Bug 507370 - www-client/google-chrome-34.0.1847.116_p1 - (p)nacl fails
Summary: www-client/google-chrome-34.0.1847.116_p1 - (p)nacl fails
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Chromium Project
URL: https://gonativeclient.appspot.com/demo
Reported: 2014-04-11 06:11 UTC by razamatan
Modified: 2014-04-16 05:47 UTC

Attachments
grsec disabled kernel config (.config,102.18 KB, text/x-mpsub)
2014-04-15 09:06 UTC, razamatan

Description razamatan 2014-04-11 06:11:57 UTC
while trying to follow along w/ the nacl sdk examples from google code, i realized that nothing was loading for me using google chrome on my gentoo box.

i tried other sites that had nacl demos and none loaded.  i even tried the nacl based ssh extension (https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo) and that failed to load, too.

i know that these used to work, but i can't install a previous version of google-chrome to verify.

dmesg looking for potential grsec log info turns out some warnings for nice, rtprio and core limit hits (all nothing serious, except for the core limit, which i'm guessing is being hit when the nacl stuff fails).

Reproducible: Always

Steps to Reproduce:
1.  amd64 gentoo using hardened-sources-3.13.6-r3
2.  google-chrome-34.0.1847.116_p1
3.  visit https://gonativeclient.appspot.com/demo
4.  try loading a demo
5.  try loading any (p)nacl based page
Actual Results:  
(p)nacl doesn't work

Expected Results:  
things work
Comment 1 razamatan 2014-04-11 15:58:07 UTC
output from command line

[WARNING:flash/platform/pepper/pep_module.cpp(63)] SANDBOXED
[196,2513540864:08:55:37.749613] SelLdrLauncherBase::RetrieveSockAddr: RecvMsg() returned -5
[196,2513540864:08:55:37.749705] SelLdrLauncherBase::SetupCommand: getting sel_ldr socket address failed
[SRPC:HOST:196,2513540864:08:55:37.749747] NaClSrpcInvokeBySignature(channel=0x35abf6df400):missing signature [log:is:]
[5446:5475:0411/085537:ERROR:nacl_process_host.cc(272)] NaCl process exited with status 9 (0x9)
[196,2513540864:08:55:37.749800] scheduling to get crash log
[196,2513540864:08:55:37.749895] should fire soon
Comment 2 Mike Gilbert gentoo-dev 2014-04-11 17:52:05 UTC
Anything in the kernel log (dmesg)?
Comment 3 Mike Gilbert gentoo-dev 2014-04-11 18:30:58 UTC
Oh sorry, you already mentioned looking for that.

I will try to reproduce on my (non-hardened) workstation this weekend.
Comment 4 razamatan 2014-04-12 01:58:08 UTC
dmesg output is of this variety:

[38339.714212] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18471] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38398.809718] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18856] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38398.809728] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18856] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38445.447557] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19157] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38445.447568] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19157] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38518.044200] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19638] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38518.044207] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19638] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
Comment 5 Mike Gilbert gentoo-dev 2014-04-12 02:59:45 UTC
I'm having no problems on a non-hardened ~amd64 system.

Reassigning.
Comment 6 Mike Gilbert gentoo-dev 2014-04-12 03:23:00 UTC
Eh, maybe that's a bit premature... I really have no idea what the problem is here.
Comment 7 razamatan 2014-04-12 07:19:46 UTC
visit https://gonativeclient.appspot.com/demo then click on some demo.  the demo fails to load.
Comment 8 Mike Gilbert gentoo-dev 2014-04-12 14:17:58 UTC
(In reply to razamatan from comment #7)
> visit https://gonativeclient.appspot.com/demo then click on some demo.  the
> demo fails to load.

That works for me. The demo loads and functions perfectly.

I suspect your problem has something to do with your hardened system, but I do not have enough information to know for sure.

The only useful info we have so far is this:

[5446:5475:0411/085537:ERROR:nacl_process_host.cc(272)] NaCl process exited with status 9 (0x9)
Comment 9 razamatan 2014-04-13 05:18:41 UTC
yeah.. i've been poring over the chromium source looking for the exit code definitions but haven't found what 9 indicates.
Comment 10 razamatan 2014-04-15 07:27:36 UTC
got some more interesting log messages...

[351166.882474] PAX: terminating task: /opt/google/chrome/nacl_helper(nacl_helper):31126, uid/euid: 1000/1000, PC: 000002957d489a80, SP: 000003db792ac9f8
[351166.882475] PAX: bytes at PC: c3 1e 57 fd ff ff ff ff 58 1e 57 fd ff ff ff ff 00 00 00 00 
[351166.882482] PAX: bytes at SP-8: 000002957d489a80 000000551c3bd1bb 000002957d496c00 000002957d489a80 000002957d489a80 000000551c3bd20f 000002957d489980 000002957d496c00 000002957d489980 000000551c394d35 0000000000000001 
[351166.882494] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /opt/google/chrome/nacl_helper[nacl_helper:31126] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/nacl_helper[nacl_helper:30657] uid/euid:1000/1000 gid/egid:100/100


i've set /opt/google/chrome/[chrome,nacl_helper,chrome-sandbox] to the following paxctl(-ng) settings but they seem to take no effect:

/opt/google/chrome/chrome-sandbox:
        PT_PAX    : -em--
        XATTR_PAX : -em--
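
An added example, not part of the bug report or of any grsecurity tooling: it triages kernel-log lines of the kinds quoted in comments 4 and 10, separating the logged RLIMIT refusals from the PaX termination of nacl_helper and tying the fork stall to the terminated PID. The function and field names are hypothetical; the sample lines are copied from the comments above.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the dmesg output in comments 4 and 10.
SAMPLE = """\
[38339.714212] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18471] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38398.809718] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18856] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38398.809728] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18856] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[351166.882474] PAX: terminating task: /opt/google/chrome/nacl_helper(nacl_helper):31126, uid/euid: 1000/1000, PC: 000002957d489a80, SP: 000003db792ac9f8
[351166.882475] PAX: bytes at PC: c3 1e 57 fd ff ff ff ff 58 1e 57 fd ff ff ff ff 00 00 00 00
[351166.882494] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /opt/google/chrome/nacl_helper[nacl_helper:31126] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/nacl_helper[nacl_helper:30657] uid/euid:1000/1000 gid/egid:100/100
"""

RLIMIT = re.compile(r"grsec: denied resource overstep by requesting (?P<want>\d+) for "
                    r"(?P<rlimit>RLIMIT_\w+) against limit (?P<limit>\d+) for "
                    r"(?P<path>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
PAX_KILL = re.compile(r"PAX: terminating task: (?P<path>/\S+?)\((?P<comm>[^)]+)\):"
                      r"(?P<pid>\d+), .*?PC: (?P<pc>[0-9a-f]+)")
STALL = re.compile(r"grsec: bruteforce prevention initiated for the next "
                   r"(?P<minutes>\d+) minutes.*? for (?P<path>/\S+?)\[[^:\]]+:(?P<pid>\d+)\]")

def triage(log):
    """Group grsec/PaX lines by event type; unrecognised lines are ignored."""
    denials, kills, stalls = Counter(), [], []
    for line in log.splitlines():
        if m := RLIMIT.search(line):
            # Logged refusal of a resource request, counted per binary and limit.
            denials[(m["path"], m["rlimit"])] += 1
        elif m := PAX_KILL.search(line):
            # PaX ended the task; PC is where execution was stopped.
            kills.append({"path": m["path"], "pid": int(m["pid"]), "pc": m["pc"]})
        elif m := STALL.search(line):
            stalls.append({"path": m["path"], "pid": int(m["pid"]),
                           "minutes": int(m["minutes"])})
    # A stall naming the PID of a PaX termination follows from it, not a new event.
    killed = {k["pid"] for k in kills}
    for s in stalls:
        s["follows_pax_kill"] = s["pid"] in killed
    return {"denials": denials, "kills": kills, "stalls": stalls}

if __name__ == "__main__":
    for kind, events in triage(SAMPLE).items():
        print(kind, dict(events) if isinstance(events, Counter) else events)
```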
Comment 11 razamatan 2014-04-15 08:05:06 UTC
i've updated to the pax settings outlined in

http://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Google_Chrome_15.0.874.106

and it still doesn't work.  :|
Comment 12 razamatan 2014-04-15 09:06:41 UTC
Created attachment 374960
grsec disabled kernel config

so i recompiled my kernel (genkernel derived, 3.13.6-hardened-r3) w/o any grsec or pax enabled.

there's no more grsec logs in my dmesg, but i'm still not getting any working nacl apps.
Comment 13 razamatan 2014-04-16 05:47:46 UTC
super odd.  when trying to revert the pax settings to default, i ended up just re-installing google-chrome.  turns out, after the reinstall, the demos work again.  i'll try slowly enabling grsec options and see if it'll keep working...

closing this bug and will open a new one if the issue arises again.