NetBSD Problem Report #40575

From bouyer@antioche.lip6.fr  Sat Feb  7 19:23:01 2009
Return-Path: <bouyer@antioche.lip6.fr>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 56B8D63B879
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  7 Feb 2009 19:23:01 +0000 (UTC)
Message-Id: <200902071922.n17JMr6A000283@antioche.lip6.fr>
Date: Sat, 7 Feb 2009 20:22:53 +0100 (MET)
From: bouyer@antioche.lip6.fr
Reply-To: bouyer@antioche.lip6.fr
To: gnats-bugs@gnats.NetBSD.org
Subject: security.pax.aslr breaks tar -z
X-Send-Pr-Version: 3.95

>Number:         40575
>Category:       kern
>Synopsis:       security.pax.aslr breaks tar -z
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 07 19:25:00 +0000 2009
>Closed-Date:    Tue Nov 27 20:52:04 +0000 2018
>Last-Modified:  Tue Nov 27 20:52:04 +0000 2018
>Originator:     Manuel Bouyer
>Release:        NetBSD 5.0_RC1
>Organization:
>Environment:
System: NetBSD antioche.lip6.fr 5.0_RC1 NetBSD 5.0_RC1 (ANTIOCHE5-64) #5: Sat Feb 7 15:51:51 CET 2009 bouyer@roll:/dsk/l1/misc/bouyer/tmp/amd64/obj/dsk/l1/misc/bouyer/netbsd-5/src/sys/arch/amd64/compile/ANTIOCHE5-64 amd64
Architecture: x86_64
Machine: amd64
>Description:
	antioche:/home/ftp/pub/pkgsrc/packages/NetBSD/x86_64/5.0/All#sysctl -w security.pax.aslr.global=1
	security.pax.aslr.global: 0 -> 1
	antioche:/home/ftp/pub/pkgsrc/packages/NetBSD/x86_64/5.0/All#tar tzvf ttcp-1.12nb2.tgz
	tar: End of archive volume 1 reached
	tar: Sorry, unable to determine archive format.
	antioche:/home/ftp/pub/pkgsrc/packages/NetBSD/x86_64/5.0/All#sysctl -w security.pax.aslr.global=0
	security.pax.aslr.global: 1 -> 0
	antioche:/home/ftp/pub/pkgsrc/packages/NetBSD/x86_64/5.0/All#tar tzvf ttcp-1.12nb2.tgz
	-rw-r--r--  1 root     wheel        430 Jan 16 14:43 +CONTENTS
	-r--r--r--  1 root     wheel         43 Jan 16 14:43 +COMMENT
	-r--r--r--  1 root     wheel        364 Jan 16 14:43 +DESC
	-rw-r--r--  1 root     wheel        424 Jan 16 14:43 +BUILD_VERSION
	-rw-r--r--  1 root     wheel       1906 Jan 16 14:43 +BUILD_INFO
	-rw-r--r--  1 root     wheel          6 Jan 16 14:43 +SIZE_PKG
	-rw-r--r--  1 root     wheel          2 Jan 16 14:43 +SIZE_ALL
	-r-xr-xr-x  1 root     wheel      20408 Jan 16 14:43 bin/ttcp
	-r--r--r--  1 root     wheel       4761 Jan 16 14:43 man/cat1/ttcp.0
	-r--r--r--  1 root     wheel       3885 Jan 16 14:43 man/man1/ttcp.1
	tar: ustar vol 1, 10 files, 40960 bytes read, 0 bytes written in 1 secs (40960 bytes/sec)

	I tracked this down to the read() from the tar's side of the pipe
	with gzip returning 0, before gzip has even started.
	A zcat | tar works fine.
	This is only dependent on security.pax.aslr, other
	security.pax settings have no influence.
>How-To-Repeat:
	set security.pax.aslr.global=1, try to use tar -z
>Fix:
	workaround: don't set security.pax.aslr.global to 1

>Release-Note:

>Audit-Trail:
From: Pierre Pronchery <khorben@defora.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/40575: security.pax.aslr breaks tar -z
Date: Wed, 4 Jan 2012 01:02:53 +0100

 			Hi,

 in his problem report from February 7th 2009, Manuel Bouyer mentions a
 problem while decompressing archives through tar, while the
 "security.pax.aslr.global" sysctl is enabled.

 Although I confirm the issue on my systems (NetBSD/amd64, tracking
 either netbsd-5 or -current branches) I have to disagree with this
 statement:
 > This is only dependent on security.pax.aslr, other
 > security.pax settings have no influence.

 On both systems, enabling "security.pax.mprotect.global" (set to "1")
 seems to work around the issue.

 For the record:

 === BEGIN PASTE ===
 $ tar -tzf xscreensaver-5.14.tar.gz
 tar: End of archive volume 1 reached
 tar: Sorry, unable to determine archive format.
 $ ls -l tar.core
 -rw-------  1 khorben  wheel  200272 Jan  4 00:42 tar.core
 $ gdb tar tar.core
 GNU gdb 6.5
 Copyright (C) 2006 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "x86_64--netbsd"...(no debugging symbols found)

 Reading symbols from /lib/libutil.so.7...(no debugging symbols found)...done.
 Loaded symbols for /lib/libutil.so.7
 Reading symbols from /lib/libc.so.12...(no debugging symbols found)...done.
 Loaded symbols for /lib/libc.so.12
 Reading symbols from /libexec/ld.elf_so...
 (no debugging symbols found)...done.
 Loaded symbols for /libexec/ld.elf_so
 Core was generated by `tar'.
 Program terminated with signal 11, Segmentation fault.
 #0  0x00007f7ffde03a74 in _rtld_bind_start () from /libexec/ld.elf_so
 (gdb) bt
 #0  0x00007f7ffde03a74 in _rtld_bind_start () from /libexec/ld.elf_so
 #1  0x000077ed06ddf000 in ?? ()
 #2  0x0000000000000021 in ?? ()
 #3  0x0000000000404583 in ar_start_gzip ()
 #4  0x000000000040481e in ar_open ()
 #5  0x0000000000407ea4 in rd_start ()
 #6  0x0000000000405456 in get_arc ()
 #7  0x000000000040580b in list ()
 #8  0x000000000040dde5 in main ()
 (gdb) info registers
 rax            0x0      0
 rbx            0x4168f1 4286705
 rcx            0x77ed06981dea   131859901586922
 rdx            0x9      9
 rsi            0x1      1
 rdi            0xa      10
 rbp            0x5      0x5
 rsp            0x7f7fff4abe78   0x7f7fff4abe78
 r8             0x101010101010101        72340172838076673
 r9             0x8080808080808080       -9187201950435737472
 r10            0x0      0
 r11            0x246    582
 r12            0x41809b 4292763
 r13            0x1a     26
 r14            0x7f7ffde04bf0   140187696909296
 r15            0x3      3
 rip            0x7f7ffde03a74   0x7f7ffde03a74 <_rtld_bind_start>
 eflags         0x10246  [ PF ZF IF RF ]
 cs             0x1f     31
 ss             0x17     23
 ds             0x17     23
 es             0x17     23
 fs             0x17     23
 gs             0x17     23
 (gdb)
 === END PASTE ===
 (this is on NetBSD/amd64, tracking the netbsd-5 branch)

 HTH,
 --
 khorben

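Added example (not part of the problem report and not NetBSD's tar code): the report describes read() on tar's side of the pipe returning 0 before gzip has started, and the follow-up shows a SIGSEGV under ar_start_gzip, while tar only prints "End of archive volume 1 reached". The C code below reaps the pipe writer after a 0-byte read and classifies how it ended, so a crashed helper is not mistaken for an empty archive. The names read_from_child and pipe_end are hypothetical, the archive bytes are constructed, and the fault is simulated with raise(SIGSEGV).

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum pipe_end { CHILD_OK, CHILD_FAILED, CHILD_SIGNALED, CHILD_ERROR };

/* Hypothetical helper: fork a stand-in for the decompressor, read its pipe
 * to EOF, then reap it to learn what the EOF meant. A non-zero
 * crash_before_output makes the child fault before its first write. */
enum pipe_end read_from_child(int crash_before_output, size_t *nread, int *sig)
{
    static const char data[] = "constructed archive bytes"; /* sample input */
    char buf[512];
    int fds[2], status;
    ssize_t n;
    pid_t pid;

    *nread = 0;
    *sig = 0;
    if (pipe(fds) == -1)
        return CHILD_ERROR;
    pid = fork();
    if (pid == 0) {                      /* child: writer side of the pipe */
        close(fds[0]);
        if (crash_before_output)
            raise(SIGSEGV);              /* simulated fault, no output yet */
        _exit(write(fds[1], data, sizeof data - 1) < 0);
    }
    close(fds[1]);   /* reader must drop its write end or EOF never arrives */
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        *nread += (size_t)n;
    close(fds[0]);
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || n == -1)
        return CHILD_ERROR;
    if (WIFSIGNALED(status)) {           /* 0 bytes here is a crash, not EOF */
        *sig = WTERMSIG(status);
        return CHILD_SIGNALED;
    }
    return WEXITSTATUS(status) ? CHILD_FAILED : CHILD_OK;
}

int main(void)
{
    size_t n; int sig;
    enum pipe_end r = read_from_child(1, &n, &sig);
    printf("result=%d bytes=%zu signal=%d\n", r, n, sig);
    return 0;
}
```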

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 27 Nov 2018 20:52:04 +0000
State-Changed-Why:
Since ASLR is now default enabled, I strongly suspect this is fixed. Let me know if you are still having issues.


>Unformatted:
