
Bug #4544

shadow 4.2.1 segfault

Added by Stuart Cardall over 3 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Assignee:
Category: Aports
Target version: -
Start date: 08/20/2015
Due date:
% Done: 0%
Estimated time:
Affected versions:
Security IDs:

Description

This is the bug preventing unprivileged containers from working in LXC. It is similar to http://bugs.alpinelinux.org/issues/3750 except _GNU_SOURCE is already defined in $srcdir/config.h

To reproduce the bug:

newuidmap <lxc container pid> <uid> <loweruid> <count>

I am sending a patch today to enable the debug build I used:

root@kvm64 [~]# gdb newuidmap
GNU gdb (GDB) 7.9.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying" 
and "show warranty" for details.
This GDB was configured as "x86_64-alpine-linux-musl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from newuidmap...Reading symbols from /usr/lib/debug//usr/bin/newuidmap.debug...done.
done.
(gdb) run 2674 0 100000 65535
Starting program: /usr/bin/newuidmap 2674 0 100000 65535

Program received signal SIGSEGV, Segmentation fault.
0x00007f33a129d1d8 in __intscan (f=f@entry=0x7ffeaf94c770, base=base@entry=0, pok=pok@entry=1, lim=lim@entry=9223372036854775808)
    at src/internal/intscan.c:36
36    src/internal/intscan.c: No such file or directory.
(gdb) backtrace full
#0  0x00007f33a129d1d8 in __intscan (f=f@entry=0x7ffeaf94c770, base=base@entry=0, pok=pok@entry=1, lim=lim@entry=9223372036854775808)
    at src/internal/intscan.c:36
        c = <optimized out>
        neg = 0
        x = <optimized out>
        y = <optimized out>
#1  0x00007f33a12ce6bc in strtox (s=0x0, p=0x7ffeaf94c898, base=0, lim=9223372036854775808) at src/stdlib/strtol.c:21
        f = {flags = 0, rpos = 0x1 <error: Cannot access memory at address 0x1>, 
          rend = 0x7fffffffffffffff <error: Cannot access memory at address 0x7fffffffffffffff>, close = 0x7f33a1507048 <builtin_tls+136>, wend = 0x0, 
          wpos = 0x7f33a12c6fdf <cleanup> "H\203\277\200", mustbezero_1 = 0x7f33a1509520 "\030", wbase = 0x0, read = 0x42fa0000af94c80f, 
          write = 0x7f33a12a4505 <alloc_fwd+183>, seek = 0x7f33a1509608, buf = 0x0, buf_size = 139859726472480, prev = 0x7f33a21cf030, next = 0x0, 
          fd = -1591064810, pipe_pid = 32563, lockcount = 2, dummy3 = 96, mode = 0 '\000', lbf = 0 '\000', lock = -1, waiters = -1575165936, 
          cookie = 0x7f33a12a4716 <free+145>, off = 43, getln_buf = 0x7f33a1712e50 "A", mustbezero_2 = 0x1, 
          shend = 0x7fffffffffffffff <error: Cannot access memory at address 0x7fffffffffffffff>, shlim = 0, shcnt = 9223372036854775807, 
          prev_locked = 0x7f33a15073b8 <mal+120>, next_locked = 0x7f33a12a4e9a <malloc+1202>}
        y = 0
#2  0x00007f33a150c896 in getulong (numstr=0x0, result=0x7f33a1712e60) at getulong.c:51
        val = 2189687800
        endptr = 0x0
#3  0x00007f33a150bfcb in get_map_ranges (ranges=1, argc=3, argv=0x7ffeaf94da18) at idmapping.c:74
        mappings = 0x7f33a1712e60
        mapping = 0x7f33a1712e60
        idx = 0
        argidx = 32563
#4  0x00007f33a150bd76 in main (argc=5, argv=0x7ffeaf94da08) at newuidmap.c:173
        proc_dir_name = "/proc/2674/", '\000' <repeats 1941 times>...
        target_str = 0x7ffeaf94ecd7 "2674" 
        target = 2674
        proc_dir_fd = 3
        ranges = 1
        mappings = 0x0
        st = {st_dev = 3, st_ino = 645723, st_nlink = 7, st_mode = 16749, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 1024, 
          st_blocks = 0, st_atim = {tv_sec = 1440092176, tv_nsec = 586666664}, st_mtim = {tv_sec = 1440092176, tv_nsec = 586666664}, st_ctim = {
            tv_sec = 1440092176, tv_nsec = 586666664}, __unused = {0, 0, 0}}
        pw = 0x7f33a1712f00
        written = 11
(gdb) thread apply all backtrace

Thread 1 (process 2946):
#0  0x00007f33a129d1d8 in __intscan (f=f@entry=0x7ffeaf94c770, base=base@entry=0, pok=pok@entry=1, lim=lim@entry=9223372036854775808)
    at src/internal/intscan.c:36
#1  0x00007f33a12ce6bc in strtox (s=0x0, p=0x7ffeaf94c898, base=0, lim=9223372036854775808) at src/stdlib/strtol.c:21
#2  0x00007f33a150c896 in getulong (numstr=0x0, result=0x7f33a1712e60) at getulong.c:51
#3  0x00007f33a150bfcb in get_map_ranges (ranges=1, argc=3, argv=0x7ffeaf94da18) at idmapping.c:74
#4  0x00007f33a150bd76 in main (argc=5, argv=0x7ffeaf94da08) at newuidmap.c:173
(gdb) info registers
rax            0x0    0
rbx            0x7ffeaf94c770    140731844183920
rcx            0x8000000000000000    -9223372036854775808
rdx            0x1    1
rsi            0x0    0
rdi            0x7ffeaf94c770    140731844183920
rbp            0x0    0x0
rsp            0x7ffeaf94c710    0x7ffeaf94c710
r8             0x41    65
r9             0x7f33a15073b0    139859726463920
r10            0x0    0
r11            0x246    582
r12            0x7ffeaf94c770    140731844183920
r13            0x8000000000000000    -9223372036854775808
r14            0x1    1
r15            0x8283fbf8    2189687800
rip            0x7f33a129d1d8    0x7f33a129d1d8 <__intscan+55>
eflags         0x10293    [ CF AF SF IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
(gdb)
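
Added example (not part of the original report and not shadow's own code): frames #1 to #3 above show getulong() being handed numstr=0x0 and strtox() then reading through it. The sketch below is one defensive way to parse the <uid> <loweruid> <count> triples so that a NULL or malformed argument is rejected before any string-to-integer call; struct id_range, parse_ulong and parse_id_ranges are hypothetical names chosen for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical type for this example; not shadow's own structure. */
struct id_range {
    unsigned long uid;      /* first ID as seen inside the namespace */
    unsigned long loweruid; /* first ID as seen outside the namespace */
    unsigned long count;    /* number of IDs in the range */
};

/* Parse one decimal field. Rejects NULL, empty strings, signs,
 * leading whitespace, trailing junk and values that overflow. */
static bool parse_ulong(const char *s, unsigned long *out)
{
    char *end = NULL;

    if (s == NULL || *s < '0' || *s > '9')
        return false;   /* the NULL case is the one seen in frame #2 */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;
    *out = v;
    return true;
}

/* Fill out[] from argv triples. argc counts only the triple arguments.
 * Returns the number of ranges parsed, or -1 on malformed input. */
int parse_id_ranges(int argc, char *const argv[], struct id_range *out, int max)
{
    if (argv == NULL || out == NULL || argc <= 0 || argc % 3 != 0 || argc / 3 > max)
        return -1;
    for (int i = 0; i < argc / 3; i++) {
        struct id_range *r = &out[i];
        if (!parse_ulong(argv[3 * i], &r->uid) ||
            !parse_ulong(argv[3 * i + 1], &r->loweruid) ||
            !parse_ulong(argv[3 * i + 2], &r->count))
            return -1;
        /* Reject empty ranges and ranges that would wrap past ULONG_MAX. */
        if (r->count == 0 || r->uid > ULONG_MAX - r->count ||
            r->loweruid > ULONG_MAX - r->count)
            return -1;
    }
    return argc / 3;
}
```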

History

#1 Updated by Stuart Cardall over 3 years ago

Patch submitted for debug build: http://patchwork.alpinelinux.org/patch/497/

#2 Updated by Jakub Jirutka over 2 years ago

After removing CFLAGS="$CFLAGS -O0" from the abuild, newuidmap does not segfault anymore.

However, it still doesn’t work; I’m getting newuidmap: write to uid_map failed: Operation not permitted.

#3 Updated by Stuart Cardall over 2 years ago

This can be closed now; unprivileged containers work:

https://github.com/alpinelinux/aports/pull/294
