linux-image-4.13.0-12-generic, linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic | Regression: many user-space apps crashing

Bug #1699772 reported by Gunter Ohrner

This bug affects 60 people

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| LibreOffice | Won't Fix | Critical | | |
| linux (Debian) | Fix Released | Unknown | | |
| linux (Ubuntu) | Incomplete | Critical | Unassigned | |
| Xenial | Incomplete | Critical | Unassigned | |
| Artful | Won't Fix | Critical | Unassigned | |
| Bionic | Fix Released | Critical | Unassigned | |

Bug Description

Distribution: Ubuntu 16.04 x64 (Flavour: KDE Neon User Edition 5.10)

linux-image-4.4.0-81-generic appears to contain a regression, probably related to the CVE-2017-1000364 fix backport / patch.

Using this kernel, the Oracle Java browser plugin always crashes during stack-related actions on initialization. This means, the plugin completely stopped working.

It works perfectly fine in linux-image-4.4.0-79-generic (vulnerable to CVE-2017-1000364) as well as linux-image-4.11.6-041106-generic, which also contains a fix for CVE-2017-1000364.

uname -a:

> Linux Zweiblum 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I tested Oracle Java 1.8 u131 as well as 1.6 u64 in Firefox 51.0.1 as well as Iceweasel / Firefox/3.5.16 in a chroot.

Using linux-image-4.4.0-81-generic it crashes in all combinations while with both other kernels it works.

I was not able to obtain any detailed crash information from Firefox 51.0.1, but Iceweasel 3.5.16 crashed completely, allowing me to obtain a stack trace which shows the relation to stack operations performed by the plugin, even without proper debug symbols:

> (gdb) bt full
> #0 0x00007fa06d805307 in _expand_stack_to(unsigned char*) () from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #1 0x00007fa06d8053ae in os::Linux::manually_expand_stack(JavaThread*, unsigned char*) ()
> from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #2 0x00007fa06d80cf0b in JVM_handle_linux_signal () from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #3 0x00007fa06d802e13 in signalHandler(int, siginfo*, void*) () from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
> No symbol table info available.
> #4 <signal handler called>

I first assumed a bug in the Java plugin, but it works fine in Linux 4.11.6.

The crash will be triggered by any applet, for example the test applet at:

* https://java.com/en/download/installed8.jsp

I'm running the Ubuntu 16.04 based KDE Neon distribution which somehow apparently does not allow me to use apport to report this bug:

> $ LANG= apport-cli linux-image-4.4.0-81-generic
>
> *** Collecting problem information
>
> The collected information can be sent to the developers to improve the
> application. This might take a few minutes.
> .........
>
> *** Problem in linux-image-4.4.0-81-generic
>
> The problem cannot be reported:
>
> This is not an official KDE package. Please remove any third party package and try again.

If someone can tell me how to get apport working for this package, I can use it to collect additional information, but (unfortunately?) the problem should be fairly easy to reproduce...

In , Xv3247 (xv3247) wrote :

Created attachment 134111
starting backtrace with scalc

I started scalc V6.0.0.0alpha1 with backtrace
and it crashed
it's not always reproduced

Gunter Ohrner (gohrner)
affects: mesa (Ubuntu) → linux (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Jarda Sladek (jaroslav-sladek) wrote :

The same bug appears on 17.04. 4.10.0-24-generic, which contains CVE-2017-1000364 fix, causes Oracle java plugin to crash. 4.10.0-22-generic, in exactly the same setup, works fine. The console error from Firefox (what most users will see) is

###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv

This makes Java Plugin on latest version of Ubuntu completely unusable.

Yuexiang Zhang (xfeep) wrote :

This bug affects not only Oracle Java plugin but also those applications based on JNI Invocation API. Here is a very simple example to reproduce it.

```c
#include <jni.h>

int main(int argc, char *args[]) {
    JavaVM *jvm;
    JNIEnv *env;
    JavaVMInitArgs vm_args;
    JavaVMOption options[1];

    /* Minimal JVM configuration: one option, the class path. */
    options[0].optionString = "-Djava.class.path=/usr/lib/java";
    vm_args.version = JNI_VERSION_1_6;
    vm_args.nOptions = 1;
    vm_args.options = options;
    vm_args.ignoreUnrecognized = 0;

    /* Creates the JVM on the calling (main) thread. */
    JNI_CreateJavaVM(&jvm, (void**)&env, &vm_args); //crash at this line
    /**............**/

    (*jvm)->DestroyJavaVM(jvm);
    return 0;
}
```

Norbert (nrbrtx)
tags: added: xenial
Damjan Jovanovic (damjan-jov) wrote :

This is a ***MASSIVE REGRESSION*** affecting many or even all native applications that use the Java Invocation API, including at least Eclipse (crashes a few seconds after startup), and LibreOffice Base with any JDBC database connector (instant crash as soon as it tries to load the JVM).

Moritz Bechler (bechler) wrote :

This should affect all embedded java uses which launch the JVM on the main thread (the regular java launcher does not do that) and is caused by the known buggy (http://www.openwall.com/lists/oss-security/2017/06/22/6) custom CVE-2017-1000364 fix. Testing the upstream patch on debian it seems to be fine (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865549).

nezero (nezero) wrote :
nezero (nezero)
no longer affects: commons-daemon (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in commons-daemon (Ubuntu):
status: New → Confirmed
Changed in eclipse (Ubuntu):
status: New → Confirmed
Changed in imagej (Ubuntu):
status: New → Confirmed
Changed in libreoffice (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx)
summary: - linux-image-4.4.0-81-generic Regression: Oracle Java plugin crashes
+ linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression:
+ many user-space apps crashing
Launchpad Janitor (janitor) wrote : Re: linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in scilab (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx) wrote :

Scilab is affected too. It uses openjdk-8.
See bug 1699892 for details.
Scilab is crashing with new kernel (linux-image-3.13.0-121-generic in Trusty / linux-image-4.4.0-81-generic in Xenial), but works with previous one (linux-image-3.13.0-119-generic in Trusty / linux-image-4.4.0-78-generic in Xenial).

Norbert (nrbrtx) wrote :

Also you can check comments on bug 1698919.
The (incomplete) list of affected applications includes:
* LPCxpresso (see https://community.nxp.com/thread/453939 )
* RMongo (see https://stackoverflow.com/a/44699417 )
* Ubiquity UniFi (see https://community.ubnt.com/t5/UniFi-Wireless/UniFi-Controller-failed-after-dist-upgrade/td-p/1967779 )

tags: added: trusty
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in octave (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx) wrote :

Octave in Trusty is affected too (see bug 1699594).

Arthur Edwards (edwardsah3) wrote : Re: [Bug 1699772] Re: linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

Interestingly, octave 4.2 comes up successfully under 4.40-81 under Ubuntu
16.04.

On Jun 23, 2017 4:45 PM, "Norbert" <email address hidden> wrote:

> Octave in Trusty is affected too (see bug 1699594).

Joshua R. Poulson (jrp) wrote : Re: linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

Applications that use jsvc can increase their thread stack space with -Xss1280k or larger (Red Hat, for example, suggested -Xss2m which is much larger).

Norbert (nrbrtx) wrote :

I confirm issue with full installation of Octave 3.8.1-1ubuntu1 on Trusty
(
dpkg -l | grep octave | grep "^ii" | awk '{print $2;}'
liboctave2:i386 octave octave-audio octave-benchmark octave-biosig octave-common octave-communications octave-communications-common octave-control octave-data-smoothing octave-dataframe
octave-doc octave-econometrics octave-epstk octave-financial octave-fpl octave-ga octave-gdf octave-general octave-geometry octave-gmt octave-gsl octave-htmldoc octave-image octave-info octave-io octave-lhapdf:i386 octave-linear-algebra octave-mapping octave-miscellaneous octave-missing-functions octave-mpi octave-nan octave-nlopt octave-nnet octave-nurbs octave-ocs octave-octcdf octave-octgpr octave-odepkg octave-openmpi-ext octave-optim octave-optiminterp octave-parallel octave-pfstools octave-plot octave-psychtoolbox-3 octave-quaternion octave-signal octave-sockets octave-specfun octave-splines octave-statistics octave-strings octave-struct octave-sundials octave-symbolic octave-tsa octave-vlfeat:i386 octave-vrml octave-zenity qtoctave
)
it crashes on 3.13.0-121-generic. strace says that segmentation fault is after loading openjdk and mmap something. Octave starts normally with 3.13.0-119-generic.

Norbert (nrbrtx) wrote :

Current state of the problem: Ubuntu kernel developers will prepare new patch in a few days (see https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2017-June/017507.html).

John Johansen:
"The kernel team is aware of the issue, and will be releasing updated
kernels when they are available.

There are currently no plans to revert the kernel patch until the
replacement patches are ready due to the nature of the security
vulnerability. If the regression is preventing you from using the
applications you require then we currently recommend you reboot into
the previous kernel."

Norbert (nrbrtx) wrote :
Norbert (nrbrtx) wrote :
Norbert (nrbrtx) wrote : Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

Other Xenial kernels (linux-image-4.8.0-56-generic, linux-image-4.10.0-24-generic) are affected too.

For today there is only one kernel with fixed problems - 4.11.6-1 in Debian sid (https://packages.debian.org/sid/linux-image-4.11.0-1-686).

summary: - linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression:
- many user-space apps crashing
+ linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-
+ image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many
+ user-space apps crashing
Norbert (nrbrtx) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-jpype (Ubuntu):
status: New → Confirmed
Changed in linux (Debian):
status: Unknown → Confirmed
Norbert (nrbrtx) wrote :

Scilab is still crashing with kernel from xenial-proposed (4.4.0-82.105).
"JAVA_TOOL_OPTIONS=-Xss1280k scilab" helps, but it is not a solution.

In , Beluga (beluga) wrote :

René Engelhard pointed to something similar:
https://buildd.debian.org/status/fetch.php?pkg=libreoffice&arch=i386&ver=1%3A5.3.4-1&stamp=1498442560&raw=0)

#0 0xead28975 in _expand_stack_to(unsigned char*) () from /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so

He commented:
"Linux's stack clash fixes break Java (and thus whenever LO tries to use Java)"

Not sure, if related.

In , Michael-stahl (michael-stahl) wrote :

the JVM regularly receives SIGSEGV especially during startup,
and that is annoying but not a problem at all.

if Calc does indeed crash, that must be a later SIGSEGV that is
not handled by the JVM.

please attach a backtrace of the last SIGSEGV i.e. the one
that is in LO code and isn't handled by JVM.

In , Xv3247 (xv3247) wrote :

thanks for the info and I have tested with openjdk7 and no crashes anymore
second I found that it loaded the file faster than with openjdk8

thanks again

In , Xv3247 (xv3247) wrote :

Sorry, I spoke too soon
crashes with openjdk7, I have backtrace and strace logs

In , Xv3247 (xv3247) wrote :

Created attachment 134315
backtrace for openjdk7

In , Xv3247 (xv3247) wrote :

Created attachment 134316
strace for openjdk

will test without java in advance options

In , Xv3247 (xv3247) wrote :

I have downloaded the 5.3.4.2 and there is no crash
now I don't know anymore

Norbert (nrbrtx) wrote :

With latest proposed kernel (4.4.0-83.106) Scilab does not crash.

Norbert (nrbrtx) wrote :
no longer affects: rustc
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rustc (Ubuntu):
status: New → Confirmed
nezero (nezero) wrote :

4.4.0-83.106 appears to be in the release repo's now and looks like it's fixed the issue for JSVC (commons-daemon (Ubuntu))

Damjan Jovanovic (damjan-jov) wrote :

4.4.0-83 fixes Eclipse, but LibreOffice Base still crashes with JDBC drivers.

Lachezar Dobrev (lachezar) wrote :

Kernel 4.10.0-26 (deb version 4.10.0-26.30) seems to have fixed crashes in Eclipse.

J. Klaus Krieger (ike85659ms127b) wrote :

Upgrade to "Linux ... 4.10.0-26-generic #30-Ubuntu SMP Tue Jun 27 09:30:12 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux" (Ubuntu 17.04 with XFCE under VMware WS Pro 12.5.7 build-5813279) fixed my problems with "jsvc" (starting "tomcat" 8.5.16) and kernel 4.10.0-24.28 ... catching "signal 11" immediately after start.

Many thanks to all of You, having helped to solve the problem!

Norbert (nrbrtx) wrote :

Scilab and test C-Java program from bug 1700270 work normally with linux-image-4.4.0-83-generic, linux-image-4.8.0-58-generic, linux-image-4.10.0-26-generic.
Thank you!

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Arthur Edwards (edwardsah3) wrote : Re: [Bug 1699772] Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

Thanks very much. I have installed it, and you're right.

Art Edwards

On Jun 29, 2017 3:02 PM, "Norbert" <email address hidden> wrote:

> Scilab and test C-Java program from bug 1700270 work normally with
> linux-image-4.4.0-83-generic, linux-image-4.8.0-58-generic,
> linux-image-4.10.0-26-generic.
> Thank you!

Changed in linux (Debian):
status: Confirmed → Fix Released
Changed in linux (Debian):
status: Fix Released → Confirmed
Arthur Edwards (edwardsah3) wrote :

Thanks!

On Jul 4, 2017 3:41 PM, "Bug Watch Updater" <email address hidden>
wrote:

> ** Changed in: linux (Debian)
> Status: Fix Released => Confirmed

In , Olivier Tilloy (osomon) wrote :

That specific crash has been reported both on debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865303) and ubuntu (https://launchpad.net/bugs/1702165). It started happening with a recent linux kernel update related to stack clash fixes (see https://launchpad.net/bugs/1699772). Subsequent kernel updates appear to have fixed all userspace apps affected by that crash, except for libreoffice on x86, which is still crashing. Libreoffice on x86-64 is fine.

I can reliably reproduce the crash in an Ubuntu 17.04 x86 virtual machine by ensuring that java is enabled in libreoffice's advanced options (using the openjdk-8 package), launching base and creating a new database.

A full backtrace with debug symbols is available there: https://launchpadlibrarian.net/326892034/libreoffice-base-zesty-full-backtrace.txt.

In , Olivier Tilloy (osomon) wrote :

Created attachment 134497
full backtrace with debug symbols of base crashing at database creation

Attaching the full backtrace I mentioned above.

Norbert (nrbrtx)
no longer affects: linux
In , Norbert (nrbrtx) wrote :

Created attachment 134499
backtrace for LibreOffice Writer 5.2.7.2 on Debian Stretch x86

This problem was discovered in LibreOffice Writer 5.2.7.2 on Debian Stretch (see for example my backtrace at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865303#220 ) or in attachment.
In brief:
#0 0xa904a975 in _expand_stack_to(address) (bottom=0xbf805fff <error: Cannot access memory at address 0xbf805fff>, bottom@entry=0xbf805000 <error: Cannot access memory at address 0xbf805000>)
    at ./src/hotspot/src/os/linux/vm/os_linux.cpp:673
        sp = 0xbfffcc88 "\r"
        size = 8350857
        p = 0xbf805fe0 <error: Cannot access memory at address 0xbf805fe0>
#1 0xa904d184 in os::Linux::manually_expand_stack(JavaThread*, unsigned char*) (t=0x8106c800, addr=0xbf805000 <error: Cannot access memory at address 0xbf805000>) at ./src/hotspot/src/os/linux/vm/os_linux.cpp:686
        mask_all = {__val = {2147483647, 4294967294, 4294967295 <repeats 30 times>}}
        old_sigset =
            {__val = {0, 0, 3221212536, 3221212568, 2829768134, 96, 3221212536, 2835641696, 3017451961, 2164710288, 2164710288, 2839724032, 2835430804, 2164710320, 2837838588, 63, 2835430768, 2839724032, 2164717328, 3221212616, 2835654623, 2164710288, 0, 2837838588, 1, 180, 3221212616, 2835654507, 2839724032, 2164717328, 2164717328, 3221212648}}
        t = 0x8106c800
        addr = 0xbf805000 <error: Cannot access memory at address 0xbf805000>

I do not know how many users use Java in Writer, but it is enabled by default and Writer silently crashes.
It's critical bug!
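
The backtraces in this report stop in `_expand_stack_to`, where the JVM touches memory below the current stack pointer to make the kernel grow the main-thread stack. As an added example (not code from this bug report, the JVM or the kernel), the C program below parses `/proc/<pid>/maps` text and reports how far the `[stack]` mapping can grow before it comes within a guard gap of the mapping below it. The 1 MiB gap (256 pages of 4 KiB), the function names and the sample map lines are assumptions constructed for illustration.

```c
/* Added example: how much room the main-thread stack has to grow.
 * Not code from this bug report, the JVM or the kernel. */
#include <stdio.h>
#include <string.h>

/* Assumption: guard gap of 256 pages of 4 KiB (1 MiB). */
#define ASSUMED_GUARD_GAP (256ULL * 4096ULL)

struct stack_report {
    unsigned long long stack_start; /* lowest mapped stack address */
    unsigned long long stack_end;   /* one past the highest stack address */
    unsigned long long below_end;   /* end of the mapping below, 0 if none */
    char below_perms[5];            /* its permissions, e.g. "---p" */
};

/* Constructed sample in /proc/<pid>/maps format (32-bit layout). */
const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 393241 /usr/bin/demo\n"
    "b7500000-b7600000 rw-p 00000000 00:00 0 \n"
    "bf804000-bf805000 ---p 00000000 00:00 0 \n"
    "bffdc000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Find the [stack] line and the mapping just below it (maps are sorted
 * by address). Returns 0 on success, -1 if there is no [stack] line. */
int parse_stack_report(const char *maps, struct stack_report *r)
{
    unsigned long long start, end, prev_end = 0;
    char perms[5], prev_perms[5] = "", buf[512];
    const char *line = maps;

    memset(r, 0, sizeof(*r));
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        if (len >= sizeof(buf))
            len = sizeof(buf) - 1;      /* long path: the prefix is enough */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%llx-%llx %4s", &start, &end, perms) == 3) {
            if (strstr(buf, "[stack]")) {
                r->stack_start = start;
                r->stack_end = end;
                r->below_end = prev_end;
                strcpy(r->below_perms, prev_perms);
                return 0;
            }
            prev_end = end;
            strcpy(prev_perms, perms);
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Bytes the stack can still grow while keeping `gap` bytes clear of the
 * mapping below. Returns 0 when the gap is already used up. */
unsigned long long growth_headroom(const struct stack_report *r,
                                   unsigned long long gap)
{
    unsigned long long limit = r->below_end ? r->below_end + gap : 0;
    return r->stack_start > limit ? r->stack_start - limit : 0;
}

/* 1 if growing the stack down to `target` keeps the gap, 0 if not. */
int growth_keeps_gap(const struct stack_report *r,
                     unsigned long long target, unsigned long long gap)
{
    if (target >= r->stack_start)
        return 1;                       /* already inside the stack */
    return r->stack_start - target <= growth_headroom(r, gap);
}

int main(void)
{
    static char maps[1 << 16];          /* enough for a small process */
    struct stack_report r;
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(maps, 1, sizeof(maps) - 1, f) : 0;

    if (f)
        fclose(f);
    maps[n] = '\0';
    if (parse_stack_report(maps, &r) != 0) {
        fprintf(stderr, "no [stack] mapping found\n");
        return 1;
    }
    printf("stack %llx-%llx, below ends %llx (%s), headroom %llu bytes\n",
           r.stack_start, r.stack_end, r.below_end, r.below_perms,
           growth_headroom(&r, ASSUMED_GUARD_GAP));
    return 0;
}
```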

Norbert (nrbrtx)
tags: added: zesty
In , Norbert (nrbrtx) wrote :

Created attachment 134502
backtrace for LibreOffice Base 5.2.7.2 on Debian Stretch x86

Base in Debian Stretch x86 is affected too (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865303#225 ).

I ran "gdb --args /usr/lib/libreoffice/program/soffice.bin --base", 'run', in Database Wizard selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb.

Backtrace in brief:
#0 0xa24e7975 in _expand_stack_to(address) (bottom=0xbf805fff <error: Cannot access memory at address 0xbf805fff>, bottom@entry=0xbf805000 <error: Cannot access memory at address 0xbf805000>)
    at ./src/hotspot/src/os/linux/vm/os_linux.cpp:673
        sp = 0xbfffc6c8 "\r"
        size = 8349385
        p = 0xbf805fe0 <error: Cannot access memory at address 0xbf805fe0>
#1 0xa24ea184 in os::Linux::manually_expand_stack(JavaThread*, unsigned char*) (t=0x8112d800, addr=0xbf805000 <error: Cannot access memory at address 0xbf805000>) at ./src/hotspot/src/os/linux/vm/os_linux.cpp:686
        mask_all = {__val = {2147483647, 4294967294, 4294967295 <repeats 30 times>}}
        old_sigset =
            {__val = {0, 0, 3221211064, 3221211096, 2717164998, 96, 3221211064, 2723038560, 3017451961, 2165500688, 2165500688, 2727120896, 2722827668, 2165500720, 2725235452, 63, 2722827632, 2727120896, 2165500504, 3221211144, 2723051487, 2165500688, 0, 2725235452, 1, 180, 3221211144, 2723051371, 2727120896, 2165500504, 2165500504, 3221211176}}
        t = 0x8112d800
        addr = 0xbf805000 <error: Cannot access memory at address 0xbf805000>

Norbert (nrbrtx) wrote : Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

I can confirm that LibreOffice Base is crashing on Ubuntu 17.04 during database creation (launched Base, in 'Database Wizard' selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb). After that Base is crashing silently.
I can't install libreoffice-dbg package on zesty (I reported bug 1702556 about it).
LibreOffice Writer does not crash in Zesty.

In , Norbert (nrbrtx) wrote :

LibreOffice Base 5.3.1.2 on Ubuntu 17.04 x86 is affected too. I can't get backtrace here.

Norbert (nrbrtx) wrote :

Libreoffice Base 5.1.6.2 is crashing on Ubuntu 16.04 LTS.
What I did:
0. Installed all updates, "uname -a"
 Linux flash-1604 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:25 UTC 2017 i686 i686 i686 GNU/Linux
1. "sudo apt-get install libreoffice-dbg ure-dbg uno-libs3-dbg libglib2.0-0-dbg"
3. run "gdb --args /usr/lib/libreoffice/program/soffice.bin --base", in Database Wizard selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb.
   "run"
   "bt full"
    Got this backtrace: (see attachment).

In , Norbert (nrbrtx) wrote :

Created attachment 134504
backtrace for LibreOffice Writer 5.1.6.2 on Ubuntu 16.04 LTS x86

LibreOffice Base 5.1.6.2 on Ubuntu 16.04 LTS x86 is affected too.
See attached backtrace (jfw_plugin_startJavaVirtualMachine is mentioned here).

In , Norbert (nrbrtx) wrote :

It seems that bug may be fixed soon in kernel (see https://lkml.org/lkml/2017/7/3/1008 ), not in LibreOffice.
I'm sorry for the noise.

Changed in df-libreoffice:
importance: Unknown → Critical
status: Unknown → Confirmed
Norbert (nrbrtx) wrote :

Libreoffice Base 5.3.1.2 is crashing on Ubuntu 17.04.
What I did:
0. Installed all updates, "uname -a"
 Linux ubuntu-zesty 4.10.0-26-generic #30-Ubuntu SMP Tue Jun 27 09:29:33 UTC 2017 i686 i686 i686 GNU/Linux
1. "apt-get install libreoffice-core-dbgsym libreoffice-writer-dbgsym ure-dbgsym uno-libs3-dbgsym libreoffice-gtk3-dbgsym libglib2.0-0-dbgsym"
3. run "gdb --args /usr/lib/libreoffice/program/soffice.bin --base", in Database Wizard selected 'Create a new database', 'Embedded database:' -> 'HSQLDB Embedded', click 'Next', click 'Finish', save database file in /tmp/db.odb.
   "run"
   "bt full"
    Got this backtrace: (see attachment).

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

(In reply to Norbert X from comment #14)
> It seems that bug may be fixed soon in kernel (see
> https://lkml.org/lkml/2017/7/3/1008 ), not in LibreOffice.
> I'm sorry for the noise.

Thank you very much for investigating it.
I guess we can close this as RESOLVED NOTOURBUG

Revision history for this message
Rostislav Stříbrný (rstribrn) wrote :

Hi,
problem still present on linux-image-4.8.0-58-generic with these conditions:
    - while executing JVM launched from >>32-bit<< C (on 64-bit kernel)
    - defining "higher" JVM stack size (eg. -Xss2048k JVM argument)

=> causes JVM segmentation fault

Attached test case (sources + binary + output logs): Bug1699772_i386_jvm_segfault_problem.tgz
test_case1.c (32-bit) => using -Xss1024k => RUNS OK.
test_case2.c (32-bit) => using -Xss2048k => Segmentation fault.
test_case1.c (64-bit) => using -Xss1024k => RUNS OK.
test_case2.c (64-bit) => using -Xss2048k => RUNS OK.

My system:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"

with linux-generic-hwe-16.04

uname -a
Linux L34001100621 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Revision history for this message
Rostislav Stříbrný (rstribrn) wrote :
Changed in df-libreoffice:
status: Confirmed → Won't Fix
Revision history for this message
Norbert (nrbrtx) wrote :

I can confirm that case2 i386 (see comments 39, 40 by Rostislav Stříbrný (rstribrn) ) produces a segmentation fault on
"4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux"
with log:
bash: line 1: 11948 Segmentation fault (core dumped) LD_PRELOAD=/usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so ./test_openjdk_i386_case2

Do not forget to install gcc-multilib package before running test.

Here is backtrace with gdb:
(gdb) bt full
#0 0xf77c52c5 in ?? () from /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
No symbol table info available.
#1 0xf77c7a34 in ?? () from /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
No symbol table info available.
#2 0xf77d20a0 in ?? () from /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
No symbol table info available.
#3 0xf790e1a2 in ?? () from /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
No symbol table info available.
#4 0xf75cbe45 in JNI_CreateJavaVM () from /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
No symbol table info available.
#5 0x080485ab in create_vm (jvm=0xffffcebc) at test_case2.c:16
        env = 0xf7fe78c2
        args = {version = 65544, nOptions = 2, options = 0xffffce6c, ignoreUnrecognized = 0 '\000'}
        options = {{optionString = 0x8048730 "-Djava.class.path=.", extraInfo = 0xf7ffd000}, {optionString = 0x8048744 "-Xss2048k",
            extraInfo = 0xffffce90}}
        rv = -142860576
#6 0x08048604 in main (argc=1, argv=0xffffcf84) at test_case2.c:27
        jvm = 0x80486fb <__libc_csu_init+75>
        env = 0x1
        foo_class = 0xffffcf84
        test_method = 0xffffcf8c

Revision history for this message
Norbert (nrbrtx) wrote :

In 32-bit Zesty linux 4.10.0-28-generic still crashes LibreOffice Base.

Changed in linux (Debian):
status: Confirmed → Fix Released
Changed in linux (Debian):
status: Fix Released → Confirmed
Revision history for this message
In , Luke (lukebenes) wrote :

There are 2 workarounds for this issue:

Add kernel parameter stack_guard_gap=1

Or

Start Libreoffice, click on Tools, click on options and under Libreoffice section click on Advanced.
And instead of changing parameters, considering I don't use java in Libreoffice, I've simply deselected "Use a Java runtime environment".

from: https://bbs.archlinux.org/viewtopic.php?id=227597

Revision history for this message
In , Cloph-0 (cloph-0) wrote :

pointers to the openjdk code / showing why only 32bit is affected

https://<email address hidden>/msg1437925.html

Revision history for this message
Miroslav Karas (arditure87) wrote : Re: [Bug 1699772] Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

Scilab 6.0 crash with 4.4.0-87-generic under Linux Mint

DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=18
DISTRIB_CODENAME=sarah
DISTRIB_DESCRIPTION="Linux Mint 18 Sarah"
NAME="Linux Mint"
VERSION="18 (Sarah)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 18"
VERSION_ID="18"
HOME_URL="http://www.linuxmint.com/"
SUPPORT_URL="http://forums.linuxmint.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/linuxmint/"
UBUNTU_CODENAME=xenial
cat: /etc/upstream-release: Is a directory


Revision history for this message
Norbert (nrbrtx) wrote : Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

@Miroslav Karas (arditure87)
I'm running xenial x86_64 with 4.4.0-87-generic, I can run scilab-5.5.2 (from repos) and scilab-6.0.0 (from scilab.org).

$ uname -a
Linux host 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

It seems that you missed some scilab dependency or have other problems. What happens if you try to start scilab from terminal?

Revision history for this message
Miroslav Karas (arditure87) wrote : Re: [Bug 1699772] Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

Norbert
You might be right, there might be something missing. I followed the YouTube
video installation, which basically asks you to copy the package, expand and
link the executable. So no real installation. Scilab 6.0 starts and
immediately shuts down. I am concurrently running Scilab 5.5.2 - no problem
(installed from Mint apps). From the command line it opens the 5.5.2 version.

On Wed, Jul 26, 2017 at 12:44 PM, Norbert <email address hidden>
wrote:

> @Miroslav Karas (arditure87)
> I'm running xenial x86_64 with 4.4.0-87-generic, I can run scilab-5.5.2
> (from repos) and scilab-6.0.0 (from scilab.org).
>
> $ uname -a
> Linux host 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017
> x86_64 x86_64 x86_64 GNU/Linux
>
> It seems that you missed some scilab dependency or have other problems.
> What happens if you try to start scilab from terminal?

Revision history for this message
Norbert (nrbrtx) wrote : Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

@Miroslav Karas (arditure87)
Scilab 6 has a bug, it should be started with a controlling terminal.
You can create a desktop application launcher with the following contents in the Command field:
   xterm -e /home/full_path_to_scilab-6.0.0/bin/scilab
(you can change xterm to your favorite editor).

Revision history for this message
Norbert (nrbrtx) wrote :

^ not 'editor', I mean terminal emulator (such as gnome-terminal).

Revision history for this message
In , Michael-stahl (michael-stahl) wrote :

*** Bug 109327 has been marked as a duplicate of this bug. ***

Revision history for this message
Nicholas Borisov (nicholas764) wrote :

I confirm this issue, LibreOffice Base crashed any time when I try to do anything in Base. Are there any patches?

Processor: Intel Pentium T4400 @ 2.20GHz (2 Cores)

Software:
OS: Ubuntu 17.04, Kernel: 4.10.0-26-generic (i686), Desktop: Xfce 4.12, Display Driver: modesetting 1.19.3, OpenGL: 3.3 Mesa 17.2.0-devel, Compiler: GCC 6.3.0 20170406, File-System: ext4, Screen Resolution: 1366x768

Libreoffice 5.3.1.2, ID 1:5.3.1-0ubuntu2, VCL: gtk2

Revision history for this message
In , Iplaw67-h (iplaw67-h) wrote :

*** Bug 108854 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Iplaw67-h (iplaw67-h) wrote :

*** Bug 109101 has been marked as a duplicate of this bug. ***

Olivier Tilloy (osomon)
Changed in linux (Ubuntu):
status: Fix Released → Confirmed
Revision history for this message
In , Iplaw67-h (iplaw67-h) wrote :

*** Bug 110748 has been marked as a duplicate of this bug. ***

Revision history for this message
Bruno Vernay (brunovernay) wrote :

With a 32bit arch, LibreOffice Base crashes in the latest (updated) 16.04 LTS and in 17.04.
With a 64bit arch the 17.07 LibreOffice Base does not crash.

Changed in linux (Ubuntu):
importance: Undecided → Critical
Revision history for this message
In , Michael-stahl (michael-stahl) wrote :

*** Bug 109014 has been marked as a duplicate of this bug. ***

Revision history for this message
Tiago Stürmer Daitx (tdaitx) wrote :

Regarding OpenJDK 8, it crashes as soon as Xss is set to (or higher than) 1141K in a i386 JVM (32-bit).

I used the example code from bug #1700270. Please note that there is no need to even use the java class: the program will segfault while starting the JVM, so do remove lines 30-34 from either test_case1.c or test_case2.c and set Xss to 1441K (or bigger).

The OpenJDK part where the stack location and size are calculated is in os::Linux::capture_initial_stack() [1], especially _initial_thread_stack_bottom [2].

From GDB I was able to collect the following data from that function:
(gdb) p max_size
$1 = 1171456

Note: max_size is Xss rounded to vm_page_size(), thus 1144K [3].

(gdb) info locals
rlim = {rlim_cur = 8388608, rlim_max = 4294967295}
stack_size = 8380416
stack_start = 4294956864
p = 0xf7ffcf34 <__libc_stack_end>
stack_top = 4294959104
low = 0xfffdd000 ""
high = 0xffffe000 <error: Cannot access memory at address 0xffffe000>

(gdb) x p
0xf7ffcf34 <__libc_stack_end>: 0xffffd740
(gdb) x stack_top
0xffffe000: Cannot access memory at address 0xffffe000
(gdb) x low
0xfffdd000: 0x00000000
(gdb) x high
0xffffe000: Cannot access memory at address 0xffffe000
(gdb) p _initial_thread_stack_size
$43 = 1171456
(gdb) x _initial_thread_stack_bottom
0xffee0000: 0x00000000

Backtrace:
(gdb) bt
#0 os::Linux::capture_initial_stack (max_size=1171456) at ./src/hotspot/src/os/linux/vm/os_linux.cpp:1272
#1 0xf7394287 in os::init_2 () at ./src/hotspot/src/os/linux/vm/os_linux.cpp:4939
#2 0xf74ee886 in Threads::create_vm (args=0xffffd62c, canTryAgain=0xffffd5bf) at ./src/hotspot/src/share/vm/runtime/thread.cpp:3361
#3 0xf7151423 in JNI_CreateJavaVM (vm=0xffffd684, penv=0xffffd624, args=0xffffd62c) at ./src/hotspot/src/share/vm/prims/jni.cpp:5220
#4 0x5655561f in create_vm (jvm=0xffffd684) at test_case.c:16
#5 0x56555685 in main (argc=1, argv=0xffffd744) at test_case.c:25

That information is used by os::Linux::default_guard_size() [4] to fetch both 'bottom' and 'size' used to indicate the start of the guard page - and it has a nice doc explaining the stack layout. The values from default_guard_size are in turn used by os::current_stack_base() [5] to calculate what should be the stack base.

Let me know if there's any additional information I can help with.

[1] http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os/linux/vm/os_linux.cpp#l1081
[2] http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os/linux/vm/os_linux.cpp#l1271
[3] http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os/linux/vm/os_linux.cpp#l5010
[4] http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os_cpu/linux_x86/vm/os_linux_x86.cpp#l714
[5] http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os_cpu/linux_x86/vm/os_linux_x86.cpp#l745
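
An added example, not part of the comment above and not OpenJDK or kernel code: a C sketch that redoes the stack-bottom arithmetic from the gdb values and tests the result against a simplified model of the guard-gap check in expand_downwards(), for the default 256-page gap and for the stack_guard_gap=1 workaround mentioned earlier in the thread. The maps excerpt is constructed: only the [stack] range comes from the gdb output, while the neighbouring mapping and all helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 4096ULL

/* Constructed /proc/<pid>/maps excerpt for a 32-bit process. Only the [stack]
 * range (low/high in the gdb output above) is from the thread; the mapping
 * below it is invented so that the sample shows both outcomes. */
static const char SAMPLE_MAPS[] =
    "f7fd9000-f7ffc000 r-xp 00000000 08:01 1234 /lib/ld.so\n"
    "ffde0000-ffde1000 rwxp 00000000 00:00 0 \n"
    "fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]\n";

struct stack_view {
    unsigned long long low, high; /* current [stack] VMA */
    unsigned long long prev_end;  /* end of the VMA directly below, 0 if none */
    int prev_accessible;          /* that VMA has any of r/w/x set */
};

/* maps is sorted by address, so the entry before [stack] is its lower
 * neighbour. Returns 0 on success, -1 if there is no [stack] line. */
static int parse_maps(const char *maps, struct stack_view *out)
{
    char line[256], perms[8];
    unsigned long long lo, hi;

    memset(out, 0, sizeof *out);
    while (*maps) {
        size_t n = strcspn(maps, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;

        memcpy(line, maps, c);
        line[c] = '\0';
        maps += n + (maps[n] == '\n');
        if (sscanf(line, "%llx-%llx %7s", &lo, &hi, perms) != 3)
            continue; /* skip malformed lines */
        if (strstr(line, "[stack]")) {
            out->low = lo;
            out->high = hi;
            return 0;
        }
        out->prev_end = hi;
        out->prev_accessible = strpbrk(perms, "rwx") != NULL;
    }
    return -1;
}

/* The arithmetic the gdb values above show for capture_initial_stack():
 * RLIMIT_STACK minus two pages, capped by -Xss rounded up to a page. */
static unsigned long long jvm_stack_bottom(unsigned long long stack_top,
                                           unsigned long long rlim_cur,
                                           unsigned long long xss_bytes)
{
    unsigned long long size = rlim_cur - 2 * PAGE_SZ;
    unsigned long long max_size = (xss_bytes + PAGE_SZ - 1) & ~(PAGE_SZ - 1);

    if (max_size && size > max_size)
        size = max_size;
    return stack_top - size;
}

/* Lowest address the stack may start at when gap_pages pages must stay free
 * above an accessible lower neighbour (0 = no constraint). */
static unsigned long long lowest_stack_start(const struct stack_view *s,
                                             unsigned long long gap_pages)
{
    if (!s->prev_end || !s->prev_accessible)
        return 0;
    return s->prev_end + gap_pages * PAGE_SZ;
}

/* Simplified model (an assumption of this example) of the test the kernel
 * applies since "mm: larger stack guard gap, between vmas". */
static int growth_allowed(const struct stack_view *s,
                          unsigned long long new_start,
                          unsigned long long gap_pages)
{
    return new_start >= s->low ||
           new_start >= lowest_stack_start(s, gap_pages);
}

/* 1 = growth permitted, 0 = refused, -1 = no [stack] in the sample. */
static int check_xss(unsigned long long xss_kb, unsigned long long gap_pages)
{
    struct stack_view s;

    if (parse_maps(SAMPLE_MAPS, &s) != 0)
        return -1;
    return growth_allowed(&s, jvm_stack_bottom(s.high, 8388608ULL,
                                               xss_kb * 1024), gap_pages);
}

int main(void)
{
    static const unsigned long long xss_kb[] = { 1024, 1141, 2048 };
    size_t i;

    for (i = 0; i < sizeof xss_kb / sizeof xss_kb[0]; i++)
        printf("-Xss%lluk: gap=256 -> %s, gap=1 -> %s\n", xss_kb[i],
               check_xss(xss_kb[i], 256) ? "grows" : "refused",
               check_xss(xss_kb[i], 1) ? "grows" : "refused");
    return 0;
}
```

To inspect a live process instead, feed parse_maps() the contents of /proc/<pid>/maps; the model ignores the RLIMIT_STACK accounting the kernel also performs.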

Revision history for this message
Pete Cheslock (pete-cheslock) wrote :

This affects linux-aws 4.4.0-1020-aws as well. I ran into this issue on that kernel. https://github.com/collectd/collectd/issues/2321#issuecomment-311634825

Seems maybe fixed in 4.4.0-1022-aws

Revision history for this message
In , Iplaw67-h (iplaw67-h) wrote :

*** Bug 112357 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Iplaw67-h (iplaw67-h) wrote :

*** Bug 112479 has been marked as a duplicate of this bug. ***

Revision history for this message
Olivier Tilloy (osomon) wrote :

libreoffice base still crashing at startup on xenial i386 with kernels 4.4.0-96.119 (in xenial-security) and 4.4.0-97.120 (in xenial-proposed)

Revision history for this message
In , Luke (lukebenes) wrote :

The build time manifestation of this bug is a CppunitTest_dbaccess_hsqldb_test or CppunitTest_dbaccess_RowSetClones test failure. For details see:

http://nabble.documentfoundation.org/CppunitTest-dbaccess-hsqldb-test-CppunitTest-dbaccess-RowSetClones-Failing-after-System-Update-td4218769.html

Revision history for this message
Norbert (nrbrtx) wrote :

Ubuntu 17.10 with all updates. LibreOffice Base is still crashing on 32-bit (kernel is 4.13.0-12-generic).

tags: added: artful
summary: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-
- image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many
- user-space apps crashing
+ image-4.4.0-81-generic, linux-image-3.13.0-121-generic, linux-
+ image-4.13.0-12-generic Regression: many user-space apps crashing
summary: - linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-
- image-4.4.0-81-generic, linux-image-3.13.0-121-generic, linux-
- image-4.13.0-12-generic Regression: many user-space apps crashing
+ linux-image-4.13.0-12-generic, linux-image-4.10.0-24-generic, linux-
+ image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-
+ image-3.13.0-121-generic | Regression: many user-space apps crashing
tags: added: id-599af6610f9a304e95fd9796
ronalddsp (rdsierrap)
Changed in python-jpype (Ubuntu):
status: Confirmed → New
Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 112930 has been marked as a duplicate of this bug. ***

Revision history for this message
Henk Stuurman (hw-stuurman) wrote :

The crashes of LibreOffice give the following errors:
Sorry, Ubuntu 16.04 has experienced an internal error

ExecutablePath /usr/lib/libreoffice/program/soffice.bin

Package libreoffice-core 1:5.1.6-rc2-oubuntu1~xenial2

Problem type crash

title soffice.bin crashed with SIGSEGV

apport version 2.20.1ubuntu2.10

distro release Ubuntu 16.04

Installation Date Installed on 2014-03-19

Installation Media Ubuntu 12.04.4 LTS “Precise Pangolin” - Release i386 (20140204)

ProcCmdline /usr/lib/libreoffice/program/soffice.bin -writer -splash-pipe=5

ProcVersionSignature Ubuntu 4.4.0-92.115-generic 4.4.76

SegvReason reading unknown VMA

Signal 11

SourcePackage libreoffice

StacktraceAddressSignature /usr/lib/libreoffice.bin:11:/usr/lib/jvm/java-8-openjgk-i386/jre/lib/i386/server/libjvm.so+73fb35:/usr/lib/jvm/java-6-openjdk-i386/jre/lib/i386/server/libjvm.so+7422a4:/usr/lib/jvm/java-8-openjdk-i386/jre/lib/server/libjvm.so+74c790:/usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so+533f5f:/usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so+53439c:/usr/lib/libreoffice/program/libjvmaccesslo/so+3ce7:/usr/lib/libreoffice/program/libjvmaccesslo.so+3d36:/usr/lib/libreoffice/program/libjava_uno.so+13ffc:/usr/lib/libreoffice/program/libjava_uno.so+14a46:/usr/lib/libreoffice/program/libgcc3_uno.so.2720:/usr/lib/libreoffice/program/libgcc3_uno.so+2c6b:/usr/lib/libreoffice/program/libgcc3_uno.so+9235:/usr/lib/libreoffice/program/libjavaloaderlo.so+40ca:/usr/lib/libreoffice/program/libuno_cppuhelpergcc3.so+6a9b4:usr/lib/libreoffice/program/libuno_cppuhelpergcc3.so.3+6bb4d

Tags xenial

Uname Linux 4.4.0.92-generic i386

Upgradestatus Upgraded to xenial on 2016-08-03

UserGroups adm cdrom dip lpadmin plugdev sambashare sudo

I have now uninstalled Oracle Java and will try to find Open JDK to install, and see what happens.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-jpype (Ubuntu):
status: New → Confirmed
Revision history for this message
In , julien2412 (serval2412-6) wrote :

*** Bug 113491 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Beluga (beluga) wrote :

*** Bug 113904 has been marked as a duplicate of this bug. ***

Changed in linux (Debian):
status: Confirmed → Fix Released
Revision history for this message
In , Mikekaganski (mikekaganski) wrote :

*** Bug 114689 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Mikekaganski (mikekaganski) wrote :

*** Bug 114898 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 114639 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 114638 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Aron Budea (baron-z) wrote :

*** Bug 114977 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Jan-Peter Rühmann (jpruehmann) wrote :

Why then is every other Java program not showing errors?
LibreOffice is the only one.
Thanks,

tags: added: kernel-da-key
Changed in linux (Ubuntu Artful):
assignee: nobody → Joseph Salisbury (jsalisbury)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Bionic):
assignee: nobody → Joseph Salisbury (jsalisbury)
status: Confirmed → In Progress
no longer affects: commons-daemon (Ubuntu)
no longer affects: commons-daemon (Ubuntu Artful)
no longer affects: commons-daemon (Ubuntu Bionic)
no longer affects: eclipse (Ubuntu Artful)
no longer affects: eclipse (Ubuntu Bionic)
no longer affects: eclipse (Ubuntu)
no longer affects: imagej (Ubuntu Artful)
no longer affects: imagej (Ubuntu Bionic)
no longer affects: libreoffice (Ubuntu Artful)
no longer affects: libreoffice (Ubuntu Bionic)
no longer affects: libreoffice (Ubuntu)
no longer affects: imagej (Ubuntu)
no longer affects: octave (Ubuntu Artful)
no longer affects: octave (Ubuntu Bionic)
no longer affects: octave (Ubuntu)
no longer affects: python-jpype (Ubuntu Artful)
no longer affects: python-jpype (Ubuntu Bionic)
no longer affects: python-jpype (Ubuntu)
no longer affects: rustc (Ubuntu Artful)
no longer affects: rustc (Ubuntu Bionic)
no longer affects: rustc (Ubuntu)
no longer affects: scilab (Ubuntu Artful)
no longer affects: scilab (Ubuntu Bionic)
no longer affects: scilab (Ubuntu)
Changed in linux (Ubuntu Xenial):
status: New → In Progress
Changed in linux (Ubuntu Artful):
importance: High → Critical
Changed in linux (Ubuntu Xenial):
importance: Undecided → Critical
assignee: nobody → Joseph Salisbury (jsalisbury)
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I backported Debian kernel commit 3f937de to Xenial, Artful and Bionic. I also had to perform a cherry-pick of commit b6fb293f2.

I built test kernels for each of these releases, which can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test these kernels and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Revision history for this message
Olivier Tilloy (osomon) wrote :

Thanks Joseph. The test kernels are for amd64 only, and the bug affects exclusively i386. Could you build test kernels for i386?

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built i386 versions of the test kernel. They can also be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Also, it might be worthwhile to see if this bug still exists in the latest upstream 4.15 mainline kernel, which can be downloaded from:

http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15/

Revision history for this message
Olivier Tilloy (osomon) wrote :

Just tested in a bionic i386 VM, and unfortunately neither your build of 4.13.0-17 nor upstream 4.15 make the situation better. I'm still seeing libreoffice base crash when creating a new database, and the crash happens in /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so.

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

Just tested on Xenial i386, LibreOffice Base still crashes on both kernels, 4.4.0-112.135~lp1699772 and 4.15.0-041500.201801282230

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Thanks for testing my kernel. It sounds like the Debian bug may be different or that the bug might be outside of the kernel.

It was originally reported that this bug was a regression. Can those that can reproduce this bug try the following kernel:

https://launchpad.net/ubuntu/+source/linux/4.4.0-79.100

From that page, select your arch under the "Builds" section. Then install the linux-image and linux-image-extra .deb packages.

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base works fine on Xenial i386 with kernel:

https://launchpad.net/ubuntu/+source/linux/4.4.0-79.100

~# uname -a
Linux WS 4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:57:27 UTC 2017 i686 i686 i686 GNU/Linux

Revision history for this message
In , julien2412 (serval2412-6) wrote :

*** Bug 115631 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 115222 has been marked as a duplicate of this bug. ***

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

There were a few commits added for CVE-2017-1000364:

a010365 mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
8105a5d mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
028383b Allow stack to grow up to address space limit
393d9b1 mm: fix new crash in unmapped_area_topdown()
88a1685 mm: larger stack guard gap, between vmas
cf83f7c mm: vma_adjust: remove superfluous confusing update in remove_next == 1 case

I'd like to build some test kernels, each peeling off one of these commits at a time, to try and narrow down which one caused it.

I built the first test kernel with commit a010365 reverted.

The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

The test kernel is for amd64 only, but the bug affects i386 exclusively. Could you build a test kernel for i386?

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built an i386 test kernel with commit a010365 reverted.

The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base still crashes on Xenial i386 with kernel from:

http://kernel.ubuntu.com/~jsalisbury/lp1699772

~$ uname -a
Linux WS 4.4.0-112-generic #135~lp1699772v1 SMP Wed Feb 21 21:22:38 UTC 2018 i686 i686 i686 GNU/Linux

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built the next test kernel with commits a010365 and 8105a5d reverted.

The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base still crashes with test kernel:

~$ uname -a
Linux WS 4.4.0-112-generic #135~lp1699772v2 SMP Thu Feb 22 00:00:50 UTC 2018 i686 i686 i686 GNU/Linux

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built the next test kernel with commits a010365, 8105a5d and 028383b reverted.

The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test this kernel and see if it resolves this bug?

Thanks in advance!

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base still crashes with test kernel:

~$ uname -a
Linux WS 4.4.0-112-generic #135~lp1699772v3 SMP Thu Feb 22 16:08:07 UTC 2018 i686 i686 i686 GNU/Linux

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built the next test kernel with commits a010365, 8105a5d, 028383b and 393d9b1 reverted.

The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test this kernel and see if it resolves this bug?

Thanks in advance!

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base still crashes with test kernel:

~$ uname -a
Linux WS 4.4.0-112-generic #135~lp1699772v4 SMP Thu Feb 22 18:45:01 UTC 2018 i686 i686 i686 GNU/Linux

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built the next test kernel with commits a010365, 8105a5d, 028383b, 393d9b1 and 88a1685 reverted.

The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test this kernel and see if it resolves this bug?

Thanks in advance!

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base works fine on Xenial i386 with last test kernel:

~$ uname -a
Linux WS 4.4.0-112-generic #135~lp1699772v5 SMP Thu Feb 22 20:41:29 UTC 2018 i686 i686 i686 GNU/Linux

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with a revert of commit 88a1685. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

The test kernel is for amd64 only, but the bug affects i386 exclusively. Could you build a test kernel for i386?

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

There is an i386 test kernel there now.
http://kernel.ubuntu.com/~jsalisbury/lp1699772

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base works fine on Xenial i386 with last test kernel:

~$ uname -a
Linux WS 4.4.0-112-generic #135~lp16909772Revert88a1685 SMP Tue Mar 6 08:40:12 UTC 2018 i686 i686 i686 GNU/Linux

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

It might be worth also testing 4.16-rc4:
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.16-rc4/

Revision history for this message
Roman Shipovskij (roman-shipovskij) wrote :

LibreOffice Base crashes with 4.16-rc4 kernel:

~# uname -a
Linux WS 4.16.0-041600rc4-generic #201803041930 SMP Mon Mar 5 00:44:23 UTC 2018 i686 i686 i686 GNU/Linux

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

We should notify upstream since the bug still occurs with the latest upstream kernel. Would it be possible for you to open an upstream bug report[0]? That will allow the upstream Developers to examine the issue, and may provide a quicker resolution to the bug.

Please follow the instructions on the wiki page[0]. The first step is to email the appropriate mailing list. If no response is received, then a bug may be opened on bugzilla.kernel.org.

Once this bug is reported upstream, please add the tag: 'kernel-bug-reported-upstream'.

[0] https://wiki.ubuntu.com/Bugs/Upstream/kernel

Changed in linux (Ubuntu Xenial):
status: In Progress → Incomplete
Changed in linux (Ubuntu Artful):
status: In Progress → Incomplete
Changed in linux (Ubuntu Bionic):
status: In Progress → Incomplete
Revision history for this message
Matt (mguignes) wrote :

Whenever LibreOffice Writer is launched, it does not load and a crash report appears.
LibreOffice Base and Calc open OK though.

System info:

OS: Ubuntu Budgie 18.04 32-bit
PC: Sony Vaio VGN-FE21H

Revision history for this message
Tiago Stürmer Daitx (tdaitx) wrote :

IcedTea 2.6.14 has backported a fix for the exec guard issue and will be available in Trusty's openjdk-7 version 7u181-2.6.14-0ubuntu0.1.

The fix for OpenJDK-8 will be included in the next security update.

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 118677 has been marked as a duplicate of this bug. ***

Revision history for this message
Andy Whitcroft (apw) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, ie artful. The bug task representing the artful nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Artful):
status: Incomplete → Won't Fix
Revision history for this message
Wladimir Mutel (mwg) wrote :

Is there any chance to have this fixed in Ubuntu 18.04 earlier than 20.04 is released?

Revision history for this message
Wladimir Mutel (mwg) wrote :

What's interesting is that lowriter does not crash in 32-bit LinuxMint-Mate 19 (based on Ubuntu Bionic 18.04)
with either the 4.15.0-20 initial kernel or -33 updated from Bionic.
With 32-bit Lubuntu 18.04 it still crashes under the -33 kernel, so the fix is clearly in some different place.
Probably the LinuxMint authors know some magic incantations.

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 119078 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 119487 has been marked as a duplicate of this bug. ***

Revision history for this message
Olivier Tilloy (osomon) wrote :

Still crashing in cosmic on i386 with libreoffice 6.0.6 and kernel 4.17.0.9.12, and libreoffice 6.1.0 and kernel 4.18.0.7.8.

Revision history for this message
In , Beluga (beluga) wrote :

*** Bug 119614 has been marked as a duplicate of this bug. ***

Revision history for this message
Seth Forshee (sforshee) wrote :

I've tried to reproduce the crash in a vm running up-to-date i386 cosmic, kernel version 4.18.0-7.8. I'm not seeing any crashes opening up the libreoffice apps. Can you give instructions on how to reproduce? Thanks.

Revision history for this message
Olivier Tilloy (osomon) wrote :

@Seth: I can reliably reproduce the crash in an up-to-date i386 cosmic VM. You need to install libreoffice-base (which is not installed by default, and pulls in all the java dependencies), then run it with "libreoffice --base", go through the initial wizard to create a new HSQLDB database, and that's when the crash happens.

Changed in linux (Ubuntu):
assignee: Joseph Salisbury (jsalisbury) → nobody
Changed in linux (Ubuntu Xenial):
assignee: Joseph Salisbury (jsalisbury) → nobody
Changed in linux (Ubuntu Artful):
assignee: Joseph Salisbury (jsalisbury) → nobody
Changed in linux (Ubuntu Bionic):
assignee: Joseph Salisbury (jsalisbury) → nobody
Revision history for this message
Seth Forshee (sforshee) wrote :

I can reproduce using those steps, opened bug #1795956 from the crash report that was produced.

Revision history for this message
In , Xiscofauli (xiscofauli) wrote :

*** Bug 122062 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Djn4823 (djn4823) wrote :

xubuntu 18.04.1 32-bit (4.15.0-42-generic #45-Ubuntu)

My experience was rather different. LibreOffice would always crash at a point about 35% through the splash screen, so I couldn't use the UI to disable the use of Java.

I checked with sysctl -a and also by dumping all strings in the kernel, and "stack_guard_gap" isn't a valid kernel parameter.

If I edited the LibreOffice config file "javasettings_Linux_x86.xml" to look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!--This is a generated file. Do not alter this file!-->
<java xmlns="http://openoffice.org/2004/java/framework/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<enabled xsi:nil="false"/>
<userClassPath xsi:nil="true"/>
<vmParameters xsi:nil="true"/>
<jreLocations xsi:nil="true"/>
<javaInfo xsi:nil="true"/>
</java>

LibreOffice 6.0.6.2 00m0(Build:2) would find the java virtual machine, update the config file, and then crash as before.

The (partial) solution was to rename /usr/bin/java and /usr/lib/jvm/ AND code the javasettings file as above. With these steps taken I can at least edit documents in --writer and spreadsheets with --calc. Creating a native database requires Java, so that doesn't work, but I was able to attach to a spreadsheet and treat it like a database. Not sure about Access/Jet or SQLite databases yet.

Of course, anything else that requires Java is now broken. Java version is

OpenJDK Runtime Environment (build 10.0.2+13-Ubuntu-1ubuntu0.18.04.4)
OpenJDK Server VM (build 10.0.2+13-Ubuntu-1ubuntu0.18.04.4, mixed mode)

I tried creating a "Hello World" Java program and it worked as expected.

Hmmm... "Mixed Mode?" Also, this version of was intended for Ubuntu 18.04.**4**, whereas I have 18.04.**1**.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

@ Seth Forshee (sforshee)

the "crash" based bug got marked as a duplicate of this bug. So surely this bug report should not be in "incomplete" status. What's the progress here?

Trivial to reproduce using libreoffice package in bionic i386 VM as seen in autopkgtests all the time.

Changed in linux (Ubuntu Bionic):
status: Incomplete → Confirmed
Revision history for this message
Olivier Tilloy (osomon) wrote :

As evidenced by http://autopkgtest.ubuntu.com/packages/libreoffice/cosmic/i386, the problem went away in cosmic at some point in November 2018.

xenial and bionic are still affected.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Autopkgtests on cosmic started passing (as far as this bug is concerned − there were other unrelated failures) on 2018-10-10, when openjdk-lts was upgraded from 10.0.2+13-1ubuntu1 to 11~28-3ubuntu1.

Revision history for this message
In , Luke (lukebenes) wrote :

(In reply to Dave Notman from comment #42)
> "stack_guard_gap" isn't a valid kernel parameter.

Yes, the correct parameter is "stack_guard_gap=1"

With ubuntu 18.04.2 32-bit, the master branch is building with this parameter.
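
Added example, not part of the comments above: stack_guard_gap is a kernel boot parameter counted in pages (default 256), so it appears in /proc/cmdline and not in `sysctl -a`, and a host booted with "stack_guard_gap=1" runs with a one-page gap. The sketch below audits a command line for a reduced gap; the function names, the sample command lines and the choice to skip non-numeric values are assumptions of this example.

```shell
#!/bin/sh
# Audit a kernel command line for a reduced stack guard gap.
# stack_guard_gap= is a boot parameter (unit: pages), not a sysctl.

DEFAULT_GAP_PAGES=256   # kernel default when the parameter is absent

# Print the effective gap in pages for a command-line string.
# The last occurrence wins; values that are not plain decimal
# numbers are skipped (a simplification made by this script).
effective_gap() {
    gap=$DEFAULT_GAP_PAGES
    set -f                      # no glob expansion while splitting words
    for word in $1; do
        case $word in
            stack_guard_gap=*)
                val=${word#stack_guard_gap=}
                case $val in
                    ''|*[!0-9]*) ;;      # empty or non-numeric: ignore
                    *) gap=$val ;;
                esac
                ;;
        esac
    done
    set +f
    echo "$gap"
}

# Return 0 if the gap is at least the default, 1 if it was reduced.
gap_is_default_or_larger() {
    [ "$(effective_gap "$1")" -ge "$DEFAULT_GAP_PAGES" ]
}

# Constructed sample command lines (not taken from the bug report).
SAMPLE_STOCK='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet splash'
SAMPLE_REDUCED='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro stack_guard_gap=1'

# Check the running host; returns 1 on a reduced gap, 2 if unreadable.
audit_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null) || return 2
    if gap_is_default_or_larger "$cmdline"; then
        echo "OK: stack guard gap is $(effective_gap "$cmdline") pages"
    else
        echo "WARN: stack guard gap reduced to $(effective_gap "$cmdline") pages"
        return 1
    fi
}
# Usage on a live host: audit_host
```
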

Brad Figg (brad-figg)
tags: added: cscc
Changed in libreoffice (Ubuntu):
status: New → Fix Released
Revision history for this message
Marcus Tomlinson (marcustomlinson) wrote :

openjdk 11 has since been backported to bionic.

Changed in linux (Ubuntu Bionic):
status: Confirmed → Fix Released
no longer affects: libreoffice (Ubuntu)
no longer affects: libreoffice (Ubuntu Xenial)
Norbert (nrbrtx)
tags: removed: artful trusty zesty