[Webkit-unassigned] [Bug 212380] New: pthread_create() fails with EPERM in the second WebKitWebProcess with sandbox on

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 26 10:08:30 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=212380

            Bug ID: 212380
           Summary: pthread_create() fails with EPERM in the second
                    WebKitWebProcess with sandbox on
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcrha at redhat.com
                CC: bugs-noreply at webkitgtk.org

This is with WebKitGTK 2.28.2, when the sandboxing is enabled. The second WebKitWebView instance, which creates a new WebKitWebProcess, fails to call pthread_create(), which returns EPERM error code, which aborts this new WebProcess with an error on the terminal:

  terminate called after throwing an instance of 'std::system_error'
    what():  Operation not permitted

Found out that the problem is in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp, when I comment out this line:

        // Don't allow faking input to the controlling tty (CVE-2017-5226)
        { SCMP_SYS(ioctl), &ttyArg },

then it works properly.

Steps to reproduce:
a) run MiniBrowser as this from a terminal:

   $ WEBKIT_FORCE_SANDBOX=1 MiniBrowser

b) press Ctrl+T to open a new tab in it
c) type "aa" into the address bar and press Enter

The tab is kept empty, the terminal window contains the error from above.

Notes:
I can reproduce on my bare metal machine, but I cannot reproduce in a virtual machine.
Others do not face this too.

The pthread_create man page says:
    EPERM  No permission to set the scheduling policy and parameters specified in attr.

The backtrace for the terminate:

