firefox plugin libwidevinecdm.so crashes due to apparmor denial

Bug #1777070 reported by Xav Paice on 2018-06-15
This bug affects 8 people
Affects: apparmor (Ubuntu) - Importance: Undecided - Assigned to: Unassigned
Affects: firefox (Ubuntu) - Importance: Undecided - Assigned to: Unassigned

Bug Description

Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

Running firefox, then going to netflix.com and attempting to play a movie. The widevinecdm plugin crashes, the following is found in syslog:

Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1)
Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400 audit(1529046804.994:249): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault at 0 ip 00007fe3b57f46af sp 00007ffe6dc0b488 error 6 in libxul.so[7fe3b34c7000+6111000]
Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400 audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400 audit(1529046808.895:251): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault at 0 ip 00007fcf32ae06af sp 00007ffeb8a136c8 error 6 in libxul.so[7fcf307b3000+6111000]
Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328: [hamster] bad exit code 1
Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400 audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400 audit(1529046809.263:253): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault at 0 ip 00007fe5667c66af sp 00007fffe8cc0da8 error 6 in libxul.so[7fe564499000+6111000]
Jun 15 19:13:31 xplt kernel: [301360.574177] audit: type=1400 audit(1529046811.608:254): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16192 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:31 xplt kernel: [301360.574326] audit: type=1400 audit(1529046811.608:255): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:31 xplt kernel: [301360.574352] plugin-containe[16192]: segfault at 0 ip 00007f83507606af sp 00007ffdb3d22f08 error 6 in libxul.so[7f834e433000+6111000]
Jun 15 19:13:35 xplt kernel: [301364.313727] audit: type=1400 audit(1529046815.349:256): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16206 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:35 xplt kernel: [301364.313896] audit: type=1400 audit(1529046815.349:257): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:35 xplt kernel: [301364.313967] plugin-containe[16206]: segfault at 0 ip 00007f5ff6f746af sp 00007fff60c9c768 error 6 in libxul.so[7f5ff4c47000+6111000]
Jun 15 19:13:35 xplt /usr/lib/gdm3/gdm-x-session[6549]: message repeated 3 times: [ ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv]

If I run Firefox from the snap (rev 60.0.2-1) there's no problem.

Xav Paice (xavpaice) on 2018-06-15
affects: chromium-browser (Ubuntu) → firefox (Ubuntu)
tags: added: bionic
Seth Arnold (seth-arnold) wrote :

Hello Xav, thanks for the bug report.

Can you try adding some AppArmor rules to the firefox profile? I suspect this may require a few iterations to find all the issues:

ptrace (trace) peer=@{profile_name},
@{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,

You can add these lines to the 'main body' of /etc/apparmor.d/usr.bin.firefox and reload the profile with apparmor_parser --replace /etc/apparmor.d/usr.bin.firefox

Then try again and see what else is broken.

Thanks
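The iteration Seth describes (read the DENIED lines out of syslog, turn each into a rule, put the rules in the main body of /etc/apparmor.d/usr.bin.firefox, reload) can be scripted. The following is an added example, not code from this report or from the AppArmor project. The audit lines are copied from the syslog excerpt above; the profile text is a constructed stand-in for usr.bin.firefox; the helper names (parse_denial, rule_for, rules_from_log, add_rules, reload_profile) are this example's own. It assumes @{HOME} expands to /home/<user>/, and it keeps the profile directory and CDM version literal in the path rule; collapsing those components to `*` as Seth's rule does is a manual generalisation, the same as with aa-logprof.

```python
"""Turn AppArmor DENIED audit lines into profile rules and add them to a
profile just before its closing brace (example code, not from the report)."""
import re
import subprocess

# Two DENIED lines, one unrelated kernel line and a repeat of the first
# denial, copied from the syslog excerpt in the bug description.
AUDIT_SAMPLE = [
    'Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000',
    'Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"',
    'Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]',
    'Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HOMEDIR = re.compile(r"^/home/[^/]+/")          # assumption: @{HOME} is /home/<user>/


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted if quoted else bare for k, quoted, bare in KV.findall(line)}


def rule_for(fields):
    """Translate one denial into the AppArmor rule that would permit it."""
    op, mask = fields.get("operation"), fields.get("denied_mask", "")
    if op == "ptrace":
        peer = fields.get("peer", "")
        # A profile tracing its own processes is written with @{profile_name}.
        target = "@{profile_name}" if peer == fields.get("profile") else '"' + peer + '"'
        return "ptrace (" + mask + ") peer=" + target + ","
    if "name" in fields:  # file_mmap, open, exec, ... all carry the path in name=
        path = HOMEDIR.sub("@{HOME}/", fields["name"])
        return path + " " + mask + ","
    return None


def rules_from_log(lines):
    """Unique rules, in first-seen order, for every DENIED line in `lines`."""
    seen = {}
    for line in lines:
        fields = parse_denial(line)
        rule = rule_for(fields) if fields else None
        if rule:
            seen.setdefault(rule, None)
    return list(seen)


def add_rules(profile_text, rules):
    """Insert the rules not already present just before the profile's final '}'.

    The last '}' in the file closes the outermost profile block; the braces in
    the header glob {,*[^s][^h]} and in @{...} variables all come earlier.
    """
    present = {line.strip() for line in profile_text.splitlines()}
    missing = [r for r in rules if r not in present]
    if not missing:
        return profile_text
    head, brace, tail = profile_text.rpartition("}")
    if not brace:
        raise ValueError("profile has no closing brace")
    body = "".join("  " + r + "\n" for r in missing)
    return head.rstrip() + "\n\n" + body + brace + tail


def reload_profile(path):
    """Load the edited profile into the kernel (needs root); Seth's command."""
    subprocess.run(["apparmor_parser", "--replace", path], check=True)


# Constructed stand-in for /etc/apparmor.d/usr.bin.firefox.
PROFILE_SAMPLE = """#include <tunables/global>

/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/base>
  owner @{HOME}/.{firefox,mozilla}/** rw,
}
"""

if __name__ == "__main__":
    rules = rules_from_log(AUDIT_SAMPLE)
    print("\n".join(rules))
    print(add_rules(PROFILE_SAMPLE, rules))
    # reload_profile("/etc/apparmor.d/usr.bin.firefox")  # as root, on a real system
```

Running it against the real profile means writing the output of add_rules back to /etc/apparmor.d/usr.bin.firefox and then calling reload_profile; rerunning after the next round of denials adds only rules that are not yet present.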

Xav Paice (xavpaice) wrote :

Thanks! I won't claim to understand what that change did, but adding the two lines as requested does seem to resolve the issue. I opened up Netflix and was able to watch, without the crash, and there weren't any new entries in syslog.

Daniel Richard G. (skunk) wrote :

I think we're going to need more information on how this plugin got in there in the first place. Being able to map a library in a user-writable directory doesn't sound terribly safe...

Olivier Tilloy (osomon) wrote :

As far as I know firefox downloads and unpacks the widevine CDM in the user's profile directory when it is needed to watch DRM-protected videos. This is unlike chrome/chromium that install the widevine so system-wide.

Olivier Tilloy (osomon) wrote :

And I can confirm that the additions to firefox's apparmor profile suggested by Seth in comment #1 fix the crash of the CDM.

Changed in firefox (Ubuntu):
status: New → Confirmed
Daniel Richard G. (skunk) wrote :

Arrgh... this is not a great way of working (malware could write to that location and then load in code), but as it is what we've got, I've added the rule to a forthcoming Firefox profile update.

Incidentally, Olivier, if you've got a line on who's responsible for the Firefox profile there, it would be very helpful. The profile is no longer maintained by the AppArmor folks, and I'm not sure of a better place to send an update aside from here.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Linda (elindarie) wrote :

Yes, this fixed it for me, too, but I couldn't get it to work, just on the explanation above. Here's a little more detail. Follow the instructions at:

https://forums.linuxmint.com/viewtopic.php?t=295649#p1644426

Worked on Firefox Quantum 69.0 (64-bit) on Ubuntu 18.04.3 LTS bionic.

Now I can watch the Great Courses and other movies on Kanopy for free through my local library account. Yay! Only 6 hours after my first attempt, LOL.

baptx (b4ptx) wrote :

I got it working by adding the 2 lines at the end of the /etc/apparmor.d/usr.bin.firefox just before the closing brace "}". Without these lines, I had to use another workaround by disabling Apparmor completely on Firefox with a command like "sudo aa-complain /usr/lib/firefox/firefox" or using the official Firefox binary from Mozilla instead of the Ubuntu package.

I saw Daniel wrote "this is not a great way of working (malware could write to that location and then load in code)" but do you have an idea how to make it more secure?

When will the fix be added officially to the Firefox Apparmor profile?

baptx (b4ptx) wrote :

If someone does not have a subscription on netflix.com, it is also possible to test Widevine without subscription on spotify.com.

On 10/25/20 5:15 AM, baptx wrote:
> I got it working by adding the 2 lines at the end of the
> /etc/apparmor.d/usr.bin.firefox just before the closing brack "}".
> Without these lines, I had to use another workaround by disabling
> Apparmor completely on Firefox with a command like "sudo aa-complain
> /usr/lib/firefox/firefox" or using the official Firefox binary from
> Mozilla instead of the Ubuntu package.
>
> I saw Daniel wrote "this is not a great way of working (malware could
> write to that location and then load in code)" but do you have an idea
> how to make it more secure?
>
I assume by the 2 lines you mean

ptrace (trace) peer=@{profile_name},
@{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,

from the bug report. Neither of these lines would allow malware to
write to that location. However they do provide some danger.

The first rule allows firefox to ptrace itself, this could potentially
be exploited by injected shell code to further take control of firefox
if say the code gains control of the render process. It won't however
allow removing confinement or attacking other processes the user might
be running.

The second rule allows firefox to load and run code from that location.
But doesn't allow firefox to write to it. So if there is malware on the
system that can write to that location it could have firefox run it.
But if something manages to hack/inject code into firefox it won't be
able to put code there. Dealing with this in apparmor comes down to
making sure the rest of the system confinement is correct, preventing
said malware from writing to that location. Or you could potentially
use IMA to further restrict and only allow signed files from this
location.

The reason this is more dangerous than allowing /lib/*.so or other
system locations is the users home directory can be written by other
processes run by the user. And on most systems, most user processes
are running unconfined hence malware that exists on the system and
isn't confined could write to it.

Again this isn't so much a problem with having the rule in the
apparmor profile as with having sufficient policy on the system.

> When will the fix be added officially to the Firefox Apparmor profile?
>
These can be added fairly soon.
https://gitlab.com/apparmor/apparmor/-/merge_requests/684

though that is just landing it upstream and I am not sure when the
next ubuntu upload will be

Christian Boltz (cboltz) wrote :

> The second rule allows firefox to load and run code from that location.
> But doesn't allow firefox to write to it. So if there is malware [...]

That's correct for the added rule, but the profile also has

    owner @{HOME}/.{firefox,mozilla}/** rw,

which means firefox _can_ write to that location.

However, this doesn't make the new rule for @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m, too bad because the profile also allows m for plugins already.

    owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
    owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,

which already allows to run code from more writeable locations.
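The point of the last two comments is about which paths the profile lets the same process both write and map. That can be checked mechanically rather than by eyeballing globs. Below is an added example, not code from this thread or from AppArmor: it parses the file rules quoted above, implements the glob semantics those rules rely on (`*` stops at `/`, `**` crosses it, `{a,b}` alternation, `[...]` classes) and reports the accumulated permissions for a path. The function names (parse_rules, permissions, writable_and_loadable) are this example's own, and the @{HOME} expansion to /home/<user> is a simplification of the real tunables/home definition, which also covers /root and any @{HOMEDIRS} entries.

```python
"""Which permissions does a set of AppArmor file rules grant on a path?
(Example code, not part of the bug report or of AppArmor.)"""
import re

# Simplified @{HOME} expansion (assumption; tunables/home is wider).
VARIABLES = {"@{HOME}": r"/home/[^/]+"}

# One token per glob element: variable, {alternation}, **, *, [class], literal.
TOKEN = re.compile(r"@\{[A-Za-z_]+\}|\{[^}]*\}|\*\*|\*|\[[^\]]*\]|.")


def _regex_body(glob):
    out = []
    for tok in TOKEN.findall(glob):
        if tok in VARIABLES:
            out.append(VARIABLES[tok])
        elif tok.startswith("@{"):
            raise ValueError("unknown AppArmor variable " + tok)
        elif tok.startswith("{"):      # {a,b}: each alternative is itself a glob
            alts = tok[1:-1].split(",")
            out.append("(?:" + "|".join(_regex_body(a) for a in alts) + ")")
        elif tok == "**":              # crosses directory boundaries
            out.append(".*")
        elif tok == "*":               # stops at '/'
            out.append("[^/]*")
        elif tok.startswith("["):      # character class, same syntax as regex
            out.append(tok)
        else:
            out.append(re.escape(tok))
    return "".join(out)


def glob_to_regex(glob):
    """Compile an AppArmor path glob into an anchored regular expression."""
    return re.compile(_regex_body(glob) + r"\Z")


FILE_RULE = re.compile(r"^\s*(owner\s+)?(\S+)\s+([A-Za-z]+)\s*,\s*$")


def parse_rules(text):
    """(owner_only, compiled glob, permission set) per file rule; other lines skipped."""
    rules = []
    for line in text.splitlines():
        m = FILE_RULE.match(line)
        if m:
            rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))))
    return rules


def permissions(rules, path, owner=True):
    """Union of the permissions of every matching rule (AppArmor accumulates them).

    owner=False models a file the confined process does not own, for which
    'owner' rules do not apply.
    """
    granted = set()
    for owner_only, rx, perms in rules:
        if owner_only and not owner:
            continue
        if rx.match(path):
            granted |= perms
    return granted


def writable_and_loadable(rules, path, owner=True):
    """True when the profile lets the process both write the file and map/exec it."""
    p = permissions(rules, path, owner)
    return "w" in p and bool(p & {"m", "x"})


# The rules quoted in this thread: three from the existing profile, the
# fourth the one Seth proposed, plus the ptrace rule (ignored by the parser).
PROFILE_RULES = """
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,
  ptrace (trace) peer=@{profile_name},
"""

# Path from the DENIED lines in the bug description.
WIDEVINE = ("/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171"
            "/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so")

if __name__ == "__main__":
    rules = parse_rules(PROFILE_RULES)
    for path in (WIDEVINE, "/home/xav/.mozilla/plugins/libfoo.so", "/usr/lib/firefox/libxul.so"):
        print(path, sorted(permissions(rules, path)), writable_and_loadable(rules, path))
```

For the Widevine path the first rule contributes rw and the new rule contributes m, so the same process may write and then map the file; the plugins directories were already rwm before the change, which is Christian's point. A file under the profile directory that the user does not own gets only the m from the non-owner rule.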
