chromium-browser not built PIE on ARM

Bug #716703 reported by Alex Chiang on 2011-02-10
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Medium
Registry Administrators
Lucid
Undecided
Unassigned
Natty
Medium
Registry Administrators

Bug Description

Binary package hint: chromium-browser

Crash on launch, running on armel imx51

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: chromium-browser 9.0.597.94~r73967-0ubuntu0.10.04.1
ProcVersionSignature: Ubuntu 2.6.35-6.14-User Name 2.6.35.8
Uname: Linux 2.6.35-6-charlotte armv7l
Architecture: armel
ChromiumPrefs:
 browser/check_default_browser = **unset** (no such key yet)
 extensions/settings =
  (no entry found in the Preferences file)
CrashCounter: 1
CrashDB: ubuntu
Date: Thu Feb 10 14:31:15 2011
Desktop-Session:
 DESKTOP_SESSION = unity-qt
 GNOME_DESKTOP_SESSION_ID = this-is-deprecated
 XDG_CONFIG_DIRS = /etc/xdg/xdg-unity-qt:/etc/xdg
 XDG_DATA_DIRS = /usr/share/gnome:/usr/local/share/:/usr/share/
DetectedPlugins: (no entry found in the Preferences file)
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-charlotte-20110209-0
Env:
 MOZ_PLUGIN_PATH = None
 LD_LIBRARY_PATH = None
ExecutablePath: /usr/lib/chromium-browser/chromium-browser
ProcCmdline: /usr/lib/chromium-browser/chromium-browser https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+filebug/149a078a-355d-11e0-940c-0025b3df357a?field.title=chromium-browser+crashed+with+SIGSEGV+in+__static_initialization_and_destruction_0%28%29
ProcEnviron:
 LANGUAGE=en
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: chromium-browser
StacktraceTop:
 ?? ()
 __static_initialization_and_destruction_0 ()
 global constructors keyed to logging.cc ()
 __libc_csu_init ()
 __libc_csu_init ()
ThirdParty: True
Title: chromium-browser crashed with SIGSEGV in __static_initialization_and_destruction_0()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
chromium-default: CHROMIUM_FLAGS=""

Alex Chiang (achiang) wrote :
Alex Chiang (achiang) on 2011-02-11
visibility: private → public
Taiten Peng (taitenpeng) wrote :

chromium-browser-9.0.597.94~r73967-0's 10.10 build works well on 10.04, and hey share the same source
download from https://launchpad.net/ubuntu/+source/chromium-browser

however, I'd compare the different of buildlog between 10.04 and 10.10.
10.10 diabled hardening wrapper in the build, but 10.04 doesn't.
I'll try a natively build of chromium-browser-9.0.597.94~r73967 without hardening wrapper on 10.04 armel.

Fabien Tassin (fta) wrote :

I think it's more related to armv7=0 on 10.10+ and armv7=1 in 10.04. I guess it should be the opposite.

See http://src.chromium.org/svn/branches/597/src/build/common.gypi for what's behind this flag.

I can't test myself as i don't have access to any ARM h/w, so i'm open to suggestions.

Taiten Peng (taitenpeng) wrote :

tried disable hardening wrapper and rebuild and it works well now.
attached the rebuilt binary package for test

Taiten Peng (taitenpeng) wrote :

my changes as below

debian/rules
- ifeq (,$(filter 10.10 11.04,$(DEBIAN_DIST_VERSION)))
+ ifeq (,$(filter 10.04 10.10 11.04,$(DEBIAN_DIST_VERSION)))

Kees Cook (kees) wrote :

Browsers are the #1 target for attackers, so it's urgent that we make sure that chromium on ARM is as hardened as on the other architectures. The primary difference between default build and the hardening-wrapper is the use of PIE.

