Bug 745057 - Gimp's help browser needs execmem
Summary: Gimp's help browser needs execmem
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: webkitgtk
Version: 16
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-10-11 10:16 UTC by Göran Uddeborg
Modified: 2012-08-19 18:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-19 18:50:48 UTC
Type: ---



Description Göran Uddeborg 2011-10-11 10:16:09 UTC
Description of problem:
On a system with allow_execmem disabled, Gimp's help browser crashes immediately on start up with a segmentation fault.

Version-Release number of selected component (if applicable):
gimp-help-browser-2.6.11-22.fc16.x86_64
selinux-policy-targeted-3.10.0-38.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Start gimp
2. Select the menu entry Help→Help
  
Actual results:
A window flashes briefly and disappears.  An error message is written to the terminal if I start gimp from a terminal:

/usr/lib64/gimp/2.0/plug-ins/help-browser: fatal error: Segmentation fault

Expected results:
The Gimp help browser should come up.

Additional info:
This is the F16 version of bug 710768.

Doing

chcon -t execmem_exec_t /usr/lib64/gimp/2.0/plug-ins/help-browser

is a way to fix the problem.

The AVC message I get:

time->Tue Oct 11 12:07:28 2011
type=SYSCALL msg=audit(1318327648.420:12700): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=80000000 a2=7 a3=22 items=0 ppid=30561 pid=30575 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts4 ses=1963 comm="help-browser" exe="/usr/lib64/gimp/2.0/plug-ins/help-browser" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318327648.420:12700): avc:  denied  { execmem } for  pid=30575 comm="help-browser" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
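
As an added illustration, not part of this report and not GIMP or WebKit code, the C program below decodes the SYSCALL record above (a constructed, trimmed copy of that line is embedded) and applies the SELinux rule that decides when a mapping needs process:execmem. On x86_64, syscall=9 is mmap(2); a1=80000000 is a 2 GiB length, a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC, a3=22 is MAP_PRIVATE|MAP_ANONYMOUS, and exit=-13 is EACCES, i.e. an anonymous RWX mapping that the policy refused. The program then asks for a single page with the same protection and flags to show whether the host it runs on allows it. The function names and the trimmed record are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20 /* Linux value; matches the a3=22 in the record */
#endif

/* Constructed copy of the SYSCALL record from the report, trimmed to the
   fields used here. syscall=9 on x86_64 (arch=c000003e) is mmap(2). */
static const char *k_syscall_record =
    "type=SYSCALL msg=audit(1318327648.420:12700): arch=c000003e syscall=9 "
    "success=no exit=-13 a0=0 a1=80000000 a2=7 a3=22 items=0 comm=\"help-browser\"";

/* Pull one "key=value" field out of an audit record. Returns 0 if the key is
   absent. Register arguments a0..a3 are printed in hex, exit in decimal. */
int audit_field(const char *rec, const char *key, int base, long *out)
{
    char pat[32];
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(rec, pat);
    if (!p)
        return 0;
    *out = strtol(p + strlen(pat), NULL, base);
    return 1;
}

/* Simplified mirror of the kernel rule that triggers the execmem check
   (security/selinux/hooks.c, file_map_prot_check): PROT_EXEC on an
   anonymous mapping, or on a private file mapping that is also writable. */
int needs_execmem(unsigned long prot, unsigned long flags, int backed_by_file)
{
    if (!(prot & PROT_EXEC))
        return 0;
    if (!backed_by_file)
        return 1;
    int shared = (flags & MAP_SHARED) != 0;
    return (!shared && (prot & PROT_WRITE)) ? 1 : 0;
}

/* Render a PROT_* mask, e.g. 7 -> "PROT_READ|PROT_WRITE|PROT_EXEC". */
void prot_string(unsigned long prot, char *buf, size_t n)
{
    const struct { unsigned long bit; const char *name; } bits[] = {
        { PROT_READ, "PROT_READ" }, { PROT_WRITE, "PROT_WRITE" }, { PROT_EXEC, "PROT_EXEC" },
    };
    size_t len = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < 3; i++) {
        if (!(prot & bits[i].bit))
            continue;
        len += (size_t)snprintf(buf + len, n - len, "%s%s", len ? "|" : "", bits[i].name);
    }
    if (!len)
        snprintf(buf, n, "PROT_NONE");
}

/* Request the same kind of mapping the JIT asked for (anonymous, private,
   RWX), but only one page. 1 = allowed, 0 = refused by policy
   (EACCES/EPERM), -1 = failed for some other reason. */
int probe_execmem(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED) {
        munmap(p, page);
        return 1;
    }
    return (errno == EACCES || errno == EPERM) ? 0 : -1;
}

int main(void)
{
    long a1 = 0, a2 = 0, a3 = 0, rc = 0;
    audit_field(k_syscall_record, "a1", 16, &a1);
    audit_field(k_syscall_record, "a2", 16, &a2);
    audit_field(k_syscall_record, "a3", 16, &a3);
    audit_field(k_syscall_record, "exit", 10, &rc);

    char prot[64];
    prot_string((unsigned long)a2, prot, sizeof prot);
    printf("mmap(len=%ld MiB, prot=%s, flags=0x%lx%s) -> exit %ld (%s)\n",
           a1 >> 20, prot, a3, (a3 & MAP_ANONYMOUS) ? " anonymous" : "",
           rc, strerror((int)-rc));
    printf("execmem required by the SELinux rule: %s\n",
           needs_execmem((unsigned long)a2, (unsigned long)a3, 0) ? "yes" : "no");

    int r = probe_execmem();
    printf("RWX anonymous mapping on this host: %s\n",
           r == 1 ? "allowed" : r == 0 ? "refused (execmem)" : "failed for another reason");
    return 0;
}
```

Build with `cc -o execmem-probe execmem-probe.c` and run it as the user who sees the denial; with the `allow_execmem` boolean off the probe reports "refused". Note that the `chcon` workaround from the description only relabels the file on disk: a `restorecon` or a full relabel reverts it. A lasting fix is a file-context rule, either in the distribution policy (the route this bug took) or added locally with `semanage fcontext` followed by `restorecon`.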

Comment 1 Daniel Walsh 2011-10-11 16:07:25 UTC
Why would a help browser need executable memory?

Comment 2 Nils Philippsen 2011-10-12 09:06:21 UTC
I have no idea. Checking.

Comment 3 Nils Philippsen 2011-10-12 10:38:37 UTC
Seems to come from JavaScript code in webkitgtk. After installing debuginfos, I got this backtrace (on F-15, but I guess F-16 won't differ much):

nils@gibraltar:~> gimp --stack-trace-mode=always -c
/usr/lib64/gimp/2.0/plug-ins/help-browser: fatal error: Segmentation fault
#0  0x000000399e80eacd in __libc_waitpid (pid=<optimized out>, stat_loc=<optimized out>, options=<optimized out>) at ../sysdeps/unix/sysv/linux/waitpid.c:41
#1  0x00000039a1419572 in g_on_error_stack_trace (prg_name=0x7ffffeb734ba "/usr/lib64/gimp/2.0/plug-ins/help-browser") at gbacktrace.c:192
#2  0x0000003beae11c5f in gimp_plugin_sigfatal_handler (sig_num=<optimized out>) at gimp.c:1615
#3  <signal handler called>
#4  0x0000003731804b41 in WTF::OSAllocator::reserveAndCommit (bytes=<optimized out>, usage=<optimized out>, writable=<optimized out>, executable=<optimized out>) at Source/JavaScriptCore/wtf/OSAllocatorPosix.cpp:97
#5  0x00000037318041bf in reserve (executable=true, usage=WTF::OSAllocator::UnknownUsage, size=1073741824, writable=true) at Source/JavaScriptCore/wtf/PageReservation.h:107
#6  FixedVMPoolAllocator (this=0x7f15b07abd80) at Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp:412
#7  JSC::ExecutableAllocator::isValid (this=<optimized out>) at Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp:503
#8  0x00000037317665d6 in ExecutableAllocator (this=0x7f15b0760800) at Source/JavaScriptCore/jit/ExecutableAllocator.h:185
#9  JSC::JSGlobalData::JSGlobalData (this=0x7f15b075f000, globalDataType=JSC::JSGlobalData::Default, threadStackType=JSC::ThreadStackTypeLarge) at Source/JavaScriptCore/runtime/JSGlobalData.cpp:142
#10 0x0000003731767ba3 in JSC::JSGlobalData::create (type=JSC::ThreadStackTypeLarge) at Source/JavaScriptCore/runtime/JSGlobalData.cpp:257
#11 0x0000003731768b52 in JSC::JSGlobalData::createLeaked (type=JSC::ThreadStackTypeLarge) at Source/JavaScriptCore/runtime/JSGlobalData.cpp:263
#12 0x00000037309d69c2 in WebCore::JSDOMWindowBase::commonJSGlobalData () at Source/WebCore/bindings/js/JSDOMWindowBase.cpp:177
#13 0x0000003730a305cc in WebCore::ScriptController::getAllWorlds (worlds=...) at Source/WebCore/bindings/js/ScriptController.cpp:175
#14 0x0000003730de2492 in WebCore::FrameLoader::dispatchDidClearWindowObjectsInAllWorlds (this=0x7f15b0755470) at Source/WebCore/loader/FrameLoader.cpp:3409
#15 0x0000003730de27c8 in WebCore::FrameLoader::receivedFirstData (this=0x7f15b0755470) at Source/WebCore/loader/FrameLoader.cpp:609
#16 0x0000003730ddb138 in WebCore::DocumentWriter::setEncoding (this=0x7f15b0731070, name=..., userChosen=false) at Source/WebCore/loader/DocumentWriter.cpp:237
#17 0x0000003730dd013e in WebCore::DocumentLoader::commitData (this=0x7f15b0731000, bytes=0x10e5c90 "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www"..., length=8192) at Source/WebCore/loader/DocumentLoader.cpp:319
#18 0x00000037308b4e35 in WebKit::FrameLoaderClient::committedLoad (this=0x7f15b0740b40, loader=0x7f15b0731000, data=0x10e5c90 "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www"..., length=8192) at Source/WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:319
#19 0x0000003730dd0e4d in WebCore::DocumentLoader::commitLoad (this=0x7f15b0731000, data=0x10e5c90 "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www"..., length=8192) at Source/WebCore/loader/DocumentLoader.cpp:307
#20 0x0000003730e1c421 in WebCore::ResourceLoader::didReceiveData (this=0x7f15b0788200, data=0x10e5c90 "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www"..., length=8192, lengthReceived=8192, allAtOnce=<optimized out>) at Source/WebCore/loader/ResourceLoader.cpp:279
#21 0x0000003730e079c5 in WebCore::MainResourceLoader::didReceiveData (this=0x7f15b0788200, data=0x10e5c90 "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www"..., length=8192, lengthReceived=8192, allAtOnce=false) at Source/WebCore/loader/MainResourceLoader.cpp:446
#22 0x0000003730e1b0f2 in WebCore::ResourceLoader::didReceiveData (this=0x7f15b0788200, data=0x10e5c90 "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www"..., length=8192, lengthReceived=8192) at Source/WebCore/loader/ResourceLoader.cpp:430
#23 0x000000373088a27a in WebCore::readCallback (source=<optimized out>, asyncResult=<optimized out>, data=0x0) at Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:802
#24 0x00000039a7454ef9 in async_ready_callback_wrapper (source_object=0x1051520 [GLocalFileInputStream], res=0x10514c0, user_data=0x0) at ginputstream.c:470
#25 0x00000039a7464d18 in complete_in_idle_cb_for_thread (_data=0x10e5280) at gsimpleasyncresult.c:812
#26 0x00000039a14427ed in g_main_dispatch (context=0xa86560) at gmain.c:2441
#27 g_main_context_dispatch (context=0xa86560) at gmain.c:3014
#28 0x00000039a1442fc8 in g_main_context_iterate (context=0xa86560, block=<optimized out>, dispatch=1, self=<optimized out>) at gmain.c:3092
#29 0x00000039a144360d in g_main_loop_run (loop=0xb96190) at gmain.c:3300
#30 0x000000372f34c007 in IA__gtk_main () at gtkmain.c:1256
#31 0x0000000000406f95 in run (name=<optimized out>, nparams=5, param=0xa86730, nreturn_vals=<optimized out>, return_vals=<optimized out>) at help-browser.c:163
#32 0x0000003beae11af5 in gimp_proc_run (proc_run=0xa76aa0) at gimp.c:1917
#33 gimp_loop () at gimp.c:1751
#34 gimp_main (info=<optimized out>, argc=<optimized out>, argv=<optimized out>) at gimp.c:487
#35 0x000000399dc2139d in __libc_start_main (main=0x406070 <main>, argc=6, ubp_av=0x7ffffeb72368, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffffeb72358) at libc-start.c:226
#36 0x00000000004060ad in _start ()

These are the package versions I have installed:
gimp-2.6.11-21.fc15.x86_64
gimp-help-browser-2.6.11-21.fc15.x86_64
gimp-help-2.4.2-6.fc15.noarch
webkitgtk-1.4.2-1.fc15.x86_64

Changing component.

Comment 4 Daniel Walsh 2011-10-12 13:31:44 UTC
Fixed in selinux-policy-3.10.0-40.fc16

Comment 5 Göran Uddeborg 2012-08-19 18:50:48 UTC
I'm not sure if it was fixed exactly in -40, but it is working with the current version.

