[Kernel-packages] [Bug 1699772] Re: linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression: many user-space apps crashing

[Tiago Stürmer Daitx]

Regarding OpenJDK 8, it crashes as soon as Xss is set to (or higher
than) 1141K in a i386 JVM (32-bit).

I used the example code from bug #1700270. Please note that there is no
need to even use the java class: the program will segfault while
starting the JVM, so do remove lines 30-34 from either test_case1.c or
test_case2.c and set Xss to 1441K (or bigger).

The OpenJDK part where the stack location and size are calculated is in
os::Linux::capture_initial_stack() [1], specially
_initial_thread_stack_bottom [2].

>From GDB I was able to collect the following data from that function:
(gdb) p max_size
$1 = 1171456

Note: max_size is Xss rounded to vm_page_size(), thus 1144K [3].

(gdb) info locals
rlim = {rlim_cur = 8388608, rlim_max = 4294967295}
stack_size = 8380416
stack_start = 4294956864
p = 0xf7ffcf34 <__libc_stack_end>
stack_top = 4294959104
low = 0xfffdd000 ""
high = 0xffffe000 <error: Cannot access memory at address 0xffffe000>

(gdb) x p
0xf7ffcf34 <__libc_stack_end>:  0xffffd740
(gdb) x stack_top
0xffffe000:     Cannot access memory at address 0xffffe000
(gdb) x low
0xfffdd000:     0x00000000
(gdb) x high
0xffffe000:     Cannot access memory at address 0xffffe000
(gdb) p _initial_thread_stack_size
$43 = 1171456
(gdb) x _initial_thread_stack_bottom
0xffee0000:     0x00000000

Backtrace:
(gdb) bt
#0  os::Linux::capture_initial_stack (max_size=1171456) at 
./src/hotspot/src/os/linux/vm/os_linux.cpp:1272
#1  0xf7394287 in os::init_2 () at 
./src/hotspot/src/os/linux/vm/os_linux.cpp:4939
#2  0xf74ee886 in Threads::create_vm (args=0xffffd62c, canTryAgain=0xffffd5bf) 
at ./src/hotspot/src/share/vm/runtime/thread.cpp:3361
#3  0xf7151423 in JNI_CreateJavaVM (vm=0xffffd684, penv=0xffffd624, 
args=0xffffd62c) at ./src/hotspot/src/share/vm/prims/jni.cpp:5220
#4  0x5655561f in create_vm (jvm=0xffffd684) at test_case.c:16
#5  0x56555685 in main (argc=1, argv=0xffffd744) at test_case.c:25


That information is used by os::Linux::default_guard_size() [4] to fetch both 
'bottom' and 'size' used to indicate the start of the guard page - and it has a 
nice doc explaining the stack layout. The values from default_guard_size are in 
turn used by os::current_stack_base() [5] to calculate what should be the stack 
base.

Let me know if there's any additional information I can help with.

[1] 
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os/linux/vm/os_linux.cpp#l1081
[2] 
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os/linux/vm/os_linux.cpp#l1271
[3] 
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os/linux/vm/os_linux.cpp#l5010
[4] 
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os_cpu/linux_x86/vm/os_linux_x86.cpp#l714
[5] 
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/tip/src/os_cpu/linux_x86/vm/os_linux_x86.cpp#l745

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1699772

Title:
  linux-image-4.10.0-24-generic, linux-image-4.8.0-56-generic, linux-
  image-4.4.0-81-generic, linux-image-3.13.0-121-generic Regression:
  many user-space apps crashing

Status in LibreOffice:
  Won't Fix
Status in commons-daemon package in Ubuntu:
  Confirmed
Status in eclipse package in Ubuntu:
  Confirmed
Status in imagej package in Ubuntu:
  Confirmed
Status in libreoffice package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Confirmed
Status in octave package in Ubuntu:
  Confirmed
Status in python-jpype package in Ubuntu:
  Confirmed
Status in rustc package in Ubuntu:
  Confirmed
Status in scilab package in Ubuntu:
  Confirmed
Status in linux package in Debian:
  Confirmed

Bug description:
  Distribution: Ubuntu 16.04 x64 (Flavour: KDE Neon User Edition 5.10)

  linux-image-4.4.0-81-generic appears to contain a regression, probably
  related to the CVE-2017-1000364 fix backport / patch.

  Using this kernel, the Oracle Java browser plugin always crashes
  during stack-related actions on initialization. This means, the plugin
  completely stopped working.

  
  It works perfectly fine in linux-image-4.4.0-79-generic (vurlerable to 
CVE-2017-1000364) as well as linux-image-4.11.6-041106-generic, which also 
contains a fix for CVE-2017-1000364.


  uname -a:

  > Linux Zweiblum 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06
  UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


  I tested Oracle Java 1.8 u131 as well as 1.6 u64 in Firefox 51.0.1 as
  well as Iceweasel / Firefox/3.5.16 in a chroot.

  Using linux-image-4.4.0-81-generic it crashes in all combinations
  while with both other kernels it works.

  
  I was not able to obtain any detailed crash information from Firefox 51.0.1, 
but Iceweasel 3.5.16 crashed completely, allowing me to obtain a stack trace 
which shows the relation to stack operations performed by the plugin, even 
without proper debug symbols:

  
  > (gdb) bt full
  > #0  0x00007fa06d805307 in _expand_stack_to(unsigned char*) () from 
/opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
  > No symbol table info available.
  > #1  0x00007fa06d8053ae in os::Linux::manually_expand_stack(JavaThread*, 
unsigned char*) ()
  >    from /opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
  > No symbol table info available.
  > #2  0x00007fa06d80cf0b in JVM_handle_linux_signal () from 
/opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
  > No symbol table info available.
  > #3  0x00007fa06d802e13 in signalHandler(int, siginfo*, void*) () from 
/opt/java-8-oracle/jre/lib/amd64/server/libjvm.so
  > No symbol table info available.
  > #4  <signal handler called>

  
  I first assumed a bug in the Java plugin, but it works fine in Linux 4.11.6.

  
  The crash will be triggered by any applet, for example the test applet at:

  * https://java.com/en/download/installed8.jsp

  
  I'm running the Ubuntu 16.04 based KDE Neon distribution which somehow 
apparently does not allow me to use apport to report this bug:

  > $ LANG= apport-cli linux-image-4.4.0-81-generic
  > 
  > *** Collecting problem information
  > 
  > The collected information can be sent to the developers to improve the
  > application. This might take a few minutes.
  > .........
  > 
  > *** Problem in linux-image-4.4.0-81-generic
  > 
  > The problem cannot be reported:
  > 
  > This is not an official KDE package. Please remove any third party package 
and try again.

  If someone can tell me how to get apport working for this package, I
  can use it to collect additional information, but (unfortunately?) the
  problem should be fairly easy to reproduce...

To manage notifications about this bug go to:
https://bugs.launchpad.net/df-libreoffice/+bug/1699772/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp