
Bug#1004368: chromium: "Stack smashing detected" messages


Spiky Caterpillar

Jan 25, 2022, 9:00:05 PM
Package: chromium
Version: 97.0.4692.99-1~deb11u2
Severity: normal
X-Debbugs-Cc: spikycaterpil...@deekoo.net

Chromium complains about stack smashing whenever started. I'm starting it from
an xterm, and the output when starting to a blank tab with Google as the search
engine is:

[122740:122740:0126/025300.330856:ERROR:gpu_init.cc(457)] Passthrough is not supported, GL is disabled, ANGLE is
[122696:122727:0126/025301.818616:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018
*** stack smashing detected ***: terminated
*** stack smashing detected ***: terminated
[122696:122727:0126/025304.329684:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[122696:122727:0126/025304.329873:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
*** stack smashing detected ***: terminated

With Google as the default search engine, opening a new tab will give me two
more "*** stack smashing detected ***: terminated" lines.

(Note: I disabled hardware acceleration to see if it would make the stack
smashing go away, it didn't.)

If I set the default search engine to Debian, I get:

[122448:122448:0126/025217.558330:ERROR:gpu_init.cc(457)] Passthrough is not supported, GL is disabled, ANGLE is
[122405:122461:0126/025219.779173:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018
[122405:122432:0126/025221.869024:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[122405:122432:0126/025221.869057:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
*** stack smashing detected ***: terminated

The stack smashing messages go away when I upgrade to 97.0.4692.99-1 (in
unstable).


I don't see stack smashing messages running Chromium 100.0.4853.0 (Build
revision 963308, linux binary downloaded from chromium.org's recommended
source).
I also don't see stack smashing messages if I switch to unstable and upgrade
Chromium to 97.0.4692.99-1 (which pulls in an updated libc, among other
things; I'll include the system info for the unstable version in this message
too).

Ordinarily I wouldn't bother reporting a bug that appears fixed in unstable,
but the stack smashing messages seem like they may be a sign of a security
hole - and the fact that they appear linked to third-party network service
integration makes them seem a bit ominous.


-- System Information (stable, shows bug):
Debian Release: 11.2
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium depends on:
ii chromium-common 97.0.4692.99-1~deb11u2
ii libasound2 1.2.4-1.1
ii libatk-bridge2.0-0 2.38.0-1
ii libatk1.0-0 2.36.0-2
ii libatomic1 10.2.1-6
ii libatspi2.0-0 2.38.0-4
ii libc6 2.31-13+deb11u2
ii libcairo2 1.16.0-5
ii libcups2 2.3.3op2-3+deb11u1
ii libdbus-1-3 1.12.20-2
ii libdrm2 2.4.104-1
ii libevent-2.1-7 2.1.12-stable-1
ii libexpat1 2.2.10-2
ii libflac8 1.3.3-2
ii libfontconfig1 2.13.1-4.2
ii libfreetype6 2.10.4+dfsg-1
ii libgbm1 20.3.5-1
ii libgcc-s1 10.2.1-6
ii libglib2.0-0 2.66.8-1
ii libharfbuzz0b 2.7.4-1
ii libicu67 67.1-7
ii libjpeg62-turbo 1:2.0.6-4
ii libjsoncpp24 1.9.4-4
ii liblcms2-2 2.12~rc1-2
ii libminizip1 1.1-8+b1
ii libnspr4 2:4.29-1
ii libnss3 2:3.61-1+deb11u2
ii libopenjp2-7 2.4.0-3
ii libopus0 1.3.1-0.1
ii libpango-1.0-0 1.46.2-3
ii libpng16-16 1.6.37-3
ii libpulse0 14.2-2
ii libre2-9 20210201+dfsg-1
ii libsnappy1v5 1.1.8-1
ii libstdc++6 10.2.1-6
ii libwebp6 0.6.1-2.1
ii libwebpdemux2 0.6.1-2.1
ii libwebpmux3 0.6.1-2.1
ii libx11-6 2:1.7.2-1
ii libxcb1 1.14-3
ii libxcomposite1 1:0.4.5-1
ii libxdamage1 1:1.1.5-2
ii libxext6 2:1.3.3-1.1
ii libxfixes3 1:5.0.3-2
ii libxkbcommon0 1.0.3-2
ii libxml2 2.9.10+dfsg-6.7
ii libxrandr2 2:1.5.1-1
ii libxslt1.1 1.1.34-4
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages chromium recommends:
ii chromium-sandbox 97.0.4692.99-1~deb11u2

Versions of packages chromium suggests:
pn chromium-driver <none>
pn chromium-l10n <none>
pn chromium-shell <none>

Versions of packages chromium-common depends on:
ii libc6 2.31-13+deb11u2
ii libstdc++6 10.2.1-6
ii libx11-6 2:1.7.2-1
ii libxext6 2:1.3.3-1.1
ii x11-utils 7.7+5
ii xdg-utils 1.1.3-4.1
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages chromium-common recommends:
ii chromium-sandbox 97.0.4692.99-1~deb11u2
ii fonts-liberation 1:1.07.4-11
ii gnome-flashback [notification-daemon] 3.38.0-2
ii gnome-shell [notification-daemon] 3.38.6-1~deb11u1
ii libgl1-mesa-dri 20.3.5-1
ii libu2f-udev 1.1.10-3
ii notification-daemon 3.20.0-4
ii system-config-printer 1.5.14-1
ii upower 0.99.11-2

Versions of packages chromium-sandbox depends on:
ii libc6 2.31-13+deb11u2

-- no debconf information

-- System Information (unstable, does not show bug):
Debian Release: 11.2
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium depends on:
ii chromium-common 97.0.4692.99-1
ii libasound2 1.2.4-1.1
ii libatk-bridge2.0-0 2.38.0-1
ii libatk1.0-0 2.36.0-2
ii libatomic1 10.2.1-6
ii libatspi2.0-0 2.38.0-4
ii libc6 2.33-4
ii libcairo2 1.16.0-5
ii libcups2 2.3.3op2-3+deb11u1
ii libdbus-1-3 1.12.20-2
ii libdrm2 2.4.104-1
ii libevent-2.1-7 2.1.12-stable-1
ii libexpat1 2.2.10-2
ii libflac8 1.3.3-2
ii libfontconfig1 2.13.1-4.2
ii libfreetype6 2.11.1+dfsg-1
ii libgbm1 20.3.5-1
ii libgcc-s1 10.2.1-6
ii libglib2.0-0 2.66.8-1
ii libharfbuzz0b 2.7.4-1
ii libicu67 67.1-7
ii libjpeg62-turbo 1:2.0.6-4
ii libjsoncpp25 1.9.5-2
ii liblcms2-2 2.12~rc1-2
ii libminizip1 1.1-8+b1
ii libnspr4 2:4.29-1
ii libnss3 2:3.61-1+deb11u2
ii libopenjp2-7 2.4.0-3
ii libopus0 1.3.1-0.1
ii libpango-1.0-0 1.46.2-3
ii libpng16-16 1.6.37-3
ii libpulse0 14.2-2
ii libre2-9 20210201+dfsg-1
ii libsnappy1v5 1.1.8-1
ii libstdc++6 11.2.0-14
ii libwebp6 0.6.1-2.1
ii libwebpdemux2 0.6.1-2.1
ii libwebpmux3 0.6.1-2.1
ii libx11-6 2:1.7.2-1
ii libxcb1 1.14-3
ii libxcomposite1 1:0.4.5-1
ii libxdamage1 1:1.1.5-2
ii libxext6 2:1.3.3-1.1
ii libxfixes3 1:5.0.3-2
ii libxkbcommon0 1.0.3-2
ii libxml2 2.9.10+dfsg-6.7
ii libxrandr2 2:1.5.1-1
ii libxslt1.1 1.1.34-4
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages chromium recommends:
ii chromium-sandbox 97.0.4692.99-1~deb11u2

Versions of packages chromium suggests:
pn chromium-driver <none>
pn chromium-l10n <none>
pn chromium-shell <none>

Versions of packages chromium-common depends on:
ii libc6 2.33-4
ii libstdc++6 11.2.0-14
ii libx11-6 2:1.7.2-1
ii libxext6 2:1.3.3-1.1
ii x11-utils 7.7+5
ii xdg-utils 1.1.3-4.1
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages chromium-common recommends:
ii chromium-sandbox 97.0.4692.99-1~deb11u2
ii fonts-liberation 1:1.07.4-11
ii gnome-flashback [notification-daemon] 3.38.0-2
ii gnome-shell [notification-daemon] 3.38.6-1~deb11u1
ii libgl1-mesa-dri 20.3.5-1
ii libu2f-udev 1.1.10-3
ii notification-daemon 3.20.0-4
ii system-config-printer 1.5.14-1
ii upower 0.99.11-2

Versions of packages chromium-sandbox depends on:
ii libc6 2.33-4

-- no debconf information

Andres Salomon

Jan 26, 2022, 3:20:04 AM
On Wed, 26 Jan 2022 03:50:53 +0200 Spiky Caterpillar wrote:
>
> Chromium complains about stack smashing whenever started. I'm starting it from
> an xterm, and the output when starting to a blank tab with Google as the search
> engine is:
>
> [122740:122740:0126/025300.330856:ERROR:gpu_init.cc(457)] Passthrough is not supported, GL is disabled, ANGLE is
> [122696:122727:0126/025301.818616:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018
> *** stack smashing detected ***: terminated
> *** stack smashing detected ***: terminated
> [122696:122727:0126/025304.329684:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
> [122696:122727:0126/025304.329873:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
> *** stack smashing detected ***: terminated


The stack smashing errors are related to building with the clang-11 compiler; the reason you don't see them with unstable's version of chromium is because unstable uses clang-13. Similarly, upstream google's chromium builds against some clang-14 pre-release. I could disable stack protection from the stable builds of chromium, but stack protection could potentially be useful for actual security bugs. So for now, I'm planning to just leave it enabled and ignore the messages.

At some point, it is likely that clang-13 will be backported to stable (similar to how clang-11 was backported to oldstable, which allowed firefox-esr to use it instead of oldstable's clang-7). Once that happens, I plan to use clang-13 for building chromium in stable, and the messages will go away.


> [122448:122448:0126/025217.558330:ERROR:gpu_init.cc(457)] Passthrough is not supported, GL is disabled, ANGLE is
> [122405:122461:0126/025219.779173:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018
> [122405:122432:0126/025221.869024:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
> [122405:122432:0126/025221.869057:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
> *** stack smashing detected ***: terminated
>
[...]


> hole - and the fact that they appear linked to third-party network service
> integration makes them seem a bit ominous.


The nss_util.cc error is unrelated to the stack smashing errors, and it's also one that I haven't seen before. It's pretty odd; it's from LoadNSSModule("Root Certs", "libnssckbi.so", nullptr) failing to load that library. I see that you have libnss3 (from stable) installed, so I'm wondering what's going on. That error is coming from libnspr4 (PR_GetError), and I couldn't find it in the source code but I did find it on a mozilla developer webpage as SEC_ERROR_UNKNOWN_PKCS11_ERROR. It seems to say that it's failing to load a certificate, so maybe there's something wrong with your root certificates? I'm not entirely sure where it's finding the root certificates; they might be built into the nss3 library or they might be in /etc/ssl/certs/.

Do you have the ca-certificates package installed? Does https work normally in the browser?
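What the message actually reports, as an added illustration that is not part of this bug thread and not code from chromium or glibc: with -fstack-protector the compiler places a canary word between a function's local buffers and its saved return address and checks it just before the function returns; "*** stack smashing detected ***: terminated" is glibc's __stack_chk_fail announcing that the check failed, after which it aborts the process. The C program below emulates that frame layout so the mechanism can be seen in isolation. The canary constant is hypothetical (the real one is random per process and read from thread-local storage), and the check returns a result instead of aborting so both the unchecked copy and a bounds-checked counterpart can be exercised in one run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated protected stack frame. With -fstack-protector the compiler lays a
 * function's locals out roughly as [buffer][canary][saved frame ptr][return
 * address], so a linear overflow of the buffer has to pass through the canary
 * before it can reach the return address.
 */
struct frame {
    char     buf[16];
    uint64_t canary;
};

/*
 * Hypothetical canary value for the demo. The real one is chosen at process
 * start by glibc and read from thread-local storage (fs:0x28 on x86_64); as
 * glibc does, the byte that sits lowest in memory is kept zero so that C
 * string functions stop at it instead of copying it around.
 */
#define CANARY_VALUE 0x9f1e3d5c7b2a4600ULL

/*
 * Behaves like a function compiled with the stack protector: copies len bytes
 * into a fixed 16-byte buffer without a bounds check, then verifies the canary
 * on the way out. Returns 0 when the canary is intact and 1 when it was
 * overwritten, which is the point where the real __stack_chk_fail prints
 * "*** stack smashing detected ***" and aborts the process.
 */
int unchecked_copy(const char *src, size_t len)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;   /* byte view of the frame */
    size_t i;

    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;

    /* Stay inside the struct so the demo is well-defined C: the overflow
     * runs from buf into canary, not off the end of the object. */
    if (len > sizeof f)
        len = sizeof f;
    for (i = 0; i < len; i++)
        raw[i] = (unsigned char)src[i];

    if (f.canary != CANARY_VALUE) {
        fprintf(stderr, "*** stack smashing detected ***: (simulated)\n");
        return 1;
    }
    return 0;
}

/*
 * Hardened counterpart: rejects input that does not fit, so the canary is
 * never reached. Returns 0 on success, -1 when the input is rejected. The
 * protector only notices an overwrite after it has happened; this check
 * prevents it from happening at all.
 */
int bounded_copy(const char *src, size_t len)
{
    struct frame f;

    if (len > sizeof f.buf)
        return -1;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    memcpy(f.buf, src, len);
    return f.canary == CANARY_VALUE ? 0 : 1;   /* always 0: buf cannot reach it */
}

int main(void)
{
    /* Constructed inputs: one that exactly fills buf, one that overruns it. */
    static const char fits[]     = "sixteen bytes!!";            /* 15 + NUL */
    static const char overflow[] = "AAAAAAAAAAAAAAAAAAAAAAAA";    /* 24 bytes */

    printf("unchecked, fits:     %d\n", unchecked_copy(fits, sizeof fits));
    printf("unchecked, overflow: %d\n", unchecked_copy(overflow, sizeof overflow - 1));
    printf("bounded, fits:       %d\n", bounded_copy(fits, sizeof fits));
    printf("bounded, rejected:   %d\n", bounded_copy(overflow, sizeof overflow - 1));
    return 0;
}
```

Build with cc -o canary canary.c and run it; the overflow case prints the simulated message and returns 1 while the bounded version returns -1 before anything is written. Two practical points follow from the mechanism. First, the check fires at function return, after the bytes are already on the stack, so the message proves an out-of-bounds write occurred in that process; a build without the protector would continue silently past the same overwrite. Second, glibc aborts the process that failed the check, and in a multi-process browser that is usually a helper process rather than the main browser process, which fits the report above where the line repeats while Chromium keeps running. To confirm whether a binary was built with the protector at all, look for an undefined dynamic-symbol reference to __stack_chk_fail, for example objdump -T on the chromium binary (on Debian that is normally /usr/lib/chromium/chromium) piped through grep stack_chk.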

Andres Salomon

Feb 22, 2022, 1:10:04 PM
On Wed, 26 Jan 2022 03:11:16 -0500 Andres Salomon wrote:
> > *** stack smashing detected ***: terminated
> >


I backported clang-13 to debian stable and used it to build chromium. Nothing else was backported or changed (other than the requisite changes needed to tell chromium to use clang-13 and friends instead of clang). The stack smashing error messages disappeared. So this is absolutely an issue with building against clang-11 in stable.
