Bug 669702

Created attachment 553230 [details]
build.log

Created attachment 553232 [details]
config.log

Comment 3 Lars Wendler (Polynomial-C) (RETIRED) 2018-10-26 20:27:59 UTC

Most likely not a sandbox issue.

Please post the output of

  emerge --info sandbox gcc glibc gzip

Portage 2.3.51 (python 3.6.6-final-0, hardened/linux/amd64, gcc-8.2.0, glibc-2.28-r1, 4.19.0-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.19.0-gentoo-x86_64-Intel-R-_Core-TM-_i5-7600K_CPU_@_3.80GHz-with-gentoo-2.6
KiB Mem:     8074592 total,   5350348 free
KiB Swap:    8388604 total,   8388604 free
Head commit of repository gentoo: 3b8059376ea43c9675f58e24d4f417885f54896c

sh dash 0.5.10.2
ld GNU ld (Gentoo 2.31.1 p3) 2.31.1
app-shells/bash:          4.4_p23::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.26.2::gentoo
dev-lang/python:          2.7.15::gentoo, 3.6.6::gentoo, 3.7.0::gentoo
dev-util/cmake:           3.12.3::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.39.1::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.16.1-r1::gentoo
sys-devel/binutils:       2.31.1-r1::gentoo
sys-devel/gcc:            7.3.0-r5::gentoo, 8.2.0-r3::gentoo
sys-devel/gcc-config:     2.0::gentoo
sys-devel/libtool:        2.4.6-r5::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc:           2.28-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/repo/gentoo.git
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

Installed sets: @steam
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fPIE"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -fPIE"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://de-mirror.org/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de de_DE"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X aac acl acpi alsa alsa-plugin amd64 aspell avcodec avformat bdplus berkdb bluray bzip2 caps cli cron crypt cryptsetup cups cxx dri dri3 dts dvb dvd dvi2tty dvipdfm egl ffmpeg fontconfig gdbm glamor glib graphics gtk hardened iconv infinality ipv6 jpeg lame libressl libtirpc logrotate mmx mp3 mpeg multilib ncurses nls nptl nvidia ogg open_perms opengl openh264 openmp orc pam pcre peer_perms pie png postproc ppp pstricks python qt5 readline rtlsdr science scrypt seccomp sna socks5 spell sse sse2 ssl ssp static static-libs tcpd theora tiff truetype ubac udev unicode urandom vaapi vim-syntax vorbis wayland x264 x265 xattr xtpax xv xvid xvmc xwayland zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon plan sheets stage words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X87="aes avx avx2 f16c fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" CURL_SSL="libressl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="evdev joystick" KERNEL="linux" L10N="de" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-1" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" QEMU_SOFTMMU_TARGETS="x86_64 i386" RUBY_TARGETS="ruby24 ruby25" SANE_BACKENDS="epson epson2 net canon" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

sys-apps/sandbox-2.13::gentoo was built with the following:
USE="" ABI_X86="(32) (64) (-x32)"


sys-devel/gcc-7.3.0-r5::gentoo was built with the following:
USE="cxx fortran hardened (multilib) nls nptl openmp (pie) (ssp) vtv (-altivec) -cilk -debug -doc (-fixed-point) -go -graphite (-jit) (-libssp) -mpx -objc -objc++ -objc-gc (-pch) -pgo -regression-test (-sanitize) -vanilla" ABI_X86="(64)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"


sys-devel/gcc-8.2.0-r3::gentoo was built with the following:
USE="cxx fortran hardened (multilib) nls nptl openmp (pie) (ssp) vtv (-altivec) -debug -doc (-fixed-point) -go -graphite (-jit) (-libssp) -mpx -objc -objc++ -objc-gc (-pch) -pgo -regression-test (-sanitize) -systemtap -vanilla" ABI_X86="(64)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"


sys-libs/glibc-2.28-r1::gentoo was built with the following:
USE="caps hardened multiarch (multilib) -audit (-cet) (-compile-locales) -doc -gd -headers-only -nscd (-profile) (-selinux) -suid -systemtap -test (-vanilla)" ABI_X86="(64)"
CFLAGS="-pipe -ggdb -O2 -fno-strict-aliasing"
CXXFLAGS="-pipe -ggdb -O2 -fno-strict-aliasing"


app-arch/gzip-1.9::gentoo was built with the following:
USE="static -pic" ABI_X86="(64)"
CFLAGS="-O2 -pipe -fPIE -static"
CXXFLAGS="-O2 -pipe -fPIE -static"

If it's not a sandbox issue, why can emerge =app-arch/gzip-1.9 with /bin/dash as /bin/sh only compile, if I add FEATURES="-sandbox -usersandbox"?

I can re-produce this. It happens for me if dash is compiled statically.

Steps to re-produce:

# env USE="static" emerge -v1 app-shells/dash eselect-sh
# eselect sh set dash
# cd /usr/portage/app-arch/gzip
# ebuild gzip-1.10.ebuild clean unpack
# cd /var/tmp/portage/app-arch/gzip-1.10/work/gzip-1.10/
# sudo -u portage -- sandbox bash

checking whether the C compiler works... no
configure: error: in `/var/tmp/portage/app-arch/gzip-1.10/work/gzip-1.10':
configure: error: C compiler cannot create executables
See `config.log' for more details

# exit
# sudo -u portage -- bash
# ./configure # configure should succeed outside of the sandbox

Comment 7 Michał Górny 2019-01-02 08:20:08 UTC

You seem to have fallen into the trap of thinking that statically linked executables are more portable/resistant to defects.  They are not.  In fact, -static usually means things are really fragile to libc or other system API changes.  Apparently, using sandbox is one of those which break it.