(gdb) bt full
#0  0x00007fbe37a2ba25 in raise () at /lib64/libc.so.6
#1  0x00007fbe37a14895 in abort () at /lib64/libc.so.6
#2  0x00007fbe33fba961 in __gnu_cxx::__verbose_terminate_handler() () at ../../../../libstdc++-v3/libsupc++/vterminate.cc:95
        terminating = true
        t = <optimized out>
#3  0x00007fbe33fc642c in __cxxabiv1::__terminate(void (*)()) (handler=<optimized out>) at ../../../../libstdc++-v3/libsupc++/eh_terminate.cc:48
#4  0x00007fbe33fc6497 in std::terminate() () at ../../../../libstdc++-v3/libsupc++/eh_terminate.cc:58
#5  0x00007fbe33fc6749 in __cxxabiv1::__cxa_throw(void*, std::type_info*, void (*)(void*))
    (obj=obj at entry=0x562a31c5eb70, tinfo=tinfo at entry=0x7fbe340ff550 <typeinfo for std::system_error>, dest=dest at entry=0x7fbe33ff47f0 <std::system_error::~system_error()>) at ../../../../libstdc++-v3/libsupc++/eh_throw.cc:95
        globals = <optimized out>
        header = 0x562a31c5eaf0
#6  0x00007fbe33fbd7e1 in std::__throw_system_error(int) (__i=1) at /usr/src/debug/gcc-10.1.1-1.fc32.x86_64/obj-x86_64-redhat-linux/x86_64-redhat-linux/libstdc++-v3/include/ext/new_allocator.h:89
#7  0x00007fbe33ff4d9d in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (this=this at entry=0x7fff1cad41b8, state=std::unique_ptr<std::thread::_State> = {...})
    at ../../../../../libstdc++-v3/src/c++11/thread.cc:139
        err = <optimized out>
#8  0x00007fbe36399ca8 in std::thread::thread<void (*)(bmalloc::Scavenger*), bmalloc::Scavenger*, void>(void (*&&)(bmalloc::Scavenger*), bmalloc::Scavenger*&&) (__f=<optimized out>, this=0x7fff1cad41b8)
    at /usr/include/c++/10/bits/unique_ptr.h:171
#9  bmalloc::Scavenger::Scavenger(std::lock_guard<bmalloc::Mutex> const&) (this=0x7fbe366ee780 <bmalloc::StaticPerProcessStorageTraits<bmalloc::Scavenger>::Storage::s_memory>) at ../Source/bmalloc/bmalloc/Scavenger.cpp:90
#10 0x00007fbe3639794e in bmalloc::StaticPerProcess<bmalloc::Scavenger>::getSlowCase() () at /usr/include/c++/10/new:175
        lock = {_M_device = @0x7fbe366ee808}
#11 0x00007fbe36393f1d in bmalloc::Heap::Heap(bmalloc::HeapKind, std::lock_guard<bmalloc::Mutex>&) () at /usr/include/c++/10/bits/atomic_base.h:741
#12 0x00007fbe36391b98 in bmalloc::PerHeapKindBase<bmalloc::Heap>::PerHeapKindBase<std::lock_guard<bmalloc::Mutex>&>(std::lock_guard<bmalloc::Mutex>&) (this=<optimized out>) at /usr/include/c++/10/new:175
        i = 2
        lock = {_M_device = @0x7fbe3af18020}
#13 bmalloc::PerHeapKind<bmalloc::Heap>::PerHeapKind<std::lock_guard<bmalloc::Mutex>&>(std::lock_guard<bmalloc::Mutex>&) (this=<optimized out>) at ../Source/bmalloc/bmalloc/PerHeapKind.h:95
        lock = {_M_device = @0x7fbe3af18020}
#14 bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase() () at ../Source/bmalloc/bmalloc/PerProcess.h:113
        lock = {_M_device = @0x7fbe3af18020}
#15 0x00007fbe3639121d in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::get() () at /usr/include/c++/10/array:185
        object = <optimized out>
#16 bmalloc::Cache::Cache(bmalloc::HeapKind) (this=0x7fbe3af1fd40, heapKind=bmalloc::HeapKind::JSValueGigacage) at ../Source/bmalloc/bmalloc/Cache.cpp:48
#17 0x00007fbe36391cb8 in bmalloc::PerHeapKindBase<bmalloc::Cache>::PerHeapKindBase<>() (this=0x7fbe3af19000) at /usr/include/c++/10/new:175
        i = 2
        t = 0x7fbe3af19000
#18 bmalloc::PerHeapKind<bmalloc::Cache>::PerHeapKind<>() (this=0x7fbe3af19000) at ../Source/bmalloc/bmalloc/PerHeapKind.h:95
        t = 0x7fbe3af19000
#19 bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase() () at ../Source/bmalloc/bmalloc/PerThread.h:145
        t = 0x7fbe3af19000
#20 0x00007fbe363913a1 in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (heapKind=heapKind at entry=bmalloc::HeapKind::Primary, size=1) at ../Source/bmalloc/bmalloc/Cache.cpp:65
#21 0x00007fbe3632b513 in bmalloc::Cache::allocate(bmalloc::HeapKind, unsigned long) (size=<optimized out>, heapKind=bmalloc::HeapKind::Primary) at DerivedSources/ForwardingHeaders/bmalloc/Cache.h:81
        caches = <optimized out>
#22 bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) (kind=bmalloc::HeapKind::Primary, size=<optimized out>) at DerivedSources/ForwardingHeaders/bmalloc/bmalloc.h:49
#23 WTF::fastMalloc(unsigned long) (size=<optimized out>) at ../Source/WTF/wtf/FastMalloc.cpp:483
