NetBSD Problem Report #49821
From www@NetBSD.org Mon Apr 6 19:58:54 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 59A12A654B
for <gnats-bugs@gnats.NetBSD.org>; Mon, 6 Apr 2015 19:58:54 +0000 (UTC)
Message-Id: <20150406195853.23270A65BE@mollari.NetBSD.org>
Date: Mon, 6 Apr 2015 19:58:53 +0000 (UTC)
From: alnsn@yandex.ru
Reply-To: alnsn@yandex.ru
To: gnats-bugs@NetBSD.org
Subject: /bin/tar randomly coredumps when security.pax.aslr.enabled is set to 1
X-Send-Pr-Version: www-1.0
>Number: 49821
>Category: bin
>Synopsis: /bin/tar randomly coredumps when security.pax.aslr.enabled is set to 1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 06 20:00:00 +0000 2015
>Closed-Date: Sat Apr 17 23:44:24 +0000 2021
>Last-Modified: Sat Apr 17 23:44:24 +0000 2021
>Originator: Alexander Nasonov
>Release: amd64 7.99.9
>Organization:
>Environment:
NetBSD neva 7.99.9 NetBSD 7.99.9 (NODRM) #0: Mon Apr 6 18:29:57 BST 2015 alnsn@nebeda.localdomain:/home/alnsn/netbsd-current/src/sys/arch/amd64/compile/obj/NODRM amd64
>Description:
/bin/tar randomly fails to list files in a gzipped or bzip2ed modules.tar file:
$ tar ztpf modules.tar.gz |head
tar: End of archive volume 1 reached
tar: Sorry, unable to determine archive format.
$ tar ztpf modules.tar.gz |head
tar: End of archive volume 1 reached
tar: Sorry, unable to determine archive format.
$ tar ztpf modules.tar.gz |head
tar: End of archive volume 1 reached
tar: Sorry, unable to determine archive format.
$ tar ztpf modules.tar.gz |head
./etc/mtree/set.modules
./stand/amd64
./stand/amd64/7.99.9
./stand/amd64/7.99.9/modules
./stand/amd64/7.99.9/modules/accf_dataready
./stand/amd64/7.99.9/modules/accf_dataready/accf_dataready.kmod
./stand/amd64/7.99.9/modules/accf_httpready
./stand/amd64/7.99.9/modules/accf_httpready/accf_httpready.kmod
./stand/amd64/7.99.9/modules/acpiacad
./stand/amd64/7.99.9/modules/acpiacad/acpiacad.kmod
tar: Listing incomplete. (Broken pipe)
gzip: error writing to output: Broken pipe
It crashes after a fork:
11945 1 tar CALL open(0x7f7fff7f5e51,0,0x1b6)
11945 1 tar NAMI "modules.tar.gz"
11945 1 tar RET open 5
11945 1 tar CALL pipe
11945 1 tar RET pipe 6, 7
11945 1 tar CALL fork
11945 1 tar RET fork 3441/0xd71
11945 1 tar CALL dup2(6,5)
11945 1 tar RET dup2 5
11945 1 tar CALL close(6)
11945 1 tar RET close 0
11945 1 tar CALL close(7)
11945 1 tar RET close 0
11945 1 tar CALL __fstat50(5,0x61fb40)
11945 1 tar RET __fstat50 0
11945 1 tar CALL lseek(5,0,0,1)
11945 1 tar RET lseek -1 errno 29 Illegal seek
11945 1 tar CALL read(5,0x620440,0x7e00)
3441 1 tar EMUL "netbsd"
3441 1 tar RET fork 0
3441 1 tar PSIG SIGSEGV SIG_DFL: code=SEGV_ACCERR, addr=0x7f7ff7c02d60, trap=6)
3441 1 tar NAMI "/var/crash/alnsn/."
3441 1 tar NAMI "/var/crash/alnsn/tar.core"
It's interesting that it crashed on a string containing "PQRVWAPAQARASH":
$ gdb - /var/crash/alnsn/tar.core
[New process 1]
Core was generated by `tar'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f7ff7c02d60 in ?? ()
(gdb) x/s 0x00007f7ff7c02d60
0x7f7ff7c02d60: "\234PQRVWAPAQARASH\213|$PH\213t$X\350J\003"
(gdb)
The files modules.tar.gz, ktrace.out and tar.core are available here:
http://www.netbsd.org/~alnsn/tar-aslr-bug/
>How-To-Repeat:
Download http://www.netbsd.org/~alnsn/tar-aslr-bug/modules.tar.gz
Enable ASLR: sysctl -w security.pax.aslr.enabled=1
Run 'tar ztpf modules.tar.gz' a few times.
>Fix:
Not known.
>Release-Note:
>Audit-Trail:
From: Alexander Nasonov <alnsn@yandex.ru>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/49821: /bin/tar randomly coredumps when
security.pax.aslr.enabled is set to 1
Date: Mon, 6 Apr 2015 21:20:22 +0100
Alexander Nasonov wrote:
> It's interesting that it crashed on a string containing "PQRVWAPAQARASH":
>
> $ gdb - /var/crash/alnsn/tar.core
> [New process 1]
> Core was generated by `tar'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 0x00007f7ff7c02d60 in ?? ()
> (gdb) x/s 0x00007f7ff7c02d60
> 0x7f7ff7c02d60: "\234PQRVWAPAQARASH\213|$PH\213t$X\350J\003"
> (gdb)
Passing /bin/tar to gdb reveals some information:
$ gdb /bin/tar /var/crash/alnsn/tar.core
...
Type "apropos word" to search for commands related to "word"...
Reading symbols from /bin/tar...(no debugging symbols found)...done.
[New process 1]
Core was generated by `tar'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f7ff7c02d60 in _rtld_bind_start () from /libexec/ld.elf_so
(gdb) bt
#0 0x00007f7ff7c02d60 in _rtld_bind_start () from /libexec/ld.elf_so
#1 0x00007c1751c1b000 in ?? ()
#2 0x000000000000000a in ?? ()
#3 0x000000000040384d in ar_start_gzip ()
#4 0x0000000000403d65 in ar_open ()
#5 0x0000000000406f51 in rd_start ()
#6 0x00000000004054d0 in get_arc ()
#7 0x0000000000405e9d in list ()
#8 0x0000000000415a0e in main ()
Alex
From: Alexander Nasonov <alnsn@yandex.ru>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/49821: /bin/tar randomly coredumps when
security.pax.aslr.enabled is set to 1
Date: Sat, 25 Jul 2015 21:39:18 +0100
Alexander Nasonov wrote:
> >Description:
> /bin/tar randomly fails to list files in a gzipped or bzip2ed modules.tar file:
>
> $ tar ztpf modules.tar.gz |head
> tar: End of archive volume 1 reached
> tar: Sorry, unable to determine archive format.
It's still reproducible, and like the gmake crash which I reported today,
the problem goes away after I run ulimit -s `ulimit -s`.
Alex
From: Joerg Sonnenberger <joerg@britannica.bec.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/49821: /bin/tar randomly coredumps when
security.pax.aslr.enabled is set to 1
Date: Sun, 9 Aug 2015 18:45:47 +0200
On Sat, Jul 25, 2015 at 08:40:01PM +0000, Alexander Nasonov wrote:
> > >Description:
> > /bin/tar randomly fails to list files in a gzipped or bzip2ed modules.tar file:
> >
> > $ tar ztpf modules.tar.gz |head
> > tar: End of archive volume 1 reached
> > tar: Sorry, unable to determine archive format.
>
> It's still reproducible, and like the gmake crash which I reported today,
> the problem goes away after I run ulimit -s `ulimit -s`.
What limit do you start with and what is it reduced to?
Joerg
From: Alexander Nasonov <alnsn@yandex.ru>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, alnsn@yandex.ru
Subject: Re: bin/49821: /bin/tar randomly coredumps when
security.pax.aslr.enabled is set to 1
Date: Sun, 9 Aug 2015 23:10:21 +0100
Joerg Sonnenberger wrote:
> On Sat, Jul 25, 2015 at 08:40:01PM +0000, Alexander Nasonov wrote:
> > > >Description:
> > > /bin/tar randomly fails to list files in a gzipped or bzip2ed modules.tar file:
> > >
> > > $ tar ztpf modules.tar.gz |head
> > > tar: End of archive volume 1 reached
> > > tar: Sorry, unable to determine archive format.
> >
> > It's still reproducible, and like the gmake crash which I reported today,
> > the problem goes away after I run ulimit -s `ulimit -s`.
>
> What limit do you start with and what is it reduced to?
I start with 4096 and I change it ... to 4096. This trick always fixes
the problem.
Alex
State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sat, 17 Apr 2021 23:44:24 +0000
State-Changed-Why:
Assuming fixed. ASLR is now the default. /bin/tar is unlikely to be broken by default. (I haven't seen this bug).
>Unformatted:
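Added example, not part of the problem report or of NetBSD's tools: a small triage script for kdump output like the excerpt in the Description. It reports every signal taken with the default action, which process forked the victim, and how many syscalls the victim entered before the signal. The function name and record fields are made up for this example, and the sample input is built from lines of the trace above.

```python
import re

# Constructed sample: lines taken from the kdump excerpt in this report.
SAMPLE = """\
11945 1 tar CALL fork
11945 1 tar RET fork 3441/0xd71
11945 1 tar CALL dup2(6,5)
11945 1 tar RET dup2 5
11945 1 tar CALL read(5,0x620440,0x7e00)
3441 1 tar EMUL "netbsd"
3441 1 tar RET fork 0
3441 1 tar PSIG SIGSEGV SIG_DFL: code=SEGV_ACCERR, addr=0x7f7ff7c02d60, trap=6)
3441 1 tar NAMI "/var/crash/alnsn/tar.core"
"""

LINE = re.compile(r"\s*(\d+)\s+(\d+)\s+(\S+)\s+(CALL|RET|NAMI|PSIG|EMUL)\s+(.*)")
FORK_RET = re.compile(r"fork (\d+)/0x[0-9a-f]+")
PSIG = re.compile(r"(SIG\w+) SIG_DFL: code=(\w+), addr=(0x[0-9a-f]+)")

def default_action_signals(kdump_text):
    """Return one record per SIG_DFL signal, with fork context (hypothetical helper)."""
    parent_of = {}      # child pid -> pid whose fork() returned it
    calls_since = {}    # pid -> syscalls entered since it first appeared
    crashes = []
    for raw in kdump_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, _lid, comm, kind, rest = m.groups()
        pid = int(pid)
        calls_since.setdefault(pid, 0)
        if kind == "CALL":
            calls_since[pid] += 1
        elif kind == "RET" and (f := FORK_RET.fullmatch(rest.strip())):
            parent_of[int(f.group(1))] = pid
        elif kind == "PSIG" and (s := PSIG.match(rest)):
            crashes.append({
                "pid": pid, "comm": comm, "signal": s.group(1),
                "code": s.group(2), "addr": int(s.group(3), 16),
                "parent": parent_of.get(pid),
                # 0 means the process was signalled before entering any syscall
                "syscalls_before_signal": calls_since[pid],
            })
    return crashes

if __name__ == "__main__":
    for c in default_action_signals(SAMPLE):
        print(c)
```

On the sample it reports pid 3441, forked by 11945, taking SIGSEGV with zero syscalls entered; the fault address is the same value gdb shows for frame #0 in the backtrace above.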