sys.argv[4] one will receive a crash report about chromium-browser and not init.
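
To make the effect of that one-argument change concrete, here is an added example (not apport's code, and not part of the original report) that models the forwarding decision above. It assumes the handler is invoked as `apport %p %s %c %P`, i.e. namespace-local PID, signal, core ulimit, host PID, and it resolves the reported PID against a constructed stand-in for /proc/<pid>/exe in which the chromium zygote is PID 1 in its namespace and PID 2468 on the host (both numbers made up). The function and table names are this example's own.

```python
import os

# Constructed stand-in for /proc/<pid>/exe as the host kernel sees it:
# PID 1 is the host's init, PID 2468 is the chromium zygote that is PID 1
# inside its own PID namespace. Both numbers are made up for this example.
FAKE_PROC_EXE = {
    1: "/sbin/init",
    2468: "/usr/lib/chromium-browser/chromium-browser",
}


def parse_core_pattern_argv(argv):
    """Split the arguments the kernel hands to the crash handler.

    Assumes the core_pattern 'apport %p %s %c %P': PID as seen by the
    crashing process, signal number, core ulimit, PID as seen by the host.
    Kernels without %P support deliver only the first three.
    """
    if len(argv) < 4:
        raise ValueError("expected at least <pid> <signal> <core ulimit>")
    local_pid, signal, core_ulimit = argv[1], int(argv[2]), argv[3]
    global_pid = argv[4] if len(argv) == 5 and argv[4].isdigit() else None
    return local_pid, signal, core_ulimit, global_pid


def pid_to_report(argv, use_global_pid):
    """Return (forwarded, pid) the way the forwarding branch above decides it.

    use_global_pid=False reproduces the pre-fix behaviour (argv[1] is passed
    on after the chroot); use_global_pid=True reproduces the fix (argv[4]).
    """
    local_pid, _signal, _ulimit, global_pid = parse_core_pattern_argv(argv)
    if global_pid is None or global_pid == local_pid:
        return False, int(local_pid)   # same namespace as the host: no forwarding
    return True, int(global_pid if use_global_pid else local_pid)


def reported_executable(argv, use_global_pid, proc_exe=FAKE_PROC_EXE):
    """Resolve the reported PID against (a stand-in for) the host's /proc.

    With the namespace-local PID of a zygote that is PID 1 in its namespace,
    the lookup lands on whatever the host calls PID 1, i.e. /sbin/init,
    which is how this report came to be titled 'init crashed with SIGSEGV'.
    """
    _forwarded, pid = pid_to_report(argv, use_global_pid)
    return proc_exe.get(pid, "<unknown>")


def live_executable(pid):
    """Same lookup against the real /proc (Linux); None if it cannot be read."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed argv for a crash of the zygote: local PID 1, SIGSEGV, host PID 2468.
    crash_in_namespace = ["apport", "1", "11", "0", "2468"]
    print("pre-fix :", reported_executable(crash_in_namespace, use_global_pid=False))
    print("post-fix:", reported_executable(crash_in_namespace, use_global_pid=True))
    print("this interpreter:", live_executable(os.getpid()))
```

On a real system the arguments in play can be checked with `cat /proc/sys/kernel/core_pattern`; the `%P` specifier must be present (kernel >= 3.12) for the handler to see the host PID at all, otherwise the forwarding branch is never taken and the crash is reported against the local PID.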

description: updated
Changed in apport (Ubuntu):
status: New → Triaged
importance: Undecided → High
Martin Pitt (pitti) wrote :

Apport fixed upstream in r2941, thanks Brian!

Changed in apport (Ubuntu):
assignee: nobody → Brian Murray (brian-murray)
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.17.1-0ubuntu1

---------------
apport (2.17.1-0ubuntu1) vivid; urgency=medium

  * New upstream bug fix release:
    - SECURITY UPDATE: Fix root privilege escalation through crash forwarding
      to containers.
      Version 2.13 introduced forwarding a crash to a container's apport. By
      crafting a specific file system structure, entering it as a namespace
      ("container"), and crashing something in it, a local user could access
      arbitrary files on the host system with root privileges.
      Thanks to Stéphane Graber for discovering and fixing this!
      (CVE-2015-1318, LP: #1438758)
    - apport-kde tests: Fix imports to make tests work again.
    - Fix UnicodeDecodeError on parsing non-ASCII environment variables.
    - apport: use the proper pid when calling apport in another PID namespace.
      Thanks Brian Murray. (LP: #1300235)
 -- Martin Pitt <email address hidden> Tue, 14 Apr 2015 09:10:17 -0500

Changed in apport (Ubuntu):
status: Fix Committed → Fix Released
Olivier Tilloy (osomon) wrote :

Closing now as this report wasn’t investigated timely and is now too old to be meaningful.
Please do not hesitate to report crashes occurring with recent releases of chromium-browser, they will hopefully be investigated and acted upon in a more timely manner.

Changed in chromium-browser (Ubuntu):
status: Triaged → Won't Fix