firefox plugin libwidevinecdm.so crashes due to apparmor denial

Bug #1777070 reported by Xav Paice on 2018-06-15
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned
firefox (Ubuntu)
Undecided
Unassigned

Bug Description

Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

Running firefix, then going to netflix.com and attempting to play a movie. The widevinecdm plugin crashes, the following is found in syslog:

Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1)
Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400 audit(1529046804.994:249): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault at 0 ip 00007fe3b57f46af sp 00007ffe6dc0b488 error 6 in libxul.so[7fe3b34c7000+6111000]
Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400 audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400 audit(1529046808.895:251): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault at 0 ip 00007fcf32ae06af sp 00007ffeb8a136c8 error 6 in libxul.so[7fcf307b3000+6111000]
Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328: [hamster] bad exit code 1
Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400 audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400 audit(1529046809.263:253): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault at 0 ip 00007fe5667c66af sp 00007fffe8cc0da8 error 6 in libxul.so[7fe564499000+6111000]
Jun 15 19:13:31 xplt kernel: [301360.574177] audit: type=1400 audit(1529046811.608:254): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16192 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:31 xplt kernel: [301360.574326] audit: type=1400 audit(1529046811.608:255): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:31 xplt kernel: [301360.574352] plugin-containe[16192]: segfault at 0 ip 00007f83507606af sp 00007ffdb3d22f08 error 6 in libxul.so[7f834e433000+6111000]
Jun 15 19:13:35 xplt kernel: [301364.313727] audit: type=1400 audit(1529046815.349:256): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16206 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:35 xplt kernel: [301364.313896] audit: type=1400 audit(1529046815.349:257): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:35 xplt kernel: [301364.313967] plugin-containe[16206]: segfault at 0 ip 00007f5ff6f746af sp 00007fff60c9c768 error 6 in libxul.so[7f5ff4c47000+6111000]
Jun 15 19:13:35 xplt /usr/lib/gdm3/gdm-x-session[6549]: message repeated 3 times: [ ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv]

If I run Firefox from the snap (rev 60.0.2-1) there's no problem.

Xav Paice (xavpaice) on 2018-06-15
affects: chromium-browser (Ubuntu) → firefox (Ubuntu)
tags: added: bionic
Seth Arnold (seth-arnold) wrote :

Hello Xav, thanks for the bug report.

Can you try adding some AppArmor rules to the firefox profile? I suspect this may require a few iterations to find all the issues:

ptrace (trace) peer=@{profile_name},
@{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,

You can add these lines to the 'main body' of /etc/apparmor.d/usr.bin.firefox and reload the profile with apparmor_parser --replace /etc/apparmor.d/usr.bin.firefox

Then try again and see what else is broken.

Thanks

Xav Paice (xavpaice) wrote :

Thanks! I won't claim to understand what that change did, but adding the two lines as requested does seem to resolve the issue. I opened up Netflix and was able to watch, without the crash, and there wasn't any new entries in syslog.

Daniel Richard G. (skunk) wrote :

I think we're going to need more information on how this plugin got in there in the first place. Being able to map a library in a user-writable directory doesn't sound terribly safe...

Olivier Tilloy (osomon) wrote :

As far as I know firefox downloads and unpacks the widevine CDM in the user's profile directory when it is needed to watch DRM-protected videos. This is unlike chrome/chromium that install the widevine so system-wide.

Olivier Tilloy (osomon) wrote :

And I can confirm that the additions to firefox's apparmor profile suggested by Seth in comment #1 fix the crash of the CDM.

Changed in firefox (Ubuntu):
status: New → Confirmed
Daniel Richard G. (skunk) wrote :

Arrgh... this is not a great way of working (malware could write to that location and then load in code), but as it is what we've got, I've added the rule to a forthcoming Firefox profile update.

Incidentally, Olivier, if you've got a line on who's responsible for the Firefox profile there, it would be very helpful. The profile is no longer maintained by the AppArmor folks, and I'm not sure of a better place to send an update aside from here.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Linda (elindarie) wrote :

Yes, this fixed it for me, too, but I couldn't get it to work, just on the explanation above. Here's a little more detail. Follow the instructions at:

https://forums.linuxmint.com/viewtopic.php?t=295649#p1644426

Worked on Firefox Quantum 69.0 (64-bit) on Ubuntu 18.04.3 LTS bionic.

Now I can watch the Great Courses and other movies on Kanopy for free through my local library account. Yay! Only 6 hours after my first attempt, LOL.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers