Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 906911

Summary: www-client/chromium-113.0.5672.126 built with gcc 12.3 crashes at startup due to UB in GetControlledFrameFeatureList()
Product: Gentoo Linux Reporter: Maciej S. Szmigiero <mail>
Component: Current packagesAssignee: Chromium Project <chromium>
Status: RESOLVED FIXED    
Severity: normal Keywords: PATCH, PullRequest
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.chromium.org/p/chromium/issues/detail?id=1447422
https://github.com/gentoo/gentoo/pull/31344
https://bugs.gentoo.org/show_bug.cgi?id=909198
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: fix

Description Maciej S. Szmigiero 2023-05-21 22:41:41 UTC 
www-client/chromium-113.0.5672.126 built with gcc version 12.3.0 (Gentoo Hardened 12.3.0 p2) crashes at startup in strlen() from BrowserProcessImpl::Init():
#0  0x00007ffff5f78559 in __strlen_avx2 () at /lib64/libc.so.6
#1  0x000055555dda6033 in BrowserProcessImpl::Init() ()
#2  0x000055555ddcfb06 in ChromeBrowserMainParts::PreCreateThreadsImpl() ()
#3  0x000055555ddd011d in ChromeBrowserMainParts::PreCreateThreads() ()

Specifically, it is trying to call strlen((char *)6).

That pointer value of 6 is *not* from a NULL pointer with offset deference but rather comes from GetControlledFrameFeatureList() in chrome/common/initialize_extensions_client.cc which literally returns 6:
0000000000000360 <_Z29GetControlledFrameFeatureListv>:
 360:   55                      push   %rbp
 361:   b8 06 00 00 00          mov    $0x6,%eax        <- HERE
 366:   48 89 e5                mov    %rsp,%rbp
 369:   48 8d 55 d0             lea    -0x30(%rbp),%rdx
 36d:   5d                      pop    %rbp
 36e:   c3                      ret

This is because this function tries to return a pointer to an object past its lifetime - "feature_list[]" has an automatic storage duration since it is declared as "constexpr const char*".

Note the unnecessary "const" here (implied by constexpr) - I assume the intention was to write "constexpr static char*" to declare a static constexpr object.

When "feature_list[]" is made static the generated code looks much more sane and the browser no longer crashes at startup.
Trivial patch to do this attached.
Comment 1 Maciej S. Szmigiero 2023-05-21 22:41:59 UTC 
Created attachment 862149 [details, diff]
fix
Comment 2 Maciej S. Szmigiero 2023-05-21 22:42:32 UTC 
Reported upstream at https://bugs.chromium.org/p/chromium/issues/detail?id=1447422 since the same code is present in chromium git master.
Comment 3 Dan Goodliffe 2023-05-23 10:22:19 UTC 
Had this problem and can confirm the patch fixes it for me too, thanks.
Comment 4 Mike Thompson 2023-06-08 12:20:00 UTC 
Confirmed:  encountered segmentation fault when starting Chromium; a GDB run showed the fault arose in libc.so.6.  Found the current bug report which identified issue that would manifest in libc, so rather than rebuild Chromium w/ debug symbols to investigate the cause, I simply tried the patch.  That did the trick.
Comment 5 Larry the Git Cow gentoo-dev 2023-06-10 05:09:28 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f747a372822f32bb299dc401b548db527c9a20f1

commit f747a372822f32bb299dc401b548db527c9a20f1
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-06-07 14:31:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-10 05:09:01 +0000

    www-client/chromium: add 114.0.5735.110
    
    Add myself as a maintainer
    
    Bug: https://bugs.gentoo.org/907999
    Closes: https://bugs.gentoo.org/906911
    Closes: https://bugs.gentoo.org/906962
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/31344
    Signed-off-by: Sam James <sam@gentoo.org>

 www-client/chromium/Manifest                       |    2 +
 www-client/chromium/chromium-114.0.5735.110.ebuild | 1268 ++++++++++++++++++++
 .../chromium/files/chromium-114-compiler.patch     |  171 +++
 www-client/chromium/files/chromium-114-gcc12.patch |   30 +
 .../chromium/files/chromium-114-sigsegv-dom.patch  |   73 ++
 www-client/chromium/metadata.xml                   |    8 +
 6 files changed, 1552 insertions(+)