thunderbird: Abort trap on empty promises

thunderbird: Abort trap on empty promises

Klemens Nanni-2
Just upgraded my X230 incl. packages as usual, however thunderbird dies
almost immediately upon start:

        $ sysctl -n kern.version
        OpenBSD 6.6-current (GENERIC.MP) #402: Sat Oct 26 22:53:27 MDT 2019
            [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        $ pkg_info thunderbird | head -n1
        Information for inst:thunderbird-68.2.0
        $ thunderbird
        Abort trap (core dumped)

The core dump is useless and I cannot rebuild with symbols at the moment.
However:

        $ tail -n1 /var/log/messages
        Oct 27 16:43:58 eru /bsd: thunderbird[84106]: pledge "stdio", syscall 87
        $ grep -w 87 /sys/kern/syscalls.c
                "clock_gettime",                        /* 87 = clock_gettime */
        $ ktrace -di thunderbird
        Abort trap (core dumped)
        $ kdump
        ...
        10377 thunderbird CALL  pledge(0xc5e1686e484,0)
        10377 thunderbird STRU  promise=""
        10377 thunderbird RET   pledge 0
        10377 thunderbird CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7fffff96d8)
        10377 thunderbird PLDG  clock_gettime, "stdio", errno 1 Operation not permitted
        10377 thunderbird PSIG  SIGABRT SIG_DFL
        ...

Thunderbird's WRKSRC only contains one pledge(2) call:

        dom/ipc/ContentChild.cpp
        3948:  if (pledge(promisesString.get(), NULL) == -1) {

This stuff is Rust and I have no clue of either that language or
Thunderbird internals - does anyone else see crashes?

Do you need more information from my system?
My last upgrade is about 12 days behind on this machine, I have not
bisected anything so far.


Re: thunderbird: Abort trap on empty promises

Sebastien Marie-3
On Sun, Oct 27, 2019 at 05:18:03PM +0100, Klemens Nanni wrote:

> Just upgraded my X230 incl. packages as usual, however thunderbird dies
> almost immediately upon start:
>
> $ sysctl -n kern.version
> OpenBSD 6.6-current (GENERIC.MP) #402: Sat Oct 26 22:53:27 MDT 2019
>    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> $ pkg_info thunderbird | head -n1
> Information for inst:thunderbird-68.2.0
> $ thunderbird
> Abort trap (core dumped)
>
> The core dump is useless and I cannot rebuild with symbols at the moment.
> However:
>
> $ tail -n1 /var/log/messages
> Oct 27 16:43:58 eru /bsd: thunderbird[84106]: pledge "stdio", syscall 87
> $ grep -w 87 /sys/kern/syscalls.c
>        "clock_gettime",                        /* 87 = clock_gettime */
> $ ktrace -di thunderbird
> Abort trap (core dumped)
> $ kdump
> ...
> 10377 thunderbird CALL  pledge(0xc5e1686e484,0)
> 10377 thunderbird STRU  promise=""
> 10377 thunderbird RET   pledge 0
> 10377 thunderbird CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7fffff96d8)
> 10377 thunderbird PLDG  clock_gettime, "stdio", errno 1 Operation not permitted
> 10377 thunderbird PSIG  SIGABRT SIG_DFL
> ...

with pledge(""), it is expected that things will not work well.
 
> Thunderbird's WRKSRC only contains one pledge(2) call:
>
> dom/ipc/ContentChild.cpp
> 3948:  if (pledge(promisesString.get(), NULL) == -1) {
>
> This stuff is Rust and I have no clue of either that language or
> Thunderbird internals - does anyone else see crashes?

for me, a .cpp file is c++ (and the syntax for if isn't like Rust).
 
> Do you need more information from my system?
> My last upgrade is about 12 days behind on this machine, I have not
> bisected anything so far.

Did you try with a new profile?

--
Sebastien Marie


Re: thunderbird: Abort trap on empty promises

Klemens Nanni-2
On Sun, Oct 27, 2019 at 06:04:00PM +0100, Sebastien Marie wrote:
> for me, a .cpp file is c++ (and the syntax for if isn't like Rust).
He, you're right.  Grepping showed other Rust bits as well, I mixed it up.

> Did you try with new profile ?
Just moved ~/.thunderbird out of the way but to no avail, still aborts.


Re: thunderbird: Abort trap on empty promises

joshua stein-3
In reply to this post by Klemens Nanni-2
On Sun, 27 Oct 2019 at 17:18:03 +0100, Klemens Nanni wrote:

> 10377 thunderbird CALL  pledge(0xc5e1686e484,0)
> 10377 thunderbird STRU  promise=""
> 10377 thunderbird RET   pledge 0
> 10377 thunderbird CALL  clock_gettime(CLOCK_MONOTONIC,0x7f7fffff96d8)
> 10377 thunderbird PLDG  clock_gettime, "stdio", errno 1 Operation not permitted
> 10377 thunderbird PSIG  SIGABRT SIG_DFL
> ...
>
> Thunderbird's WRKSRC only contains one pledge(2) call:
>
> dom/ipc/ContentChild.cpp
> 3948:  if (pledge(promisesString.get(), NULL) == -1) {

That's the code from Firefox that is supposed to read the pledge
promises from the security.sandbox.pledge.main preference, but
that's only enabled if built with MOZ_SANDBOX.  That define is only
supposed to get set when the --enable-sandbox flag is passed to
the configure script, as the www/mozilla-firefox port does:

    CONFIGURE_ARGS +=       --enable-sandbox

Mozilla broke that in version 69, so even though --enable-sandbox
was passed, sandboxing wasn't enabled on OpenBSD:

https://bugzilla.mozilla.org/show_bug.cgi?id=1579323

Apparently the way that got fixed forces it to be enabled by default
now without --enable-sandbox being passed, and Thunderbird uses that
same code.  So now sandboxing is enabled on Thunderbird but there
are no pledge strings defined in the default preferences.

So I think the fix is to now pass --disable-sandbox in
mail/mozilla-thunderbird/Makefile.

As a workaround, you can add this to
/usr/local/lib/thunderbird/defaults/pref/all-openbsd.js:

    pref("security.sandbox.pledge.main", "junk");

That will cause pledge() to fail rather than continuing with an
empty list of pledge promises.


Re: thunderbird: Abort trap on empty promises

Laurence Tratt
In reply to this post by Klemens Nanni-2
On Sun, Oct 27, 2019 at 05:18:03PM +0100, Klemens Nanni wrote:

Hello Klemens,

> $ thunderbird
> Abort trap (core dumped)

Having updated yesterday, I see exactly this and gdb also confirms that it's
borking on the call to clock_gettime.

The problem seems to be that the port's files/all-openbsd.js is out of date
(or incomplete or ...).  If you look at the relevant bit of the code [1] you
can see that it's trying to read the preferences for
security.sandbox.pledge.main or security.sandbox.pledge.content, but the
Thunderbird port defines neither. mozilla-firefox does however, so I simply
copied these lines from mozilla-firefox's files/all-openbsd.js:

  pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast video");
  pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd sendfd prot_exec unix drm ps");

to /usr/local/lib/thunderbird/defaults/pref/all-openbsd.js and Thunderbird
started working happily again.

Whether Thunderbird needs such a wide set of pledges or not is a question
above my pay grade. At the very least this is a quick hack to get
Thunderbird working again on OpenBSD and, perhaps, a useful pointer to
someone who understands this beast better than I do as to what a long-term
fix might be!


Laurie

[1] https://dxr.mozilla.org/comm-central/source/dom/ipc/ContentChild.cpp#3938
--
Personal                                             http://tratt.net/laurie/
Software Development Team                                http://soft-dev.org/
   https://github.com/ltratt              http://twitter.com/laurencetratt
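
Added example, not part of any post in this thread and not code from the port: a small checker that reads an all-openbsd.js and reports, for the two pledge preferences discussed above, which of the three outcomes from the thread applies (empty string and abort, rejected string and no sandbox, or a usable promise set). The promise list is this example's assumption, taken from pledge(2) and to be checked against the running release; the sample files are constructed.

```python
import re

# Promise names as listed in pledge(2). Assumption of this example:
# verify against the man page of the release you actually run.
KNOWN = set("""stdio rpath wpath cpath dpath tmppath inet mcast fattr chown
flock unix dns getpw sendfd recvfd tape tty proc exec prot_exec settime ps
vminfo id pf route wroute audio video bpf unveil error drm vmm disklabel""".split())

PLEDGE_PREFS = ("security.sandbox.pledge.main", "security.sandbox.pledge.content")
# Matches pref("name", "string value"); lines starting with // do not match.
PREF_RE = re.compile(r'^\s*pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)


def check_pledge_prefs(text):
    """Return {pref: (verdict, detail)} for the two pledge preferences."""
    prefs = dict(PREF_RE.findall(text))
    report = {}
    for key in PLEDGE_PREFS:
        promises = prefs.get(key, "").split()
        unknown = [p for p in promises if p not in KNOWN]
        if not promises:
            # pledge("") succeeds and permits almost nothing, which is the
            # clock_gettime abort visible in the kdump output.
            report[key] = ("abort", "empty or missing")
        elif unknown:
            # pledge() rejects the string, so the process runs unsandboxed.
            report[key] = ("unsandboxed", " ".join(unknown))
        else:
            report[key] = ("sandboxed", " ".join(promises))
    return report


# Constructed sample files (not copied from the ports tree).
SHIPPED = 'pref("extensions.autoDisableScopes", 3);\n'
QUICKFIX = SHIPPED + (
    'pref("security.sandbox.pledge.main", "notyet");\n'
    'pref("security.sandbox.pledge.content", "notyet");\n')
TYPO = SHIPPED + (
    'pref("security.sandbox.pledge.main", "stdio rpath inet dns");\n'
    'pref("security.sandbox.pledge.content", "stdio rpath prot-exec");\n')

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("quickfix", QUICKFIX), ("typo", TYPO)):
        for pref, (verdict, detail) in check_pledge_prefs(text).items():
            print(f"{name:9} {pref:34} {verdict:12} {detail}")
```

The "typo" sample shows why a check like this is worth running on a hand-edited file: one misspelled promise makes the whole string invalid, and the process then starts without any sandbox instead of failing visibly.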



Re: thunderbird: Abort trap on empty promises

Klemens Nanni-2
In reply to this post by joshua stein-3
On Sun, Oct 27, 2019 at 12:56:40PM -0500, joshua stein wrote:
> As a workaround, you can add this to
> /usr/local/lib/thunderbird/defaults/pref/all-openbsd.js:
>
>     pref("security.sandbox.pledge.main", "junk");
>
> That will cause pledge() to fail rather than continuing with an
> empty list of pledge promises.
I appended this line to ~/.thunderbird/*.default/prefs.js and
thunderbird starts again, thanks.  semarie also mentioned this as
workaround off-list.

However, prefs.js seems to be rewritten, so closing and opening
Thunderbird results in SIGABRT again.  Won't happen with the global
all-openbsd.js for sure, though.


Re: thunderbird: Abort trap on empty promises

Sebastien Marie-3
On Mon, Oct 28, 2019 at 09:26:09AM +0100, Klemens Nanni wrote:

> On Sun, Oct 27, 2019 at 12:56:40PM -0500, joshua stein wrote:
> > As a workaround, you can add this to
> > /usr/local/lib/thunderbird/defaults/pref/all-openbsd.js:
> >
> >     pref("security.sandbox.pledge.main", "junk");
> >
> > That will cause pledge() to fail rather than continuing with an
> > empty list of pledge promises.
> I appended this line to ~/.thunderbird/*.default/prefs.js and
> thunderbird starts again, thanks.  semarie also mentioned this as
> workaround off-list.
>
> However, prefs.js seems to be rewritten, so closing and opening
> Thunderbird results in SIGABRT again.  Won't happen with the global
> all-openbsd.js for sure, though.
>

Hi,

The following diff should unbreak mail/mozilla-thunderbird for now.

It is a quick fix to have usable thunderbird, waiting for a proper fix.

It just adds invalid promises (instead of the default valid empty promise). It
will make thunderbird show a warning and will effectively disable pledge(2)
(as before without sandbox).

Comments or OK ?
--
Sebastien Marie


diff b436a83da999a4084ff25dcf1e369d46323e095a /data/semarie/repos/openbsd/ports
blob - d51a055e80dad3159cd5f912c1cb6d4d2d58eb33
file + mail/mozilla-thunderbird/Makefile
--- mail/mozilla-thunderbird/Makefile
+++ mail/mozilla-thunderbird/Makefile
@@ -6,6 +6,7 @@ COMMENT-lightning = Mozilla Thunderbird calendar exten
 
 # Don't forget to bump mail/thunderbird-i18n after updates.
 
+REVISION = 0
 MOZILLA_VERSION = 68.2.0
 MOZILLA_BRANCH = release
 MOZILLA_PROJECT = thunderbird
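
Review bot: the bare REVISION = 0 on the added line bumps the port as a whole, while the hunk header (COMMENT-lightning) shows that it builds more than one package. If files/all-openbsd.js ends up only in the main package, a per-subpackage REVISION would avoid forcing an update of the lightning package as well.
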
blob - fa8943ff89953b08fce94e90039b8b211877eb8c
file + mail/mozilla-thunderbird/files/all-openbsd.js
--- mail/mozilla-thunderbird/files/all-openbsd.js
+++ mail/mozilla-thunderbird/files/all-openbsd.js
@@ -2,3 +2,6 @@
 // enable systemwide extensions by default
 pref("extensions.autoDisableScopes", 3);
 pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/");
+// quick fix to effectively disable sandbox for now
+pref("security.sandbox.pledge.main", "notyet");
+pref("security.sandbox.pledge.content", "notyet");
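
Review bot: the comment above the two added prefs says the sandbox is disabled but not how. "notyet" is not a pledge promise, so the fix depends on pledge() rejecting the string, and deleting these lines brings back the empty-promise abort. Spell that out in the comment, for example `// "notyet" is deliberately not a valid promise: pledge() fails and the process runs unsandboxed`, so nobody tidies the value or drops the lines before real promise sets have been worked out.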


Re: thunderbird: Abort trap on empty promises

joshua stein-3
On Mon, 28 Oct 2019 at 20:04:06 +0100, Sebastien Marie wrote:

> On Mon, Oct 28, 2019 at 09:26:09AM +0100, Klemens Nanni wrote:
> > On Sun, Oct 27, 2019 at 12:56:40PM -0500, joshua stein wrote:
> > > As a workaround, you can add this to
> > > /usr/local/lib/thunderbird/defaults/pref/all-openbsd.js:
> > >
> > >     pref("security.sandbox.pledge.main", "junk");
> > >
> > > That will cause pledge() to fail rather than continuing with an
> > > empty list of pledge promises.
> > I appended this line to ~/.thunderbird/*.default/prefs.js and
> > thunderbird starts again, thanks.  semarie also mentioned this as
> > workaround off-list.
> >
> > However, prefs.js seems to be rewritten, so closing and opening
> > Thunderbird results in SIGABRT again.  Won't happen with the global
> > all-openbsd.js for sure, though.
> >
>
> Hi,
>
> The following diff should unbreak mail/mozilla-thunderbird for now.
>
> It is a quick fix to have usable thunderbird, waiting for a proper fix.
>
> It just adds invalid promises (instead of the default valid empty promise). It
> will make thunderbird show a warning and will effectively disable pledge(2)
> (as before without sandbox).
>
> Comments or OK ?

Either pass --disable-sandbox in CONFIGURE_ARGS to disable the
pledge code, or someone that uses Thunderbird can figure out which
pledge promises are actually needed to make it work and add those to
all-openbsd.js.

It doesn't really make sense to keep building it with sandboxing
enabled just to disable it from the preferences.


Re: thunderbird: Abort trap on empty promises

Theo de Raadt-2
joshua stein <[hidden email]> wrote:

> On Mon, 28 Oct 2019 at 20:04:06 +0100, Sebastien Marie wrote:
> > On Mon, Oct 28, 2019 at 09:26:09AM +0100, Klemens Nanni wrote:
> > > On Sun, Oct 27, 2019 at 12:56:40PM -0500, joshua stein wrote:
> > > > As a workaround, you can add this to
> > > > /usr/local/lib/thunderbird/defaults/pref/all-openbsd.js:
> > > >
> > > >     pref("security.sandbox.pledge.main", "junk");
> > > >
> > > > That will cause pledge() to fail rather than continuing with an
> > > > empty list of pledge promises.
> > > I appended this line to ~/.thunderbird/*.default/prefs.js and
> > > thunderbird starts again, thanks.  semarie also mentioned this as
> > > workaround off-list.
> > >
> > > However, prefs.js seems to be rewritten, so closing and opening
> > > Thunderbird results in SIGABRT again.  Won't happen with the global
> > > all-openbsd.js for sure, though.
> > >
> >
> > Hi,
> >
> > The following diff should unbreak mail/mozilla-thunderbird for now.
> >
> > It is a quick fix to have usable thunderbird, waiting for a proper fix.
> >
> > It just adds invalid promises (instead of the default valid empty promise). It
> > will make thunderbird show a warning and will effectively disable pledge(2)
> > (as before without sandbox).
> >
> > Comments or OK ?
>
> Either pass --disable-sandbox in CONFIGURE_ARGS to disable the
> pledge code, or someone that uses Thunderbird can figure out which
> pledge promises are actually needed to make it work and add those to
> all-openbsd.js.
>
> It doesn't really make sense to keep building it with sandboxing
> enabled just to disable it from the preferences.

No kidding.

How was this code committed without testing?


Re: thunderbird: Abort trap on empty promises

Stuart Henderson
In reply to this post by joshua stein-3
On 2019/10/28 14:09, joshua stein wrote:

> On Mon, 28 Oct 2019 at 20:04:06 +0100, Sebastien Marie wrote:
> > On Mon, Oct 28, 2019 at 09:26:09AM +0100, Klemens Nanni wrote:
> > > On Sun, Oct 27, 2019 at 12:56:40PM -0500, joshua stein wrote:
> > > > As a workaround, you can add this to
> > > > /usr/local/lib/thunderbird/defaults/pref/all-openbsd.js:
> > > >
> > > >     pref("security.sandbox.pledge.main", "junk");
> > > >
> > > > That will cause pledge() to fail rather than continuing with an
> > > > empty list of pledge promises.
> > > I appended this line to ~/.thunderbird/*.default/prefs.js and
> > > thunderbird starts again, thanks.  semarie also mentioned this as
> > > workaround off-list.
> > >
> > > However, prefs.js seems to be rewritten, so closing and opening
> > > Thunderbird results in SIGABRT again.  Won't happen with the global
> > > all-openbsd.js for sure, though.
> > >
> >
> > Hi,
> >
> > The following diff should unbreak mail/mozilla-thunderbird for now.
> >
> > It is a quick fix to have usable thunderbird, waiting for a proper fix.
> >
> > It just adds invalid promises (instead of the default valid empty promise). It
> > will make thunderbird show a warning and will effectively disable pledge(2)
> > (as before without sandbox).
> >
> > Comments or OK ?

OK with me.

> Either pass --disable-sandbox in CONFIGURE_ARGS to disable the
> pledge code, or someone that uses Thunderbird can figure out which
> pledge promises are actually needed to make it work and add those to
> all-openbsd.js.
>
> It doesn't really make sense to keep building it with sandboxing
> enabled just to disable it from the preferences.
>

It makes it easier to test and figure out which pledges are needed
if one doesn't have to rebuild the damn thing..


Re: thunderbird: Abort trap on empty promises

Theo de Raadt-2
Stuart Henderson <[hidden email]> wrote:

> On 2019/10/28 14:09, joshua stein wrote:
> > On Mon, 28 Oct 2019 at 20:04:06 +0100, Sebastien Marie wrote:
> > > On Mon, Oct 28, 2019 at 09:26:09AM +0100, Klemens Nanni wrote:
> > > > On Sun, Oct 27, 2019 at 12:56:40PM -0500, joshua stein wrote:
> > > > > As a workaround, you can add this to
> > > > > /usr/local/lib/thunderbird/defaults/pref/all-openbsd.js:
> > > > >
> > > > >     pref("security.sandbox.pledge.main", "junk");
> > > > >
> > > > > That will cause pledge() to fail rather than continuing with an
> > > > > empty list of pledge promises.
> > > > I appended this line to ~/.thunderbird/*.default/prefs.js and
> > > > thunderbird starts again, thanks.  semarie also mentioned this as
> > > > workaround off-list.
> > > >
> > > > However, prefs.js seems to be rewritten, so closing and opening
> > > > Thunderbird results in SIGABRT again.  Won't happen with the global
> > > > all-openbsd.js for sure, though.
> > > >
> > >
> > > Hi,
> > >
> > > The following diff should unbreak mail/mozilla-thunderbird for now.
> > >
> > > It is a quick fix to have usable thunderbird, waiting for a proper fix.
> > >
> > > It just adds invalid promises (instead of the default valid empty promise). It
> > > will make thunderbird show a warning and will effectively disable pledge(2)
> > > (as before without sandbox).
> > >
> > > Comments or OK ?
>
> OK with me.
>
> > Either pass --disable-sandbox in CONFIGURE_ARGS to disable the
> > pledge code, or someone that uses Thunderbird can figure out which
> > pledge promises are actually needed to make it work and add those to
> > all-openbsd.js.
> >
> > It doesn't really make sense to keep building it with sandboxing
> > enabled just to disable it from the preferences.
> >
>
> It makes it easier to test and figure out which pledges are needed
> if one doesn't have to rebuild the damn thing..

it's quite the experiment when it ships broken by default.