Changed in chromium-browser (Ubuntu Lucid):
status: New → Confirmed
summary: - chromium-browser crashed with SIGSEGV in
- __static_initialization_and_destruction_0()
+ chromium-browser not built PIE
summary: - chromium-browser not built PIE
+ chromium-browser not built PIE on ARM
Changed in chromium-browser (Ubuntu Natty):
importance: Undecided → Medium
milestone: none → natty-alpha-3
status: New → Confirmed
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
Martin Pitt (pitti) wrote :

So to clarify, disabling PIE is not the solution we are looking for here, it's just a workaround? I. e. the actual bug is that it crashes with PIE?

We don't have arm hardware in the desktop team, so I reassign this to mobile for now. Also, note that chromium is not in main, so the canonical teams don't officially support it. I. e. if it's too hard to fix with PIE on arm, I guess PIE could just be disabled?

Changed in chromium-browser (Ubuntu Natty):
assignee: Canonical Desktop Team (canonical-desktop-team) → Canonical ARM (canonical-arm)
milestone: natty-alpha-3 → ubuntu-11.04-beta
Steve Langasek (vorlon) on 2011-02-15
tags: added: arm-porting-queue
Fabien Tassin (fta) wrote :

@pitti: yes, it's just a workaround. I (as maintainer) don't have the hardware to fix it myself either. Contributions welcome.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 9.0.597.107~r75357-0ubuntu1

---------------
chromium-browser (9.0.597.107~r75357-0ubuntu1) natty; urgency=high

  * New upstream release from the Stable Channel (LP: #726895)
    This release fixes the following security issues:
    + Webkit bugs:
      - [54262] High, URL bar spoof with history interaction. Credit to Jordi
        Chancel.
      - [68263] High, Stylesheet node stale pointer. Credit to Sergey Glazunov.
      - [68741] High, Stale pointer with key frame rule. Credit to Sergey
        Glazunov.
      - [70078] High, Crash with forms controls. Credit to Stefan van Zanden.
      - [70244] High, Crash in SVG rendering. Credit to Sławomir Błażek.
      - [71114] High, Stale node in table child handling. Credit to Martin
        Barbella.
      - [71115] High, Stale pointer in table rendering. Credit to Martin
        Barbella.
      - [71296] High, Stale pointer in SVG animations. Credit to miaubiz.
      - [71386] High, Stale nodes in XHTML. Credit to wushi of team509.
      - [71388] High, Crash in textarea handling. Credit to wushi of team509.
      - [71595] High, Stale pointer in device orientation. Credit to Sergey
        Glazunov.
      - [71855] High, Integer overflow in textarea handling. Credit to miaubiz.
      - [71960] Medium, Out-of-bounds read in WebGL. Credit to Google Chrome
        Security Team (Inferno).
      - [73235] High, Stale pointer in layout. Credit to Martin Barbella.
    + Chromium bugs:
      - [63732] High, Crash with javascript dialogs. Credit to Sergey
        Radchenko.
      - [64-bit only] [70376] Medium, Out-of-bounds read in pickle
        deserialization. Credit to Evgeniy Stepanov of the Chromium development
        community.
      - [71717] Medium, Out-of-bounds read in WebGL. Credit to miaubiz.
      - [72214] High, Accidental exposure of internal extension functions.
        Credit to Tavis Ormandy of the Google Security Team.
      - [72437] High, Use-after-free with blocked plug-ins. Credit to Chamal de
        Silva.
  * Bump the lang-pack package from Suggests to Recommends (LP: #689267)
    - update debian/control
  * Disable PIE on Armel/Lucid (LP: #716703)
    - update debian/rules
  * Add the disk usage to the Apport hooks
    - update debian/apport/chromium-browser.py
  * Drop gyp from Build-Depends, use in-source gyp instead
    - update debian/control
  * Merge back the ffmpeg codecs (from the chromium-codecs-ffmpeg source package)
    - update debian/rules
    - update debian/control
    - add debian/chromium-codecs-ffmpeg-extra.install
    - add debian/chromium-codecs-ffmpeg.install
 -- Fabien Tassin <email address hidden> Tue, 01 Mar 2011 00:14:02 +0100

