Bug 965356

Summary: Chromium: Check failed: NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid_)
Product: [openSUSE] openSUSE Distribution
Reporter: Thomas Formella <thomas-formella>
Component: Network
Assignee: Jiri Slaby <jslaby>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P2 - High
CC: aloisio, astieger, auxsvr, fhassel, forgotten_5AjadAhsgi, forgotten_DzFMRji8Zm, forgotten_LBEQ0ynSVK, forgotten_rn3EW6yyNk, forgotten_sM9JzehKpy, forgotten_XYXg6FVhXD, fredsie, gjjohnson, jeffm, jslaby, kolAflash, landis.reed, markus.zimmermann, martin, mbenes, meissner, mpluskal, nico.kruber, olivier, robert.simai, sinopticsaid, steve.moring, syl-novell-mji, teletwo, tiwai, wvvelzen
Version: 13.2   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE 13.2   

Description Thomas Formella 2016-02-05 16:41:23 UTC
Chromium doesn't start anymore:


thomas@linux-xxxx:~> chromium
Check failed: NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid_)

Version: 48.0.2564.82-67.1-i586
Comment 1 Marcus Meissner 2016-02-05 20:57:28 UTC
These changes look related.

commit 3836c309b5c1bfa8de5d74dfa3e7025a9a684bb3
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Nov 27 12:21:19 2015 +0100

    userns: Only allow the creator of the userns unprivileged
    mappings (bnc#906545 CVE-2014-8989).

commit acfa70b8c9980b5657484caf3b577689bcae4eb9
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Nov 27 12:21:19 2015 +0100

    userns: Check euid no fsuid when establishing an unprivileged
    uid mapping (bnc#906545 CVE-2014-8989).

commit 5cc48d70925926667576ca885da0251bea9d76b9
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Nov 27 12:21:19 2015 +0100

    userns: Don't allow unprivileged creation of gid mappings
    (bnc#906545 CVE-2014-8989).
Comment 2 Marcus Meissner 2016-02-05 21:01:19 UTC
*** Bug 965308 has been marked as a duplicate of this bug. ***
Comment 3 Takashi Iwai 2016-02-05 21:15:30 UTC
It seems that more backports are needed:

f0d62aec931e4ae3333c797d346dc4f188f454ba
  userns: Rename id_map_mutex to userns_state_mutex

9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8
  userns: Add a knob to disable setgroups on a per user namespace basis

66d2f338ee4c449396b6f99f5e75cd18eb6df272
  userns: Allow setting gid_maps without privilege when setgroups is disabled

The second patch breaks kABI, so a fixup is needed as well.

I prepared a test kernel in OBS home:tiwai:bnc965308 repo.  The packages are being built now.  Please check the package later, and let me know whether it works for you.
Comment 4 Timothy Hall 2016-02-06 21:41:31 UTC
I also have this issue with openSUSE 13.2 x86_64 after the new kernel update (kernel-desktop-3.16.7-32.1.x86_64) when using Google Chrome (stable)...

Running "google-chrome-stable" from konsole will give the error "Check failed: NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid_)"...

If I run "google-chrome-stable --disable-namespace-sandbox" Google Chrome will launch.  That can be found at the following URL...
https://code.google.com/p/chromium/issues/detail?id=480017

Not sure if this is relevant but I notice there is no "/proc/self/setgroups"...

Thanks!
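A way to test a running kernel for the state described in comments 1, 3 and 4 (gid_map writes restricted, but no /proc/self/setgroups knob). This is an added example, not code from this bug report, the kernel patches or Chromium; the names `classify`, `probe_userns_gid_map` and the `V_*` verdicts are hypothetical, and the identity gid mapping is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define CLONE_NEWUSER 0x10000000   /* same value as in the kernel headers */
enum verdict { V_OK, V_NO_USERNS, V_NEEDS_SETGROUPS_KNOB, V_GID_MAP_REFUSED };

/* Write a short string to a /proc file; returns 0 or a negative errno. */
static int write_proc(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, s, strlen(s));
    int rc = n == (ssize_t)strlen(s) ? 0 : (n < 0 ? -errno : -EIO);
    close(fd);
    return rc;
}

/* Pure decision logic: refused gid_map plus missing setgroups file is this bug. */
enum verdict classify(int unshare_rc, int setgroups_rc, int gid_map_rc) {
    if (unshare_rc != 0) return V_NO_USERNS;
    if (gid_map_rc == 0) return V_OK;
    if (setgroups_rc == -ENOENT) return V_NEEDS_SETGROUPS_KNOB;
    return V_GID_MAP_REFUSED;
}

/* Probe in a forked child so the caller's own namespaces stay untouched. */
enum verdict probe_userns_gid_map(void) {
    char map[64];   /* built before unshare, while the real gid is still visible */
    snprintf(map, sizeof map, "%u %u 1", (unsigned)getegid(), (unsigned)getegid());
    pid_t pid = fork();
    if (pid < 0) return V_NO_USERNS;
    if (pid == 0) {
        int s = 0, g = 0, u = syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : -errno;
        if (u == 0) {
            s = write_proc("/proc/self/setgroups", "deny");  /* knob from comment 3 */
            g = write_proc("/proc/self/gid_map", map);       /* the failing write */
        }
        _exit(classify(u, s, g));
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return V_NO_USERNS;
    return (enum verdict)WEXITSTATUS(st);
}

int main(void) {
    static const char *msg[] = { "gid_map write accepted", "user namespaces unavailable",
        "gid_map refused, no /proc/self/setgroups: knob not backported", "gid_map refused" };
    return puts(msg[probe_userns_gid_map()]) < 0;
}
```

Run it as the unprivileged user who starts the browser; a process that holds CAP_SETGID in the parent namespace can write gid_map either way.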
Comment 5 Takashi Iwai 2016-02-07 08:24:59 UTC
Before anyone adds another "me-too" message: please check whether the kernel mentioned in comment 3 works.
Comment 6 Ilya Shevchenko 2016-02-07 12:58:42 UTC
I have installed the kernel package from comment 3 and it fixed it for me.
Comment 7 Takashi Iwai 2016-02-07 14:47:11 UTC
Great, thanks for testing.

I pushed the branch.  Jeff, could you pull it and resubmit for release?
Comment 8 Timothy Hall 2016-02-07 16:07:25 UTC
Using the patch from comment 3 fixes the issue for me as well on openSUSE 13.2 x86_64 with google-chrome-stable.

Thanks!!
Comment 9 Takashi Iwai 2016-02-07 17:28:29 UTC
Good to hear.  Since this is a major regression, we should release a quick fix, IMO.
Comment 10 Forgotten User LBEQ0ynSVK 2016-02-07 18:43:22 UTC
I am responding to a request by Saurland in the forums to "leave a message".

This bug has resurfaced after the last update of 13.2. Chrome will not launch. Several people are affected. The current workaround is to issue:

/usr/bin/google-chrome-stable %U --disable-namespace-sandbox

Here is additional output from my CLI:

[17624:17654:0207/192322:ERROR:logging.h(808)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.kwalletd was not provided by any .service files
[17624:17654:0207/192322:ERROR:native_backend_kwallet_x.cc(411)] Error contacting kwalletd (isEnabled)
[17624:17654:0207/192322:ERROR:logging.h(808)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd: org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
[17624:17654:0207/192322:ERROR:native_backend_kwallet_x.cc(411)] Error contacting kwalletd (isEnabled)
[WARNING:flash/platform/pepper/pep_module.cpp(63)] SANDBOXED

Hope this helps.
Comment 11 Takashi Iwai 2016-02-07 19:07:08 UTC
Did you test the kernel package in comment 3?  The fix is being processed now.
  http://download.opensuse.org/repositories/home:/tiwai:/bnc965308/standard/
Comment 12 Marcus Meissner 2016-02-07 19:14:21 UTC
JeffM, please submit when ready, we will push it through our process
Comment 13 Olivier Calle 2016-02-08 18:06:24 UTC
I also experienced this bug when trying to launch Google Chrome. Switching to the kernel in comment 3 fixed the issue for me on 13.2 x86_64.
Comment 17 Robert Simai 2016-02-09 10:40:16 UTC
I can confirm chromium starts again and appears to be fully functional with the patched kernel, I however see some weird console output that I've not seen before:

-->--
robert@theano:~> uname -a
Linux theano 3.16.7-1.g8fa110a-desktop #1 SMP PREEMPT Fri Feb 5 20:54:35 UTC 2016 (8fa110a) x86_64 x86_64 x86_64 GNU/Linux
--<--

-->--
robert@theano:~> chromium 
libva info: VA-API version 0.34.0
libva info: va_getDriverName() returns 0
libva info: Trying to open /usr/lib64/dri/nouveau_drv_video.so
libva info: va_openDriver() returns -1
[3389:3389:0209/112919:FATAL:sandbox_seccomp_bpf_linux.cc(203)] Check failed: policy->PreSandboxHook(). 
#0 0x7f0df41d945e base::debug::StackTrace::StackTrace()
#1 0x7f0df41f4bc7 logging::LogMessage::~LogMessage()
#2 0x7f0dfb54cefb <unknown>
#3 0x7f0dfb54c19a <unknown>
#4 0x7f0dfb54c4e4 <unknown>
#5 0x7f0dfb5529cd <unknown>
#6 0x7f0dfb554256 <unknown>
#7 0x7f0dfafedfa5 <unknown>
#8 0x7f0dfafed521 content::ContentMain()
#9 0x7f0dff85eea8 <unknown>
#10 0x7f0deac06b05 __libc_start_main
#11 0x7f0dff85ed75 <unknown>

Received signal 6
#0 0x7f0df41d945e base::debug::StackTrace::StackTrace()
#1 0x7f0df41d9543 <unknown>
#2 0x7f0deaf9b890 <unknown>
#3 0x7f0deac1a187 __GI_raise
#4 0x7f0deac1b538 __GI_abort
#5 0x7f0df41d7f55 base::debug::BreakDebugger()
#6 0x7f0df41f4c55 logging::LogMessage::~LogMessage()
#7 0x7f0dfb54cefb <unknown>
#8 0x7f0dfb54c19a <unknown>
#9 0x7f0dfb54c4e4 <unknown>
#10 0x7f0dfb5529cd <unknown>
#11 0x7f0dfb554256 <unknown>
#12 0x7f0dfafedfa5 <unknown>
#13 0x7f0dfafed521 content::ContentMain()
#14 0x7f0dff85eea8 <unknown>
#15 0x7f0deac06b05 __libc_start_main
#16 0x7f0dff85ed75 <unknown>
  r8: ffff9302266d0918  r9: ffff9302266d0908 r10: 0000000000000008 r11: 0000000000000202
 r12: 00007ffca77d5d88 r13: 0000000000000000 r14: 00007ffca77d5920 r15: 00000000000000e9
  di: 0000000000000d3d  si: 0000000000000d3d  bp: 00007f0deb9c83e0  bx: 00007ffca77d5d80
  dx: 0000000000000006  ax: 0000000000000000  cx: ffffffffffffffff  sp: 00007ffca77d5598
  ip: 00007f0deac1a187 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
[3325:3348:0209/112919:ERROR:browser_gpu_channel_host_factory.cc(132)] Failed to launch GPU process.
--<--
Comment 21 Landis Two 2016-02-09 13:51:57 UTC
Question:
How will I (we) know the patch has been applied and is available?

If I follow the bug, kernel-source commits (news) and Jeff's commits, it looks 'done'.

Where and when will it be pushed to update repo?

https://en.opensuse.org/Portal:Kernel
http://kernel.opensuse.org/cgit/kernel/log/?h=openSUSE-13.2
Jeff's commit diff: 
http://kernel.opensuse.org/cgit/kernel-source/commit/?id=b989cb47308a35ed4aa27358645c76a4845e307f

Thanks,
Comment 22 Bernhard Wiedemann 2016-02-09 14:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (965356) was mentioned in
https://build.opensuse.org/request/show/358554 13.2 / kernel-source
Comment 23 Andreas Stieger 2016-02-09 14:19:27 UTC
(In reply to Landis Two from comment #21)
> How will I (we) know the patch has been applied and is available?

A notification will be posted as a comment in this bug.

The pre-release package will appear first in:
http://download.opensuse.org/update/13.2-test/
Comment 24 Landis Two 2016-02-09 14:45:57 UTC
(In reply to Andreas Stieger from comment #23)
> (In reply to Landis Two from comment #21)
> > How will I (we) know the patch has been applied and is available?
> 
> A notification will be posted as a comment in this bug.
> 
> The pre-release package will appear first in:
> http://download.opensuse.org/update/13.2-test/

Thank You!
Comment 25 Andreas Stieger 2016-02-10 13:26:42 UTC
Confirmed fixed with proposed maintenance update for openSUSE 13.2

kernel-desktop-3.16.7-35.1.x86_64 (3.16.7-35-desktop)

As people were asking for a preview:
http://download.opensuse.org/update/13.2-test/
http://download.opensuse.org/repositories/openSUSE:/Maintenance:/4659/
Comment 26 Andreas Stieger 2016-02-10 13:33:39 UTC
output from comment #17 still present
Comment 27 Robert Simai 2016-02-10 16:18:22 UTC
(In reply to Andreas Stieger from comment #26)
> output from comment #17 still present

I quickly verified with some previous kernels (3.16.7-24 and 3.16.7-29) and this (or similar) console output exists too, seems I was mistaken! As it's not present when running google-chrome I rather suspect some chromium weirdness and nothing related to this kernel.
Comment 28 Andreas Stieger 2016-02-10 16:29:24 UTC
(In reply to Robert Simai from comment #27)
> (In reply to Andreas Stieger from comment #26)
> > output from comment #17 still present
> 
> I quickly verified with some previous kernels (3.16.7-24 and 3.16.7-29) and
> this (or similar) console output exists too, seems I was mistaken! As it's
> not present when running google-chrome I rather suspect some chromium
> weirdness and nothing related to this kernel.

bug 966082 : chromium: sandbox related stacktrace printed
Comment 29 Landis Two 2016-02-12 02:28:29 UTC
Using 'test' kernel 3.16.7-35.1 from http://download.opensuse.org/update/13.2-test/ google-chrome-beta starts once more.

I have not had other issues with the test kernel.

Thank You.
Comment 30 Marcus Meissner 2016-02-12 08:57:27 UTC
The update took 2 days to build due to aarch64 using a slow qemu host, sorry.

The QA team will pick it up next week, I expect released around Wednesday.
Comment 31 Andreas Stieger 2016-02-13 19:30:45 UTC
*** Bug 966600 has been marked as a duplicate of this bug. ***
Comment 32 David Hodgson 2016-02-13 19:43:58 UTC
works for me.  Thanks.
Comment 33 Olivier Calle 2016-02-19 00:33:17 UTC
Do you know when this would land in 13.2? It would be nice to only reboot once for this bug and the glibc bug which landed today.
Comment 34 Simcha Lerner 2016-02-21 12:24:57 UTC
(In reply to Marcus Meissner from comment #30)
> The update took 2 days to build due to aarch64 using a slow qemu host, sorry.
> 
> The QA team will pick it up next week, I expect released around Wednesday.

Any update on when this will be released?

This has inconvenienced a lot of people, with many unaware of what went wrong or how to work around it.

Several people that I provide openSUSE support to had not found out about how to get around this problem and were unhappy that they were having to use Firefox.

Thanks!
Comment 35 Andreas Stieger 2016-02-21 18:18:32 UTC
Still in QA, sorry.
Will go out as soon as it's through.
Comment 36 Marcus Meissner 2016-02-22 07:21:43 UTC
I have just released it, will be available in 1 hour or so.

Sorry it took so long.
Comment 37 Swamp Workflow Management 2016-02-22 11:12:24 UTC
openSUSE-SU-2016:0537-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 907378,961500,963767,965308,965356
CVE References: CVE-2016-0723,CVE-2016-2069
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.17.1, cloop-2.639-14.17.1, crash-7.0.8-17.1, hdjmod-1.28-18.18.1, ipset-6.23-17.1, kernel-debug-3.16.7-35.1, kernel-default-3.16.7-35.1, kernel-desktop-3.16.7-35.1, kernel-docs-3.16.7-35.2, kernel-ec2-3.16.7-35.1, kernel-obs-build-3.16.7-35.2, kernel-obs-qa-3.16.7-35.1, kernel-obs-qa-xen-3.16.7-35.1, kernel-pae-3.16.7-35.1, kernel-source-3.16.7-35.1, kernel-syms-3.16.7-35.1, kernel-vanilla-3.16.7-35.1, kernel-xen-3.16.7-35.1, pcfclock-0.44-260.17.1, vhba-kmp-20140629-2.17.1, virtualbox-4.3.36-43.2, xen-4.4.3_08-40.1, xtables-addons-2.6-17.1
Comment 38 Olivier Calle 2016-02-22 18:32:58 UTC
(In reply to Marcus Meissner from comment #36)
> I have just released it, will be available in 1 hour or so.
> 
> Sorry it took so long.

Please forgive me if I misunderstand something about the process, but it looks like something is still not right. The release announcement showed up on security-announce about 7 hours ago, but right now (~18:30 UTC) the latest kernel is still 3.16.7-32.1 here: http://download.opensuse.org/update/13.2/x86_64/ when it should be -35.1, right?
Comment 39 Andreas Stieger 2016-02-22 21:32:42 UTC
(In reply to Olivier Calle from comment #38)
> Please forgive me if I misunderstand something about the process, but it
> looks like something is still not right. The release announcement showed up
> on security-announce about 7 hours ago, but right now (~18:30 UTC) the
> latest kernel is still 3.16.7-32.1 here:
> http://download.opensuse.org/update/13.2/x86_64/ when it should be -35.1,
> right?

Something went wrong putting up the binaries. This is being worked on.
Comment 40 Andreas Stieger 2016-02-23 06:30:33 UTC
(In reply to Andreas Stieger from comment #39)
> Something went wrong putting up the binaries. This is being worked on.

These are now up for everyone's updating pleasure.
Comment 41 Ilya Shevchenko 2016-02-23 09:13:43 UTC
Thanks! Good job!
Comment 42 Forgotten User XYXg6FVhXD 2016-02-23 11:03:22 UTC
Dear Friends.. I have applied the updates and rebooted my system.

I still cannot open Chromium the normal way.

I only can open it as suggested with "chromium --disable-namespace-sandbox"

I'm lost, any idea why the update did not correct this issue?

Thanks
Comment 43 Robert Simai 2016-02-23 11:07:28 UTC
Works for me, with the new (desktop-) kernel:

robert@theano:~> uname -a
Linux theano 3.16.7-35-desktop #1 SMP PREEMPT Sun Feb 7 17:32:21 UTC 2016 (832c776) x86_64 x86_64 x86_64 GNU/Linux
Comment 44 Forgotten User XYXg6FVhXD 2016-02-23 11:39:21 UTC
Now working.. Thanks a lot !
Comment 45 Simcha Lerner 2016-02-23 17:32:01 UTC
(In reply to Pedro Montes de Oca from comment #42)
> Dear Friends.. I have applied the updates and rebooted my system.
> 
> I still cannot open Chromium the normal way.
> 
> I only can open it as suggested with "chromium --disable-namespace-sandbox"
> 
> I'm lost, any idea why the update did not correct this issue?
> 
> Thanks

First thing to do is see if you are actually booting the new kernel.

"uname -r" should show "3.16.7-35-desktop"

If it isn't, things to check include whether your grub boot menu is defaulting to another kernel version or whether you need to fix symlinks in /boot.

If you are running the latest kernel, something may be bollixed with chrome.  Temporarily rename ~/.config/google-chrome to something else and do a forced reinstall of chrome to see if this fixes things.  (I've found that chrome's --disable-extensions option isn't a full safe mode equivalent, so I use the above brute force method instead.)

Hope you manage to get things straightened out.  This update, once it hit the repo, fixed the chrome problem for myself and the local users that I support.

Good luck and let us know how it works out.
Comment 46 Forgotten User XYXg6FVhXD 2016-02-23 19:24:50 UTC
(In reply to Simcha Lerner from comment #45)
> (In reply to Pedro Montes de Oca from comment #42)
> > Dear Friends.. I have applied the updates and rebooted my system.
> > 
> > I still cannot open Chromium the normal way.
> > 
> > I only can open it as suggested with "chromium --disable-namespace-sandbox"
> > 
> > I'm lost, any idea why the update did not correct this issue?
> > 
> > Thanks
> 
> First thing to do is see if you are actually booting the new kernel.
> 
> "uname -r" should show "3.16.7-35-desktop"
> 
> If it isn't, things to check include whether your grub boot menu is
> defaulting to another kernel version or whether you need to fix symlinks in
> /boot.
> 
> If you are running the latest kernel, something may be bollixed with chrome.
> Temporarily rename ~/.config/google-chrome to something else and do a forced
> reinstall of chrome to see if this fixes things.  (I've found that chrome's
> --disable-extensions option isn't a full safe mode equivalent, so I use the
> above brute force method instead.)
> 
> Hope you manage to get things straightened out.  This update, once it hit
> the repo, fixed the chrome problem for myself and the local users that I
> support.
> 
> Good luck and let us know how it works out.

Dear Simcha

Exactly.. I realized my system was not booting the new kernel and I reported immediately here as well as "Resolved".

Now all is OK.

Thank You !