NetBSD Problem Report #55043
From www@netbsd.org Tue Mar 3 05:46:13 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id C1A131A9217
for <gnats-bugs@gnats.NetBSD.org>; Tue, 3 Mar 2020 05:46:13 +0000 (UTC)
Message-Id: <20200303054612.AD8021A9242@mollari.NetBSD.org>
Date: Tue, 3 Mar 2020 05:46:12 +0000 (UTC)
From: thorpej@me.com
Reply-To: thorpej@me.com
To: gnats-bugs@NetBSD.org
Subject: pkgsrc/security/sudo reliably crashes on mips
X-Send-Pr-Version: www-1.0
>Number: 55043
>Category: toolchain
>Synopsis: pkgsrc/security/sudo reliably crashes on mips
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: thorpej
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 03 05:50:00 +0000 2020
>Closed-Date: Wed Mar 04 03:26:39 +0000 2020
>Last-Modified: Sun Mar 08 10:25:01 +0000 2020
>Originator: Jason Thorpe
>Release: NetBSD 9.99.48
>Organization:
Riscy Business
>Environment:
NetBSD cobalt 9.99.48 NetBSD 9.99.48 (GENERIC) #1: Sun Mar 1 17:27:01 PST 2020
mipsel, o32
>Description:
Running "sudo" or "visudo" from a freshly-built pkgsrc/security/sudo reliably crashes. This does not seem to apply to all natively built binaries, as digest and gnu m4 were successfully used to build the sudo package.
Classified as a toolchain problem because it seems to be croaking when processing global constructors:
cobalt:thorpej 15$ visudo
Memory fault (core dumped)
r/pkg/sbin/visudo visudo.core <
GNU gdb (GDB) 8.3
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "mipsel--netbsd".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/pkg/sbin/visudo...
(No debugging symbols found in /usr/pkg/sbin/visudo)
[New process 1]
Core was generated by `visudo'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x7dea4db0 in __do_global_ctors_aux ()
from /usr/pkg/lib/sudo/libsudo_util.so.0
(gdb)
>How-To-Repeat:
Run "visudo" or "sudo" from the sudo package on mips.
>Fix:
N/A
>Release-Note:
>Audit-Trail:
From: Rin Okuyama <rokuyama.rk@gmail.com>
To: gnats-bugs@netbsd.org, Jason Thorpe <thorpej@me.com>
Cc:
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Tue, 3 Mar 2020 15:00:10 +0900
Seems like GNU_RELRO v.s. 8KB-page problem observed on mips64:
https://mail-index.netbsd.org/port-evbmips/2016/09/11/msg000291.html
sudo still crashes also on mips64.
From: Jason Thorpe <thorpej@me.com>
To: Rin Okuyama <rokuyama.rk@gmail.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Mon, 2 Mar 2020 22:45:00 -0800
> On Mar 2, 2020, at 10:00 PM, Rin Okuyama <rokuyama.rk@gmail.com> wrote:
>
> Seems like GNU_RELRO v.s. 8KB-page problem observed on mips64:
>
> https://mail-index.netbsd.org/port-evbmips/2016/09/11/msg000291.html
>
> sudo still crashes also on mips64.
Maybe not? This is mipsel o32.
cobalt:thorpej 6$ cc -o hello hello.c
cobalt:thorpej 7$ ./hello
Hello, World!
cobalt:thorpej 8$ cc -Wl,-z,relro -o hello-relro hello.c
cobalt:thorpej 9$ ./hello-relro
Hello, World!
cobalt:thorpej 10$ sysctl hw.pagesize
hw.pagesize = 8192
cobalt:thorpej 11$
In my case, 0x7dea4db0 is reported as the faulting PC (in libsudo_util.so), and:
(gdb) disas __do_global_ctors_aux
Dump of assembler code for function __do_global_ctors_aux:
0x7dea4d78 <+0>: lui gp,0x2
0x7dea4d7c <+4>: addiu gp,gp,-15336
0x7dea4d80 <+8>: addu gp,gp,t9
0x7dea4d84 <+12>: lw v0,-32740(gp)
0x7dea4d88 <+16>: addiu sp,sp,-40
0x7dea4d8c <+20>: lbu v1,-27615(v0)
0x7dea4d90 <+24>: sw gp,16(sp)
0x7dea4d94 <+28>: sw ra,36(sp)
0x7dea4d98 <+32>: sw s1,32(sp)
0x7dea4d9c <+36>: sw s0,28(sp)
0x7dea4da0 <+40>: bnez v1,0x7dea4e1c <__do_global_ctors_aux+164>
0x7dea4da4 <+44>: li a0,1
0x7dea4da8 <+48>: lw v1,-32460(gp)
0x7dea4dac <+52>: nop
=> 0x7dea4db0 <+56>: beqz v1,0x7dea4dd4 <__do_global_ctors_aux+92>
0x7dea4db4 <+60>: sb a0,-27615(v0)
0x7dea4db8 <+64>: lw a1,-32740(gp)
0x7dea4dbc <+68>: lw t9,-32460(gp)
0x7dea4dc0 <+72>: lw a0,-32736(gp)
0x7dea4dc4 <+76>: jalr t9
As far as I can tell, this is:
if (register_frame_info)
register_frame_info(__EH_FRAME_LIST__, &dwarf_eh_object);
...in crtbegin (note the "sb" in the delay slot of the "beqz" is the "__initialized = 1;" just above in the function...)
(gdb) print/x $v1
$3 = 0x7de6d5ec
(gdb)
...which the debugger, at least, does believe is the __register_frame_info() function (register_frame_info is a weak ref to it):
(gdb) disas 0x7de6d5ec
Dump of assembler code for function __register_frame_info:
0x7de6d5ec <+0>: lui gp,0x2
0x7de6d5f0 <+4>: addiu gp,gp,-20972
0x7de6d5f4 <+8>: addu gp,gp,t9
0x7de6d5f8 <+12>: lw t9,-32596(gp)
0x7de6d5fc <+16>: move a3,zero
0x7de6d600 <+20>: jr t9
0x7de6d604 <+24>: move a2,zero
End of assembler dump.
-- thorpej
From: Jason Thorpe <thorpej@me.com>
To: Rin Okuyama <rokuyama.rk@gmail.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Mon, 2 Mar 2020 22:45:00 -0800
(Re-sending to wider audience.)
> On Mar 2, 2020, at 10:00 PM, Rin Okuyama <rokuyama.rk@gmail.com> wrote:
>
> Seems like GNU_RELRO v.s. 8KB-page problem observed on mips64:
>
> https://mail-index.netbsd.org/port-evbmips/2016/09/11/msg000291.html
>
> sudo still crashes also on mips64.
Maybe not? This is mipsel o32.
cobalt:thorpej 6$ cc -o hello hello.c
cobalt:thorpej 7$ ./hello
Hello, World!
cobalt:thorpej 8$ cc -Wl,-z,relro -o hello-relro hello.c
cobalt:thorpej 9$ ./hello-relro
Hello, World!
cobalt:thorpej 10$ sysctl hw.pagesize
hw.pagesize = 8192
cobalt:thorpej 11$
In my case, 0x7dea4db0 is reported as the faulting PC (in libsudo_util.so), and:
(gdb) disas __do_global_ctors_aux
Dump of assembler code for function __do_global_ctors_aux:
0x7dea4d78 <+0>: lui gp,0x2
0x7dea4d7c <+4>: addiu gp,gp,-15336
0x7dea4d80 <+8>: addu gp,gp,t9
0x7dea4d84 <+12>: lw v0,-32740(gp)
0x7dea4d88 <+16>: addiu sp,sp,-40
0x7dea4d8c <+20>: lbu v1,-27615(v0)
0x7dea4d90 <+24>: sw gp,16(sp)
0x7dea4d94 <+28>: sw ra,36(sp)
0x7dea4d98 <+32>: sw s1,32(sp)
0x7dea4d9c <+36>: sw s0,28(sp)
0x7dea4da0 <+40>: bnez v1,0x7dea4e1c <__do_global_ctors_aux+164>
0x7dea4da4 <+44>: li a0,1
0x7dea4da8 <+48>: lw v1,-32460(gp)
0x7dea4dac <+52>: nop
=> 0x7dea4db0 <+56>: beqz v1,0x7dea4dd4 <__do_global_ctors_aux+92>
0x7dea4db4 <+60>: sb a0,-27615(v0)
0x7dea4db8 <+64>: lw a1,-32740(gp)
0x7dea4dbc <+68>: lw t9,-32460(gp)
0x7dea4dc0 <+72>: lw a0,-32736(gp)
0x7dea4dc4 <+76>: jalr t9
As far as I can tell, this is:
if (register_frame_info)
register_frame_info(__EH_FRAME_LIST__, &dwarf_eh_object);
...in crtbegin (note the "sb" in the delay slot of the "beqz" is the "__initialized = 1;" just above in the function...)
(gdb) print/x $v1
$3 = 0x7de6d5ec
(gdb)
...which the debugger, at least, does believe is the __register_frame_info() function (register_frame_info is a weak ref to it):
(gdb) disas 0x7de6d5ec
Dump of assembler code for function __register_frame_info:
0x7de6d5ec <+0>: lui gp,0x2
0x7de6d5f0 <+4>: addiu gp,gp,-20972
0x7de6d5f4 <+8>: addu gp,gp,t9
0x7de6d5f8 <+12>: lw t9,-32596(gp)
0x7de6d5fc <+16>: move a3,zero
0x7de6d600 <+20>: jr t9
0x7de6d604 <+24>: move a2,zero
End of assembler dump.
-- thorpej
From: Rin Okuyama <rokuyama.rk@gmail.com>
To: gnats-bugs@netbsd.org, toolchain-manager@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, thorpej@me.com
Cc:
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Wed, 4 Mar 2020 00:03:04 +0900
On 2020/03/03 23:25, Jason Thorpe wrote:
...
> > On Mar 2, 2020, at 10:00 PM, Rin Okuyama <rokuyama.rk@gmail.com> wrote:
> >
> > Seems like GNU_RELRO v.s. 8KB-page problem observed on mips64:
> >
> > https://mail-index.netbsd.org/port-evbmips/2016/09/11/msg000291.html
> >
> > sudo still crashes also on mips64.
>
> Maybe not? This is mipsel o32.
...
OK, sorry for noise.
Note that sudo works fine on mips64, if environment variable
ax_cv_check_ldflags___Wl__z_relro=no is given to configure script,
which forcibly disables PT_GNU_RELRO segment header.
Thanks,
rin
From: Jason Thorpe <thorpej@me.com>
To: Rin Okuyama <rokuyama.rk@gmail.com>
Cc: gnats-bugs@netbsd.org,
toolchain-manager@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Tue, 3 Mar 2020 07:44:31 -0800
> On Mar 3, 2020, at 7:03 AM, Rin Okuyama <rokuyama.rk@gmail.com> wrote:
>
> Note that sudo works fine on mips64, if environment variable
> ax_cv_check_ldflags___Wl__z_relro=no is given to configure script,
> which forcibly disables PT_GNU_RELRO segment header.
I will try it and see what happens. It's entirely possible that I'm just lucky with the trivial example.
-- thorpej
From: Jason Thorpe <thorpej@me.com>
To: gnats-bugs@netbsd.org
Cc: toolchain-manager@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Tue, 3 Mar 2020 08:05:51 -0800
> On Mar 2, 2020, at 10:05 PM, Rin Okuyama <rokuyama.rk@gmail.com> wrote:
>
> The following reply was made to PR toolchain/55043; it has been noted by GNATS.
>
> From: Rin Okuyama <rokuyama.rk@gmail.com>
> To: gnats-bugs@netbsd.org, Jason Thorpe <thorpej@me.com>
> Cc:
> Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
> Date: Tue, 3 Mar 2020 15:00:10 +0900
>
> Seems like GNU_RELRO v.s. 8KB-page problem observed on mips64:
Hm, more info:
[ 93016.520396] trap: pid 21349(visudo): sig 11: cause=0x80000004 epc=0x7dea4db0 va=0x7deb9421
That cause maps to T_TLB_MOD, and the VA of 0x7deb9421 would indicate that it is in fact the "sb" instruction that's faulting, so you may be right and that it's a RELRO botch (downgrading pages to RO that shouldn't be).
-- thorpej
Responsible-Changed-From-To: toolchain-manager->thorpej
Responsible-Changed-By: thorpej@NetBSD.org
Responsible-Changed-When: Tue, 03 Mar 2020 19:52:52 +0000
Responsible-Changed-Why:
Take.
State-Changed-From-To: open->analyzed
State-Changed-By: thorpej@NetBSD.org
State-Changed-When: Tue, 03 Mar 2020 19:52:52 +0000
State-Changed-Why:
I have analyzed the issue and have a potential fix.
From: "Jason R Thorpe" <thorpej@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55043 CVS commit: src/libexec/ld.elf_so
Date: Wed, 4 Mar 2020 01:21:17 +0000
Module Name: src
Committed By: thorpej
Date: Wed Mar 4 01:21:17 UTC 2020
Modified Files:
src/libexec/ld.elf_so: headers.c map_object.c rtld.c
Log Message:
PT_GNU_RELRO segments are arranged such that their vaddr + memsz ends
on a linker common page size boundary. However, if the common page size
used by the linker is less than the VM page size being used by the kernel,
this can end up in the middle of a VM page and when the region is write-
protected, this can cause objects in neighboring .data to get incorrectly
write-protected, resulting in a crash.
Avoid this situation by calculating the end of the RELRO region not by
rounding memsz up to the VM page size, but rather by adding vaddr + memsz
and then truncating to the VM page size.
Fixes PR toolchain/55043.
XXX pullup-9
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/libexec/ld.elf_so/headers.c
cvs rdiff -u -r1.60 -r1.61 src/libexec/ld.elf_so/map_object.c
cvs rdiff -u -r1.202 -r1.203 src/libexec/ld.elf_so/rtld.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
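As an added illustration of the bug the log message describes (example code written for this page, not ld.elf_so's own), the snippet below models both rules for deriving the write-protected RELRO page range and applies them to a constructed layout with a 4 KiB linker common page and the 8 KiB VM page the PR reports. The addresses, the relro_old/relro_fixed names and the assumed placement of .data directly after the RELRO segment are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Half-open page range [start, end) that the dynamic linker would mprotect(). */
typedef struct { uintptr_t start, end; } range_t;

static uintptr_t round_down(uintptr_t x, uintptr_t pg) { return x & ~(pg - 1); }
static uintptr_t round_up(uintptr_t x, uintptr_t pg) { return (x + pg - 1) & ~(pg - 1); }

/* Pre-fix rule as the commit message describes it: start at the VM page
 * holding vaddr and cover memsz rounded UP to the VM page size.  When the
 * linker aligned vaddr+memsz only to its smaller common page size, the
 * rounded-up end lands past the segment, inside writable .data. */
range_t relro_old(uintptr_t vaddr, uintptr_t memsz, uintptr_t vmpg) {
    range_t r;
    r.start = round_down(vaddr, vmpg);
    r.end = r.start + round_up(memsz, vmpg);
    return r;
}

/* Post-fix rule: truncate vaddr+memsz DOWN to the VM page size, so a page
 * shared between RELRO and .data is left writable instead of over-protected. */
range_t relro_fixed(uintptr_t vaddr, uintptr_t memsz, uintptr_t vmpg) {
    range_t r;
    r.start = round_down(vaddr, vmpg);
    r.end = round_down(vaddr + memsz, vmpg);
    return r;
}

/* 1 if the protected range overlaps the writable region [data_start, data_end). */
int clobbers_data(range_t r, uintptr_t data_start, uintptr_t data_end) {
    return r.start < data_end && data_start < r.end;
}

int main(void) {
    /* Constructed layout (hypothetical addresses): linker common page 4 KiB,
     * kernel VM page 8 KiB as on the PR's mipsel system (hw.pagesize = 8192).
     * RELRO ends on a 4 KiB boundary mid-page and .data follows immediately. */
    const uintptr_t vmpg = 8192, vaddr = 0x40000, memsz = 0x3000;
    const uintptr_t data_start = vaddr + memsz, data_end = data_start + 0x800;
    range_t o = relro_old(vaddr, memsz, vmpg), f = relro_fixed(vaddr, memsz, vmpg);
    printf("old:   [%#lx,%#lx) clobbers .data=%d\n", (unsigned long)o.start,
           (unsigned long)o.end, clobbers_data(o, data_start, data_end));
    printf("fixed: [%#lx,%#lx) clobbers .data=%d\n", (unsigned long)f.start,
           (unsigned long)f.end, clobbers_data(f, data_start, data_end));
    return 0;
}
```

The price of the fix is visible in the output: the trailing partial page is left unprotected, so RELRO covers slightly less than the linker intended, which is the correct trade against write-protecting live .data such as crtbegin's __initialized flag.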
State-Changed-From-To: analyzed->closed
State-Changed-By: thorpej@NetBSD.org
State-Changed-When: Wed, 04 Mar 2020 03:26:39 +0000
State-Changed-Why:
Issue is fixed.
From: Rin Okuyama <rokuyama.rk@gmail.com>
To: gnats-bugs@netbsd.org, thorpej@netbsd.org, netbsd-bugs@netbsd.org,
gnats-admin@netbsd.org, thorpej@me.com
Cc:
Subject: Re: toolchain/55043 (pkgsrc/security/sudo reliably crashes on mips)
Date: Wed, 4 Mar 2020 13:00:27 +0900
With this fix, sudo now works fine on mips64 too.
Thank you very much for the quick fix!
rin
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55043 CVS commit: [netbsd-9] src/libexec/ld.elf_so
Date: Sun, 8 Mar 2020 10:22:29 +0000
Module Name: src
Committed By: martin
Date: Sun Mar 8 10:22:29 UTC 2020
Modified Files:
src/libexec/ld.elf_so [netbsd-9]: headers.c map_object.c rtld.c
Log Message:
Pull up following revision(s) (requested by thorpej in ticket #758):
libexec/ld.elf_so/map_object.c: revision 1.61
libexec/ld.elf_so/headers.c: revision 1.68
libexec/ld.elf_so/rtld.c: revision 1.203
PT_GNU_RELRO segments are arranged such that their vaddr + memsz ends
on a linker common page size boundary. However, if the common page size
used by the linker is less than the VM page size being used by the kernel,
this can end up in the middle of a VM page and when the region is write-
protected, this can cause objects in neighboring .data to get incorrectly
write-protected, resulting in a crash.
Avoid this situation by calculating the end of the RELRO region not by
rounding memsz up to the VM page size, but rather by adding vaddr + memsz
and then truncating to the VM page size.
Fixes PR toolchain/55043.
XXX pullup-9
To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.65.2.1 src/libexec/ld.elf_so/headers.c
cvs rdiff -u -r1.60 -r1.60.2.1 src/libexec/ld.elf_so/map_object.c
cvs rdiff -u -r1.197.2.2 -r1.197.2.3 src/libexec/ld.elf_so/rtld.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: