NetBSD Problem Report #49287
From dholland@macaran.localdomain Tue Oct 14 23:30:58 2014
Return-Path: <dholland@macaran.localdomain>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 2AA27A664A
for <gnats-bugs@gnats.NetBSD.org>; Tue, 14 Oct 2014 23:30:58 +0000 (UTC)
Message-Id: <20141014233013.584996E25C@macaran.localdomain>
Date: Tue, 14 Oct 2014 19:30:13 -0400 (EDT)
From: dholland@eecs.harvard.edu
Reply-To: dholland@eecs.harvard.edu
To: gnats-bugs@NetBSD.org
Subject: something wrong between exec_script and compat32
X-Send-Pr-Version: 3.95
>Number: 49287
>Category: kern
>Synopsis: something wrong between exec_script and compat32
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Oct 14 23:35:00 +0000 2014
>Closed-Date: Sat Oct 25 14:28:04 +0000 2014
>Last-Modified: Tue Apr 14 05:15:00 +0000 2015
>Originator: David A. Holland
>Release: NetBSD 7.99.1 (20140819)
>Organization:
>Environment:
System: NetBSD macaran 7.99.1 NetBSD 7.99.1 (MACARAN) #21: Tue Aug 19 20:08:43 EDT 2014 dholland@macaran:/usr/src/sys/arch/amd64/compile/MACARAN amd64
Architecture: x86_64
Machine: amd64
>Description:
Something causes exec arguments to get scrambled when running scripts
with COMPAT_32. It's not entirely clear yet if this is when execing
from a 32-bit process or when execing a 32-bit interpreter; probably
the latter as it seems to be connected to execing scripts.
>How-To-Repeat:
Enter a 32-bit chroot, and then:
% true
/usr/bin/true: Bad address.
Exit 1
%
% ktrace -d -tav true
[run kdump from outside the chroot]
[observe that the environment strings have made their way into argv]
kdump inside a 32-bit chroot does not work, but that's probably
unrelated.
It looks to me like the NULL at the end of argv is not being handled
right, and it's probably related to the shifting around that execing
scripts requires.
>Fix:
>Release-Note:
>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: kern/49287: something wrong between exec_script and compat32
Date: Wed, 22 Oct 2014 17:02:14 -0400
On Oct 14, 11:35pm, dholland@eecs.harvard.edu (dholland@eecs.harvard.edu) wrote:
-- Subject: kern/49287: something wrong between exec_script and compat32
Can't reproduce this on my amd64 box running current. I untarred
base and etc from the latest i386 build, chrooted inside that
directory and ran usr/bin/true.
christos
From: Nicolas Joly <njoly@pasteur.fr>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/49287: something wrong between exec_script and compat32
Date: Thu, 23 Oct 2014 01:20:32 +0200
On Wed, Oct 22, 2014 at 05:02:14PM -0400, Christos Zoulas wrote:
> On Oct 14, 11:35pm, dholland@eecs.harvard.edu (dholland@eecs.harvard.edu) wrote:
> -- Subject: kern/49287: something wrong between exec_script and compat32
>
> Can't reproduce this on my amd64 box running current. I untarred
> base and etc from the latest i386 build, chrooted inside that
> directory and ran usr/bin/true.
I can't reproduce the problem with true either ... but I see this one:
njoly@raya [tmp/sh]> cat sample.sh
#! /bin/sh
echo "$#>>$@<<"
njoly@raya [tmp/sh]> chmod +x sample.sh
njoly@raya [tmp/sh]> uname -a
NetBSD raya.lan 7.99.1 NetBSD 7.99.1 (RAYA) #0: Tue Oct 21 23:31:13 CEST 2014 njoly@raya.lan:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/RAYA amd64
works on amd64 native:
njoly@raya [tmp/sh]> ./sample.sh 1 2 3
3>>1 2 3<<
njoly@raya [tmp/sh]> sh ./sample.sh 1 2 3
3>>1 2 3<<
fails on amd64 compat netbsd32 chroot:
njoly@raya [netbsd32:sh]> ./sample.sh 1 2 3
2>>2 3<<
njoly@raya [netbsd32:sh]> sh ./sample.sh 1 2 3
3>>1 2 3<<
--
Nicolas Joly
Biology IT Center
Institut Pasteur, Paris.
From: David Holland <dholland@eecs.harvard.edu>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/49287: something wrong between exec_script and compat32
Date: Wed, 22 Oct 2014 19:57:18 -0400
On Wed, Oct 22, 2014 at 09:05:02PM +0000, Christos Zoulas wrote:
> Can't reproduce this on my amd64 box running current. I untarred
> base and etc from the latest i386 build, chrooted inside that
> directory and ran usr/bin/true.
I reproduced it with current (both amd64 and i386) from 20141017 -
maybe it's been fixed since then, but I doubt it.
I couldn't reproduce the crash, but I did get the corrupted argv. (I
suspect the crash depends on exactly the right combination of
circumstances.)
Try one of these:
------
#include <stdio.h>

/* Print every argv slot, including argv[argc], which must be NULL. */
int main(int argc, char *argv[]) {
	for (int i = 0; i <= argc; i++)
		printf("%d: %s\n", i, argv[i] ? argv[i] : "(null)");
	return 0;
}
------
and make it the interpreter of a script, then run the script, both
with and without arguments.
--
- David A. Holland / dholland@eecs.harvard.edu
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/49287: something wrong between exec_script and compat32
Date: Thu, 23 Oct 2014 03:53:10 +0000
On Thu, Oct 23, 2014 at 12:00:01AM +0000, David Holland wrote:
> I couldn't reproduce the crash, but I did get the corrupted argv. (I
> suspect the crash depends on exactly the right combination of
> circumstances.)
OK, the argv is already broken by the time it gets to
netbsd32_copyargs().
Given printfs in the obvious places in there, I get
exec32: arg: /argtest32
exec32: arg: ./zy0
exec32: arg: ENV=/root/.shrc
exec32: arg: BLOCKSIZE=1k
exec32: arg: PWD=/
exec32: arg: HOME=/root
exec32: arg: PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/pkg/sbin:/usr/pkg/bin:/usr/X11R7/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin
exec32: arg: HOST=
exec32: arg: TERM=vt100
exec32: arg: OLDPWD=/mnt
exec32: arg: USER=root
exec32: arg: LOGNAME=root
exec32: arg: SHELL=/bin/sh
exec32: env: ENV=/root/.shrc
exec32: env: BLOCKSIZE=1k
exec32: env: PWD=/
exec32: env: HOME=/root
exec32: env: PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/pkg/sbin:/usr/pkg/bin:/usr/X11R7/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin
exec32: env: HOST=
exec32: env: TERM=vt100
exec32: env: OLDPWD=/mnt
exec32: env: USER=root
exec32: env: LOGNAME=root
exec32: env: SHELL=/bin/sh
where ./zy0 is the test script.
--
David A. Holland
dholland@netbsd.org
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49287 CVS commit: src/sys/kern
Date: Fri, 24 Oct 2014 17:13:30 -0400
Module Name: src
Committed By: christos
Date: Fri Oct 24 21:13:30 UTC 2014
Modified Files:
src/sys/kern: kern_exec.c
Log Message:
PR/49287: David Holland: Skip the right number of bytes to go over the first
argument in the argv vector. Fixes netbsd32 script execution, where you lost
the first argument because it skipped 8 bytes instead of 4.
To generate a diff of this commit:
cvs rdiff -u -r1.408 -r1.409 src/sys/kern/kern_exec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: PR/49287 CVS commit: src/sys/kern
Date: Sat, 25 Oct 2014 04:25:34 +0000
On Fri, Oct 24, 2014 at 09:15:00PM +0000, Christos Zoulas wrote:
> Modified Files:
> src/sys/kern: kern_exec.c
>
> Log Message:
> PR/49287: David Holland: Skip the right number of bytes to go over
> the first argument in the argv vector. Fixes netbsd32 script
> execution, where you lost the first argument because it skipped 8
> bytes instead of 4.
Just to confirm, this works... I will file pullup-7.
--
David A. Holland
dholland@netbsd.org
State-Changed-From-To: open->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 25 Oct 2014 04:56:28 +0000
State-Changed-Why:
pullup-7 #156
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49287 CVS commit: [netbsd-7] src/sys/kern
Date: Sat, 25 Oct 2014 10:00:47 +0000
Module Name: src
Committed By: martin
Date: Sat Oct 25 10:00:47 UTC 2014
Modified Files:
src/sys/kern [netbsd-7]: kern_exec.c
Log Message:
Pull up following revision(s) (requested by dholland in ticket #156):
sys/kern/kern_exec.c: revision 1.409
PR/49287: David Holland: Skip the right number of bytes to go over the first
argument in the argv vector. Fixes netbsd32 script execution, where you lost
the first argument because it skipped 8 bytes instead of 4.
To generate a diff of this commit:
cvs rdiff -u -r1.408 -r1.408.2.1 src/sys/kern/kern_exec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 25 Oct 2014 14:28:04 +0000
State-Changed-Why:
fixed, thanks.
From: Masao Uebayashi <uebayasi@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/49287: something wrong between exec_script and compat32
Date: Sun, 14 Dec 2014 15:29:27 +0900
The fix done in src/sys/kern/kern_exec.c Rev. 1.409 was slightly wrong. The
pointer sizes of the execve() caller and the execve() target may be different.
The current code fails if a 32-bit binary calls a 64-bit fake-argument program.
Index: sys/sys/exec.h
===================================================================
RCS file: /cvsroot/src/sys/sys/exec.h,v
retrieving revision 1.146
diff -p -u -r1.146 exec.h
--- sys/sys/exec.h 5 Sep 2014 05:42:50 -0000 1.146
+++ sys/sys/exec.h 14 Dec 2014 06:21:46 -0000
@@ -230,6 +230,7 @@ struct exec_package {
#define EXEC_32 0x0020 /* 32-bit binary emulation */
#define EXEC_FORCEAUX 0x0040 /* always use ELF AUX vector */
#define EXEC_TOPDOWN_VM 0x0080 /* may use top-down VM layout */
+#define EXEC_FROM32 0x0100 /* exec'ed from 32-bit binary */
struct exec_vmcmd {
int (*ev_proc)(struct lwp *, struct exec_vmcmd *);
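Review bot: the comment on the new EXEC_FROM32 flag should say what it is keyed on, because it sits two lines under EXEC_32 and the two are easy to confuse: EXEC_32 describes the binary being loaded, EXEC_FROM32 the process that called execve(). Suggest `/* exec'ed from 32-bit binary: caller's pointers are 4 bytes */`.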
Index: sys/kern/kern_exec.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_exec.c,v
retrieving revision 1.410
diff -p -u -r1.410 kern_exec.c
--- sys/kern/kern_exec.c 9 Nov 2014 17:50:01 -0000 1.410
+++ sys/kern/kern_exec.c 14 Dec 2014 06:21:47 -0000
@@ -673,7 +673,7 @@ execve_loadvm(struct lwp *l, const char
epp->ep_emul_arg_free = NULL;
memset(&epp->ep_vmcmds, 0, sizeof(epp->ep_vmcmds));
epp->ep_vap = &data->ed_attr;
- epp->ep_flags = 0;
+ epp->ep_flags = (p->p_flag & PK_32) ? EXEC_FROM32 : 0;
MD_TOPDOWN_INIT(epp);
epp->ep_emul_root = NULL;
epp->ep_interp = NULL;
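Review bot: `epp->ep_flags = (p->p_flag & PK_32) ? EXEC_FROM32 : 0;` records the caller's ABI at package-setup time, which is the right place since the calling process does not change for the rest of the exec; a one-line comment stating that this is the caller's pointer size, kept separately from the target's EXEC_32, would help the next reader see why both flags exist.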
@@ -1335,9 +1335,15 @@ execve1(struct lwp *l, const char *path,
}
static size_t
+fromptrsz(const struct exec_package *epp)
+{
+ return (epp->ep_flags & EXEC_FROM32) ? sizeof(int) : sizeof(char *);
+}
+
+static size_t
ptrsz(const struct exec_package *epp)
{
- return (epp->ep_flags & EXEC_32) ? sizeof(int) : sizeof(char *);
+ return (epp->ep_flags & EXEC_32) ? sizeof(int) : sizeof(char *);
}
static size_t
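Review bot: the `-`/`+` pair for the return line of ptrsz() at the end of this hunk reads identically in this copy; if it is a whitespace-only change, drop it so the diff shows only the new fromptrsz() helper. Each helper also deserves a comment: ptrsz() returns the pointer size of the binary being executed (EXEC_32), fromptrsz() that of the caller (EXEC_FROM32).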
@@ -1508,7 +1514,7 @@ copyinargs(struct execve_data * restrict
return EINVAL;
}
if (epp->ep_flags & EXEC_SKIPARG)
- args = (const void *)((const char *)args + ptrsz(epp));
+ args = (const void *)((const char *)args + fromptrsz(epp));
i = 0;
error = copyinargstrs(data, args, fetch_element, &dp, &i, ktr_execarg);
if (error != 0) {
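Review bot: the switch from ptrsz(epp) to fromptrsz(epp) for the EXEC_SKIPARG step is the substantive fix: `args` points into the calling process's argv vector, so stepping over its argv[0] means advancing by one caller-sized pointer, and the old line keyed on EXEC_32, i.e. the target, which only worked when caller and target had the same pointer size. A comment at the skip site saying "skip one element of the *caller's* vector" would guard against the same regression. Worth also confirming that fetch_element walks the rest of the vector with the same caller-sized stride, since a mismatch there would shift the remaining arguments in the same way.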
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49287 CVS commit: src/sys
Date: Sun, 14 Dec 2014 16:35:24 -0500
Module Name: src
Committed By: christos
Date: Sun Dec 14 21:35:24 UTC 2014
Modified Files:
src/sys/kern: kern_exec.c
src/sys/sys: exec.h
Log Message:
PR/49287: Masao Uebayashi: Handle exec_script argument vector from the 32 ->
64 bit case. When execing a 64 bit shell from a 32 bit binary the argument
vector was still incorrect.
XXX: Pullup 7
To generate a diff of this commit:
cvs rdiff -u -r1.410 -r1.411 src/sys/kern/kern_exec.c
cvs rdiff -u -r1.146 -r1.147 src/sys/sys/exec.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
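The two commit messages above (revision 1.409, "skipped 8 bytes instead of 4", and revision 1.411, the 32 -> 64 bit case) describe the same mechanism from two angles. The following is an added model, not kernel code from the PR or from NetBSD, of how a "#!" script's arguments reach the interpreter. It assumes the amd64 kernel pointer size is 8 bytes, stands in a small string table for user addresses, constructs the argv/envp vectors of Nicolas Joly's sample.sh reproduction, and names the three skip strides after the revisions discussed in the PR (the helper names, `stride_1408`, `stride_1409`, `stride_1411`, are mine).

```c
/*
 * Added model (not kernel code) of how a "#!" script's argv reaches its
 * interpreter. In the calling process, argv and envp are consecutive
 * NULL-terminated pointer arrays whose slot width is the *caller's*
 * pointer size. exec_script prepends the interpreter and the script path
 * and sets EXEC_SKIPARG so that copyinargs steps over the caller's
 * argv[0]. The byte count of that step is what the PR is about.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_PTRSZ 8          /* assumed: native pointer size on amd64 */
#define MAX_SLOTS    32

/* Packed user vectors. A slot holding v != 0 stands for the address of
 * table[v - 1]; a slot holding 0 is a NULL terminator. */
struct uvec {
	uint8_t bytes[MAX_SLOTS * KERNEL_PTRSZ];
	size_t len, ptrsz;
	const char *table[MAX_SLOTS];
	size_t ntable;
};

static void put_slot(struct uvec *u, uint64_t v)
{
	for (size_t i = 0; i < u->ptrsz; i++)
		u->bytes[u->len + i] = (uint8_t)(v >> (8 * i));
	u->len += u->ptrsz;
}

/* Append a NULL-terminated string array as slots, then its terminator. */
static void put_vector(struct uvec *u, const char *const *strs)
{
	for (; *strs != NULL; strs++) {
		u->table[u->ntable++] = *strs;
		put_slot(u, u->ntable);
	}
	put_slot(u, 0);
}

/* Stand-in for copyin() of one caller-sized slot; fails past the end. */
static int fetch_slot(const struct uvec *u, size_t off, uint64_t *v)
{
	if (off + u->ptrsz > u->len)
		return -1;
	*v = 0;
	for (size_t i = 0; i < u->ptrsz; i++)
		*v |= (uint64_t)u->bytes[off + i] << (8 * i);
	return 0;
}

/* Skip strides used across the three revisions discussed in the PR. */
static size_t stride_1408(size_t caller, size_t target)
{ (void)caller; (void)target; return KERNEL_PTRSZ; }  /* fixed sizeof(char *) */
static size_t stride_1409(size_t caller, size_t target)
{ (void)caller; return target; }                      /* ptrsz(): EXEC_32 */
static size_t stride_1411(size_t caller, size_t target)
{ (void)target; return caller; }                      /* fromptrsz(): EXEC_FROM32 */

/*
 * Run the constructed reproduction: sample.sh invoked with "1 2 3" or with
 * no arguments, from a process of pointer size `caller`, with an
 * interpreter of pointer size `target`. Returns what sample.sh's
 * echo "$#>>$@<<" would print, or "Bad address" if the walk runs off the
 * modelled vectors (EFAULT in the kernel; out[] overflow is folded in).
 */
static const char *scenario(size_t caller, size_t target,
    size_t (*stride)(size_t, size_t), int with_args)
{
	static const char *const argv_full[] = { "./sample.sh", "1", "2", "3", NULL };
	static const char *const argv_none[] = { "./sample.sh", NULL };
	static const char *const envp[] = { "HOME=/root", "TERM=vt100", NULL };
	static char line[512];
	struct uvec u;
	const char *out[MAX_SLOTS];
	int n = 0;
	size_t used;

	memset(&u, 0, sizeof(u));
	u.ptrsz = caller;
	put_vector(&u, with_args ? argv_full : argv_none);
	put_vector(&u, envp);   /* envp follows argv's NULL, as on the user stack */

	out[n++] = "/bin/sh";       /* exec_script: interpreter becomes argv[0] */
	out[n++] = "./sample.sh";   /* followed by the script path */
	for (size_t off = stride(caller, target);; off += caller) {
		uint64_t v;
		if (fetch_slot(&u, off, &v) != 0 || n >= MAX_SLOTS)
			return "Bad address";
		if (v == 0)
			break;
		out[n++] = u.table[v - 1];
	}
	/* $# excludes argv[0] and $0 (the script); $@ is the rest. */
	used = (size_t)snprintf(line, sizeof(line), "%d>>", n - 2);
	for (int i = 2; i < n; i++)
		used += (size_t)snprintf(line + used, sizeof(line) - used,
		    "%s%s", i > 2 ? " " : "", out[i]);
	snprintf(line + used, sizeof(line) - used, "<<");
	return line;
}

int main(void)
{
	printf("32-bit caller, rev 1.408 stride: %s\n", scenario(4, 4, stride_1408, 1));
	printf("32-bit caller, rev 1.409 stride: %s\n", scenario(4, 4, stride_1409, 1));
	printf("32->64 exec,   rev 1.409 stride: %s\n", scenario(4, 8, stride_1409, 1));
	printf("32->64 exec,   rev 1.411 stride: %s\n", scenario(4, 8, stride_1411, 1));
	printf("no args,       rev 1.408 stride: %s\n", scenario(4, 4, stride_1408, 0));
	return 0;
}
```

With a 32-bit caller and the fixed 8-byte step, the walk starts two caller slots in and the first argument is lost, which is the `2>>2 3<<` seen in the netbsd32 chroot; with no script arguments the step lands on the environment vector, which is why the kdump earlier in this PR shows the environment strings in argv. Keying the step on the target's size (1.409) fixes the 32 -> 32 case but not a 32-bit binary executing a 64-bit interpreter; keying it on the caller's size (1.411) handles both.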
From: Masao Uebayashi <uebayasi@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/49287 CVS commit: src/sys
Date: Mon, 15 Dec 2014 09:48:37 +0900
Forgot to mention that this 32->64 problem was found & reported by HIROSE Yuuji.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49287 CVS commit: [netbsd-7] src/sys
Date: Tue, 14 Apr 2015 05:12:17 +0000
Module Name: src
Committed By: snj
Date: Tue Apr 14 05:12:17 UTC 2015
Modified Files:
src/sys/kern [netbsd-7]: kern_exec.c
src/sys/sys [netbsd-7]: exec.h
Log Message:
Pull up following revision(s) (requested by christos in ticket #686):
sys/kern/kern_exec.c: revision 1.411
sys/sys/exec.h: revision 1.147
PR/49287: Masao Uebayashi: Handle exec_script argument vector from the 32 ->
64 bit case. When execing a 64 bit shell from a 32 bit binary the argument
vector was still incorrect.
To generate a diff of this commit:
cvs rdiff -u -r1.408.2.2 -r1.408.2.3 src/sys/kern/kern_exec.c
cvs rdiff -u -r1.145 -r1.145.4.1 src/sys/sys/exec.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: