Summary: | =sys-apps/sandbox-2.13 kills gcc (segmentation fault) if /bin/sh points to /bin/dash instead of /bin/bash (=app-shells/dash-0.5.10.2) for some packages | | |
---|---|---|---|
Product: | Portage Development | Reporter: | 0x6d6174 |
Component: | Sandbox | Assignee: | Sandbox Maintainers <sandbox> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | andrey, base-system, mgorny, slyfox, walther.md |
Priority: | Normal | Keywords: | PATCH |
Version: | unspecified | | |
Hardware: | AMD64 | | |
OS: | Linux | | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=673560 | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 526268 | | |
Attachments: | build.log, config.log, sandbox-2.14-execv-environ.patch | | |
Description
0x6d6174
2018-10-26 20:13:07 UTC
Created attachment 553230 [details]
build.log
Created attachment 553232 [details]
config.log
Most likely not a sandbox issue. Please post the output of emerge --info sandbox gcc glibc gzip

```
Portage 2.3.51 (python 3.6.6-final-0, hardened/linux/amd64, gcc-8.2.0, glibc-2.28-r1, 4.19.0-gentoo x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-4.19.0-gentoo-x86_64-Intel-R-_Core-TM-_i5-7600K_CPU_@_3.80GHz-with-gentoo-2.6
KiB Mem:     8074592 total,   5350348 free
KiB Swap:    8388604 total,   8388604 free
Head commit of repository gentoo: 3b8059376ea43c9675f58e24d4f417885f54896c
sh dash 0.5.10.2
ld GNU ld (Gentoo 2.31.1 p3) 2.31.1
app-shells/bash:          4.4_p23::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.26.2::gentoo
dev-lang/python:          2.7.15::gentoo, 3.6.6::gentoo, 3.7.0::gentoo
dev-util/cmake:           3.12.3::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.39.1::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.16.1-r1::gentoo
sys-devel/binutils:       2.31.1-r1::gentoo
sys-devel/gcc:            7.3.0-r5::gentoo, 8.2.0-r3::gentoo
sys-devel/gcc-config:     2.0::gentoo
sys-devel/libtool:        2.4.6-r5::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc:           2.28-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/repo/gentoo.git
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

Installed sets: @steam
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fPIE"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -fPIE"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://de-mirror.org/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de de_DE"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X aac acl acpi alsa alsa-plugin amd64 aspell avcodec avformat bdplus berkdb bluray bzip2 caps cli cron crypt cryptsetup cups cxx dri dri3 dts dvb dvd dvi2tty dvipdfm egl ffmpeg fontconfig gdbm glamor glib graphics gtk hardened iconv infinality ipv6 jpeg lame libressl libtirpc logrotate mmx mp3 mpeg multilib ncurses nls nptl nvidia ogg open_perms opengl openh264 openmp orc pam pcre peer_perms pie png postproc ppp pstricks python qt5 readline rtlsdr science scrypt seccomp sna socks5 spell sse sse2 ssl ssp static static-libs tcpd theora tiff truetype ubac udev unicode urandom vaapi vim-syntax vorbis wayland x264 x265 xattr xtpax xv xvid xvmc xwayland zlib zsh-completion"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="karbon plan sheets stage words"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X87="aes avx avx2 f16c fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
CURL_SSL="libressl"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="pc"
INPUT_DEVICES="evdev joystick"
KERNEL="linux"
L10N="de"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-6 php7-1"
POSTGRES_TARGETS="postgres9_5 postgres10"
PYTHON_SINGLE_TARGET="python3_6"
PYTHON_TARGETS="python2_7 python3_6"
QEMU_SOFTMMU_TARGETS="x86_64 i386"
RUBY_TARGETS="ruby24 ruby25"
SANE_BACKENDS="epson epson2 net canon"
USERLAND="GNU"
VIDEO_CARDS="intel i965"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
Package Settings
=================================================================

sys-apps/sandbox-2.13::gentoo was built with the following:
USE="" ABI_X86="(32) (64) (-x32)"

sys-devel/gcc-7.3.0-r5::gentoo was built with the following:
USE="cxx fortran hardened (multilib) nls nptl openmp (pie) (ssp) vtv (-altivec) -cilk -debug -doc (-fixed-point) -go -graphite (-jit) (-libssp) -mpx -objc -objc++ -objc-gc (-pch) -pgo -regression-test (-sanitize) -vanilla" ABI_X86="(64)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"

sys-devel/gcc-8.2.0-r3::gentoo was built with the following:
USE="cxx fortran hardened (multilib) nls nptl openmp (pie) (ssp) vtv (-altivec) -debug -doc (-fixed-point) -go -graphite (-jit) (-libssp) -mpx -objc -objc++ -objc-gc (-pch) -pgo -regression-test (-sanitize) -systemtap -vanilla" ABI_X86="(64)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"

sys-libs/glibc-2.28-r1::gentoo was built with the following:
USE="caps hardened multiarch (multilib) -audit (-cet) (-compile-locales) -doc -gd -headers-only -nscd (-profile) (-selinux) -suid -systemtap -test (-vanilla)" ABI_X86="(64)"
CFLAGS="-pipe -ggdb -O2 -fno-strict-aliasing"
CXXFLAGS="-pipe -ggdb -O2 -fno-strict-aliasing"

app-arch/gzip-1.9::gentoo was built with the following:
USE="static -pic" ABI_X86="(64)"
CFLAGS="-O2 -pipe -fPIE -static"
CXXFLAGS="-O2 -pipe -fPIE -static"
```

If it's not a sandbox issue, why does emerge =app-arch/gzip-1.9 with /bin/dash as /bin/sh only compile if I add FEATURES="-sandbox -usersandbox"?

I can reproduce this. It happens for me if dash is compiled statically. Steps to reproduce:

```
# env USE="static" emerge -v1 app-shells/dash eselect-sh
# eselect sh set dash
# cd /usr/portage/app-arch/gzip
# ebuild gzip-1.10.ebuild clean unpack
# cd /var/tmp/portage/app-arch/gzip-1.10/work/gzip-1.10/
# sudo -u portage -- sandbox bash
checking whether the C compiler works... no
configure: error: in `/var/tmp/portage/app-arch/gzip-1.10/work/gzip-1.10':
configure: error: C compiler cannot create executables
See `config.log' for more details
# exit
# sudo -u portage -- bash
# ./configure
# configure should succeed outside of the sandbox
```

You seem to have fallen into the trap of thinking that statically linked executables are more portable/resistant to defects. They are not. In fact, -static usually means things are really fragile to libc or other system API changes. Apparently, using sandbox is one of those things that breaks it. If @base-system wants, they can remove the static flag to stop people from shooting themselves in the foot. There's nothing sandbox@ can do here.

USE=static is a red herring here. The same failure occasionally happens on dynamically linked bash as well.

sandbox's execv() wrapper breaks the assumption that 'environ' is unchanged during the execv() call. The affected code uses the following pattern:

```c
save_env = environ;
vfork();
/* child */
environ = new_env;   // [1]
execv();
/* parent */
wait();
environ = save_env;  // undo [1]
putenv(...);         // [2]
```

It's an extract of gcc's (and gdb's) pex_unix_exec_child() function:
https://github.com/gcc-mirror/gcc/blob/d1961e648e0fedebd06e4ad786c1bfc536312ef7/libiberty/pex-unix.c#L566

In the case of libsandbox, execv() has the effect of clobbering environ via sb_check_envp():
https://gitweb.gentoo.org/proj/sandbox.git/tree/libsandbox/wrapper-funcs/__wrapper_exec.c#n277

Namely at:
https://gitweb.gentoo.org/proj/sandbox.git/tree/libsandbox/libsandbox.c#n1126

```c
for (i = 0; i < num_vars; ++i) {
    if (found_vars[i] || !vars[i].value)
        continue;
    setenv(vars[i].name, vars[i].value, 1); // here
}
```

setenv() occasionally relocates the 'environ' array on the heap, and [1] then points to freed memory. If the host process happens to access the environment later, it has every chance of reaching garbled data.

To avoid fork()/vfork() involvement, the failing case could even be as simple as:

```c
save_env = environ;  // [3]
execv();             // expect failure
environ = save_env;  // undo [4]
```

*** Bug 673560 has been marked as a duplicate of this bug. ***

*** Bug 673724 has been marked as a duplicate of this bug. ***

Created attachment 560120 [details, diff]
sandbox-2.14-execv-environ.patch

sandbox-2.14-execv-environ.patch adds a simple test for 'environ' stability and fixes the execv*() wrappers to preserve 'environ'. Feel free to push it after some testing.

@slyfox, perfect job, thanks

As a user, I can confirm the patch works well on the different ebuilds which were causing a segmentation fault on my system (busybox openssl libdrm mesa libepoxy ghostscript-gpl nvidia-drivers).

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f3e51a930312422cc78b693a247b7c5704ac90a2

```
commit f3e51a930312422cc78b693a247b7c5704ac90a2
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-01-06 09:32:55 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-01-08 22:48:44 +0000

    exec*() wrappers: never mutate 'environ' of host process

    In bug #669702 gcc exposed sandbox bug where execv() wrapper
    changed 'environ' global variable underneath. A few GNU projects
    (pex_unix_exec_child in gcc and gdb) use the following idiom:

        for (;;) {
            vfork();
            char ** save_environ = environ; // [1]
            if (child) {
                environ = child_environ; // [2]
                execv(payload); // [3]
            }
            if (parent) {
                environ = save_environ; // [4]
                ...
                waitpid(child, ...);
            }
        }

    Code above assumes that execv() does not mutate 'environ'.
    In case of #669702 sandbox's execv() wrapper at '[3]' mutated
    'environ' and relocated it (via malloc()/free() internally).
    This caused '[4]' to point 'environ' to a freed location.

    The change fixes it in the following way:
    - execv() call now works more like execve() call by mutating
      external array and substitutes 'environ' only for a period
      of 'execv()' execution.
    - add basic execv()/'environ' corruption test

    Tested on:
    - linux/glibc-2.28
    - linux/uclibc-ng-1.0.31

    Reported-and-tested-by: Walther
    Reported-by: 0x6d6174@posteo.de
    Reported-by: Andrey Korolyov
    Bug: https://bugs.gentoo.org/669702
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 libsandbox/libsandbox.c                   | 92 +++++++++++++++----------------
 libsandbox/libsandbox.h                   | 17 +++++-
 libsandbox/wrapper-funcs/__wrapper_exec.c | 15 +++--
 tests/Makefile.am                         |  1 +
 tests/execv-0.c                           | 21 +++++++
 tests/execv-1.sh                          |  4 ++
 tests/execv.at                            |  1 +
 7 files changed, 96 insertions(+), 55 deletions(-)
```

Pushed patch to master branch. Next step is to cut a release or apply the fix (without test suite changes) on the current sandbox ebuild. Thanks all!

With the patch the problem is fixed, so thanks for resolving the issue! :) Tested ebuild =sys-apps/sandbox-2.15

*** Bug 621542 has been marked as a duplicate of this bug. ***
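The following is an added illustration of the 'environ' relocation slyfox describes above, not code from sandbox, gcc or any commenter: the old wrapper strategy (setenv() into the host's environment) beside the direction of the fix (a private envp array that leaves `environ` alone). The variable name `SANDBOX_DEMO_VAR` and the function names are hypothetical; the behaviour of setenv() allocating a new array on the first added variable is glibc's and musl's.

```c
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Fixed strategy: build a private envp from the caller's array plus one
 * NAME=VALUE entry; `environ` is neither read nor written. The last
 * element is newly allocated, the other strings are shared with envp. */
char **envp_plus_var(char *const envp[], const char *name, const char *value)
{
    size_t n = 0, nl = strlen(name), vl = strlen(value);
    while (envp[n]) n++;
    char **out = calloc(n + 2, sizeof *out);
    char *entry = malloc(nl + vl + 2);
    if (!out || !entry) { free(out); free(entry); return NULL; }
    memcpy(entry, name, nl);
    entry[nl] = '=';
    memcpy(entry + nl + 1, value, vl + 1);
    memcpy(out, envp, n * sizeof *out);
    out[n] = entry;
    out[n + 1] = NULL;
    return out;
}

/* The invariant gcc's pex_unix_exec_child() relies on: `environ` is the
 * same pointer after the wrapper ran as before. Returns 1 if it held. */
int environ_stable_with_copy(void)
{
    char **saved = environ;
    char **envp = envp_plus_var(environ, "SANDBOX_DEMO_VAR", "1"); /* hypothetical */
    if (!envp) return 0;
    size_t n = 0;
    while (envp[n]) n++;
    int ok = environ == saved && strcmp(envp[n - 1], "SANDBOX_DEMO_VAR=1") == 0;
    free(envp[n - 1]);   /* the injected entry is the only string we own */
    free(envp);
    return ok;
}

/* Old wrapper strategy, as the bug describes it: setenv() into the host's
 * own environment. Adding a variable that is not yet present makes glibc
 * and musl allocate a fresh array and repoint `environ` at it, so a saved
 * `char **` goes stale and restoring it later points at freed memory. */
int environ_stable_with_setenv(void)
{
    char **saved = environ;
    setenv("SANDBOX_DEMO_VAR", "1", 1);   /* hypothetical variable name */
    return environ == saved;              /* 0 on glibc/musl: environ moved */
}
```

Call `environ_stable_with_copy()` before `environ_stable_with_setenv()` in one process: the second call is the first time the variable is added, which is when the relocation is guaranteed.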