Your message dated Wed, 17 Apr 2013 10:17:42 +0000 with message-id <e1uspqs-0007x5...@franck.debian.org> and subject line Bug#698064: fixed in aranym 0.9.15-1 has caused the Debian Bug report #698064, regarding aranym: crashes from guest userspace when NatFeat is queried to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 698064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698064 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: aranym Version: 0.9.14-2 Severity: grave Tags: security Justification: user security hole When running the program whose source code follows below the report, compiled with the following command: gcc -Os -fno-asynchronous-unwind-tables \ -fno-stack-protector -static -o nfimvirt \ nfimvirt.c nfimvrth.S Inside a Debian/m68k guest on ARAnyM running on Debian sid, the guest crashes the virtualisation: Gotcha! Illegal memory access. Atari PC = $80000468 If the Full History was enabled you would see the last 20 instructions here. The program is intended to use NatFeat, as per the specs, to figure out whether it runs under emulation or not. The severity stems from this virtualisation escape: an error or SIGILL or SIGBUS would be an acceptable failure mode, but the guest must not DoS the emulation (this would make offering Debian Porterboxen impossible, for one). This is not exactly a new issue, I think Wouter reported similar findings in the imvirt wishlist bugreport. #!/bin/sh # This is a shell archive (produced by GNU sharutils 4.11.1). # To extract the files from this archive, save it to some FILE, remove # everything before the `#!/bin/sh' line above, then type `sh FILE'. # lock_dir=_sh29846 # Made on 2013-01-13 18:48 UTC by <r...@ara4.mirbsd.org>. # Source directory was `/root'. # # Existing files will *not* be overwritten, unless `-c' is specified. # # This shar contains: # length mode name # ------ ---------- ------------------------------------------ # 2779 -rw-r--r-- nfimvirt.c # 447 -rw-r--r-- nfimvrth.S # MD5SUM=${MD5SUM-md5sum} f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'` test -n "${f}" && md5check=true || md5check=false ${md5check} || \ echo 'Note: not verifying md5sums. Consider installing GNU coreutils.' if test "X$1" = "X-c" then keep_file='' else keep_file=true fi echo=echo save_IFS="${IFS}" IFS="${IFS}:" gettext_dir= locale_dir= set_echo=false for dir in $PATH do if test -f $dir/gettext \ && ($dir/gettext --version >/dev/null 2>&1) then case `$dir/gettext --version 2>&1 | sed 1q` in *GNU*) gettext_dir=$dir set_echo=true break ;; esac fi done if ${set_echo} then set_echo=false for dir in $PATH do if test -f $dir/shar \ && ($dir/shar --print-text-domain-dir >/dev/null 2>&1) then locale_dir=`$dir/shar --print-text-domain-dir` set_echo=true break fi done if ${set_echo} then TEXTDOMAINDIR=$locale_dir export TEXTDOMAINDIR TEXTDOMAIN=sharutils export TEXTDOMAIN echo="$gettext_dir/gettext -s" fi fi IFS="$save_IFS" if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null then if (echo -n test; echo 1,2,3) | grep n >/dev/null then shar_n= shar_c=' ' else shar_n=-n shar_c= ; fi else shar_n= shar_c='\c' ; fi f=shar-touch.$$ st1=200112312359.59 st2=123123592001.59 st2tr=123123592001.5 # old SysV 14-char limit st3=1231235901 if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \ test ! -f ${st1} && test -f ${f}; then shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"' elif touch -am ${st2} ${f} >/dev/null 2>&1 && \ test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"' elif touch -am ${st3} ${f} >/dev/null 2>&1 && \ test ! -f ${st3} && test -f ${f}; then shar_touch='touch -am $3$4$5$6$2 "$8"' else shar_touch=: echo ${echo} 'WARNING: not restoring timestamps. Consider getting and installing GNU `touch'\'', distributed in GNU coreutils...' echo fi rm -f ${st1} ${st2} ${st2tr} ${st3} ${f} # if test ! -d ${lock_dir} ; then : else ${echo} "lock directory ${lock_dir} exists" exit 1 fi if mkdir ${lock_dir} then ${echo} "x - created lock directory ${lock_dir}." else ${echo} "x - failed to create lock directory ${lock_dir}." exit 1 fi # ============= nfimvirt.c ============== if test -n "${keep_file}" && test -f 'nfimvirt.c' then ${echo} "x - SKIPPING nfimvirt.c (file already exists)" else ${echo} "x - extracting nfimvirt.c (text)" sed 's/^X//' << 'SHAR_EOF' > 'nfimvirt.c' && #include <sys/types.h> #include <sys/mman.h> #include <err.h> #include <signal.h> #include <stdarg.h> #include <stdint.h> #include <stdio.h> #include <unistd.h> X #ifndef __GNUC__ #error This file makes use of GNU C extensions. #endif X extern long nf_get_id_asm(const char *feature_name) X asm("nf_get_id_asm") X __attribute__((__cdecl__, __regparm__(0))); extern long nf_call_asm(unsigned long feature_id, ...) X asm("nf_call_asm") X __attribute__((__cdecl__, __regparm__(0))); X volatile sig_atomic_t got_sigill; X void sigill_handler(int sigraised); long nf_get_id(const char *feature_name); X #define nf_call2(id, subid, ...) __extension__({ \ X long nf_call2_res; \ X unsigned long nf_call2_fid; \ X \ X if (got_sigill) \ X errx(2, "nf_call2: previous unhandled SIGILL"); \ X nf_call2_fid = (unsigned long)(id) | (unsigned long)(subid); \ X nf_call2_res = nf_call_asm(nf_call2_fid, ## __VA_ARGS__); \ X if (got_sigill) \ X errx(2, "nf_call2: SIGILL for %08lX", nf_call2_fid); \ X (nf_call2_res); \ }) X #ifdef __KLIBC__ void err(int, const char *, ...) X __attribute__((__noreturn__, __format__(__printf__, 2, 3))); void errx(int, const char *, ...) X __attribute__((__noreturn__, __format__(__printf__, 2, 3))); #endif X int main(void) { X long NF_NAME, NF_VERSION, sres; X char *buf; X unsigned long bufsz = 0, ures; X int pgsz; X X if ((pgsz = getpagesize()) <= 0 || pgsz > 0x10000000) X err(2, "getpagesize() returned %d", pgsz); X while (bufsz < 4096) X bufsz += pgsz; X if ((buf = mmap(NULL, (size_t)bufsz, PROT_READ | PROT_WRITE, X MAP_ANON | MAP_PRIVATE, 0, (off_t)0)) == MAP_FAILED) X err(2, "mmap() %lu bytes failed", bufsz); X if (mlock(buf, bufsz)) X err(2, "mlock() failed"); X X got_sigill = 0; X if (signal(SIGILL, sigill_handler) == SIG_ERR) X err(2, "cannot install SIGILL handler"); X X if ((NF_NAME = nf_get_id("NF_NAME")) == -1L) { X printf("Physical (no NatFeat)\n"); X return (0); X } X if ((NF_VERSION = nf_get_id("NF_VERSION")) == -1L) { X printf("Ambiguous (broken NatFeat)\n"); X return (1); X } X X sres = nf_call2(NF_VERSION, 0); X ures = nf_call2(NF_NAME, 0, buf, bufsz); X buf[bufsz - 1] = 0; X printf("NatFeat v%d.%d (Emulator%s: %s)", (int)((sres >> 16) & 0xFFFF), X (int)(sres & 0xFFFF), ures >= bufsz ? " (truncated)" : "", buf); X ures = nf_call2(NF_NAME, 1, buf, bufsz); X buf[bufsz - 1] = 0; X printf(" on%s: %s\n", ures >= bufsz ? " (truncated)" : "", buf); X X /* munlock, munmap, signal */ X X return (0); } X long nf_get_id(const char *feature_name) { X long res; X X if (got_sigill) X errx(2, "nf_get_id: previous unhandled SIGILL"); X res = nf_get_id_asm(feature_name); X if (got_sigill) { X got_sigill = 0; X return (-1L); X } X return (res & 0xFFF00000); } X void sigill_handler(int sigraised __attribute__((__unused__))) { X got_sigill = 1; } SHAR_EOF (set 20 13 01 13 18 41 08 'nfimvirt.c' eval "${shar_touch}") && \ chmod 0644 'nfimvirt.c' if test $? -ne 0 then ${echo} "restore of nfimvirt.c failed" fi if ${md5check} then ( ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'nfimvirt.c': 'MD5 check failed' ) << \SHAR_EOF 4715c8dcdd33d3297720a5e0617501ba nfimvirt.c SHAR_EOF else test `LC_ALL=C wc -c < 'nfimvirt.c'` -ne 2779 && \ ${echo} "restoration warning: size of 'nfimvirt.c' is not 2779" fi fi # ============= nfimvrth.S ============== if test -n "${keep_file}" && test -f 'nfimvrth.S' then ${echo} "x - SKIPPING nfimvrth.S (file already exists)" else ${echo} "x - extracting nfimvrth.S (text)" sed 's/^X//' << 'SHAR_EOF' > 'nfimvrth.S' && X .text X X .p2align 2 X .globl nf_get_id_asm #ifdef __ELF__ X .type nf_get_id_asm,@function #endif nf_get_id_asm: X .byte 0x73 /* NatFeat */ X .byte 0x00 /* nf_get_id */ X rts #ifdef __ELF__ X .size nf_get_id_asm, . - nf_get_id_asm #endif X X .p2align 2 X .globl nf_call_asm #ifdef __ELF__ X .type nf_call_asm,@function #endif nf_call_asm: X .byte 0x73 /* NatFeat */ X .byte 0x01 /* nf_call */ X rts #ifdef __ELF__ X .size nf_call_asm, . - nf_call_asm #endif SHAR_EOF (set 20 13 01 13 18 08 36 'nfimvrth.S' eval "${shar_touch}") && \ chmod 0644 'nfimvrth.S' if test $? -ne 0 then ${echo} "restore of nfimvrth.S failed" fi if ${md5check} then ( ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'nfimvrth.S': 'MD5 check failed' ) << \SHAR_EOF c0e9906c254931d54f4716dcb42271c9 nfimvrth.S SHAR_EOF else test `LC_ALL=C wc -c < 'nfimvrth.S'` -ne 447 && \ ${echo} "restoration warning: size of 'nfimvrth.S' is not 447" fi fi if rm -fr ${lock_dir} then ${echo} "x - removed lock directory ${lock_dir}." else ${echo} "x - failed to remove lock directory ${lock_dir}." exit 1 fi exit 0 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/mksh Versions of packages aranym depends on: ii libc6 2.13-38 ii libgcc1 1:4.7.2-4 ii libgmp10 2:5.0.5+dfsg-2 ii libmpfr4 3.1.0-5 ii libsdl-image1.2 1.2.12-2 ii libsdl1.2debian 1.2.15-5 ii libstdc++6 4.7.2-4 ii libusb-1.0-0 2:1.0.12-2 ii libx11-6 2:1.5.0-1 ii zlib1g 1:1.2.7.dfsg-13 Versions of packages aranym recommends: ii bridge-utils 1.5-6 ii uml-utilities 20070815-1.3 aranym suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Source: aranym Source-Version: 0.9.15-1 We believe that the bug you reported is fixed in the latest version of aranym, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 698...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Antonin Kral <a.k...@sh.cvut.cz> (supplier of updated aranym package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Wed, 17 Apr 2013 11:43:15 +0200 Source: aranym Binary: aranym Architecture: amd64 i386 source Version: 0.9.15-1 Distribution: unstable Urgency: low Maintainer: Antonin Kral <a.k...@sh.cvut.cz> Changed-By: Antonin Kral <a.k...@sh.cvut.cz> Closes: 698064 Description: aranym - Atari Running on Any Machine Changes: aranym (0.9.15-1) unstable; urgency=low . * new upstream realease (Closes:#698064) Checksums-Sha1: 79f4413a7859b5d7bd6ab267f99d8fea7a8f617b 1189 aranym_0.9.15-1.dsc 0480afe9a52f5469aa4139c8018a47694774e077 1768346 aranym_0.9.15.orig.tar.gz 1a786a07cb358ee6a0778d4a1e37386d5a61eea6 6220 aranym_0.9.15-1.debian.tar.gz 8f6feb55880b2809bfdec184e65f8697678165d4 1941768 aranym_0.9.15-1_i386.deb bab5f2fd3ddbfe0d0c739c33003d8c3d959e8311 1468204 aranym_0.9.15-1_amd64.deb Checksums-Sha256: 2fd3b3a35571f99a9f2020d5d076e0e8ed99da65f125b27fc220d7dd010ccd23 1189 aranym_0.9.15-1.dsc fa685a5b5fc6c1dfd0211e3505df88d12f3279f05bad532fe769ac9456281179 1768346 aranym_0.9.15.orig.tar.gz 3d255661d86fb966a4f15399a373056f18e4dd266746d974d906aec147911e03 6220 aranym_0.9.15-1.debian.tar.gz 8bfb0ce1c75d979e1f188dfb5fa30edea547c4d7dc72a7471e7c7302248b5499 1941768 aranym_0.9.15-1_i386.deb 0961e028ca4528d68395a5ae4b1a660526d0d1b2d45f00bf7d964146df29d856 1468204 aranym_0.9.15-1_amd64.deb Files: 1b5f547c2633ec3d688ce020d19bc2af 1189 otherosfs extra aranym_0.9.15-1.dsc 5ec3a3fbf7a2cef7d6eb666be79134bb 1768346 otherosfs extra aranym_0.9.15.orig.tar.gz a36be2894c4f47e157077e8ebb7b5a0d 6220 otherosfs extra aranym_0.9.15-1.debian.tar.gz 2324a05b2fd07cd3a323ce95986c7d11 1941768 otherosfs extra aranym_0.9.15-1_i386.deb a0b5360c6b53979ffc27588023cc2211 1468204 otherosfs extra aranym_0.9.15-1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlFucqQACgkQluuhBRvyMFqoPACeJ4qPmd4GpvKSnm6Q6DlOhFmE MCYAoJOOFlDegXS8dji5tBUg74yyjXJK =7DJZ -----END PGP SIGNATURE-----
--- End Message ---