Changed in chromium-browser (Ubuntu Natty):
status: Confirmed → Fix Released
Fabien Tassin (fta) wrote :

Just committed a workaround (disable PIE on arm) as I don't want to delay the security update, but a real fix is still preferred, reopening

Changed in chromium-browser (Ubuntu Natty):
status: Fix Released → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 9.0.597.107~r75357-0ubuntu0.10.04.1

---------------
chromium-browser (9.0.597.107~r75357-0ubuntu0.10.04.1) lucid-security; urgency=high

  * New upstream release from the Stable Channel (LP: #726895)
    This release fixes the following security issues:
    + Webkit bugs:
      - [54262] High, URL bar spoof with history interaction. Credit to Jordi
        Chancel.
      - [68263] High, Stylesheet node stale pointer. Credit to Sergey Glazunov.
      - [68741] High, Stale pointer with key frame rule. Credit to Sergey
        Glazunov.
      - [70078] High, Crash with forms controls. Credit to Stefan van Zanden.
      - [70244] High, Crash in SVG rendering. Credit to Sławomir Błażek.
      - [71114] High, Stale node in table child handling. Credit to Martin
        Barbella.
      - [71115] High, Stale pointer in table rendering. Credit to Martin
        Barbella.
      - [71296] High, Stale pointer in SVG animations. Credit to miaubiz.
      - [71386] High, Stale nodes in XHTML. Credit to wushi of team509.
      - [71388] High, Crash in textarea handling. Credit to wushi of team509.
      - [71595] High, Stale pointer in device orientation. Credit to Sergey
        Glazunov.
      - [71855] High, Integer overflow in textarea handling. Credit to miaubiz.
      - [71960] Medium, Out-of-bounds read in WebGL. Credit to Google Chrome
        Security Team (Inferno).
      - [73235] High, Stale pointer in layout. Credit to Martin Barbella.
    + Chromium bugs:
      - [63732] High, Crash with javascript dialogs. Credit to Sergey
        Radchenko.
      - [64-bit only] [70376] Medium, Out-of-bounds read in pickle
        deserialization. Credit to Evgeniy Stepanov of the Chromium development
        community.
      - [71717] Medium, Out-of-bounds read in WebGL. Credit to miaubiz.
      - [72214] High, Accidental exposure of internal extension functions.
        Credit to Tavis Ormandy of the Google Security Team.
      - [72437] High, Use-after-free with blocked plug-ins. Credit to Chamal de
        Silva.
  * Bump the lang-pack package from Suggests to Recommends (LP: #689267)
    - update debian/control
  * Disable PIE on Armel/Lucid (LP: #716703)
    - update debian/rules
  * Add the disk usage to the Apport hooks
    - update debian/apport/chromium-browser.py
  * Drop gyp from Build-Depends, use in-source gyp instead
    - update debian/control
  * Merge back the ffmpeg codecs (from the chromium-codecs-ffmpeg source package)
    - update debian/rules
    - update debian/control
    - add debian/chromium-codecs-ffmpeg-extra.install
    - add debian/chromium-codecs-ffmpeg.install
 -- Fabien Tassin <email address hidden> Tue, 01 Mar 2011 00:14:02 +0100

Changed in chromium-browser (Ubuntu Lucid):
status: Confirmed → Fix Released
Jani Monoses (jani) wrote :

this is a crasher in Lucid when built with PIE I guess, but in this case the bug title is misleading.
related to bug 641126 which is about not being able to link with -fPIE in natty.
Should this bug be closed?

Changed in chromium-browser (Ubuntu Natty):
milestone: ubuntu-11.04-beta-1 → ubuntu-11.04-beta-2
Changed in chromium-browser (Ubuntu Natty):
milestone: ubuntu-11.04-beta-2 → ubuntu-11.04
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers