Bug 290249 - sys-apps/sandbox deadlocks if other library interposes mmap() and calls open() in it
Status: RESOLVED NEEDINFO
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox
Hardware: All Linux
Importance: High normal
Assignee: Sandbox Maintainers
Reported: 2009-10-23 15:04 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2012-06-23 02:59 UTC

Attachments
libsandbox-mmap.patch (libsandbox-mmap.patch,1.90 KB, patch)
2009-10-25 08:59 UTC, SpanKY
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2009-10-23 15:04:33 UTC
As I told Mike before, when testing a library that interposes mmap() and calls open() in it (such as dev-util/google-perftools), sandbox deadlocks:

(gdb) bt
#0  __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1  0x00002ac1d3aa8ed5 in _L_lock_941 () from /lib/libpthread.so.0
#2  0x00002ac1d3aa8cf8 in __pthread_mutex_lock (mutex=0x2ac1d33053e0) at pthread_mutex_lock.c:61
#3  0x00002ac1d30fa131 in before_syscall (dirfd=-100, sb_nr=<value optimized out>, func=<value optimized out>, file=<value optimized out>, 
    flags=<value optimized out>) at ../../sandbox-2.1/libsandbox/libsandbox.c:1022
#4  0x00002ac1d30fee56 in open_DEFAULT (pathname=0x7fff77cbc750 "/proc/19915/maps", flags=0) at ../../sandbox-2.1/libsandbox/wrapper-funcs/__wrapper_simple.c:52
#5  0x00002ac1d421cd11 in open (mi=0x7fff77cbe760, pid=<value optimized out>) at /usr/include/bits/fcntl2.h:54
#6  maps_init (mi=0x7fff77cbe760, pid=<value optimized out>) at ./os-linux.h:73
#7  0x00002ac1d421d57c in find_binary_for_address (as=<value optimized out>, info=<value optimized out>, addr=4205320, dlname=<value optimized out>)
    at dwarf/Gfind_proc_info-lsb.c:246
#8  locate_debug_info (as=<value optimized out>, info=<value optimized out>, addr=4205320, dlname=<value optimized out>) at dwarf/Gfind_proc_info-lsb.c:290
#9  0x00002ac1d421d9bf in callback (info=0x7fff77cbe900, size=<value optimized out>, ptr=<value optimized out>) at dwarf/Gfind_proc_info-lsb.c:580
#10 0x00002ac1d3dc00fe in *__GI___dl_iterate_phdr (callback=0x2ac1d421d600 <callback>, data=0x7fff77cbe990) at dl-iteratephdr.c:76
#11 0x00002ac1d421cb7f in _ULx86_64_dwarf_find_proc_info (as=<value optimized out>, ip=4205320, pi=0x7fff77cbf1f8, need_unwind_info=1, arg=0x7fff77cbf120)
    at dwarf/Gfind_proc_info-lsb.c:732
#12 0x00002ac1d421b284 in fetch_proc_info (c=0x7fff77cbf120, ip=4205320, need_unwind_info=1) at dwarf/Gparser.c:397
#13 0x00002ac1d421c3f0 in _ULx86_64_dwarf_find_save_locs (c=0x7fff77cbf120) at dwarf/Gparser.c:825
#14 0x00002ac1d421c8e9 in _ULx86_64_dwarf_step (c=0x2ac1d33053e0) at dwarf/Gstep.c:35
#15 0x00002ac1d421eed4 in _ULx86_64_step (cursor=0x2ac1d33053e0) at x86_64/Gstep.c:42
#16 0x00002ac1d333623d in GetStackTrace (result=0x7fff77cbf920, max_depth=42, skip_count=0) at src/stacktrace_libunwind-inl.h:81
#17 0x00002ac1d332d0b7 in MallocHook_GetCallerStackTrace (result=0x7fff77cbfbe8, max_depth=1, skip_count=<value optimized out>) at src/malloc_hook.cc:324
#18 0x00002ac1d33333be in MallocHook::GetCallerStackTrace (start=<value optimized out>, size=<value optimized out>) at ./src/google/malloc_hook.h:192
#19 MemoryRegionMap::RecordRegionAddition (start=<value optimized out>, size=<value optimized out>) at src/memory_region_map.cc:471
#20 0x00002ac1d333bd65 in MallocHook::InvokeMmapHook (start=0x0, length=8200, prot=3, flags=34, fd=-1, offset=0) at src/malloc_hook-inl.h:141
#21 mmap (start=0x0, length=8200, prot=3, flags=34, fd=-1, offset=0) at src/malloc_hook.cc:471
#22 0x00002ac1d30fab62 in malloc (size=8200) at ../../sandbox-2.1/libsandbox/memory.c:26
#23 0x00002ac1d31004fb in __xmalloc (size=47011960214496, file=0x80 <Address 0x80 out of bounds>, func=0x2ac1d3100e81 "open_rd", line=18446744073709551615)
    at ../../sandbox-2.1/libsbutil/sb_memory.c:31
#24 0x00002ac1d30f9926 in resolve_path (path=0x2ac1d4705d6e "/etc/group", follow_link=0) at ../../sandbox-2.1/libsandbox/libsandbox.c:205
#25 0x00002ac1d30fa519 in check_syscall (dirfd=-100, sb_nr=<value optimized out>, func=<value optimized out>, file=<value optimized out>, 
    flags=<value optimized out>) at ../../sandbox-2.1/libsandbox/libsandbox.c:874
#26 before_syscall (dirfd=-100, sb_nr=<value optimized out>, func=<value optimized out>, file=<value optimized out>, flags=<value optimized out>)
    at ../../sandbox-2.1/libsandbox/libsandbox.c:1062
#27 0x00002ac1d30fe92c in fopen_DEFAULT (pathname=0x2ac1d4705d6e "/etc/group", mode=0x2ac1d4705d6a "rme")
    at ../../sandbox-2.1/libsandbox/wrapper-funcs/__wrapper_simple.c:52
#28 0x00002ac1d4701623 in internal_setgrent (ent=0x2ac1d4907140, stayopen=1, needent=1) at nss_compat/compat-grp.c:124
#29 0x00002ac1d4702336 in _nss_compat_getgrent_r (grp=0x2ac1d400fb80, buffer=0x1e40800 "", buflen=1024, errnop=0x2ac1d46b3eb8) at nss_compat/compat-grp.c:396
#30 0x00002ac1d3d9b63a in __nss_getent_r (getent_func_name=0x2ac1d3dd7d4a "getgrent_r", setent_func_name=<value optimized out>, 
    lookup_fct=0x2ac1d3d9c1b0 <*__GI___nss_group_lookup2>, nip=0x2ac1d400fc30, startp=<value optimized out>, last_nip=<value optimized out>, stayopen_tmp=0x0, 
    res=0, resbuf=0x2ac1d400fb80, buffer=0x1e40800 "", buflen=1024, result=0x7fff77cc6078, h_errnop=0x0) at getnssent_r.c:164
#31 0x00002ac1d3d582c6 in __getgrent_r (resbuf=<value optimized out>, buffer=<value optimized out>, buflen=<value optimized out>, result=0x7fff77cbf1f8)
    at ../nss/getXXent_r.c:162
#32 0x00002ac1d3d9b253 in __nss_getent (func=0x2ac1d3d58230 <__getgrent_r>, resbuf=0x2ac1d400fb80, buffer=0x2ac1d400ddd8, buflen=<value optimized out>, 
    buffer_size=0x2ac1d400fba0, h_errnop=0x0) at getnssent.c:38
#33 0x00002ac1d3d57bc2 in getgrent () at ../nss/getXXent.c:84
#34 0x0000000000405f41 in TestLibCAllocate () at src/tests/heap-checker_unittest.cc:832
#35 0x0000000000407866 in main (argc=<value optimized out>, argv=<value optimized out>) at src/tests/heap-checker_unittest.cc:1343


It would be a good idea to have a way to tell the sandbox to only rely on ptrace-based sandboxing in such a case.
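
The re-entry visible in the backtrace above (frames #27 down to #3: before_syscall() -> malloc() -> interposed mmap() -> open() -> before_syscall() again on the same thread) can be modelled in isolation. The following C example is an added illustration, not code from sandbox, google-perftools or the attached patch; every function name in it, and the per-thread guard, are hypothetical stand-ins.

```c
/* Added illustration: stand-ins that model the backtrace; not libsandbox or perftools code. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

static pthread_mutex_t sb_lock; /* models the mutex locked in before_syscall() */
static __thread int in_check;   /* hypothetical per-thread re-entry guard */
static int use_guard;           /* 0 = as in the report, 1 = guard enabled */
static int nested_rc;           /* result seen by the nested open() wrapper */
static int before_syscall_model(void);

/* Models the other library's mmap() hook opening /proc/<pid>/maps via open(). */
static void interposed_mmap_model(void)
{
    nested_rc = before_syscall_model();
}

/* Models before_syscall(): take the lock, allocate while holding it, unlock. */
static int before_syscall_model(void)
{
    if (use_guard && in_check) return 0; /* nested call: skips lock and path check */
    int rc = pthread_mutex_lock(&sb_lock);
    if (rc != 0)
        return rc;            /* EDEADLK: this thread already holds the lock */
    in_check = 1;
    interposed_mmap_model();  /* resolve_path() -> malloc() -> mmap() hook */
    in_check = 0;
    pthread_mutex_unlock(&sb_lock);
    return 0;
}

/* Error-checking mutex: reports the self-relock that hangs in the report's trace. */
static int run_chain(int guard)
{
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&sb_lock, &attr);
    pthread_mutexattr_destroy(&attr);
    use_guard = guard; nested_rc = -1;
    before_syscall_model();   /* outer call, e.g. fopen("/etc/group") */
    pthread_mutex_destroy(&sb_lock);
    return nested_rc;         /* what the nested wrapper call got back */
}

int main(void)
{
    printf("no guard: %d (EDEADLK=%d), guard: %d\n", run_chain(0), EDEADLK, run_chain(1));
}
```

Build with `cc -pthread`. With the guard enabled the nested open() is not policy-checked at all, which is the trade-off any such bypass has to account for.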
Comment 1 SpanKY gentoo-dev 2009-10-25 08:59:44 UTC
Created attachment 208180
libsandbox-mmap.patch

give this patch a try please
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-10-25 21:33:27 UTC
Patch works fine. When in tree I'll "test?" depend on the new sandbox.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-05 23:09:58 UTC
Mike can we get a sandbox with this patch added to the tree? Pleeease.
Comment 5 SpanKY gentoo-dev 2010-08-15 05:40:16 UTC
it'll happen.  open bugs clutter my queue.
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-19 12:15:26 UTC
Did you revert this patch by chance? Because 2.3-r1 has the problem as well and I'm sure the patch worked:

#0  __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1  0x00002b62d3ff5584 in _L_lock_999 () from /lib/libpthread.so.0
#2  0x00002b62d3ff539a in __pthread_mutex_lock (mutex=0x2b62d3852400) at pthread_mutex_lock.c:61
#3  0x00002b62d3646294 in before_syscall (dirfd=-100, sb_nr=-3, func=0x2b62d364d16b "open_rd", file=0x7fff3d62f510 "/proc/28612/maps", flags=0)
    at ../../sandbox-2.3/libsandbox/libsandbox.c:1049
#4  0x00002b62d3648b95 in open_DEFAULT (pathname=0x7fff3d62f510 "/proc/28612/maps", flags=0) at ../../sandbox-2.3/libsandbox/wrapper-funcs/__wrapper_simple.c:52
#5  0x00002b62d477e8c6 in open (addr=4204712, dlname=<value optimized out>, as=<value optimized out>, info=<value optimized out>) at /usr/include/bits/fcntl2.h:54
#6  maps_init (addr=4204712, dlname=<value optimized out>, as=<value optimized out>, info=<value optimized out>) at ./os-linux.h:73
#7  find_binary_for_address (addr=4204712, dlname=<value optimized out>, as=<value optimized out>, info=<value optimized out>) at dwarf/Gfind_proc_info-lsb.c:246
#8  locate_debug_info (addr=4204712, dlname=<value optimized out>, as=<value optimized out>, info=<value optimized out>) at dwarf/Gfind_proc_info-lsb.c:290
#9  0x00002b62d477f3d5 in callback (info=0x7fff3d631670, size=<value optimized out>, ptr=0x7fff3d631700) at dwarf/Gfind_proc_info-lsb.c:580
#10 0x00002b62d4310c2e in *__GI___dl_iterate_phdr (callback=0x2b62d477f040 <callback>, data=0x7fff3d631700) at dl-iteratephdr.c:75
#11 0x00002b62d477f91f in _ULx86_64_dwarf_find_proc_info (as=0x2b62d49871c0, ip=4204712, pi=0x7fff3d631f98, need_unwind_info=1, arg=0x7fff3d631ec0)
    at dwarf/Gfind_proc_info-lsb.c:732
#12 0x00002b62d477d12c in fetch_proc_info (c=0x7fff3d631ec0, ip=4204712, need_unwind_info=1) at dwarf/Gparser.c:397
#13 0x00002b62d477e230 in _ULx86_64_dwarf_find_save_locs (c=0x7fff3d631ec0) at dwarf/Gparser.c:825
#14 0x00002b62d477e749 in _ULx86_64_dwarf_step (c=0x7fff3d631ec0) at dwarf/Gstep.c:35
#15 0x00002b62d4780b16 in _ULx86_64_step (cursor=<value optimized out>) at x86_64/Gstep.c:42
#16 0x00002b62d3886b63 in GetStackTrace (result=<value optimized out>, max_depth=42, skip_count=<value optimized out>) at src/stacktrace_libunwind-inl.h:114
#17 0x00002b62d387d2b7 in MallocHook_GetCallerStackTrace (result=0x7fff3d632998, max_depth=1, skip_count=<value optimized out>) at src/malloc_hook.cc:338
#18 0x00002b62d388479e in MallocHook::GetCallerStackTrace (start=<value optimized out>, size=<value optimized out>) at ./src/google/malloc_hook.h:192
#19 MemoryRegionMap::RecordRegionAddition (start=<value optimized out>, size=<value optimized out>) at src/memory_region_map.cc:471
#20 0x00002b62d388e8a5 in MallocHook::InvokeMmapHook (start=0x0, length=8200, prot=3, flags=34, fd=-1, offset=0) at src/malloc_hook-inl.h:150
#21 mmap (start=0x0, length=8200, prot=3, flags=34, fd=-1, offset=0) at src/malloc_hook.cc:485
#22 0x00002b62d3646cab in sb_mmap (size=8200) at ../../sandbox-2.3/libsandbox/memory.c:26
#23 malloc (size=8200) at ../../sandbox-2.3/libsandbox/memory.c:46
#24 0x00002b62d364c6db in __xmalloc (size=8192, file=0x2b62d364d188 "../../sandbox-2.3/libsandbox/libsandbox.c", func=0x2b62d364d2f1 "resolve_path", line=214)
    at ../../sandbox-2.3/libsbutil/sb_memory.c:31
#25 0x00002b62d3645a06 in resolve_path (path=0x2b62d4c70eee "/etc/group", follow_link=0) at ../../sandbox-2.3/libsandbox/libsandbox.c:214
#26 0x00002b62d364669e in check_syscall (dirfd=<value optimized out>, sb_nr=-3, func=0x2b62d364d16b "open_rd", file=0x2b62d4c70eee "/etc/group", flags=0)
    at ../../sandbox-2.3/libsandbox/libsandbox.c:901
#27 before_syscall (dirfd=<value optimized out>, sb_nr=-3, func=0x2b62d364d16b "open_rd", file=0x2b62d4c70eee "/etc/group", flags=0)
    at ../../sandbox-2.3/libsandbox/libsandbox.c:1089
#28 0x00002b62d3648eac in fopen_DEFAULT (pathname=0x2b62d4c70eee "/etc/group", mode=0x2b62d4c70eea "rme")
    at ../../sandbox-2.3/libsandbox/wrapper-funcs/__wrapper_simple.c:52
#29 0x00002b62d4c6c5d3 in internal_setgrent (ent=0x2b62d4e73140, stayopen=1, needent=1) at nss_compat/compat-grp.c:124
#30 0x00002b62d4c6cfc6 in _nss_compat_getgrent_r (grp=0x2b62d4570c20, buffer=0x2814800 "", buflen=1024, errnop=0x2b62d4c154b0) at nss_compat/compat-grp.c:396
#31 0x00002b62d42eb7fa in __nss_getent_r (getent_func_name=0x2b62d4333448 "getgrent_r", setent_func_name=0x2b62d4333453 "setgrent", 
    lookup_fct=<value optimized out>, nip=0x2b62d4570d10, startp=<value optimized out>, last_nip=0x2b62d4570d20, stayopen_tmp=0x0, res=0, resbuf=0x2b62d4570c20, 
    buffer=0x2814800 "", buflen=1024, result=0x7fff3d638e38, h_errnop=0x0) at getnssent_r.c:164
#32 0x00002b62d42a7eb6 in __getgrent_r (resbuf=<value optimized out>, buffer=<value optimized out>, buflen=<value optimized out>, result=<value optimized out>)
    at ../nss/getXXent_r.c:162
#33 0x00002b62d42eb403 in __nss_getent (func=0x2b62d42a7e20 <__getgrent_r>, resbuf=0x2b62d4570c20, buffer=0x2b62d456edd8, buflen=<value optimized out>, 
    buffer_size=0x2b62d4570c40, h_errnop=0x0) at getnssent.c:37
#34 0x00002b62d42a7622 in getgrent () at ../nss/getXXent.c:85
#35 0x0000000000407841 in TestLibCAllocate () at src/tests/heap-checker_unittest.cc:852
#36 0x00000000004078e6 in main (argc=<value optimized out>, argv=<value optimized out>) at src/tests/heap-checker_unittest.cc:1370
Comment 7 SpanKY gentoo-dev 2010-08-19 15:52:49 UTC
you can clearly see sb_mmap() in that trace, so obviously no, the patch hasn't been reverted
Comment 8 SpanKY gentoo-dev 2012-06-23 02:59:29 UTC
we need a reduced test case here ...