If @base-system wants, they can remove the static flag to stop people from shooting themselves in the feet.  There's nothing sandbox@ can do here.

Comment 8 Sergei Trofimovich (RETIRED) 2019-01-03 14:22:08 UTC

USE=static is a red herring here. The same failure occasionally happens on dynamically linked bash as well.

execv() wrapper of sandbox breaks the assumption of 'environ' being unchanged during execv() call.

The affected code uses the following pattern:
    save_env = environ;
    vfork();
      /* child */
        environ = new_env; // [1]
        execv();
      /* parent */
        wait();
        environ = save_env; // undo [1]
        putenv(...); // [2]

It's an extract of gcc's (and gdb's) pex_unix_exec_child() function:
    https://github.com/gcc-mirror/gcc/blob/d1961e648e0fedebd06e4ad786c1bfc536312ef7/libiberty/pex-unix.c#L566

In case of libsandbox execv() has an effect of clobbering environ via sb_check_envp():
    https://gitweb.gentoo.org/proj/sandbox.git/tree/libsandbox/wrapper-funcs/__wrapper_exec.c#n277

Namely at:
    https://gitweb.gentoo.org/proj/sandbox.git/tree/libsandbox/libsandbox.c#n1126

    for (i = 0; i < num_vars; ++i) {
        if (found_vars[i] || !vars[i].value)
            continue;
        setenv(vars[i].name, vars[i].value, 1); // here
    }

setenv() occasionally relocates 'environ' array on heap and [1] points to freed memory. If host process happens to access environment later it has all chances reaching garbled data.

To avoid fork()/vfork() involvement failed case could even be as simple as:
    save_env = environ; // [3]
    execv(); // expect failure
    environ = save_env; // undo [4]

Comment 9 Sergei Trofimovich (RETIRED) 2019-01-03 14:23:00 UTC

*** Bug 673560 has been marked as a duplicate of this bug. ***

Comment 10 Sergei Trofimovich (RETIRED) 2019-01-03 14:23:17 UTC

*** Bug 673724 has been marked as a duplicate of this bug. ***

Comment 11 Sergei Trofimovich (RETIRED) 2019-01-06 18:25:55 UTC

Created attachment 560120 [details, diff]
sandbox-2.14-execv-environ.patch

sandbox-2.14-execv-environ.patch adds a simple test for 'environ' stability and fixes execv*() wrappers to preserve 'environ'.

Comment 12 Michał Górny 2019-01-06 18:28:58 UTC

Feel free to push it after some testing.

@slyfox, perfect job, thanks

As a user, I can confirm the patch works well on the different ebuilds which were causing a segmentation fault in my system (busybox openssl libdrm mesa libepoxy ghostscript-gpl nvidia-drivers).

Comment 15 Larry the Git Cow 2019-01-08 22:58:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f3e51a930312422cc78b693a247b7c5704ac90a2

commit f3e51a930312422cc78b693a247b7c5704ac90a2
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-01-06 09:32:55 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-01-08 22:48:44 +0000

    exec*() wrappers: never mutate 'environ' of host process
    
    In bug #669702 gcc exposed sandbox bug where execv()
    wrapper changed 'environ' global variable underneath.
    
    A few GNU projects (pex_unix_exec_child in gcc and gdb)
    use the following idiom:
    
    for (;;) {
        vfork();
        char ** save_environ = environ; // [1]
        if (child) {
            environ = child_environ; // [2]
            execv(payload); // [3]
        }
        if (parent) {
            environ = save_environ; // [4]
            ...
            waitpid(child, ...);
        }
    }
    
    Code above assumes that execv() does not mutate 'environ'.
    
    In case of #669702 sandbox's execv() wrapper at '[3]' mutated
    'environ' and relocated it (via maloc()/free() internally).
    This caused '[4]' to point 'environ' fo freed location.
    
    The change fixes it in a following way:
    - execv() call now works more like execve() call by mutating
      external array and substitutes 'environ' only for a period
      of 'execv()' execution.
    - add basic execv()/'environ' corruption test
    
    Tested on:
    - linux/glibc-2.28
    - linux/uclibc-ng-1.0.31
    
    Reported-and-tested-by: Walther
    Reported-by: 0x6d6174@posteo.de
    Reported-by: Andrey Korolyov
    Bug: https://bugs.gentoo.org/669702
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 libsandbox/libsandbox.c                   | 92 +++++++++++++++----------------
 libsandbox/libsandbox.h                   | 17 +++++-
 libsandbox/wrapper-funcs/__wrapper_exec.c | 15 +++--
 tests/Makefile.am                         |  1 +
 tests/execv-0.c                           | 21 +++++++
 tests/execv-1.sh                          |  4 ++
 tests/execv.at                            |  1 +
 7 files changed, 96 insertions(+), 55 deletions(-)

Comment 16 Sergei Trofimovich (RETIRED) 2019-01-08 23:01:05 UTC

Pushed patch to master branch. Next step is to cut a release or apply the fix (without test suite changes) on current sandbox ebuild.

Thanks all!

With the patch the problem is fixed, so thanks for resolving the issue! :)

Tested ebuild =sys-apps/sandbox-2.15

*** Bug 621542 has been marked as a duplicate of this bug. ***