Hello John Comeau, I just tried to reproduce this crash and could get it just for a wheezy chroot:

warning: Can't read pathname for load map: Eingabe-/Ausgabefehler.
Core was generated by `/bin/bash -i'.
Program terminated with signal 11, Segmentation fault.
#0 0xffffffffff600400 in ?? ()
(gdb) bt
#0 0xffffffffff600400 in ?? ()
#1 0x00007fbd6eacefed in time () at ../sysdeps/unix/sysv/linux/x86_64/time.S:36
#2 0x0000000000420086 in main (argc=2, argv=0x7ffefa085978, env=0x7ffefa085990) at ../bash/shell.c:450

In the kernel log that access is also logged:

kernel: bash[472] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffefa085818 ax:ffffffffff600400 si:7ffefa086f20 di:0

As far as I read this is a result of changing a special syscall
interface that got used for performance reasons because of
security concerns. (More details [1])

At least as far as I have tested, all Debian kernels after the Stretch
release (>= 4.10) behave that way, when using a libc that
relies on the old interface.

A workaround would be to boot Linux with the kernel
parameter vsyscall=emulate.

Kind regards,
Bernhard

PS.: Was creating the same bug #907919 intentional or could that be closed?

[1] https://sysdig.com/blog/troubleshooting-containers/

apt install mc htop lz4 systemd-coredump gdb debootstrap

wget http://192.168.178.25:9999/debian-9-stretch-deb.debian.org/pool/main/l/linux/linux-image-4.9.0-8-amd64_4.9.110-3+deb9u4_amd64.deb
dpkg -i linux-image-4.9.0-8-amd64_4.9.110-3+deb9u4_amd64.deb
wget http://snapshot.debian.org/archive/debian/20170203T152214Z/pool/main/l/linux-signed/linux-image-4.10.0-rc6-amd64_4.10%7Erc6-1%7Eexp2_amd64.deb
dpkg -i linux-image-4.10.0-rc6-amd64_4.10~rc6-1~exp2_amd64.deb
wget http://192.168.178.25:9999/debian-10-buster-deb.debian.org/pool/main/l/linux/linux-image-4.11.0-1-amd64_4.11.6-1_amd64.deb
dpkg -i linux-image-4.11.0-1-amd64_4.11.6-1_amd64.deb

debootstrap --arch=amd64 jessie /opt/jessie http://192.168.178.25:9999/debian-8-jessie-deb.debian.org/
chroot /opt/jessie # no crash

##########

debootstrap --arch=amd64 wheezy /opt/wheezy http://192.168.178.25:9999/debian-7-wheezy-deb.debian.org/
I: Installing core packages...
W: Failure trying to run: chroot "/opt/wheezy" dpkg --force-depends --install /var/cache/apt/archives/base-passwd_3.5.26_amd64.deb
W: See /opt/wheezy/debootstrap/debootstrap.log for details

dmesg -w -T
[Mi Sep 12 15:44:57 2018] dpkg[21278] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7fff4d8e6588 ax:ffffffffff600400 si:428720 di:7fff4d8e65a0
[Mi Sep 12 15:44:57 2018] dpkg[21278]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007fff4d8e6588 error 15
[Mi Sep 12 15:44:57 2018] Code: Bad RIP value.

/opt/wheezy/debootstrap/debootstrap.log
2018-09-12 15:44:56 URL:http://192.168.178.25:9999/debian-7-wheezy-deb.debian.org/pool/main/z/zlib/zlib1g_1.2.7.dfsg-13_amd64.deb [87392/87392] -> "/opt/wheezy//var/cache/apt/archives/partial/zlib1g_1%3a1.2.7.dfsg-13_amd64.deb" [1]
dpkg: warning: parsing file '/var/lib/dpkg/status' near line 5 package 'dpkg': missing description
dpkg: warning: parsing file '/var/lib/dpkg/status' near line 5 package 'dpkg': missing architecture
Segmentation fault (core dumped)

root@debian:~# chroot /opt/wheezy
Speicherzugriffsfehler (Speicherabzug geschrieben)

dmesg -w -T
[Mi Sep 12 15:47:39 2018] bash[21519] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffe4c83ef68 ax:ffffffffff600400 si:7ffe4c83ff20 di:0
[Mi Sep 12 15:47:39 2018] bash[21519]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffe4c83ef68 error 15
[Mi Sep 12 15:47:39 2018] Code: Bad RIP value.

##########

reboot # into 4.9.0

rm /opt/wheezy -rf
debootstrap --arch=amd64 wheezy /opt/wheezy http://192.168.178.25:9999/debian-7-wheezy-deb.debian.org/
mount -t proc proc /opt/wheezy/proc
chroot /opt/wheezy
# inside:
nano /etc/apt/sources.list
#deb-src http://192.168.178.25:9999/debian-7-wheezy-deb.debian.org wheezy main
apt-get update
apt-get install gdb strace libc6-dbg
apt-get build-dep bash
dpkg-reconfigure locales

mkdir /root/libc6/orig -p
cd /root/libc6/orig
apt-get source libc6

mkdir /root/bash/orig -p
cd /root/bash/orig
apt-get source bash
cd ..
cp -a orig try1
cd try1/bash-4.2+dfsg/
DEB_BUILD_OPTIONS="noopt nostrip" dpkg-buildpackage -b
cd ..
dpkg -i bash_4.2+dfsg-0.1+deb7u3_amd64.deb

##########

root@debian:~# uname -a
Linux debian 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
root@debian:~# chroot /opt/wheezy /usr/bin/strace /bin/bash -i
execve("/bin/bash", ["/bin/bash", "-i"], [/* 11 vars */]) = 0
brk(0) = 0x1894000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efea8656000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=16142, ...}) = 0
mmap(NULL, 16142, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7efea8652000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libtinfo.so.5", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\323\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=167952, ...}) = 0
mmap(NULL, 2264608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7efea8210000
mprotect(0x7efea8235000, 2093056, PROT_NONE) = 0
mmap(0x7efea8434000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x24000) = 0x7efea8434000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14768, ...}) = 0
mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7efea800c000
mprotect(0x7efea800e000, 2097152, PROT_NONE) = 0
mmap(0x7efea820e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7efea820e000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1607696, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efea8651000
mmap(NULL, 3721272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7efea7c7f000
mprotect(0x7efea7e03000, 2093056, PROT_NONE) = 0
mmap(0x7efea8002000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x183000) = 0x7efea8002000
mmap(0x7efea8007000, 18488, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7efea8007000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efea8650000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efea864f000
arch_prctl(ARCH_SET_FS, 0x7efea8650700) = 0
mprotect(0x7efea8002000, 16384, PROT_READ) = 0
mprotect(0x7efea820e000, 4096, PROT_READ) = 0
mprotect(0x7efea8434000, 16384, PROT_READ) = 0
mprotect(0x70a000, 4096, PROT_READ) = 0
mprotect(0x7efea8658000, 4096, PROT_READ) = 0
munmap(0x7efea8652000, 16142) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
close(3) = 0
brk(0) = 0x1894000
brk(0x1895000) = 0x1895000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1534768, ...}) = 0
mmap(NULL, 1534768, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7efea84d8000
close(3) = 0
brk(0x1896000) = 0x1896000
brk(0x1897000) = 0x1897000
getuid() = 0
getgid() = 0
geteuid() = 0
getegid() = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Speicherzugriffsfehler (Speicherabzug geschrieben)

reboot

#########

root@debian:~# uname -a
Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
root@debian:~# chroot /opt/wheezy
root@debian:/#

#########

root@debian:~# uname -a
Linux debian 4.10.0-rc6-amd64 #1 SMP Debian 4.10~rc6-1~exp2 (2017-02-02) x86_64 GNU/Linux
root@debian:~# chroot /opt/wheezy
Speicherzugriffsfehler (Speicherabzug geschrieben)

#########

root@debian:~# uname -a
Linux debian 4.11.0-1-amd64 #1 SMP Debian 4.11.6-1 (2017-06-19) x86_64 GNU/Linux
root@debian:~# chroot /opt/wheezy
Speicherzugriffsfehler (Speicherabzug geschrieben)

#########

root@debian:~# uname -a
Linux debian 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
root@debian:~# chroot /opt/wheezy
Speicherzugriffsfehler (Speicherabzug geschrieben)

root@debian:~# journalctl
Sep 12 17:30:18 debian kernel: bash[472] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffefa085818 ax:ffffffffff600400 si:7ffefa086f20 di:0
Sep 12 17:30:18 debian kernel: bash[472]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffefa085818 error 15
Sep 12 17:30:18 debian kernel: Code: Bad RIP value.
Sep 12 17:30:18 debian systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Sep 12 17:30:18 debian systemd[1]: Started Process Core Dump (PID 473/UID 0).
Sep 12 17:30:18 debian systemd-coredump[474]: Process 472 (bash) of user 0 dumped core.

    Stack trace of thread 472:
    #0 0xffffffffff600400 n/a (n/a)
    #1 0x00007fbd6ea4eead n/a (/lib/x86_64-linux-gnu/libc-2.13.so)

#########

reboot # to 4.9.0

cp -a /var/lib/systemd/coredump/core.bash.0.dc7593524954463f8335fd93baac51e1.472.1536766218000000.lz4 /opt/wheezy/
unlz4 /opt/wheezy/core.bash.0.dc7593524954463f8335fd93baac51e1.472.1536766218000000.lz4

root@debian:~# uname -a
Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
root@debian:~# chroot /opt/wheezy
# inside
root@debian:~# dpkg -l | grep -i libc6
ii libc6:amd64 2.27-6 amd64 GNU C Library: Shared libraries
ii libc6-dbg:amd64 2.27-6 amd64 GNU C Library: detached debugging symbols

root@debian:/# gdb -q /bin/bash --core core.bash.0.dc7593524954463f8335fd93baac51e1.472.1536766218000000
Reading symbols from /bin/bash...done.
[New LWP 472]

warning: Can't read pathname for load map: Eingabe-/Ausgabefehler.
Core was generated by `/bin/bash -i'.
Program terminated with signal 11, Segmentation fault.
#0 0xffffffffff600400 in ?? ()
(gdb) bt
#0 0xffffffffff600400 in ?? ()
#1 0x00007fbd6eacefed in time () at ../sysdeps/unix/sysv/linux/x86_64/time.S:36
#2 0x0000000000420086 in main (argc=2, argv=0x7ffefa085978, env=0x7ffefa085990) at ../bash/shell.c:450
(gdb) directory /root/libc6/orig/eglibc-2.13/time
Source directories searched: /root/libc6/orig/eglibc-2.13/time:$cdir:$cwd
(gdb) up
#1 0x00007fbd6eacefed in time () at ../sysdeps/unix/sysv/linux/x86_64/time.S:36
36      callq *%rax
(gdb) disassemble time
Dump of assembler code for function time:
   0x00007fbd6eacefe0 <+0>:     sub $0x8,%rsp
   0x00007fbd6eacefe4 <+4>:     mov $0xffffffffff600400,%rax
   0x00007fbd6eacefeb <+11>:    callq *%rax
   0x00007fbd6eacefed <+13>:    add $0x8,%rsp
   0x00007fbd6eaceff1 <+17>:    retq
End of assembler dump.
(gdb) list 23
23      /* For the calculation see asm/vsyscall.h. */
24      #define VSYSCALL_ADDR_vtime 0xffffffffff600400
(gdb) list time
27      /* Return the current time as a `time_t' and also put it in *T if T is
28      not NULL. Time is represented as seconds from Jan 1 00:00:00 1970. */
29
30      ENTRY (time)
31      /* Align stack. */
32      sub $0x8, %rsp
33      cfi_adjust_cfa_offset(8)
34
35      movq $VSYSCALL_ADDR_vtime, %rax
36      callq *%rax
37
38      add $0x8, %rsp
39      cfi_adjust_cfa_offset(-8)
40      ret
41      PSEUDO_END_NOERRNO(time)
42      libc_hidden_def (time)
(gdb) disassemble 0xffffffffff600400, 0xffffffffff600400+0x10
Dump of assembler code from 0xffffffffff600400 to 0xffffffffff600410:
=> 0xffffffffff600400: Cannot access memory at address 0xffffffffff600400

https://sysdig.com/blog/troubleshooting-containers/

root@debian:~# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.18.0-1-amd64 root=UUID=3de4a194-fb38-4aa0-a7f8-5faf23bafde2 ro vga=788 quiet vsyscall=emulate
root@debian:~# uname -a
Linux debian 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux
root@debian:~# chroot /opt/wheezy
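
Added example (not part of the original message and not Debian or kernel code): a Python triage helper that finds the "vsyscall attempted" kernel warnings shown in the logs above, names the legacy call from the faulting ip, and reads the vsyscall= setting from a kernel command line. The function names are hypothetical; the sample lines are copied from this report.

```python
import re

# Fixed x86-64 address of the legacy vsyscall page; its three entry points
# sit 1024 bytes apart (the report's time.S uses base + 0x400 for time()).
VSYSCALL_BASE = 0xFFFFFFFFFF600000
VSYSCALL_ENTRIES = {0: "gettimeofday", 1: "time", 2: "getcpu"}

# Matches the kernel warning logged when a blocked vsyscall is attempted.
DENIED = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]:? vsyscall attempted with "
    r"vsyscall=(?P<mode>\w+) ip:(?P<ip>[0-9a-f]+)"
)

# Sample kernel log lines copied from the report above.
SAMPLE_LOG = [
    "Sep 12 17:30:18 debian kernel: bash[472] vsyscall attempted with vsyscall=none "
    "ip:ffffffffff600400 cs:33 sp:7ffefa085818 ax:ffffffffff600400 si:7ffefa086f20 di:0",
    "Sep 12 17:30:18 debian kernel: bash[472]: segfault at ffffffffff600400 "
    "ip ffffffffff600400 sp 00007ffefa085818 error 15",
    "[Mi Sep 12 15:44:57 2018] dpkg[21278] vsyscall attempted with vsyscall=none "
    "ip:ffffffffff600400 cs:33 sp:7fff4d8e6588 ax:ffffffffff600400 si:428720 di:7fff4d8e65a0",
]


def decode_entry(ip):
    """Map a faulting instruction pointer to the legacy vsyscall it targets."""
    offset = ip - VSYSCALL_BASE
    if offset < 0 or offset % 1024:
        return None
    return VSYSCALL_ENTRIES.get(offset // 1024)


def find_denied_vsyscalls(log_lines):
    """Return (comm, pid, mode, call) for each blocked-vsyscall warning."""
    hits = []
    for line in log_lines:
        m = DENIED.search(line)
        if m:
            call = decode_entry(int(m["ip"], 16))
            hits.append((m["comm"], int(m["pid"]), m["mode"], call))
    return hits


def cmdline_vsyscall_mode(cmdline):
    """Return the vsyscall= value from a kernel command line, or None if unset."""
    values = [t.split("=", 1)[1] for t in cmdline.split() if t.startswith("vsyscall=")]
    return values[-1] if values else None  # this helper keeps the last occurrence
```

Feeding it the output of journalctl -k or dmesg lists which old-libc processes (typically in legacy chroots or containers) hit the blocked page, which helps decide whether a host needs vsyscall=emulate at all.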