#24 0x00007fbe33ff3900 in __once_proxy () at ../../../../../libstdc++-v3/src/c++11/system_error.cc:379
#25 0x00007fbe35f7390c in operator() (__closure=<optimized out>) at ../Source/JavaScriptCore/runtime/InitializeThreading.cpp:78
        thread = <optimized out>
        initializeThreadingOnceFlag = {_M_once = 1}
#26 std::__invoke_impl<void, JSC::initializeThreading()::<lambda()> > (__f=...) at /usr/include/c++/10/bits/invoke.h:60
        initializeThreadingOnceFlag = {_M_once = 1}
#27 std::__invoke<JSC::initializeThreading()::<lambda()> > (__fn=...) at /usr/include/c++/10/bits/invoke.h:95
        initializeThreadingOnceFlag = {_M_once = 1}
#28 operator() (this=<optimized out>) at /usr/include/c++/10/mutex:717
        initializeThreadingOnceFlag = {_M_once = 1}
#29 operator() (this=0x0) at /usr/include/c++/10/mutex:722
        initializeThreadingOnceFlag = {_M_once = 1}
#30 _FUN() () at /usr/include/c++/10/mutex:722
        initializeThreadingOnceFlag = {_M_once = 1}
#31 0x00007fbe34af5acf in __pthread_once_slow () at /lib64/libpthread.so.0
#32 0x00007fbe35f745c1 in __gthread_once (__func=<optimized out>, __once=0x7fbe366e5fc8 <JSC::initializeThreading()::initializeThreadingOnceFlag>) at /usr/include/c++/10/x86_64-redhat-linux/bits/gthr-default.h:700
        __callable = {____f = @0x7fff1cad43df}
        __e = <optimized out>
        initializeThreadingOnceFlag = {_M_once = 1}
#33 std::call_once<JSC::initializeThreading()::<lambda()> > (__once=..., __f=...) at /usr/include/c++/10/mutex:729
        __callable = {____f = @0x7fff1cad43df}
        __e = <optimized out>
        initializeThreadingOnceFlag = {_M_once = 1}
#34 JSC::initializeThreading() () at ../Source/JavaScriptCore/runtime/InitializeThreading.cpp:65
        initializeThreadingOnceFlag = {_M_once = 1}
#35 0x00007fbe3859751d in WebKit::InitializeWebKit2() () at ../Source/WebKit/Shared/WebKit2Initialize.cpp:42
#36 0x00007fbe3895c315 in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) (argc=3, argv=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/text/StringImpl.h:1110
        auxiliaryMain = 
              {<WebKit::AuxiliaryProcessMainBase> = {_vptr.AuxiliaryProcessMainBase = 0x7fbe3acba0b0 <vtable for WebKit::WebProcessMainGtk+16>, m_parameters = {uiProcessName = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, clientIdentifier = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, processIdentifier = {<WTF::constexpr_Optional_base<WTF::ObjectIdentifier<WebCore::ProcessIdentifierType> >> = {init_ = true, storage_ = {dummy_ = 42 '*', value_ = {<WTF::ObjectIdentifierBase> = {<No data fields>}, m_identifier = 2090, static m_generationProtected = false}}}, <No data fields>}, connectionIdentifier = 33, extraInitializationData = {m_impl = {static smallMaxLoadNumerator = <optimized out>, static smallMaxLoadDenominator = <optimized out>, static largeMaxLoadNumerator = <optimized out>, static largeMaxLoadDenominator = <optimized out>, static maxSmallTableCapacity = <optimized out>, static minLoad = <optimized out>, static tableSizeOffset = <optimized out>, static tableSizeMaskOffset = <optimized out>, static keyCountOffset = <optimized out>, static deletedCountOffset = <optimized out>, static metadataSize = <optimized out>, m_table = 0x0}}, processType = WebKit::AuxiliaryProcess::ProcessType::WebContent}}, <No data fields>}
#37 0x00007fbe37a16042 in __libc_start_main () at /lib64/libc.so.6
#38 0x0000562a3005b86e in _start ()
(gdb) f 5
#5  0x00007fbe33fc6749 in __cxxabiv1::__cxa_throw (obj=obj at entry=0x562a31c5eb70, tinfo=tinfo at entry=0x7fbe340ff550 <typeinfo for std::system_error>, dest=dest at entry=0x7fbe33ff47f0 <std::system_error::~system_error()>)
    at ../../../../libstdc++-v3/libsupc++/eh_throw.cc:95
95        std::terminate ();
(gdb) p *((std::system_error *) obj)
$2 = {<std::runtime_error> = {<std::exception> = {_vptr.exception = 0x7fbe340ff698 <vtable for std::system_error+16>}, _M_msg = "Operation not permitted"}, _M_code = {_M_value = 1, 
    _M_cat = 0x7fbe341081e8 <(anonymous namespace)::generic_category_instance>}}

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200526/3541442a/attachment-0001.htm>

More information about the webkit-unassigned mailing list